Advisories » MGASA-2020-0336

Updated python-rtslib packages fix security vulnerability

Publication date: 18 Aug 2020
Modification date: 18 Aug 2020
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-14019

Description

Open-iSCSI rtslib-fb through 2.1.72 has weak permissions for
/etc/target/saveconfig.json because shutil.copyfile (instead of shutil.copy) is
used and thus permissions are not preserved upon editing. An adversary with
prior access to /etc/target/saveconfig.json could access a later version,
resulting in a loss of integrity depending on their permission settings
(CVE-2020-14019).
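
The permission behaviour described above, as an added Python example (not code from rtslib-fb or from this advisory): it copies a 0600 file with shutil.copyfile and with shutil.copy, both to a new path and over an existing 0644 file, and returns the resulting mode. The file names, file contents, the umask of 022 and the helper names are constructed for the illustration.

```python
import os
import shutil
import stat
import tempfile


def dest_mode(copy_func, dest_exists_with=None, src_mode=0o600, umask=0o022):
    """Copy a src_mode file onto 'saveconfig.json' in a scratch directory
    and return the permission bits the destination ends up with."""
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            src = os.path.join(d, "saveconfig.json.temp")  # constructed name
            dst = os.path.join(d, "saveconfig.json")
            with open(src, "w") as f:
                f.write('{"constructed": "sample config"}\n')
            os.chmod(src, src_mode)
            if dest_exists_with is not None:
                # Simulate an older copy left behind with weaker permissions.
                with open(dst, "w") as f:
                    f.write("{}\n")
                os.chmod(dst, dest_exists_with)
            copy_func(src, dst)
            return stat.S_IMODE(os.stat(dst).st_mode)
    finally:
        os.umask(old_umask)


def group_or_other_access(mode):
    """Audit check: True if any group or other permission bit is set."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


if __name__ == "__main__":
    for name, fn in (("copyfile", shutil.copyfile), ("copy", shutil.copy)):
        fresh = dest_mode(fn)                         # destination did not exist
        stale = dest_mode(fn, dest_exists_with=0o644)  # destination was 0644
        print(f"shutil.{name}: new file {oct(fresh)}, "
              f"over 0644 file {oct(stale)}, "
              f"exposed={group_or_other_access(stale)}")
```

shutil.copyfile copies only the data, so a new destination gets its mode from the umask and an existing destination keeps whatever mode it already had; shutil.copy additionally applies the source file's mode to the destination.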
                

SRPMS

7/core