Zero-friction vulnerability management platform

Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.

Install Now

Available for macOS, Windows, and Linux

App screenshot

CentOS Update for dbus CESA-2012:1261 centos6

Information

Severity

Severity

Medium

Family

Family

CentOS Local Security Checks

CVSSv2 Base

CVSSv2 Base

6.9

CVSSv2 Vector

CVSSv2 Vector

AV:L/AC:M/Au:N/C:C/I:C/A:C

Solution Type

Solution Type

Vendor Patch

Created

Created

9 years ago

Modified

Modified

3 years ago

Summary

The remote host is missing an update for the 'dbus' package(s) announced via the referenced advisory.

Insight

Insight

D-Bus is a system for sending messages between applications. It is used for the system-wide message bus service and as a per-user-login-session messaging facility. It was discovered that the D-Bus library honored environment settings even when running with elevated privileges. A local attacker could possibly use this flaw to escalate their privileges, by setting specific environment variables before running a setuid or setgid application linked against the D-Bus library (libdbus). (CVE-2012-3524) Note: With this update, libdbus ignores environment variables when used by setuid or setgid applications. The environment is not ignored when an application gains privileges via file system capabilities. However, no application shipped in Red Hat Enterprise Linux 6 gains privileges via file system capabilities. Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for reporting this issue. All users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all running instances of dbus-daemon and all running applications using the libdbus library must be restarted, or the system rebooted.

Affected Software

Affected Software

dbus on CentOS 6

Solution

Solution

Please install the updated packages.

Common Vulnerabilities and Exposures (CVE)