ALAS-2013-256


Amazon Linux 1 Security Advisory: ALAS-2013-256
Advisory Release Date: 2013-12-11 20:32 Pacific
Advisory Updated Date: 2014-09-16 22:06 Pacific
Severity: Medium

Issue Overview:

A flaw was found in the way ibutils handled temporary files. A local attacker could use this flaw to cause arbitrary files to be overwritten as the root user via a symbolic link attack.

It was discovered that librdmacm used a static port to connect to the ib_acm service. A local attacker able to run a specially crafted ib_acm service on that port could use this flaw to provide incorrect address resolution information to librdmacm applications.


Affected Packages:

openmpi


Issue Correction:
Run yum update openmpi to update your system.

New Packages:
i686:
    openmpi-debuginfo-1.5.4-2.24.amzn1.i686
    openmpi-devel-1.5.4-2.24.amzn1.i686
    openmpi-1.5.4-2.24.amzn1.i686

src:
    openmpi-1.5.4-2.24.amzn1.src

x86_64:
    openmpi-debuginfo-1.5.4-2.24.amzn1.x86_64
    openmpi-1.5.4-2.24.amzn1.x86_64
    openmpi-devel-1.5.4-2.24.amzn1.x86_64
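
To confirm the update took effect, the installed openmpi packages can be compared against the fixed version-release 1.5.4-2.24.amzn1 listed above. The script below is an added example, not part of the original advisory; the function names, the sample lines, and the use of GNU `sort -V` as a stand-in for rpm's own version ordering (epoch ignored) are assumptions.

```shell
#!/bin/sh
# Added example: report openmpi packages still below the fixed build.
FIXED_EVR="1.5.4-2.24.amzn1"   # version-release from the New Packages list

# Exit 0 when $1 sorts at or above FIXED_EVR.
# Assumption: GNU "sort -V" approximates rpm's comparison; epoch is ignored.
is_fixed() {
    [ "$1" = "$FIXED_EVR" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED_EVR" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_EVR" ]
}

# Reads "name version-release arch" lines on stdin and prints, as
# name-version-release.arch, each advisory package that is not yet fixed.
unpatched() {
    while read -r name evr arch; do
        case "$name" in
            openmpi|openmpi-devel|openmpi-debuginfo) ;;
            *) continue ;;   # not covered by this advisory
        esac
        is_fixed "$evr" || printf '%s-%s.%s\n' "$name" "$evr" "$arch"
    done
}

# Constructed sample input (not taken from a real host), used when rpm is absent.
SAMPLE='openmpi 1.5.4-2.23.amzn1 x86_64
openmpi-devel 1.5.4-2.24.amzn1 x86_64
openmpi-debuginfo 1.5.4-2.9.amzn1 i686
examplepkg 0.1-1.amzn1 x86_64'

if command -v rpm >/dev/null 2>&1; then
    # Live check: query the installed openmpi packages.
    rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{ARCH}\n' 'openmpi*' | unpatched
else
    printf '%s\n' "$SAMPLE" | unpatched
fi
```

No output from the live check means every installed openmpi package is at or above the fixed build, or that none is installed.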