Hi security team,

the loop-aes-utils package in sarge is affected by CAN-2005-2876 (#328626). I've prepared a stable-security upload of 2.12p-4sarge1 with a fix backported from 2.12r-pre1:

http://people.debian.org/~xam/security/loop-aes-utils/

This bug will be fixed in unstable with 2.12p-9 (pending upload).

Note that this update will not be effective until mount is also fixed. The /bin/umount binary from 'mount' is diverted to /bin/umount.orig and remains setuid root, so an attacker could just use that binary instead of the one from loop-aes-utils.

cheers,
Max

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 16 Sep 2005 15:12:02 +0200
Source: loop-aes-utils
Binary: loop-aes-utils
Architecture: source i386
Version: 2.12p-4sarge1
Distribution: stable-security
Urgency: high
Maintainer: [EMAIL PROTECTED]
Changed-By: Max Vozeler <[EMAIL PROTECTED]>
Description:
 loop-aes-utils - Tools for mounting and manipulating filesystems
Changes:
 loop-aes-utils (2.12p-4sarge1) stable-security; urgency=high
 .
   * [SECURITY] CAN-2005-2876. Applied patch from 2.12r-pre1 to fix a local privilege escalation vulnerability in umount -r.
Files:
 e708365ea3b674ef3983edda999d8070 684 admin optional loop-aes-utils_2.12p-4sarge1.dsc
 f085322d67f1300c914910c1ca1fd95f 69614 admin optional loop-aes-utils_2.12p-4sarge1.diff.gz
 de42b52353becd80ee61922a1b21486a 142250 admin optional loop-aes-utils_2.12p-4sarge1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDKssbnVvVEbfNotwRAhUGAKCSHj4ioqGwIT2pmDgFH7xl+l5VjQCfR273
6QgKuGXJnEKqu+Sx9mStamA=
=BVgD
-----END PGP SIGNATURE-----
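
Added example, not part of the original mail and not Debian's or the package's own code: a shell check for the situation described in the message, where a diverted binary keeps its setuid bit after the diverting package is fixed. It assumes input in the `dpkg-divert --list` line format; the function name `setuid_diversions` and its optional root-prefix argument are hypothetical.

```shell
#!/bin/sh
# Added example: report diverted-to files that are still setuid.
#
# Input (stdin): lines as printed by `dpkg-divert --list`, e.g. (constructed):
#   diversion of /bin/umount to /bin/umount.orig by loop-aes-utils
#   local diversion of /usr/bin/foo to /usr/bin/foo.real
# Argument 1 (optional, assumption for offline checks): a directory prefix
# under which the paths are looked up instead of the live root.
#
# Typical use on a live system:
#   dpkg-divert --list | setuid_diversions
#
# Limitation: paths containing the literal strings " to " or " by " are
# not parsed correctly.

setuid_diversions() {
    root="${1:-}"
    while IFS= read -r line; do
        case "$line" in
            *"diversion of "*" to "*) ;;   # a diversion record
            *) continue ;;                  # anything else is ignored
        esac
        # Leaves "<original> to <diverted-to>[ by <package>]"
        rest="${line#*diversion of }"
        orig="${rest%% to *}"
        target="${rest#* to }"
        target="${target% by *}"            # no-op for local diversions
        # -u is true when the file exists and has the setuid bit set
        if [ -u "$root$target" ]; then
            printf '%s (diverted from %s)\n' "$target" "$orig"
        fi
    done
}
```

Any path this prints is a privileged binary that a fixed package does not replace, so it needs its own fix or its setuid bit reviewed.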