OracleVM 3.2 : rpm (OVMSA-2016-0077)

High Nessus Plugin ID 91753


The remote OracleVM host is missing one or more security updates.


The remote OracleVM system is missing necessary patches to address critical security updates:

- Add missing files in /usr/share/doc/

- Fix warning when applying the patch for #1163057

- Fix race condition where unchecked data is exposed in the file system (CVE-2013-6435) (#1163057)

- Fix segfault on rpmdb addition when header unload fails (#706935)

- Fix segfault on invalid OpenPGP packet (#743203)

- Account for excludes and hardlinks wrt payload max size (#716853)

- Fix payload size tag generation on big-endian systems (#648516)

- Track all install failures within a transaction (#671194)

- fix changelog (bug #707677 is actually #808547)

- Document -D and -E options in man page (#814602)

- Require matching arch for freshen on colored transactions (#813282)

- Add DWARF 3 and 4 support to debugedit (#808547)

- No longer add \n to group tag in Python bindings (#783451)

- Fix typos in Japanese rpm man page (#760552)

- Bump Geode compatibility up to i686 (#620570)

- Proper region tag validation on package/header read (CVE-2012-0060)

- Double-check region size against header size (CVE-2012-0061)

- Validate negated offsets too in headerVerifyInfo (CVE-2012-0815)

- Revert fix for #740291, too many packages rely on the broken behavior

- Add support for XZ-compressed sources and patches to rpmbuild (#620674)

- Avoid unnecessary assert-death when closing NULL fd (#573043)

- Add scriptlet error notification callbacks (#533831)

- Honor --noscripts for pre- and posttrans scriptlets too (#740345)

- Avoid bogus error on printing empty ds from python (#628883)

- File conflicts correctness & consistency fixes (#740291)

- Create the directory used for transaction lock if necessary (#510469)

- Only enforce default umask during transaction (#673821)

- fix thinko in the CVE backport

- fix CVE-2011-3378 (#742157)

- accept windows cr/lf line endings in gpg keys (#530212)

- Backport multilib ordering fixes from rpm 4.8.x (#641892)


Update the affected packages.

Plugin Details

Severity: High

ID: 91753

File Name: oraclevm_OVMSA-2016-0077.nasl

Version: $Revision: 2.3 $

Type: local

Published: 2016/06/22

Modified: 2017/02/14

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:popt, p-cpe:/a:oracle:vm:rpm, p-cpe:/a:oracle:vm:rpm-libs, p-cpe:/a:oracle:vm:rpm-python, cpe:/o:oracle:vm_server:3.2

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2016/06/21

Reference Information

CVE: CVE-2011-3378, CVE-2012-0060, CVE-2012-0061, CVE-2012-0815, CVE-2013-6435

BID: 49799, 52865, 71558

OSVDB: 75930, 75931, 81009, 81010, 81011, 115601