Yellow Dog Linux Security Advisory: YDU-20020810-2
Dan Burcaw
yellowdog-updates@lists.terrasoftsolutions.com
Sat, 10 Aug 2002 00:57:10 -0600 (MDT)
Yellow Dog Linux Security Announcement
--------------------------------------
Package: mm
Issue Date: August 10, 2002
Priority: medium
Advisory ID: YDU-20020810-2
1. Topic:
Updated mm packages are available.
2. Problem:
"Updated mm packages are now available for [Yellow Dog] Linux [2.2 and
2.3]. These updates address possible vulnerabilities in how the MM library
opens temporary files.
The MM library provides an abstraction layer which allows related processes
to share data easily. On systems where shared memory or other
inter-process communication mechanisms are not available, the MM library
emulates them using temporary files. MM is used in [Yellow Dog] Linux to
providing shared memory pools to Apache modules.
Versions of MM up to and including 1.1.3 open temporary files in an unsafe
manner, allowing a malicious local user to cause an application which uses
MM to overwrite any file to which it has write access.
All users are advised to upgrade to these errata packages, which contain a
patched version of MM that is not vulnerable to this issue.
Thanks to Marcus Meissner for providing a patch for this issue."
(from Red Hat Advisory)
3. Solution:
a) Updating via apt...
We suggest that you use the apt-get program to keep your
system up-to-date. The following command(s) will retrieve
and install the fixed version of this update onto your system:
apt-get update
apt-get install mm
b) Updating manually...
Download the updates below for your version of Yellow Dog Linux
and then run the following rpm command.
(Please use a mirror site)
rpm -Fvh [filenames]
Yellow Dog Linux 2.3
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
ppc/mm-1.1.3-8.2.3a.ppc.rpm
Yellow Dog Linux 2.2
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/
ppc/mm-1.1.3-8.2.2a.ppc.rpm
4. Verification
MD5 checksum Package
-------------------------------- ----------------------------
[Yellow Dog Linux 2.3]
dc9b9ca7c892b8a9a12f350992d50c4d ppc/mm-1.1.3-8.2.3a.ppc.rpm
730e6a5ed0ecd367bdef2ebb4fa8c0ca ppc/mm-devel-1.1.3-8.2.3a.ppc.rpm
537816ffe832c7821ff431dd6e639182 SRPMS/mm-1.1.3-8.2.3a.src.rpm
[Yellow Dog Linux 2.2]
33292d73a8f6cdba73ca42c0f912e4aa ppc/mm-1.1.3-8.2.2a.ppc.rpm
1690686691a9d6ba5292f33568518c37 ppc/mm-devel-1.1.3-8.2.2a.ppc.rpm
a1d929d8253a48bc3eb0ebc2441f3995 SRPMS/mm-1.1.3-8.2.2a.src.rpm
I wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename
5. Misc.
Terra Soft has setup a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.
For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml