[SECURITY] Fedora 9 Update: libHX-1.23-1.fc9

updates at fedoraproject.org updates at fedoraproject.org
Thu Sep 11 17:17:03 UTC 2008


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2008-7976
2008-09-11 11:07:05
--------------------------------------------------------------------------------

Name        : libHX
Product     : Fedora 9
Version     : 1.23
Release     : 1.fc9
URL         : http://jengelh.hopto.org/files/libHX/
Summary     : General-purpose library for typical low-level operations
Description :
A library for:
- rbtree with key-value pair extension
- deques (double-ended queues) (Stacks (LIFO) / Queues (FIFOs))
- platform independent opendir-style directory access
- platform independent dlopen-style shared library access
- auto-storage strings with direct access
- command line option (argv) parser
- shconfig-style config file parser
- platform independent random number generator with transparent
  /dev/urandom support
- various string, memory and zvec ops

--------------------------------------------------------------------------------
Update Information:

A security flaw in the pam_mount's handling of user defined volumes using the
'luserconf' option has been fixed in this update. The vulnerability allowed
users to arbitrarily mount filesystems at arbitrary locations.    More details
about this vulnerability can be found in the announcement message sent to the
pam-mount-user mailinglist at SourceForge: http://sourceforge.net/mailarchive/me
ssage.php?msg_name=alpine.LNX.1.10.0809042353120.17569%40fbirervta.pbzchgretzou.
qr    Upstream changelog (excluding the git shortlog) for versions 0.43-0.47:
- mount.crypt: fix option slurping (SF bug #2054323)  - properly handle simple
sgrp config items (Debian bug #493497)  - src: correct error check in run_lsof()
- conf: check that slash follows home tilde  - conf: wildcard inadvertently
matched root sometimes  - fix double-freeing the authentication token  - use ofl
instead of lsof/fuser  - kill-on-logout support (terminate processes that would
stand in the    way of unmounting)  - mount.crypt: auto-detect necessity for
running losetup  - mount.crypt: add missing null command to conform to sh syntax
(SF bug #2089446)  - conf: fix printing of strings when luser volume options
were not ok  - conf: re-add luserconf security checks  - add support for encfs
1.3.x (1.4.x already has been in for long)  - conf: add the "noroot" attribute
for <volume> to force mounting with    the unprivileged user account (required
for FUSE filesystems)  - replace fixed-size buffers and arrays with dynamic ones
(complete)    Note: This update also introduces a new version of libHX, which is
required by updated pam_mount.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Sep  5 2008 Till Maas <opensource at till.name> - 1.23-1
- Update to latest version
* Wed Jun 11 2008 Till Maas <opensource till name> - 1.18-2
- Set variable V for make: displays full compiler commandline
* Wed Jun 11 2008 Till Maas <opensource till name> - 1.18-1
- Update to latest version
* Tue May 27 2008 Till Maas <opensource till name> - 1.17-1
- Update to latest version
* Mon May  5 2008 Till Maas <opensource till name> - 1.15-1
- Update to latest version
- Update description
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #461464 - pam_mount: missing luserconf security checks
        https://bugzilla.redhat.com/show_bug.cgi?id=461464
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update libHX' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------




More information about the Fedora-package-announce mailing list