TITLE:
SUSE update for yast2-backup

SECUNIA ADVISORY ID:
SA32832

VERIFY ADVISORY:
http://secunia.com/advisories/32832/

CRITICAL:
Less critical

IMPACT:
Privilege escalation

WHERE:
Local system

OPERATING SYSTEM:
openSUSE 10.2
http://secunia.com/advisories/product/13375/
openSUSE 10.3
http://secunia.com/advisories/product/16124/
openSUSE 11.0
http://secunia.com/advisories/product/19180/
SuSE Linux Enterprise Server 8
http://secunia.com/advisories/product/1171/
SUSE Linux Enterprise Server 9
http://secunia.com/advisories/product/4118/
SUSE Linux Enterprise Server 10
http://secunia.com/advisories/product/12192/

SOFTWARE:
Novell Open Enterprise Server 1.x
http://secunia.com/advisories/product/4664/

DESCRIPTION:
SUSE has issued an update for yast2-backup. This fixes a security
issue, which can be exploited by malicious, local users to gain
escalated privileges.

The security issue is caused due to yast2-backup not properly
sanitising filenames, which can be exploited to inject arbitrary shell
commands via specially crafted filenames.

SOLUTION:
Apply updated packages.

Platform Independent:

openSUSE 11.0:
http://download.opensuse.org/pub/opensuse/update/11.0/rpm/noarch/yast2-backup-2.16.6-0.1.noarch.rpm

openSUSE 10.3:
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/yast2-backup-2.15.7-0.1.noarch.rpm

openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/noarch/yast2-backup-2.14.2-0.1.noarch.rpm

Sources:

openSUSE 11.0:
http://download.opensuse.org/pub/opensuse/update/11.0/rpm/src/yast2-backup-2.16.6-0.1.src.rpm

openSUSE 10.3:
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/yast2-backup-2.15.7-0.1.src.rpm

openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/yast2-backup-2.14.2-0.1.src.rpm

Open Enterprise Server
http://download.novell.com/index.jsp?search=Search&keywords=9b5088ff155f0ef71eeac627566a4ebe

Novell Linux POS 9
http://download.novell.com/index.jsp?search=Search&keywords=9b5088ff155f0ef71eeac627566a4ebe

Novell Linux Desktop 9
http://download.novell.com/index.jsp?search=Search&keywords=9b5088ff155f0ef71eeac627566a4ebe

SUSE SLES 9
http://download.novell.com/index.jsp?search=Search&keywords=9b5088ff155f0ef71eeac627566a4ebe

SuSE Linux Enterprise Server 8
http://download.novell.com/index.jsp?search=Search&keywords=83466dc61c7874dbb83c7035c8f3fed2

SUSE Linux Enterprise Server 10 SP1
http://download.novell.com/index.jsp?search=Search&keywords=873b8cb0771c68aded76518d4b12c766

SUSE Linux Enterprise Desktop 10 SP1
http://download.novell.com/index.jsp?search=Search&keywords=873b8cb0771c68aded76518d4b12c766

SUSE Linux Enterprise Server 10 SP2
http://download.novell.com/index.jsp?search=Search&keywords=388de739f171e7e9754618a1fee7894e

SUSE Linux Enterprise Desktop 10 SP2
http://download.novell.com/index.jsp?search=Search&keywords=388de739f171e7e9754618a1fee7894e

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
SUSE-SA:2008:054
http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00003.html

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------
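
The flaw class named under DESCRIPTION, as an added example that is not part of the Secunia advisory and is not yast2-backup's code: it contrasts splicing a filename into a shell command string with passing it as one quoted argument. The function names, the tar invocation and the sample filename are constructed for illustration.

```shell
#!/bin/sh
# Added example, not yast2-backup code. Names and sample filename are constructed.

# UNSAFE pattern: the filename is spliced into a command string that a
# shell parses again, so metacharacters in the name become shell syntax.
archive_unsafe() {   # $1 = archive path, $2 = filename read from disk
    sh -c "tar -cf $1 $2" >/dev/null 2>&1
}

# HARDENED pattern: the filename stays a single argv element. Quoting the
# expansion prevents re-parsing, and "--" stops a leading "-" in a name
# from being read as a tar option.
archive_safe() {     # $1 = archive path, $2 = filename read from disk
    tar -cf "$1" -- "$2"
}

# Run one archiver on a constructed hostile filename inside a scratch
# directory. Prints "injected" if the text after ';' ran as a command,
# "clean" if the whole name was treated as data.
try_archiver() {     # $1 = archive_unsafe | archive_safe
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        name='notes.txt; touch MARKER'    # constructed filename
        : > "$name"
        "$1" out.tar "$name" || true
        if [ -e MARKER ]; then echo injected; else echo clean; fi
    )
    rm -rf "$work"
}

# Show that the hardened path stores the odd name verbatim in the archive.
safe_members() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        : > 'notes.txt; touch MARKER'
        archive_safe out.tar 'notes.txt; touch MARKER' && tar -tf out.tar
    )
    rm -rf "$work"
}

echo "unsafe: $(try_archiver archive_unsafe)"
echo "safe:   $(try_archiver archive_safe)"
echo "stored: $(safe_members)"
```

When the backup tool runs as root and the filename comes from a directory a local user can write to, the unsafe form is what turns a file name into the privilege escalation the advisory describes.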