5842306 2000-12-08 16:07 -0200 /73 rader/ <secure@CONECTIVA.COM.BR> Sänt av: joel@lysator.liu.se Importerad: 2000-12-11 00:55 av Brevbäraren (som är implementerad i) Python Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM Externa svar till: secure@CONECTIVA.COM.BR Mottagare: Bugtraq (import) <14131> Ärende: [CLA-2000:354] Conectiva Linux Security Announcement - tcsh ------------------------------------------------------------ From: secure@CONECTIVA.COM.BR To: BUGTRAQ@SECURITYFOCUS.COM Message-ID: <200012081807.QAA22462@frajuto.distro.conectiva> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ----------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - ----------------------------------------------------------------------- PACKAGE : tcsh SUMMARY : Insecure temporary file creation DATE : 2000-12-08 16:06:00 ID : CLA-2000:354 RELEVANT RELEASES : 6.0 - ---------------------------------------------------------------------- DESCRIPTION (This is a specific update for Conectiva Linux 6.0, previous versions were already updated.) When using in-here documents (via the "<<" redirect), tcsh creates a temporary file in an insecure manner that could allow a symlink attack to overwrite arbitrary files. SOLUTION It is recommended that all tcsh users upgrade to the latest package. DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/6.0/SPMS/tcsh-6.10.00-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/tcsh-6.10.00-1cl.i386.rpm ADDITIONAL INSTRUCTIONS Users of Conectiva Linux version 6.0 or higher may use apt to perform upgrades: - add the following line to /etc/apt/sources.list if it is not there yet (you may also use linuxconf to do this): rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en - ---------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key can be obtained at http://www.conectiva.com.br/contato - ----------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at http://www.conectiva.com.br/suporte/atualizacoes - ---------------------------------------------------------------------- subscribe: atualizacoes-anuncio-subscribe@papaleguas.conectiva.com.br unsubscribe: atualizacoes-anuncio-unsubscribe@papaleguas.conectiva.com.br -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6MSNR42jd0JmAcZARAj73AJ0bECqxm+UzMF/AHJtmuHULsazs+ACgsniv ex9QQsnocF+PAqbkjXidqz0= =zdO5 -----END PGP SIGNATURE----- (5842306) --------------------------------(Ombruten)