5467466 2000-09-13 19:10 /58 lines/ Brevbäraren (which is implemented in) Python
Recipient: Bugtraq (import) <12763>
Subject: Conectiva Linux Security Announcement - xpdf
------------------------------------------------------------
From: secure@CONECTIVA.COM.BR
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200009131214.JAA20521@distro.conectiva.com.br>

-----------------------------------------------------------------------
                   CONECTIVA LINUX SECURITY ANNOUNCEMENT
-----------------------------------------------------------------------

PACKAGE           : xpdf
SUMMARY           : Shell commands in URLs and insecure use of /tmp
DATE              : 2000-09-12 15:31:00
RELEVANT RELEASES : 4.0, 4.0es, 4.1, 4.2, 5.0, prg gráficos, ecommerce, 5.1

----------------------------------------------------------------------

DESCRIPTION

Versions prior to 0.91 of xpdf have some security problems:

1) Insecure file creation in /tmp, which could be exploited via symlink
   attacks;

2) Shell commands inserted in URLs would be expanded and executed by the
   shell when the user opened such a URL from within xpdf.

Please note that xpdf is not SUID, and therefore any attack which uses
these vulnerabilities will only have the privileges of the user running
xpdf.

SOLUTION

All xpdf users should upgrade.

DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES

ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/xpdf-0.91-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/xpdf-0.91-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/xpdf-0.91-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/xpdf-0.91-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/xpdf-0.91-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/xpdf-0.91-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/xpdf-0.91-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/xpdf-0.91-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/xpdf-0.91-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/xpdf-0.91-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/xpdf-0.91-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/xpdf-0.91-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/xpdf-0.91-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/xpdf-0.91-1cl.i386.rpm

----------------------------------------------------------------------

All packages are signed with Conectiva's GPG key. The key can be
obtained at http://www.conectiva.com.br/contato

----------------------------------------------------------------------

subscribe:   atualizacoes-anuncio-subscribe@bazar.conectiva.com.br
unsubscribe: atualizacoes-anuncio-unsubscribe@bazar.conectiva.com.br
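The two bug classes the advisory names, each in its hardened form, as an added example (not Conectiva's or xpdf's code): a /tmp file created with mkstemp() so a pre-planted symlink cannot be followed, and a URL passed to a helper program as a single argv element so no shell ever parses it. The function names and the /tmp template are hypothetical.

```c
/* Added example, not Conectiva's or xpdf's code: hardened forms of the advisory's
 * two bug classes. Function names and the /tmp template are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1) A guessable /tmp name lets a local user plant a symlink the viewer writes
 * through. mkstemp() opens with O_CREAT|O_EXCL and mode 0600, so an existing path,
 * symlink or not, fails instead of being followed. Returns the fd or -1. */
int create_private_tmpfile(char *path, size_t len) {
    if (snprintf(path, len, "/tmp/xpdf-XXXXXX") >= (int)len) return -1;
    return mkstemp(path);
}

/* 2) system("browser 'URL'") hands link text to /bin/sh, where ; ` and $() become
 * commands. As one argv element to execvp() no shell parses it; stdout is captured. */
ssize_t run_with_url(const char *prog, const char *url, char *out, size_t outlen) {
    int pfd[2];
    if (pipe(pfd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                        /* child: stdout -> pipe, then exec */
        dup2(pfd[1], STDOUT_FILENO);
        close(pfd[0]); close(pfd[1]);
        char *const argv[] = {(char *)prog, (char *)url, NULL};
        execvp(prog, argv);
        _exit(127);
    }
    close(pfd[1]);
    ssize_t total = 0, n;
    while (total < (ssize_t)outlen - 1 &&
           (n = read(pfd[0], out + total, outlen - 1 - total)) > 0) total += n;
    out[total] = '\0'; close(pfd[0]);
    waitpid(pid, NULL, 0); return total;
}

/* Exercises both fixes. Returns 3 when the tmp file was created privately and the
 * URL reached /bin/echo unparsed: ";echo INJECTED" is echoed back, not executed. */
int check_fixes(void) {
    char path[64], out[256];
    const char *url = "http://example.com/a.pdf;echo INJECTED";   /* constructed */
    int ok = 0, fd = create_private_tmpfile(path, sizeof path);
    if (fd >= 0) { ok |= 1; close(fd); unlink(path); }
    if (run_with_url("/bin/echo", url, out, sizeof out) > 0 &&
        strlen(out) == strlen(url) + 1 && !strncmp(out, url, strlen(url))) ok |= 2;
    return ok;
}
```

Had the URL gone through a shell, /bin/echo would have printed only the part before the semicolon and the rest would have run as a command; check_fixes() returning 3 shows the metacharacters arrived as inert data.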