ALAS-2013-250


Amazon Linux 1 Security Advisory: ALAS-2013-250
Advisory Release Date: 2013-12-02 20:28 Pacific
Advisory Updated Date: 2014-09-16 21:55 Pacific
Severity: Low

Issue Overview:

Multiple flaws were found in the way Augeas handled configuration files when updating them. An application using Augeas to update configuration files in a directory that is writable by a different user (for example, an application running as root that is updating files in a directory owned by a non-root service user) could have been tricked into overwriting arbitrary files or leaking information via a symbolic link or mount point attack. (CVE-2012-0786, CVE-2012-0787)
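
The symbolic link case described above, as an added example that is not Augeas code and not the fix shipped in these packages: a plain open-and-write update follows a link planted in the service-owned directory, while a descriptor-relative create-and-rename does not. The function names, file names and directory layout are hypothetical, and mount point attacks are not covered.

```python
import os
import secrets
import tempfile

def naive_update(path, data):
    # Weak pattern: open() follows a symlink planted at `path`, so a
    # privileged writer truncates and rewrites whatever the link targets.
    with open(path, "wb") as f:
        f.write(data)

def safe_update(dirpath, name, data, mode=0o644):
    # Pin the directory with a descriptor; O_NOFOLLOW rejects a symlink as the
    # final path component (parent components must be trusted separately).
    dfd = os.open(dirpath, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    tmp = f".{name}.{secrets.token_hex(8)}.tmp"
    try:
        # O_EXCL refuses any pre-existing entry, including a planted symlink.
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW,
                     mode, dir_fd=dfd)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        # rename() swaps the directory entry: a symlink at `name` is replaced
        # itself, its target is never opened.
        os.rename(tmp, name, src_dir_fd=dfd, dst_dir_fd=dfd)
    finally:
        os.close(dfd)

def demo():
    # Constructed scenario: "victim" stands in for a root-owned file and
    # "service" for a directory writable by a less-privileged user.
    out = {}
    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, "victim")
        confdir = os.path.join(root, "service")
        os.mkdir(confdir)
        for label in ("naive", "safe"):
            conf = os.path.join(confdir, label + ".conf")
            with open(victim, "wb") as f:
                f.write(b"original")
            os.symlink(victim, conf)  # link planted where the config is expected
            if label == "naive":
                naive_update(conf, b"key=value\n")
            else:
                safe_update(confdir, label + ".conf", b"key=value\n")
            with open(victim, "rb") as f:
                out[label] = (f.read(), os.path.islink(conf))
    return out
```

`demo()` returns, for each update style, the victim file's contents after the update and whether the configuration path is still a symlink.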


Affected Packages:

augeas


Issue Correction:
Run yum update augeas to update your system.

New Packages:
i686:
    augeas-libs-1.0.0-5.5.amzn1.i686
    augeas-debuginfo-1.0.0-5.5.amzn1.i686
    augeas-1.0.0-5.5.amzn1.i686
    augeas-devel-1.0.0-5.5.amzn1.i686

src:
    augeas-1.0.0-5.5.amzn1.src

x86_64:
    augeas-devel-1.0.0-5.5.amzn1.x86_64
    augeas-1.0.0-5.5.amzn1.x86_64
    augeas-debuginfo-1.0.0-5.5.amzn1.x86_64
    augeas-libs-1.0.0-5.5.amzn1.x86_64