* Stefano Lattarini (stefano.lattar...@gmail.com) wrote:
> This message announces the Automake 1.11.6 bug-fixing release.
> 
> This release FIXES A SECURITY VULNERABILITY (CVE-2012-3386), so you are
> strongly encouraged to upgrade your existing Automake installation ASAP.
> 
> With this release, the recipe of the 'distcheck' target no longer grants
> temporary world-wide write permissions on the extracted distdir.  Even if
> such rights were only granted for a vanishingly small time window, the
> implied race condition proved to be enough to allow a local attacker to
> run arbitrary code with the privileges of the user running "make distcheck".
> 
> The fix of this security vulnerability is the only change between the
> earlier 1.11.5 release and the present 1.11.6 one.
> 
> Download the fixed release here:
> 
>   ftp://ftp.gnu.org/gnu/automake/automake-1.11.6.tar.gz
>   ftp://ftp.gnu.org/gnu/automake/automake-1.11.6.tar.xz
> 
> Please report bugs and problems to <bug-autom...@gnu.org>, and send
> general comments and feedback to <automake@gnu.org>.
> 
> Thanks to everyone who has reported problems, contributed patches,
> and helped testing Automake!

Are older versions of automake also vulnerable?

-- 
Eric Dorland <e...@kuroneko.ca>
ICQ: #61138586, Jabber: ho...@jabber.com
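
The following check flags make recipes that give users other than the owner write access to $(distdir), the condition the announcement describes. It is an added example, not code from Automake or from this thread. The function names and both sample recipe fragments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Automake code): find chmod commands in makefiles that
# grant "other"/"all" write permission on $(distdir).

# scan_distdir_chmod FILE...
# Prints "file:line:text" for every recipe line containing a chmod whose
# mode is either symbolic with o/a and +w or =w (a+w, o+w, go=rw, ...) or
# octal with the world-write bit set (777, 0666, ...), applied to
# $(distdir) or ${distdir}. Exit status 0 means at least one finding.
# Limitation: comma-separated modes (u+w,o+w) and chmod calls where
# $(distdir) appears before the mode (e.g. via find -exec) are not matched.
scan_distdir_chmod() {
    sym='[ugoa]*[ao][ugoa]*[+=][rxXst]*w'
    oct='[0-7]?[0-7][0-7][2367]'
    # /dev/null forces grep to print file names even for a single file.
    grep -nE "chmod[[:space:]]+(-[A-Za-z]+[[:space:]]+)*(($sym)|($oct))[^;]*\\\$[({]distdir[)}]" \
        "$@" /dev/null
}

# write_samples DIR
# Creates two constructed fragments: one that briefly opens the directory
# to everyone, one that only restores the owner's write bit.
write_samples() {
    printf 'distcheck: dist\n\tchmod -R a-w $(distdir); chmod a+w $(distdir)\n\tmkdir $(distdir)/_build\n' \
        > "$1/world_writable.mk"
    printf 'distcheck: dist\n\tchmod -R a-w $(distdir); chmod u+w $(distdir)\n\tmkdir $(distdir)/_build\n' \
        > "$1/owner_only.mk"
}

# Scan the files named on the command line, if any.
if [ "$#" -gt 0 ]; then
    scan_distdir_chmod "$@"
fi
```

Run it over the generated files of a source tree, for example `sh check.sh $(find . -name Makefile.in)`; `check.sh` is a placeholder name for wherever the script is saved.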
