oss-sec mailing list archives
[Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 23 Jan 2013 11:25:56 -0500 (EST)
Hello vendors,

just FYI notification that haproxy upstream has recently corrected [2] improper dropping of supplementary groups [1] after setuid / setgid calls.

We have further investigated this issue and have reasons to believe that by itself this is NOT a security issue (another flaw would need to be found in haproxy for this to be actually possible to use for something interesting). For now we are considering this fix to be a preventive measure / security hardening (but took the time to notify you explicitly about this as you might still want to backport it into affected versions).

Thank you && Regards, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S.:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=894626
[2] http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=ab012dd3
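The hardening the notification refers to, as an added illustration that is not haproxy's code or the upstream commit: the privilege-drop order a daemon must follow (setgroups() while still root, then setgid(), then setuid()) plus a post-drop audit that checks no supplementary group survived. Target uid/gid values are constructed placeholders taken from the command line.

```c
// Added example (not haproxy's own code): correct privilege-drop order and an
// audit that detects the defect described in the notification (supplementary
// groups surviving a setuid/setgid drop).
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure check over any group list: 1 if no group other than `gid` (the primary
 * group we dropped to) is present, else 0. Usable on live or recorded data. */
int groups_fully_dropped(const gid_t *groups, int count, gid_t gid) {
    for (int i = 0; i < count; i++)
        if (groups[i] != gid) return 0;
    return 1;
}

/* Drop privileges in the only order that works:
 *  1. setgroups(0, NULL) first: it needs CAP_SETGID, i.e. we must still be root.
 *     This is the step that was missing; without it the process keeps every
 *     supplementary group root had (e.g. shadow, disk, wheel).
 *  2. setgid() before setuid(): once the uid is unprivileged, setgid() fails.
 *  3. setuid() last, then confirm root cannot be regained.
 * Returns 0 on success or the negative number of the failing step (errno kept). */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgroups(0, NULL) == -1) return -1;
    if (setgid(gid) == -1) return -2;
    if (setuid(uid) == -1) return -3;
    if (uid != 0 && setuid(0) != -1) return -4;  /* drop was not permanent */
    return 0;
}

/* Audit the live process: 1 if only the primary group remains, 0 if any
 * supplementary group survived, -1 on getgroups() failure. */
int audit_live_groups(void) {
    gid_t groups[1024];
    int n = getgroups(1024, groups);
    if (n < 0) return -1;
    return groups_fully_dropped(groups, n, getegid());
}

int main(int argc, char **argv) {
    /* Placeholder target ids: "./drop <uid> <gid>", defaulting to current ids. */
    uid_t uid = argc > 2 ? (uid_t)strtoul(argv[1], NULL, 10) : getuid();
    gid_t gid = argc > 2 ? (gid_t)strtoul(argv[2], NULL, 10) : getgid();
    int rc = drop_privileges(uid, gid);
    if (rc != 0) { fprintf(stderr, "step %d failed: %s\n", -rc, strerror(errno)); return 1; }
    printf("supplementary groups dropped: %s\n", audit_live_groups() == 1 ? "yes" : "NO");
    return 0;
}
```

Run as root, `audit_live_groups()` reports "NO" for a build that omits the setgroups() step, which is exactly the condition the upstream fix closes.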