Security update for guile SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:2645-1 Final 1 1 2016-10-26T09:08:11Z current 2016-10-26T09:08:11Z 2016-10-26T09:08:11Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for guile This update for guile fixes the following issues: - CVE-2016-8606: REPL server vulnerable to HTTP inter-protocol attacks (bsc#1004226). - CVE-2016-8605: Thread-unsafe umask modification (bsc#1004221). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-updates/2016-10/msg00098.html E-Mail link for openSUSE-SU-2016:2645-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE 13.2 guile-2.0.11-3.3.1 guile-debuginfo-2.0.11-3.3.1 guile-debugsource-2.0.11-3.3.1 guile-devel-2.0.11-3.3.1 guile-modules-2_0-2.0.11-3.3.1 libguile-2_0-22-2.0.11-3.3.1 libguile-2_0-22-debuginfo-2.0.11-3.3.1 libguilereadline-v-18-18-2.0.11-3.3.1 libguilereadline-v-18-18-debuginfo-2.0.11-3.3.1 guile-2.0.11-3.3.1 as a component of openSUSE 13.2 guile-debuginfo-2.0.11-3.3.1 as a component of openSUSE 13.2 guile-debugsource-2.0.11-3.3.1 as a component of openSUSE 13.2 guile-devel-2.0.11-3.3.1 as a component of openSUSE 13.2 guile-modules-2_0-2.0.11-3.3.1 as a component of openSUSE 13.2 libguile-2_0-22-2.0.11-3.3.1 as a component of openSUSE 13.2 libguile-2_0-22-debuginfo-2.0.11-3.3.1 as a component of openSUSE 13.2 libguilereadline-v-18-18-2.0.11-3.3.1 as a component of openSUSE 13.2 libguilereadline-v-18-18-debuginfo-2.0.11-3.3.1 as a component of openSUSE 13.2 The mkdir procedure of GNU Guile temporarily changed the process' umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions. For example, mkdir without the optional mode argument would create directories as 0777. This is fixed in Guile 2.0.13. Prior versions are affected. CVE-2016-8605 openSUSE 13.2:guile-2.0.11-3.3.1 openSUSE 13.2:guile-debuginfo-2.0.11-3.3.1 openSUSE 13.2:guile-debugsource-2.0.11-3.3.1 openSUSE 13.2:guile-devel-2.0.11-3.3.1 openSUSE 13.2:guile-modules-2_0-2.0.11-3.3.1 openSUSE 13.2:libguile-2_0-22-2.0.11-3.3.1 openSUSE 13.2:libguile-2_0-22-debuginfo-2.0.11-3.3.1 openSUSE 13.2:libguilereadline-v-18-18-2.0.11-3.3.1 openSUSE 13.2:libguilereadline-v-18-18-debuginfo-2.0.11-3.3.1 low 3.2 AV:L/AC:L/Au:S/C:P/I:P/A:N Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-10/msg00098.html https://www.suse.com/security/cve/CVE-2016-8605.html CVE-2016-8605 https://bugzilla.suse.com/1004221 SUSE Bug 1004221 The REPL server (--listen) in GNU Guile 2.0.12 allows an attacker to execute arbitrary code via an HTTP inter-protocol attack. CVE-2016-8606 openSUSE 13.2:guile-2.0.11-3.3.1 openSUSE 13.2:guile-debuginfo-2.0.11-3.3.1 openSUSE 13.2:guile-debugsource-2.0.11-3.3.1 openSUSE 13.2:guile-devel-2.0.11-3.3.1 openSUSE 13.2:guile-modules-2_0-2.0.11-3.3.1 openSUSE 13.2:libguile-2_0-22-2.0.11-3.3.1 openSUSE 13.2:libguile-2_0-22-debuginfo-2.0.11-3.3.1 openSUSE 13.2:libguilereadline-v-18-18-2.0.11-3.3.1 openSUSE 13.2:libguilereadline-v-18-18-debuginfo-2.0.11-3.3.1 low 3.2 AV:A/AC:H/Au:N/C:P/I:P/A:N Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-10/msg00098.html https://www.suse.com/security/cve/CVE-2016-8606.html CVE-2016-8606 https://bugzilla.suse.com/1004226 SUSE Bug 1004226