5260854 2000-07-07 21:04 /79 rader/ Postmaster
Mottagare: Bugtraq (import) <11634>
Ärende: [Security Announce] man update
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
X-Authentication-Warning: devel.danen.net: vdanen set sender t
vdanen@mandrakesoft.com using -f
Mail-Followup-To: security-announce@linux-mandrake.com
Linux Mandrake Security <mdk-security@freezer-burn.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.2.2i
X-Operating-System: Linux Mandrake 2.2.15-4mdk i586
X-Loop: security-announce@linux-mandrake.com
X-Sequence: 104
Precedence: list
Message-ID: <20000707094101.B3678@mandrakesoft.com>
Date: Fri, 7 Jul 2000 09:41:01 -0600
Reply-To: security-discuss@linux-mandrake.com
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Vincent Danen <vdanen@MANDRAKESOFT.COM>
Organization: Danen Consulting Services (www.danen.net)
X-To: security-announce@linux-mandrake.com
X-cc: Linux Mandrake Security <mdk-security@freezer-burn.org>
To: BUGTRAQ@SECURITYFOCUS.COM
_____________________________________________________________________
Linux-Mandrake Security Update Advisory.
_____________________________________________________________________
Date: July 7th, 2000
Package name: man
Affected versions: 6.0, 6.1, 7.0, 7.1
Problem: Internet Security Systems (ISS) X-Force has identified a
vulnerability in the makewhatis Bourne shell script that ships with
many Linux distributions. It is found in versions 1.5e and higher
of man, and handles temporary files insecurely. Local users may gain
a variety of privileges depending on the complexity of the exploit.
The mode of any file on the system can be changed to 0700. Any file
on the system may be created or overwritten as root. Local users may
also be able to read any system file by forcing a copy of it into the
whatis database.
Please upgrade to:
md5sum: f4f87cab84a716a2ccb8c74b3325c0c9 6.0/RPMS/man-1.5g-15mdk.i586.rpm
md5sum: 52d021732aa09d517eeff8b60d427a69 6.0/SRPMS/man-1.5g-15mdk.src.rpm
md5sum: 2b01457036a6813fa616adbca97fcb36 6.1/RPMS/man-1.5g-15mdk.i586.rpm
md5sum: 52d021732aa09d517eeff8b60d427a69 6.1/SRPMS/man-1.5g-15mdk.src.rpm
md5sum: ea883685faa409148f9b55c442a0438c 7.0/RPMS/man-1.5g-15mdk.i586.rpm
md5sum: 52d021732aa09d517eeff8b60d427a69 7.0/SRPMS/man-1.5g-15mdk.src.rpm
md5sum: fbc1b9e04d75f267650f291d99f467f1 7.1/RPMS/man-1.5g-15mdk.i586.rpm
md5sum: 52d021732aa09d517eeff8b60d427a69 7.1/SRPMS/man-1.5g-15mdk.src.rpm
To upgrade automatically, use « MandrakeUpdate ». If you want to
upgrade manually, download the updated package from one of our FTP
server mirrors and uprade with "rpm -Uvh package_name". All mirrors
are listed on http://www.mandrake.com/en/ftp.php3. Updated packages
are available in the "updates/" directory.
For example, if you are looking for an updated RPM package for
Mandrake 7.1, look for it in: updates/7.1/RPMS/
Notes:
- We give the md5 sum for each package. It lets you check the integrity of
the downloaded package by running the md5sum command on the package
("md5sum package.rpm").
- You generally do not need to download the source package with a
.src.rpm
suffix
- All the updated packages are listed on the website on
http://www.linux-mandrake.com/en/fupdates.php3
- To subscribe/unsubscribe from the "security-announce" list and
subscribe/unsubscribe from the "security-discuss" list see:
http://www.linux-mandrake.com/en/flists.php3#security
(5260854) ------------------------------------------(Ombruten)