ALAS-2014-302

Amazon Linux 1 Security Advisory: ALAS-2014-302
Advisory Release Date: 2014-03-10 09:40 Pacific
Advisory Updated Date: 2014-09-17 22:50 Pacific

Severity: Low

References: CVE-2014-1858 CVE-2014-1859
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

f2py insecurely uses a temporary file. A local attacker could use this flaw to perform a symbolic link attack to modify an arbitrary file accessible to the user running f2py.

Affected Packages:

numpy

Issue Correction:
Run yum update numpy to update your system.

New Packages:

i686:
    numpy-f2py-1.7.2-8.10.amzn1.i686
    numpy-debuginfo-1.7.2-8.10.amzn1.i686
    numpy-1.7.2-8.10.amzn1.i686

noarch:
    numpy-doc-1.7.2-8.10.amzn1.noarch

src:
    numpy-1.7.2-8.10.amzn1.src

x86_64:
    numpy-1.7.2-8.10.amzn1.x86_64
    numpy-f2py-1.7.2-8.10.amzn1.x86_64
    numpy-debuginfo-1.7.2-8.10.amzn1.x86_64

Additional References

Red Hat: CVE-2014-1858, CVE-2014-1859

Mitre: CVE-2014-1858, CVE-2014-1859