Monday, November 2, 2020

ESB-2020.3767 – [UNIX/Linux][Debian] junit4: Access confidential data – Existing account 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3767
                          junit4 security update
                              2 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           junit4
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-15250  

Original Bulletin: 
   https://www.debian.org/lts/security/2020/dla-2426

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running junit4 check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2426-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
November 01, 2020                             https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : junit4
Version        : 4.12-4+deb9u1
CVE ID         : CVE-2020-15250
Debian Bug     : 972231

In junit4 the test rule TemporaryFolder contains a local information
disclosure vulnerability. On Unix like systems, the system's temporary
directory is shared between all users on that system. Because of this,
when files and directories are written into this directory they are, by
default, readable by other users on that same system. This vulnerability
does not allow other users to overwrite the contents of these directories
or files. This is purely an information disclosure vulnerability. This
vulnerability impacts you if the JUnit tests write sensitive information,
like API keys or passwords, into the temporary folder, and the JUnit
tests execute in an environment where the OS has other untrusted users.

For Debian 9 stretch, this problem has been fixed in version
4.12-4+deb9u1.

We recommend that you upgrade your junit4 packages.

For the detailed security status of junit4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/junit4

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAl+e7HMACgkQhj1N8u2c
KO970w/8DmMTLdPz8rtUmFEnUZ4Gi8lAjZgvgKPkyCYxSRWpUkbBBEYtXr7DDaXZ
c4ym50U3/XBKIplEN0oxp5sEv7AdO4loHMZu0n8IBjoFiAX+V4rb8U24MNnFET+K
BQGqgVFas0m+e5deHXWpTb4pcWirMSph0NmQIhxucDm5HbGFuveU9RNnt6AuoWWv
hG6y+Qzrhs1cs5hdON8FK0BSnWTKECzziKAbhArvzhotV73ha60/QZ1SC7fYKayG
wrllMDtw4EQwvDLcwuO5Aei5VhZIuTrvkEUkvHfiUArWegevTh9tsOohxKcO21aW
Kz2J0Hin0QjPz/y3NpwbzM405qtx8YsO4qhvVGYjFZwGA3gLdeA1NatdPoSbk9Yi
Wg9V+GxvnCrASx5mAj6uLlp+B87p/r5/tDcKXi9LPoLvf5bznYowDCn6X2MpLGfh
SjQ3esxNImw70ic5x025NSRJTN2bEzip5i1XRjLQVjLLdOuh6x5Ec414H01s5aa+
53vJbuCroqGz+g1qjcEr/ynZWNhsBtC9sqzmbgXEwWkACPdluXlAtKz3e87pb+s+
p5BAOqED6m/2Buh9dDCF7UM/Hr5tuNgKi675UKDeWUiJQpWfjdYhK6PRyqkP5ZDJ
KBiPUF16wudM6W+zrPu/fjdg0NEGLq7VJ8+eNZO9tWjSg/SOgpY=
=eFH1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX59gu+NLKJtyKPYoAQjHpA/9EnN9b4EBOcryhio91CZTZnTv/nKXYQyK
0gUouseGv5I97DXi04IcbxhbflxtldO+068IvBFTfOEIf+EOVlM/hibI32KMrQPH
VbuxHi8UQW4T5BSHbUksf/c1Zjj2lkSNaej+oBUUKkU+6cteOXB8APMPM17ZQUKw
hWVEep7yJ7v+7CWLXzlac4elil34sygCq4Ts/H5yIiWUSmIDEp6eP2ONK0Jt0Aq/
VTsyioAVLmsVxYtOVJSuR7pSpB5TNZxYXLTgFbvnOJYBbYVW2gHTB9oU8XtKTVnD
BS4BqOh9kwYw1sih75Lmrp2ZM1y8qQc/fVgLGlQskpWxt8oh8DIJLkXk5qSWiEl7
QLZse4XvI8oFDm4RdrlPq4nFyEe0ClTX+pkMQewBUlR9HZAq6s7c8uYu+k18DxBB
dSOGpRiwACQMLWtZdbjpPLpbTJNOkx3mDwu9tI8TCkrNAh8jSb+hxxQaGKFBOVE5
Ejxj1WgV3AYpZCVgT0LVZrUByloZtvpIDdemgMPWViuaj660uNnXzumm2IBAqP5/
EDbF/S4s1r6jsoTrqKF/duXTMb2HoKHOyG7mq5Po9g7zwio7xc1VN1fxaq1WhKaf
6luCwMAbNPTr8pa/pNeNIJbOpuYty8Bh0q3F69d6+nwp8HwDYQQqYBRgjmnsm3fy
5xwD2c+bB1E=
=JgaJ
-----END PGP SIGNATURE-----

Read More

The post ESB-2020.3767 – [UNIX/Linux][Debian] junit4: Access confidential data – Existing account appeared first on Malware Devil.



https://malwaredevil.com/2020/11/02/esb-2020-3767-unix-linuxdebian-junit4-access-confidential-data-existing-account/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-3767-unix-linuxdebian-junit4-access-confidential-data-existing-account
at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...