On Mon, Dec 07, 2009 at 08:56:07AM +0100, Stefan Hornburg (Racke) wrote:
> >CVE-2009-3736[0]:
> >| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
> >| attempts to open a .la file in the current working directory, which
> >| allows local users to gain privileges via a Trojan horse file.

> >Note that this problem also affects etch and lenny, so if your package
> >is affected, please coordinate with the security team to release the
> >DSA for the affected packages.

> >If you fix the vulnerability please also make sure to include the
> >CVE id in your changelog entry.

> Is there a patch available for the vulnerability?

The patch is to not use embedded copies of libltdl, we have a system libltdl
that all packages should be using.

It appears that courier-authlib is already doing this.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org

Attachment: signature.asc
Description: Digital signature

Reply via email to