I get these advisories from RH now and then. AFAIK, you all find out this
sort of stuff way before I do anyway; is anyone interested in me
forwarding future advisories to the list? At any rate, here's
tonight's. Hope it's of some use to somebody.
Dave
-- [from RedHat, 5 May, 02, 20:17 CDT]
Security Advisory - RHSA-2002:062-08
------------------------------------------------------------------------------

Summary:

Insecure DocBook stylesheet option

DocBook is a document markup language that can be transformed into
other formats using a stylesheet. The default stylesheet provided
with Red Hat Linux has an insecure option enabled.

Description:

The default stylesheet used when converting a DocBook document to
multiple HTML files allows an untrusted document to write files
outside of the current directory. This is because element
identifiers (specified in the document) are used to form the names of
the output files. If an untrusted document uses a full pathname as an
identifier, it can cause that file to be written to -- as long as the
user performing the conversion has write access.

Updated docbook-utils packages are available that disable this
feature and enable filenames to be generated based on the type
of the element rather than its identifier.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0169 to this issue.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0169
----------------------------------------------------------------------
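
The id-to-filename behaviour the advisory describes can be checked for before a document is converted. The following is an added example, not part of the original message or of Red Hat's packages: it lists element ids that are unsafe to use as output filenames, and goes beyond full pathnames to cover relative ids containing path separators. The id-plus-".html" naming rule, the output directory and the sample document are assumptions constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample document; every id here is made up for illustration.
SAMPLE = """<book id="guide">
  <chapter id="intro"><title>Intro</title></chapter>
  <chapter id="/tmp/docbook-demo/outside"><title>Absolute</title></chapter>
  <chapter id="../../escape"><title>Relative</title></chapter>
  <chapter id="sub/page"><title>Nested</title></chapter>
</book>"""


def output_path(out_dir, element_id, suffix=".html"):
    """Model of id-based output naming (assumed rule: id + suffix)."""
    # os.path.join discards out_dir when element_id is absolute, which is
    # how a full pathname in an id ends up outside the output tree.
    return os.path.abspath(os.path.join(out_dir, element_id + suffix))


def is_contained(out_dir, path):
    """True if path stays under out_dir (lexical check, no symlink lookup)."""
    root = os.path.abspath(out_dir)
    return os.path.commonpath([root, path]) == root


def audit_ids(xml_text, out_dir):
    """Return [(id, would-be path, reason)] for ids unsafe as filenames."""
    findings = []
    # Stdlib parser keeps the example self-contained; for hostile input
    # use a hardened parser such as defusedxml.
    for elem in ET.fromstring(xml_text).iter():
        element_id = elem.get("id")
        if element_id is None:
            continue
        path = output_path(out_dir, element_id)
        if not is_contained(out_dir, path):
            findings.append((element_id, path, "escapes output directory"))
        elif "/" in element_id or os.sep in element_id:
            findings.append((element_id, path, "contains path separator"))
    return findings


if __name__ == "__main__":
    for element_id, path, reason in audit_ids(SAMPLE, "/srv/docs/out"):
        print(f"{element_id!r}: {reason} -> {path}")
```

A document that produces any finding should be rejected or converted with element-type-based filenames, as the updated packages do.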