MGASA-2016-0354

Source
https://advisories.mageia.org/MGASA-2016-0354.html
Import Source
https://advisories.mageia.org/MGASA-2016-0354.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2016-0354
Related
Published
2016-10-23T10:32:38Z
Modified
2016-10-23T10:18:13Z
Summary
Updated guile packages fix security vulnerability
Details

The ‘mkdir’ procedure of GNU Guile, an implementation of the Scheme programming language, temporarily changed the process's umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions (CVE-2016-8605).
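The race described above is easy to reproduce in any language, because umask(2) is a per-process setting rather than a per-thread one. The following Python program is an added illustration, not Guile's code: `vulnerable_mkdir` mirrors the pattern the advisory describes (zero the umask, create the directory, restore the umask) and `safe_mkdir` simply passes the mode to mkdir(2) and lets the umask apply. Two `threading.Event` handshakes hold the window open so that a second thread deterministically creates a file during it; the names, the 0o755/0o666 modes and the scratch files are all constructed for the demonstration.

```python
import os
import stat
import tempfile
import threading

# Constructed demonstration, not Guile's code: `vulnerable_mkdir` mirrors the
# pre-2.0.13 pattern of zeroing the process-wide umask around mkdir, while
# `safe_mkdir` leaves the umask alone. threading.Event handshakes hold the
# race window open so the effect is observed reliably rather than by luck.


def vulnerable_mkdir(path, mode, in_window, leave_window):
    """Unsafe pattern: clear the umask so `mode` is applied exactly."""
    saved = os.umask(0)  # umask is per process, so every thread sees 0 now
    try:
        os.mkdir(path, mode)
        in_window.set()  # other threads keep running while the umask is 0
        leave_window.wait()
    finally:
        os.umask(saved)
        in_window.set()  # no-op normally; avoids a hang if mkdir failed


def safe_mkdir(path, mode, in_window, leave_window):
    """Fixed pattern: pass the mode to mkdir(2) and let the umask apply."""
    os.mkdir(path, mode)  # resulting mode is mode & ~umask, as for any mkdir
    in_window.set()
    leave_window.wait()


def bystander_creates_file(path, in_window, leave_window):
    """An unrelated thread creating a file with the usual 0o666 request."""
    in_window.wait()  # run exactly while the mkdir thread is inside its window
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    os.close(fd)
    leave_window.set()


def observed_file_mode(mkdir_impl, umask_value=0o022):
    """Run mkdir_impl concurrently with a file creation in a scratch directory
    and return the permission bits the bystander's file ended up with."""
    saved = os.umask(umask_value)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            dirpath = os.path.join(tmp, "newdir")
            filepath = os.path.join(tmp, "bystander.txt")
            in_window, leave_window = threading.Event(), threading.Event()
            t_mkdir = threading.Thread(
                target=mkdir_impl, args=(dirpath, 0o755, in_window, leave_window))
            t_file = threading.Thread(
                target=bystander_creates_file,
                args=(filepath, in_window, leave_window))
            t_mkdir.start()
            t_file.start()
            t_mkdir.join()
            t_file.join()
            return stat.S_IMODE(os.stat(filepath).st_mode)
    finally:
        os.umask(saved)


if __name__ == "__main__":
    print("vulnerable mkdir: bystander file mode %o" % observed_file_mode(vulnerable_mkdir))
    print("safe mkdir:       bystander file mode %o" % observed_file_mode(safe_mkdir))
```

With a umask of 0o022, the bystander's file comes out world-writable (0o666) under `vulnerable_mkdir` and 0o644 under `safe_mkdir`. The general lesson is that any library routine which flips a process-wide setting around a system call (umask, current directory, signal mask) silently changes the behaviour of every other thread for the duration; the fix is to express the intent in the system call's own arguments instead.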

GNU Guile, an implementation of the Scheme language, provides a “REPL server” which is a command prompt that developers can connect to for live coding and debugging purposes. The REPL server is vulnerable to the HTTP inter-protocol attack. This constitutes a remote code execution vulnerability for developers running a REPL server that listens on a loopback device or private network (CVE-2016-8606).
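An inter-protocol attack works because a line-oriented service tolerates garbage: the HTTP request line and headers a browser sends are each rejected as malformed input, while the request body that follows is read and evaluated like any other line. The defensive measure is therefore to recognise an HTTP request line as the first thing a client sends and end the session before anything is evaluated. The program below is an added example, not Guile's REPL server code; its `evaluate` is a deliberately tiny stand-in that only sums integers, and the sample sessions are constructed.

```python
import re

# Constructed example, not Guile's REPL server code: a line-oriented evaluator
# service that closes the session when the first line it receives is an HTTP
# request line, which is what arrives when a browser is steered at the port.
# `evaluate` is a deliberately tiny stand-in (integer addition only).

# Method token, request target, HTTP version: e.g. "GET / HTTP/1.1"
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/\d\.\d\r?\n?$")

# Stand-in for the real language: "(+ 1 2 3)" with integer operands only.
SUM_FORM = re.compile(rb"^\(\+((?:\s+-?\d+)+)\s*\)$")


def looks_like_http_request(first_line: bytes) -> bool:
    """True when a client's opening line is an HTTP request line."""
    return HTTP_REQUEST_LINE.match(first_line) is not None


def evaluate(line: bytes) -> bytes:
    """Toy evaluator: sums the integers of a (+ ...) form, else reports an error."""
    m = SUM_FORM.match(line)
    if m is None:
        return b"error: unsupported form"
    return str(sum(int(tok) for tok in m.group(1).split())).encode()


def serve_session(lines_in):
    """Process one client's input (an iterable of byte lines, as read from a
    socket). Returns (status, outputs). An HTTP-looking opener aborts the
    session before any line is evaluated, headers and body included."""
    lines = iter(lines_in)
    first = next(lines, b"")
    if looks_like_http_request(first):
        return "rejected-http", []
    outputs = []
    for line in (first, *lines):
        line = line.strip()
        if line:
            outputs.append(evaluate(line))
    return "ok", outputs


if __name__ == "__main__":
    # Constructed inputs: a browser-originated POST whose body carries a form,
    # and a genuine developer session typed at the prompt.
    browser = [b"POST / HTTP/1.1\r\n", b"Host: localhost\r\n",
               b"Content-Length: 7\r\n", b"\r\n", b"(+ 1 2)"]
    developer = [b"(+ 1 2)\n", b"(+ 10 -3 5)\n"]
    print(serve_session(browser))    # ('rejected-http', [])
    print(serve_session(developer))  # ('ok', [b'3', b'12'])
```

The check is cheap and has no effect on legitimate clients, since no REPL input begins with an HTTP request line. It is a mitigation for one delivery vector rather than authentication: a REPL that evaluates arbitrary code should still listen only where every process able to reach the socket is trusted.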

The guile package has been updated to version 2.0.13, fixing these issues and other bugs. See the upstream release announcements for details.

References
Credits

Affected packages

Mageia:5 / guile

Package

Name
guile
Purl
pkg:rpm/mageia/guile?arch=source&distro=mageia-5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.0.13-1.mga5

Ecosystem specific

{
    "section": "core"
}