Bugzilla – Bug 97193
VUL-0: CVE-2005-2231: heartbeat insecure temporary files
Last modified: 2021-10-17 14:57:05 UTC
We received the following report via full-disclosure. The issue is public. The CAN number links to http://secunia.com/advisories/16039

To determine whether this needs to be patched in released products we need to know whether those insecure tmp files are created at predictable times, e.g. by automatically running scripts or only interactively.

Do you know whether the fixes went upstream?

Date: Tue, 19 Jul 2005 07:59:53 +0200 (CEST)
From: Martin Schulze <joey@infodrom.org>
To: Debian Security Announcements <debian-security-announce@lists.debian.org>
Cc:
Subject: [Full-disclosure] [SECURITY] [DSA 761-1] New heartbeat packages fix insecure temporary files
User-Agent: dsa-launch $Revision: 1.18 $
Resent-From: list@murphy.debian.org (Mailing List Manager)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 761-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
July 19th, 2005                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : heartbeat
Vulnerability  : insecure temporary files
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2005-2231

Eric Romang discovered several insecure temporary file creations in heartbeat, the subsystem for High-Availability Linux.

[...]

They are only created interactively when the test harness is run, which is not a common operation. The fixes have been submitted upstream and will likely be merged quickly, and I'll prepare updated packages soon. Can't say whether I can manage to do so during Kernel Summit / OLS yet, though.
Well, in this case there is no need to release security updates. Fix for 10.0 is sufficient.
Is it fixed in 10.0?
Yes, it's fixed in STABLE.
CVE-2005-2231: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)