OracleVM 3.2 : rpm (OVMSA-2016-0077)

high Nessus Plugin ID 91753
New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it is different from CVSS.

VPR Score: 5.9


The remote OracleVM host is missing one or more security updates.


The remote OracleVM system is missing necessary patches to address critical security updates :

- Add missing files in /usr/share/doc/

- Fix warning when applying the patch for #1163057

- Fix race condidition where unchecked data is exposed in the file system (CVE-2013-6435)(#1163057)

- Fix segfault on rpmdb addition when header unload fails (#706935)

- Fix segfault on invalid OpenPGP packet (#743203)

- Account for excludes and hardlinks wrt payload max size (#716853)

- Fix payload size tag generation on big-endian systems (#648516)

- Track all install failures within a transaction (#671194)

- fix changelog (bug #707677 is actually #808547)

- Document -D and -E options in man page (#814602)

- Require matching arch for freshen on colored transactions (#813282)

- Add DWARF 3 and 4 support to debugedit (#808547)

- No longer add \n to group tag in Python bindings (#783451)

- Fix typos in Japanese rpm man page (#760552)

- Bump Geode compatibility up to i686 (#620570)

- Proper region tag validation on package/header read (CVE-2012-0060)

- Double-check region size against header size (CVE-2012-0061)

- Validate negated offsets too in headerVerifyInfo (CVE-2012-0815)

- Revert fix for #740291, too many packages rely on the broken behavior

- Add support for XZ-compressed sources and patches to rpmbuild (#620674)

- Avoid unnecessary assert-death when closing NULL fd (#573043)

- Add scriptlet error notification callbacks (#533831)

- Honor --noscripts for pre- and posttrans scriptlets too (#740345)

- Avoid bogus error on printing empty ds from python (#628883)

- File conflicts correctness & consistency fixes (#740291)

- Create the directory used for transaction lock if necessary (#510469)

- Only enforce default umask during transaction (#673821)

- fix thinko in the CVE backport

- fix CVE-2011-3378 (#742157)

- accept windows cr/lf line endings in gpg keys (#530212)

- Backport multilib ordering fixes from rpm 4.8.x (#641892)


Update the affected packages.

See Also

Plugin Details

Severity: High

ID: 91753

File Name: oraclevm_OVMSA-2016-0077.nasl

Version: 2.6

Type: local

Published: 6/22/2016

Updated: 1/4/2021

Dependencies: ssh_get_info.nasl

Risk Information

Risk Factor: High

VPR Score: 5.9

CVSS v2.0

Base Score: 9.3

Temporal Score: 6.9

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: E:U/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:popt, p-cpe:/a:oracle:vm:rpm, p-cpe:/a:oracle:vm:rpm-libs, p-cpe:/a:oracle:vm:rpm-python, cpe:/o:oracle:vm_server:3.2

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 6/21/2016

Vulnerability Publication Date: 12/24/2011

Reference Information

CVE: CVE-2011-3378, CVE-2012-0060, CVE-2012-0061, CVE-2012-0815, CVE-2013-6435

BID: 49799, 52865, 71558