From Mageia wiki

MGASA-2012-0172

Date: July 19th, 2012
Affected releases: 2


Description:
Updated busybox packages fix a security vulnerability:

The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain
options provided in DHCP server replies, such as the client hostname. A
malicious DHCP server could send such an option with a specially-crafted
value to a DHCP client. If this option's value was saved on the client
system, and then later insecurely evaluated by a process that assumes the
option is trusted, it could lead to arbitrary code execution with the
privileges of that process. Note: udhcpc is not used on Red Hat Enterprise
Linux by default, and no DHCP client script is provided with the busybox
packages (CVE-2011-2716).

Additionally, build issues with Linux kernel 3.3 have been fixed.
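
Added example, not part of the original advisory and not BusyBox or Mageia code: one way a udhcpc event script can validate a server-supplied name before saving it, so that a later consumer never sees an untrusted raw value. It assumes the value arrives in an environment variable such as $hostname or $domain; the function names are hypothetical and the sample values are constructed.

```shell
#!/bin/sh
# Added example (not BusyBox or Mageia code): allowlist check for names that
# a DHCP server supplies, for use in a udhcpc event script.
# Assumption: the value arrives in an environment variable such as $hostname
# or $domain. Function names are hypothetical.
LC_ALL=C   # make the A-Z / a-z ranges below byte-exact

# Return 0 only for an RFC 1123 style name: letters, digits, '-' and '.',
# labels of 1..63 characters, at most 253 characters in total.
is_safe_dhcp_name() {
    _val=$1
    [ -n "$_val" ] || return 1
    [ "${#_val}" -le 253 ] || return 1
    case $_val in
        *[!A-Za-z0-9.-]*) return 1 ;;              # shell metacharacters, spaces, newlines
        .*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;    # empty label, or '-' at a label edge
    esac
    _ifs=$IFS; IFS=.
    set -- $_val          # split into labels; safe, only [A-Za-z0-9.-] remains
    IFS=$_ifs
    for _label in "$@"; do
        [ "${#_label}" -le 63 ] || return 1
    done
    return 0
}

# Print a resolv.conf "search" line for a validated domain; print nothing and
# return 1 otherwise, so the caller never stores the raw value.
resolv_search_line() {
    is_safe_dhcp_name "$1" || return 1
    printf 'search %s\n' "$1"
}

# Constructed sample values, as a script might receive them.
for _sample in 'workstation-12' 'lan.example.org' 'a;b' 'two words' '-edge'; do
    if is_safe_dhcp_name "$_sample"; then
        printf 'accept: %s\n' "$_sample"
    else
        printf 'reject: %s\n' "$_sample"
    fi
done
```

The check rejects a trailing dot as well, so a fully qualified name written with a final '.' must have it stripped before validation.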


Updated Packages:
busybox-1.19.3-1.1.mga2
busybox-static-1.19.3-1.1.mga2


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2716
https://rhn.redhat.com/errata/RHSA-2012-0810.html
https://bugs.mageia.org/show_bug.cgi?id=6673