From 4f2d7949f03e1c198bc888f2d05f421d35c57e21 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Mon, 9 Oct 2017 18:53:29 +0100 Subject: reinit the tree, so we can have metadata --- metadata/glsa/glsa-201412-15.xml | 61 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 metadata/glsa/glsa-201412-15.xml (limited to 'metadata/glsa/glsa-201412-15.xml') diff --git a/metadata/glsa/glsa-201412-15.xml b/metadata/glsa/glsa-201412-15.xml new file mode 100644 index 000000000000..ee8e27cc8cfc --- /dev/null +++ b/metadata/glsa/glsa-201412-15.xml @@ -0,0 +1,61 @@ + + + + MCollective: Privilege escalation + Two vulnerabilities have been found in MCollective, the worst of + which could lead to privilege escalation. + + mcollective + 2014-12-13 + 2014-12-13: 1 + 513292 + 517286 + local + + + 2.5.3 + 2.5.3 + + + +

MCollective is a framework to build server orchestration or parallel job + execution systems. +

+ + +

Two vulnerabilities have been found in MCollective:

+ +
    +
  • An untrusted search path vulnerability exists in MCollective + (CVE-2014-3248) +
    • +
  • MCollective does not properly validate server certificates + (CVE-2014-3251) +
    • +
+ + +

A local attacker can execute arbitrary a Trojan horse shared library, + potentially resulting in arbitrary code execution and privilege + escalation. Furthermore, a local attacker may be able to establish + unauthorized MCollective connections. +

+ + +

There is no known workaround at this time.

+ + +

All MCollective users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/mcollective-2.5.3" + + + + CVE-2014-3248 + CVE-2014-3251 + + K_F + ackle + -- cgit v1.2.3