Subject: [yellowdog-updates] Yellow Dog Security Advisory: YDU-2000502-2
From: Dan Burcaw (dburcaw@terraplex.com)
Date: Tue May 02 2000 - 21:40:30 MDT
Yellow Dog Linux Security Announcement
--------------------------------------
Package: openldap
Issue Date: May 02, 2000
Update Date: May 02, 2000
Priority: high
Advisory ID: YDU-2000502-2
1. Topic:
The OpenLDAP program has a security vulnerability which
can allow local users to destroy critical file.
2. Problem:
OpenLDAP follows symbolic links when creating files. The
default location for these files is /usr/tmp which is
linked to /tmp. /tmp is a world-writable directory,
therefore local users can destroy any file on any mounted
filesystem.
3. Solution:
a) Updating via yup...
We suggest that you use the Yellow Dog Update Program (yup)
to keep your system up-to-date. The following command will
automatically retrieve and install the fixed version of
man onto your system:
yup update openldap
b) Updating manually...
The update can also be retrieved manually from our ftp site
below along with the rpm command that should be used to install
the update.
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/champion-1.2/ppc/RPMS/
openldap-1.2.9-6.ppc.rpm
rpm -Fvh openldap-1.2.9-6.ppc.rpm
Administrators with existing databases should also move their NEXTID
and *.dbb files from /usr/tmp to /var/lib/ldap, and verify that the
'directory' setting in /etc/openldap/slapd.conf is changed accordingly.
4. Verification
MD5 checksum Package
-------------------------------- ----------------------------
653d224a5f8071019d6f1c133e23cad4 RPMS/openldap-1.2.9-6.ppc.rpm
bd67b599f128b81a36a0b12964b86d2d RPMS/openldap-devel-1.2.9-6.ppc.rpm
0138dcd59341910e51b894792a99ffe5 SRPMS/openldap-1.2.9-6.src.rpm
All updates are signed by Terra Soft Solutions, Inc.
with our GPG key which is available at:
http://www.yellowdoglinux.com/resources/public_key.shtml
You can verify each package with the following command: rpm --checksig filename
If you only wish to verify that each package has not been corrupted or tampered with,
examine only the md5sum with the following command: rpm --checksig --nogpg filename
5. Misc.
Terra Soft has setup a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.
For information regarding the usage of yup, the Yellow Dog Update Program, see
http://devel.yellowdoglinux.com/rp_yup.shtml
This archive was generated by hypermail 2a24 : Tue May 02 2000 - 21:42:07 MDT