Bug#883247: CVE-2017-16933: icinga2: root privilege escalation via prepare-dirs

Fri, 01 Dec 2017 01:54:38 -0800 

Package: icinga2
Version: None
X-Debbugs-CC: t...@security.debian.org 
secure-testing-t...@lists.alioth.debian.org
Severity: grave
Tags: security

Hi,

the following vulnerability was published for icinga2.

CVE-2017-16933:
| etc/initsystem/prepare-dirs in Icinga 2.x through 2.8.0 has a chown
| call for a filename in a user-writable directory, which allows local
| users to gain privileges by leveraging access to the $ICINGA2_USER
| account for creation of a link.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

https://security-tracker.debian.org/tracker/CVE-2017-16933
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16933
https://github.com/Icinga/icinga2/issues/5793

Please adjust the affected versions in the BTS as needed.

-- 
Henri Salo

Attachment: signature.asc
Description: PGP signature

Reply via email to