Debian Long Term Support / LTS Security Information / 2014 / Security Information -- DLA-28-1 augeas

Debian Security Advisory

DLA-28-1 augeas -- LTS security update

Date Reported:

01 Aug 2014

Affected Packages:

augeas

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 731111, Bug 731132.
In Mitre's CVE dictionary: CVE-2012-0786, CVE-2012-0787, CVE-2013-6412.

More information:

Multiple race conditions were discovered in augeas when saving configuration files which expose it to symlink attacks. Write access to the directory where the configuration file is located is required by the attacker.

For Debian 6 Squeeze, these issues have been fixed in augeas version 0.7.2-1+deb6u1