5307371 2000-07-27  21:39  /48 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <11947>
Subject: CONECTIVA LINUX SECURITY ANNOUNCEMENT - MAN
------------------------------------------------------------
From: Security <secure@CONECTIVA.COM.BR>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20000727112404.C17869@conectiva.com.br>

----------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
----------------------------------------------------------------------

PACKAGE : man
SUMMARY : Insecure directory creation in /tmp
DATE    : 2000-07-27
AFFECTED CONECTIVA VERSIONS : 5.1


DESCRIPTION
This announcement is being re-released specifically for
Conectiva Linux 5.1.

Red Hat has identified a problem with the man package which also
affects Conectiva Linux. Conectiva Linux versions prior to 5.1 have
already been patched.  The man package has a script called makewhatis
that is run weekly by the cron daemon as root. This script creates a
directory in /tmp and some files under it with predictable names,
thus making it possible for a local attacker to alter any file in the
system via symlink attacks.


SOLUTION
All users of Conectiva Linux 5.1 should upgrade.
Conectiva Linux versions prior to 5.1 have already been patched.


DIRECT DOWNLOAD LINKS TO UPDATED PACKAGES
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.1/i386/man-1.5g-9cl.i386.rpm

DIRECT LINK TO THE SOURCE PACKAGES
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.1/SRPMS/man-1.5g-9cl.src.rpm

----------------------------------------------------------------------

All packages are signed with Conectiva's PGP key. The key can be
obtained at http://www.conectiva.com.br/conectiva/contato.html

----------------------------------------------------------------------
subscribe: atualizacoes-anuncio-subscribe@bazar.conectiva.com.br
unsubscribe: atualizacoes-anuncio-unsubscribe@bazar.conectiva.com.br
(5307371) ------------------------------------------(Reflowed)
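
The bug class described in the advisory (a root cron script creating a predictably named directory in /tmp) is shown below as an added example; it is not code from the advisory or from the makewhatis script. The name whatis.work, the helper function names and the sandbox standing in for /tmp are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed illustration of the bug class; not the makewhatis source.

# Accept a work directory only if it is a real directory (not a symlink),
# owned by the current user, and inaccessible to group and others.
is_private_dir() {
    [ ! -L "$1" ] || return 1
    [ -d "$1" ] || return 1
    [ -O "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        drwx------) return 0 ;;
        *) return 1 ;;
    esac
}

# Weak pattern: a fixed, guessable name. "mkdir -p" succeeds silently when
# the path already exists, even if another local user created it first.
weak_workdir() {
    d="$1/whatis.work"               # hypothetical predictable name
    mkdir -p "$d" 2>/dev/null || :
    printf '%s\n' "$d"
}

# Hardened pattern: mktemp -d picks an unpredictable name and creates the
# directory atomically with mode 0700, failing if the name already exists.
safe_workdir() {
    d=$(mktemp -d "$1/whatis.XXXXXXXXXX") || return 1
    is_private_dir "$d" || { rmdir "$d"; return 1; }
    printf '%s\n' "$d"
}

# Demo in a throwaway sandbox standing in for /tmp (constructed input).
sandbox=$(mktemp -d) && trap 'rm -rf "$sandbox"' EXIT
mkdir "$sandbox/elsewhere"
ln -s "$sandbox/elsewhere" "$sandbox/whatis.work"   # pre-existing entry
w=$(weak_workdir "$sandbox")
is_private_dir "$w" || echo "weak path is not a private directory: $w"
s=$(safe_workdir "$sandbox") && echo "private work directory: $s"
```

A privileged script that must reuse a fixed path can call a check like is_private_dir before writing and abort when it fails, but creating the directory with mktemp -d avoids the race between check and use.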