kexec-tools-2.0.0-209.AXS4
Errata ID: AXSA:2012-12:01
Release date:
2012/01/18 Wednesday - 12:10
Title:
kexec-tools-2.0.0-209.AXS4
Affected channels:
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity:
High
Description:
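The following items have been addressed.
[Security Fix]
- At this time, information on CVE-2011-3588, CVE-2011-3589 and CVE-2011-3590 has not been published.
We will update this information as soon as the CVE information is published.
Some CVE translations are quoted from JVN.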
http://jvndb.jvn.jp
Solution:
Update the packages.
CVE:
CVE-2011-3588
The SSH configuration in the Red Hat mkdumprd script for kexec-tools, as distributed in the kexec-tools 1.x before 1.102pre-154 and 2.x before 2.0.0-209 packages in Red Hat Enterprise Linux, disables the StrictHostKeyChecking option, which allows man-in-the-middle attackers to spoof kdump servers, and obtain sensitive core information, by using an arbitrary SSH key.
CVE-2011-3589
The Red Hat mkdumprd script for kexec-tools, as distributed in the kexec-tools 1.x before 1.102pre-154 and 2.x before 2.0.0-209 packages in Red Hat Enterprise Linux, uses world-readable permissions for vmcore files, which allows local users to obtain sensitive information by inspecting the file content, as demonstrated by a search for a root SSH key.
CVE-2011-3590
The Red Hat mkdumprd script for kexec-tools, as distributed in the kexec-tools 1.x before 1.102pre-154 and 2.x before 2.0.0-209 packages in Red Hat Enterprise Linux, includes all of root's SSH private keys within a vmcore file, which allows context-dependent attackers to obtain sensitive information by inspecting the file content.
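The following audit script is an added example, not part of the original advisory or of the kexec-tools package. It checks a host for the two conditions described in CVE-2011-3589 (vmcore files readable by group or other) and CVE-2011-3588 (a script or SSH configuration that turns off StrictHostKeyChecking). The function names are hypothetical, and the dump directory and file to scan are passed in by the caller; /var/crash is assumed here only as the common kdump default.

```shell
#!/bin/sh
# Added example: audit for the conditions in CVE-2011-3589 and CVE-2011-3588.
# Assumption: the caller supplies the dump directory (commonly /var/crash)
# and the script or ssh config file to inspect.

# List every vmcore* file under directory $1 that group or other can read.
find_readable_vmcores() {
    find "$1" -type f -name 'vmcore*' \
        \( -perm -040 -o -perm -004 \) -print 2>/dev/null
}

# Remove all group/other access from the files reported above.
# Dumps written before the package update keep their old mode until changed.
restrict_vmcores() {
    find "$1" -type f -name 'vmcore*' \
        \( -perm -040 -o -perm -004 \) -exec chmod go-rwx {} +
}

# Print "line:text" for each non-comment line of file $1 that disables
# host key checking, in either "StrictHostKeyChecking no" (ssh_config)
# or "-o StrictHostKeyChecking=no" (command line) form.
find_disabled_hostkey_check() {
    grep -inE '^[^#]*StrictHostKeyChecking[[:space:]=]+"?(no|off)' "$1"
}

# Stand-alone use: audit.sh <dump-dir> [file-to-scan]
if [ "$#" -ge 1 ]; then
    echo "vmcore files readable by group/other under $1:"
    find_readable_vmcores "$1"
    if [ "$#" -ge 2 ]; then
        echo "lines disabling StrictHostKeyChecking in $2:"
        find_disabled_hostkey_check "$2" || echo "(none)"
    fi
fi
```

Because a vmcore may contain root's SSH private keys (CVE-2011-3590), any dump that was readable by other users is a reason to consider rotating those keys, not only tightening the file mode.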
Additional information:
N/A
Download:
SRPMS
- kexec-tools-2.0.0-209.AXS4.src.rpm
MD5: d685f9d49832b162b7c8b19e3a1b9b80
SHA-256: 3f58ca43e5afddb5d8d441ac219c32dae670c1c7ace5b1a4e77d04ab1abfc90b
Size: 490.05 kB
Asianux Server 4 for x86
- kexec-tools-2.0.0-209.AXS4.i686.rpm
MD5: 4533c6c6e835cef1135111e133ffb99d
SHA-256: 0e0939ea2f342fbc597368ed837d3e2bb600ec57c4dbd2c65f6a602595842eb2
Size: 245.21 kB
Asianux Server 4 for x86_64
- kexec-tools-2.0.0-209.AXS4.x86_64.rpm
MD5: b67702e84e1c5da3df8d2ef57c3c511b
SHA-256: 44d4ebdf2f34c8507ef3db38a930355d9b5ee55a44137953e47728995879ef01
Size: 254.06 kB