Savane - News: New Savane release fixes symlink attack and privilege escalation
New Savane release fixes symlink attack and privilege escalation
Item posted by Sylvain Beucler <beuc> on Wed 02 Dec 2009 10:24:18 PM UTC.
Sylvain Beucler discovered that Savane, a 100% free software hosting platform, is vulnerable to a symlink attack on ~/.ssh user directories that may allow the attacker to gain access to other user accounts.
We forwarded the patch to GForge, which was also vulnerable; there the issue was identified as Debian-assigned CVE-2009-3304, disclosed today.
We recommend that you upgrade your Savane installation to the new version, 3.0+3.
The new version contains only this fix and does not otherwise change Savane's behavior.
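As an added illustration (not Savane's or GForge's code, and not the patch itself), here is one way a service can write a user's `authorized_keys` without following a symlink planted at `~/.ssh` or at the key file. It assumes the vulnerable pattern is a privileged process writing into a user-controlled home directory; the function name and temporary file name are hypothetical.

```python
import os

def write_authorized_keys(home, keys):
    """Write `keys` to <home>/.ssh/authorized_keys without following symlinks.

    Raises OSError if .ssh is a symlink or is not a directory.
    """
    home_fd = os.open(home, os.O_RDONLY | os.O_DIRECTORY)
    try:
        try:
            os.mkdir(".ssh", 0o700, dir_fd=home_fd)
        except FileExistsError:
            pass
        # O_NOFOLLOW makes the open fail when .ssh is a symlink, so the write
        # cannot be redirected into another account's directory. Holding the
        # directory fd also closes the check-then-use race on the path.
        ssh_fd = os.open(".ssh", os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                         dir_fd=home_fd)
    finally:
        os.close(home_fd)
    try:
        tmp = "authorized_keys.new"  # hypothetical temporary name
        try:
            os.unlink(tmp, dir_fd=ssh_fd)  # removes a planted link, not its target
        except FileNotFoundError:
            pass
        # O_EXCL | O_NOFOLLOW: create a fresh regular file or fail.
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW,
                     0o600, dir_fd=ssh_fd)
        with os.fdopen(fd, "w") as f:
            f.write(keys)
        # rename() replaces the directory entry itself; a symlink named
        # authorized_keys is overwritten rather than followed.
        os.rename(tmp, "authorized_keys", src_dir_fd=ssh_fd, dst_dir_fd=ssh_fd)
    finally:
        os.close(ssh_fd)
```

A privileged caller would still need to give the new file to the target user; performing the write under that user's own uid avoids this class of problem altogether.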
Comments:
Thanks (posted by Alex, Thu 30 Dec 2010 06:42:36 PM UTC)
Thanks for information. I've just started using this platform. I was convinced by this video: http://www.tubesfan.com/watch/gnu-savannah-100-free-software-mass-hosting . It has so many advantages. Besides, it is nice that here one can find various tips. Thanks a lot.

