GNU Automake security alert CVE-2012-3386
Not sure if this is the correct place to put such notices, but the chaps over at GNU posted some sort of security fix for automake:
"Please note that Automake 1.12.2 and Automake 1.11.6 fix a security issue (CVE-2012-3386)..." https://lists.gnu.org/archive/html/a.../msg00023.html
Further explanation: https://lists.gnu.org/archive/html/a.../msg00023.html
"It is important to stress that this vulnerability impacts not only the Automake package itself, but all packages with Automake-generated makefiles. For an effective fix it is necessary to regenerate the Makefile.in files with a fixed Automake version."
The most recent version of automake I could find in current at mirrors.slackware.com is 1.11.5 from 24Jun2012. I figure the distcheck issue is no big deal, which is why we didn't upgrade to 1.11.6? Only folks that use it are those who compile packages from source code, which is probably on a box immune to such nonsense.
"GNU Automake 1.12.2 as well as 1.11.6 fix a locally-exploitable security-related race condition that affects "make distcheck" for all packages that use Automake."
I only mention it because I came across a deprecated form of autoconf.ac that needs an autoupdate massage.
In all my years of using Linux and compiling various packages from source I cannot say I have ever invoked "make distcheck".
Checking out the docs for it and it looks like the only people who would ever use this are the developers of various programs themselves to ensure that their resulting source tarball behaves itself.
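A check that follows from the quoted advice to regenerate Makefile.in with a fixed Automake, added here as an example and not part of the thread or of the Automake project: it reads the version automake records at the top of each generated Makefile.in and flags files not produced by 1.11.6, 1.12.2 or later. Treating every release older than 1.11.6 as lacking the fix is an assumption, and the function names are this example's own.

```python
import re
import sys
from pathlib import Path

# Fixed releases named in the announcement quoted in the thread.
FIXED_1_11 = (1, 11, 6)
FIXED_1_12 = (1, 12, 2)
# Header automake writes at the top of a generated file, e.g. (constructed):
# "# Makefile.in generated by automake 1.11.5 from Makefile.am."
HEADER = re.compile(r"^# \S+ generated (?:automatically )?by automake (\d+(?:\.\d+)*)")


def parse_version(text):
    """Turn '1.11.5' into (1, 11, 5), padding short versions with zeros."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def has_fix(version):
    """True if the version is at or past a fixed release.
    Assumption: anything older than 1.11.6 is treated as lacking the fix."""
    if version[:2] == (1, 11):
        return version >= FIXED_1_11
    return version >= FIXED_1_12


def generator_version(path):
    """Return the automake version recorded in a Makefile.in, or None."""
    with open(path, errors="replace") as fh:
        for _, line in zip(range(5), fh):  # the header sits in the first lines
            match = HEADER.match(line)
            if match:
                return parse_version(match.group(1))
    return None


def scan(root):
    """Return (path, version, fixed) for every Makefile.in under root."""
    results = []
    for path in sorted(Path(root).rglob("Makefile.in")):
        version = generator_version(path)
        if version is not None:
            results.append((str(path), version, has_fix(version)))
    return results


if __name__ == "__main__":
    stale = [r for r in scan(sys.argv[1] if len(sys.argv) > 1 else ".") if not r[2]]
    for path, version, _ in stale:
        print(f"{path}: automake {'.'.join(map(str, version))}, regenerate")
    sys.exit(1 if stale else 0)
```

Run it with a source tree as the argument; a non-zero exit status means at least one Makefile.in still needs regenerating.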