[SECURITY] Fedora 14 Update: udev-161-7.fc14

updates at fedoraproject.org updates at fedoraproject.org
Wed Nov 24 22:38:33 UTC 2010 

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-17930
2010-11-19 21:53:42
--------------------------------------------------------------------------------

Name        : udev
Product     : Fedora 14
Version     : 161
Release     : 7.fc14
URL         : http://www.kernel.org/pub/linux/utils/kernel/hotplug/udev.html
Summary     : A rule-based device node and kernel event manager
Description :
udev is a collection of tools and a daemon to manage events received
from the kernel and deal with them in user-space. Primarily this
involves managing permissions, and creating and removing meaningful
symlinks to device nodes in /dev when hardware is discovered or
removed from the system.

--------------------------------------------------------------------------------
Update Information:

It was discovered that /dev/systty device file created by dracut-generated initramfs scripts used an insecure file permissions.  This could possibly allow local user to snoop on other user's terminal.

Updated dracut no longer creates this file as device file, rather creates it a symbolic link to tty0 device file.  However, for this change to take effect, user needs to re-generate initramfs (any initramfs for all kernels that are going to be booted in the future) using updated dracut version and reboot the system.

This update also provides updated udev packages that replace systty device file with a symlink on udev package upgrade and each udev start.  This provides a work-around fix for users that fail to regenerate their initramfs and reboot as described above.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Nov 18 2010 Harald Hoyer <harald at redhat.com> 161-7
- fix /dev/systty
Resolves: rhbz#654935
* Fri Nov 12 2010 Harald Hoyer <harald at redhat.com> 161-6
- add ACLs for PDA devices
Resolves: rhbz#642435
* Fri Nov 12 2010 Harald Hoyer <harald at redhat.com> 161-5
- enlarged the import buffer to fix the ressize bugs
Resolves: rhbz#652318
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #654489 - CVE-2010-4176  dracut: /dev/systty permissions could allow remote users to snoop on local users
        https://bugzilla.redhat.com/show_bug.cgi?id=654489
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update udev' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

More information about the package-announce mailing list