Yellow Dog Linux Security Advisory: YDU-20020810-2

Dan Burcaw yellowdog-updates@lists.terrasoftsolutions.com
Sat, 10 Aug 2002 00:57:10 -0600 (MDT)


Yellow Dog Linux Security Announcement
--------------------------------------

Package:	mm
Issue Date: 	August 10, 2002	
Priority:	medium	
Advisory ID: 	YDU-20020810-2


1. 	Topic:

	Updated mm packages are available.


2. 	Problem:

	"Updated mm packages are now available for [Yellow Dog] Linux [2.2 and
	2.3]. These updates address possible vulnerabilities in how the MM library
	opens temporary files.

	The MM library provides an abstraction layer which allows related processes
	to share data easily. On systems where shared memory or other
	inter-process communication mechanisms are not available, the MM library
	emulates them using temporary files. MM is used in [Yellow Dog] Linux to
	provide shared memory pools to Apache modules.

	Versions of MM up to and including 1.1.3 open temporary files in an unsafe
	manner, allowing a malicious local user to cause an application which uses
	MM to overwrite any file to which it has write access.

	All users are advised to upgrade to these errata packages, which contain a
	patched version of MM that is not vulnerable to this issue.

	Thanks to Marcus Meissner for providing a patch for this issue."
	(from Red Hat Advisory)
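
The unsafe temporary-file handling described above, shown beside two hardened forms. This is an added example, not MM's source or the errata patch. It assumes the classic form of this bug class (a fixed file name opened without O_EXCL), and every function name and path in it is hypothetical.

```c
/* Added example; not MM's source. Names and paths are hypothetical. */
#define _POSIX_C_SOURCE 200809L  /* for mkstemp, mkdtemp, symlink */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe: fixed name, no O_EXCL. If a symlink already sits at `path`,
 * open() follows it and O_TRUNC empties whatever file it points to. */
int open_tmp_unsafe(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
}

/* Safer: with O_CREAT|O_EXCL, open() fails with EEXIST if anything exists
 * at `path`, and POSIX requires that a symlink there is not followed. */
int open_tmp_excl(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
}

/* Preferred: mkstemp() picks an unpredictable name and creates the file
 * exclusively with mode 0600; unlink at once so only the fd remains. */
int open_tmp_mkstemp(const char *dir) {
    char tmpl[512];
    int n = snprintf(tmpl, sizeof tmpl, "%s/mm-demo-XXXXXX", dir);
    int fd = (n > 0 && (size_t)n < sizeof tmpl) ? mkstemp(tmpl) : -1;
    if (fd >= 0) unlink(tmpl);
    return fd;
}

/* Constructed scenario in a private scratch directory: a 6-byte "victim"
 * file and a symlink to it at the temp path. Returns the victim's size
 * after `opener` has run on that path, or -1 if setup fails. */
long victim_size_after(int (*opener)(const char *)) {
    char dir[] = "/tmp/mm-demo-XXXXXX", victim[64], tmp[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/mm.sem", dir);
    FILE *f = fopen(victim, "w");
    if (!f || fputs("secret", f) < 0 || fclose(f) != 0) return -1;
    if (symlink(victim, tmp) != 0) return -1;
    int fd = opener(tmp);
    if (fd >= 0) close(fd);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(tmp); unlink(victim); rmdir(dir);
    return size;
}
```

victim_size_after(open_tmp_unsafe) returns 0 because the file behind the link was truncated, while victim_size_after(open_tmp_excl) returns 6 because the open was refused and the file is intact.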

3. 	Solution:

   	a) Updating via apt...
   	We suggest that you use the apt-get program to keep your
   	system up-to-date. The following command(s) will retrieve
   	and install the fixed version of this update onto your system:

		apt-get update
		apt-get install mm

   	b) Updating manually...
	Download the updates below for your version of Yellow Dog Linux
	and then run the following rpm command.
   	(Please use a mirror site)

		rpm -Fvh [filenames]

		Yellow Dog Linux 2.3
			  ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
				ppc/mm-1.1.3-8.2.3a.ppc.rpm

		Yellow Dog Linux 2.2
			  ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/
				ppc/mm-1.1.3-8.2.2a.ppc.rpm
			  	

4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
[Yellow Dog Linux 2.3]
dc9b9ca7c892b8a9a12f350992d50c4d  ppc/mm-1.1.3-8.2.3a.ppc.rpm
730e6a5ed0ecd367bdef2ebb4fa8c0ca  ppc/mm-devel-1.1.3-8.2.3a.ppc.rpm
537816ffe832c7821ff431dd6e639182  SRPMS/mm-1.1.3-8.2.3a.src.rpm

[Yellow Dog Linux 2.2]
33292d73a8f6cdba73ca42c0f912e4aa  ppc/mm-1.1.3-8.2.2a.ppc.rpm
1690686691a9d6ba5292f33568518c37  ppc/mm-devel-1.1.3-8.2.2a.ppc.rpm
a1d929d8253a48bc3eb0ebc2441f3995  SRPMS/mm-1.1.3-8.2.2a.src.rpm

If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command:

	rpm --checksig --nogpg filename


5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.

For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml