[SECURITY] [DLA 3643-1] pmix security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3643-1] pmix security update
From: "Chris Lamb" <lamby@debian.org>
Date: Tue, 31 Oct 2023 21:45:58 +0100
Message-id: <[🔎] 169876898422.186814.6091352799510833318@copycat>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3643-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
October 31, 2023                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : pmix
Version        : 3.1.2-3+deb10u1
CVE ID         : CVE-2023-41915
Debian Bug     : 1051729

It was discovered that there was an arbitrary file overwrite
vulnerability in pmix, a library used in parallel/cluster computing.

Attackers could have obtained ownership of arbitrary files via a
symlink-related race condition during execution of library code with
UID 0. 

For Debian 10 buster, this problem has been fixed in version
3.1.2-3+deb10u1.

We recommend that you upgrade your pmix packages.

For the detailed security status of pmix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pmix

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmVBKFYACgkQHpU+J9Qx
HlhwaQ//Wvxx47p4W+/8bvD1TpnEUdq3sLkAzzXL8S4w1BMhQfTqqAi7Nnuh0cez
1AGQN3msm+aowkQGyVzkrKGDmOJ/DTcNZxvEOl9R2HoAK/FmLW7FQ2f68g1Zc/lu
RKS1jFSU53b9InbDBucRDAdPgqOsEnKJ3SEfVR34Gn9yEZ3l4VzF7Wy97rjaDAOC
2vNFmZI2hE6D3wvRu4KvwjJGBAeaPX+LQ/XhAp8veoMDjhG89YgVMZyCjKmJ/zDf
OgqejwToGoYiuDgU9+yTY5Bf+qL2inXZeWX6VYZHYPNfwaHy7zUa1uKVZc7WnqmN
KA2uYoF8iguQEond/o4GN3oqLLPdNv7Svsu61ak9joir2dbI4AQDOdcivwB5S6C0
GPZ5fn+GO1uN4fQIApelnb4cnhGL+ElW4kqfLogPjWt2eCQnDU1cUztOyQRuZ/sL
D2ZOpUBvQVuwhmB0jOm4XHUr9oJf8g5VZvFYQtIxYcENLQs2kBKRjAq0Yx1Bjno7
H9JPHgAOhMaRCMJDGoh58LHu/kXegn4Kn3i74hbrJ7XSXVaM99iuPwlQvhrlmVZJ
fAgFugQFGGYq46UtojG4UYaN4YEADUKdNWd8Bb9ZU3zs9oiqtMwrN8r65a74shGa
iBaR1lG9HLj7BcoklN/wOeukqRz24lIElH6/zmFWKS6PdHXW2y8=
=wZoD
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3638-1] h2o security update
Previous by thread: [SECURITY] [DLA 3638-1] h2o security update
Index(es):
- Date
- Thread