Savane - News: New Savane release fixes symlink attack and privilege escalation

 
 

New Savane release fixes symlink attack and privilege escalation

Item posted by Sylvain Beucler <beuc> on Wed 02 Dec 2009 10:24:18 PM UTC.

Sylvain Beucler discovered that Savane, a 100% free software hosting platform, is vulnerable to a symlink attack on ~/.ssh user directories that may allow the attacker to gain access to other user accounts.

We forwarded the patch to gforge, which was also vulnerable, where it was identified as Debian-assigned CVE-2009-3304, disclosed today.

We recommend that you upgrade your Savane installation to the new version 3.0+3.
The new version contains only this fix, and so does not otherwise change Savane's behavior.
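
The class of bug described above, shown from the defensive side as an added example (this is not Savane's or gforge's patch). It assumes a privileged backend that installs SSH keys into user-writable home directories on Linux; `install_authorized_keys` is a hypothetical name.

```python
import os

def install_authorized_keys(home, keys, uid, gid):
    """Write `keys` (bytes) to <home>/.ssh/authorized_keys without ever
    following a symlink planted inside the user-writable home directory."""
    home_fd = os.open(home, os.O_RDONLY | os.O_DIRECTORY)
    ssh_fd = -1
    try:
        try:
            os.mkdir(".ssh", 0o700, dir_fd=home_fd)
        except FileExistsError:
            pass
        # O_NOFOLLOW: open() raises OSError if .ssh itself is a symlink.
        ssh_fd = os.open(".ssh", os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                         dir_fd=home_fd)
        if os.fstat(ssh_fd).st_uid not in (uid, os.geteuid()):
            raise PermissionError(".ssh is owned by an unexpected user")
        os.fchown(ssh_fd, uid, gid)
        # O_EXCL refuses any existing name, symlinks included.
        tmp = "authorized_keys.new.%d" % os.getpid()
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW,
                     0o600, dir_fd=ssh_fd)
        with os.fdopen(fd, "wb") as f:
            f.write(keys)
            f.flush()
            os.fchown(f.fileno(), uid, gid)
        # rename() replaces the destination name itself, never its link target.
        os.rename(tmp, "authorized_keys", src_dir_fd=ssh_fd, dst_dir_fd=ssh_fd)
    finally:
        if ssh_fd >= 0:
            os.close(ssh_fd)
        os.close(home_fd)

if __name__ == "__main__":
    import tempfile
    # Constructed stand-in for a home directory whose .ssh is a symlink.
    with tempfile.TemporaryDirectory() as home:
        os.symlink("/nonexistent", os.path.join(home, ".ssh"))
        try:
            install_authorized_keys(home, b"ssh-ed25519 AAAA constructed\n",
                                    os.getuid(), os.getgid())
        except OSError as exc:
            print("refused:", exc)
```

Doing the write after switching to the target user's uid removes the remaining exposure of working as root inside a user-writable directory.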

Comments:

Message: 300
Thanks (posted by alex1, Thu 30 Dec 2010 06:42:36 PM UTC)

Thanks for information. I've just started using this platform. I was convinced by this video: http://www.tubesfan.com/watch/gnu-savannah-100-free-software-mass-hosting . It has so many advantages. Besides, it is nice that here one can find various tips. Thanks a lot.



Powered by Savane 3.1-cleanup