Orlitzky

**Name of the Vulnerable Software and Affected Versions** imapsync versions through 2.229 **Description** The issue concerns the use of predictable paths under /tmp and /var/tmp in the default mode of operation. Since these paths are typically world-writable, an attacker can modify imapsync's cache and overwrite files belonging to the user who runs it. **Recommendations** For versions through 2.229, consider changing the default temporary directories to a more secure location that is not world-writable, or apply specific permissions to restrict access to these directories until a patch is available.

**Name of the Vulnerable Software and Affected Versions** SageMath FlintQS version 1.0 **Description** The issue allows a local user to overwrite files with the privileges of a different user who is running SageMath FlintQS, due to its reliance on pathnames under TMPDIR, which is typically world-writable. **Recommendations** For SageMath FlintQS version 1.0, consider restricting access to the TMPDIR to prevent unauthorized file overwrites until a patch is available. As a temporary workaround, restrict write access to the TMPDIR directory to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Singular versions prior to 4.3.1 **Description** The issue is related to the use of predictable /tmp pathnames in files such as sdb.cc within the Singular interface. This predictability allows local users to gain the privileges of other users via a procedure in a file under /tmp. The problem specifically concerns the handling of temporary files by certain files in the Singular interface, not the lack of a safe temporary-file creation capability in the Singular language itself. **Recommendations** For versions prior to 4.3.1, update to version 4.3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to files under /tmp that are used by the Singular interface, such as those accessed by sdb.cc, to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenRC versions 0.42.1 and earlier **Description** The issue allows local users to take ownership of arbitrary files because a non-terminal path component can be a symlink. This is related to the `checkpath` function in OpenRC. **Recommendations** For OpenRC versions 0.42.1 and earlier, consider restricting access to the `checkpath` function until a patch is available. As a temporary workaround, avoid using symlinks as non-terminal path components to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: opentmpfiles versions 0.3.1 and earlier Description: The issue allows local users to take ownership of arbitrary files due to mishandled d entries, which enables a symlink attack. Recommendations: For versions 0.3.1 and earlier, consider restricting file access permissions to prevent unauthorized ownership changes until a patch is available. As a temporary workaround, consider implementing additional file system monitoring to detect and prevent symlink attacks.

**Name of the Vulnerable Software and Affected Versions** OpenDKIM versions 2.10.3 and earlier **Description** The test suite in libopendkim allows local users to gain privileges via a symlink attack against the /tmp/testkeys file. This issue is related to the files t-testdata.h, t-setup.c, and t-cleanup.c, and is applicable to users who engage in unit-testing the library. **Recommendations** For OpenDKIM versions 2.10.3 and earlier, consider restricting access to the test suite to prevent local users from gaining privileges via a symlink attack. As a temporary workaround, avoid using the test suite until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: OpenRC opentmpfiles versions 0.1.3 and earlier Description: The issue allows local users to obtain ownership of arbitrary files by creating a hard link inside a directory on which "chown -R" will be run, when the fs.protected hardlinks sysctl is turned off. Recommendations: For OpenRC opentmpfiles versions 0.1.3 and earlier, as a temporary workaround, consider restricting the use of the "chown -R" command on directories that may contain hard links until a patch is available.

[Content removed]

**Name of the Vulnerable Software and Affected Versions** Icinga 2 versions 2.x through 2.8.1 **Description** The issue allows local users to gain privileges by exploiting a chown call for a filename in a user-writable directory. This is achieved by leveraging access to the `$ICINGA2 USER` account for creation of a link. **Recommendations** For Icinga 2 versions 2.x through 2.8.1, consider restricting access to the `$ICINGA2 USER` account to minimize the risk of exploitation. Additionally, monitor user-writable directories for suspicious activity. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Icinga Core versions prior to 1.14.0 Icinga Core through 1.14.0 **Description** The issue allows local users to gain privileges by leveraging access to a non-root account. This is related to the execution of bin/icinga as root and the support of configuration options where certain files are owned by a non-root account. The affected components include bin/icingastats, bin/ido2db, and bin/log2ido. **Recommendations** For Icinga Core versions prior to 1.14.0, update to version 1.14.0 or later to resolve the issue. For Icinga Core through 1.14.0, update to version 1.14.0 or later to resolve the issue. At the moment, there is no information about additional mitigation measures for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Nagios Core versions prior to 4.4 **Description** The issue allows local users to gain privileges by leveraging access to a non-root account that owns certain configuration files or the executable. This is possible because Nagios Core initially executes as root but supports configuration options where key files are owned by non-root accounts. **Recommendations** For Nagios Core versions prior to 4.4, consider restricting access to the configuration files and executable to prevent local users from exploiting this issue. As a temporary workaround, ensure that all files related to Nagios Core are owned by a root account to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Nagios Core versions prior to 4.3.3 **Description** The issue allows local users to potentially kill arbitrary processes by modifying the nagios.lock PID file. This can be achieved by leveraging access to the non-root account used by Nagios Core before a root script executes a command to kill a process based on the PID stored in the nagios.lock file. **Recommendations** For Nagios Core versions prior to 4.3.3, update to version 4.3.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the nagios.lock file to prevent unauthorized modifications until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Tinyproxy versions 1.8.4 and earlier **Description** The issue allows local users to potentially kill arbitrary processes by modifying the tinyproxy.pid file, which is created after privileges are dropped to a non-root account. This could be exploited before a root script executes a command to kill a process based on the pid file content. **Recommendations** For Tinyproxy versions 1.8.4 and earlier, consider restricting access to the /run/tinyproxy/tinyproxy.pid file to prevent unauthorized modifications until a fix is available. As a temporary workaround, avoid using the "kill `cat /run/tinyproxy/tinyproxy.pid`" command in root scripts until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.