Summary
The remote host is missing updates announced in
advisory GLSA 200411-22.
Solution
All Davfs2 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=net-fs/davfs2-0.2.2-r1'
All lvm-user users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=sys-fs/lvm-user-1.0.7-r2'
http://www.securityspace.com/smysecure/catid.html?in=GLSA%20200411-22 http://bugs.gentoo.org/show_bug.cgi?id=68406
http://bugs.gentoo.org/show_bug.cgi?id=69149
Insight
Davfs2 and the lvmcreate_initrd script (included in the lvm-user package) are both vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files with the rights of the user running them.
Severity
Classification
-
CVE CVE-2004-0972 -
CVSS Base Score: 2.1
AV:L/AC:L/Au:N/C:N/I:P/A:N
Related Vulnerabilities