Detections
Analytics

OracleVM 3.2 : rpm (OVMSA-2016-0077)

high Nessus Plugin ID 91753

Language:

Synopsis

The remote OracleVM host is missing one or more security updates.

Description

The remote OracleVM system is missing necessary patches to address critical security updates :

 - Add missing files in /usr/share/doc/

 - Fix warning when applying the patch for #1163057

 - Fix race condidition where unchecked data is exposed in the file system (CVE-2013-6435)(#1163057)

 - Fix segfault on rpmdb addition when header unload fails (#706935)

 - Fix segfault on invalid OpenPGP packet (#743203)

 - Account for excludes and hardlinks wrt payload max size (#716853)

 - Fix payload size tag generation on big-endian systems (#648516)

 - Track all install failures within a transaction (#671194)

 - fix changelog (bug #707677 is actually #808547)

 - Document -D and -E options in man page (#814602)

 - Require matching arch for freshen on colored transactions (#813282)

 - Add DWARF 3 and 4 support to debugedit (#808547)

 - No longer add \n to group tag in Python bindings (#783451)

 - Fix typos in Japanese rpm man page (#760552)

 - Bump Geode compatibility up to i686 (#620570)

 - Proper region tag validation on package/header read (CVE-2012-0060)

 - Double-check region size against header size (CVE-2012-0061)

 - Validate negated offsets too in headerVerifyInfo (CVE-2012-0815)

 - Revert fix for #740291, too many packages rely on the broken behavior

 - Add support for XZ-compressed sources and patches to rpmbuild (#620674)

 - Avoid unnecessary assert-death when closing NULL fd (#573043)

 - Add scriptlet error notification callbacks (#533831)

 - Honor --noscripts for pre- and posttrans scriptlets too (#740345)

 - Avoid bogus error on printing empty ds from python (#628883)

 - File conflicts correctness & consistency fixes (#740291)

 - Create the directory used for transaction lock if necessary (#510469)

 - Only enforce default umask during transaction (#673821)

 - fix thinko in the CVE backport

 - fix CVE-2011-3378 (#742157)

 - accept windows cr/lf line endings in gpg keys (#530212)

 - Backport multilib ordering fixes from rpm 4.8.x (#641892)

Solution

Update the affected packages.

See Also

https://oss.oracle.com/pipermail/oraclevm-errata/2016-June/000492.html

Plugin Details

Severity: High

ID: 91753

File Name: oraclevm_OVMSA-2016-0077.nasl

Version: 2.6

Type: local

Published: 6/22/2016

Updated: 1/4/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:popt, p-cpe:/a:oracle:vm:rpm, p-cpe:/a:oracle:vm:rpm-libs, p-cpe:/a:oracle:vm:rpm-python, cpe:/o:oracle:vm_server:3.2

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 6/21/2016

Vulnerability Publication Date: 12/24/2011

Reference Information

CVE: CVE-2011-3378, CVE-2012-0060, CVE-2012-0061, CVE-2012-0815, CVE-2013-6435

BID: 49799, 52865, 71558