[yellowdog-updates] Yellow Dog Security Advisory: YDU-2000502-2

Subject: [yellowdog-updates] Yellow Dog Security Advisory: YDU-2000502-2
From: Dan Burcaw (dburcaw@terraplex.com)
Date: Tue May 02 2000 - 21:40:30 MDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Next message: Dan Burcaw: "[yellowdog-updates] Yellow Dog Linux Security Advisory: YDU-20000507-2"
• Previous message: Dan Burcaw: "[yellowdog-updates] Yellow Dog Linux Security Advisory: YDU-2000502-1"

Yellow Dog Linux Security Announcement
--------------------------------------

Package: openldap
Issue Date: May 02, 2000
Update Date: May 02, 2000
Priority: high
Advisory ID: YDU-2000502-2

1. Topic:

   The OpenLDAP program has a security vulnerability which
   can allow local users to destroy critical file.

2. Problem:

   OpenLDAP follows symbolic links when creating files. The
   default location for these files is /usr/tmp which is
   linked to /tmp. /tmp is a world-writable directory,
   therefore local users can destroy any file on any mounted
   filesystem.

3. Solution:

   a) Updating via yup...
   We suggest that you use the Yellow Dog Update Program (yup)
   to keep your system up-to-date. The following command will
   automatically retrieve and install the fixed version of
   man onto your system:

           yup update openldap

   b) Updating manually...
   The update can also be retrieved manually from our ftp site
   below along with the rpm command that should be used to install
   the update.

   ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/champion-1.2/ppc/RPMS/
   openldap-1.2.9-6.ppc.rpm

        rpm -Fvh openldap-1.2.9-6.ppc.rpm

   Administrators with existing databases should also move their NEXTID
   and *.dbb files from /usr/tmp to /var/lib/ldap, and verify that the
   'directory' setting in /etc/openldap/slapd.conf is changed accordingly.

4. Verification

MD5 checksum Package
-------------------------------- ----------------------------
653d224a5f8071019d6f1c133e23cad4 RPMS/openldap-1.2.9-6.ppc.rpm
bd67b599f128b81a36a0b12964b86d2d RPMS/openldap-devel-1.2.9-6.ppc.rpm
0138dcd59341910e51b894792a99ffe5 SRPMS/openldap-1.2.9-6.src.rpm

All updates are signed by Terra Soft Solutions, Inc.
with our GPG key which is available at:
http://www.yellowdoglinux.com/resources/public_key.shtml

You can verify each package with the following command: rpm --checksig filename

If you only wish to verify that each package has not been corrupted or tampered with,
examine only the md5sum with the following command: rpm --checksig --nogpg filename

5. Misc.

Terra Soft has setup a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.

For information regarding the usage of yup, the Yellow Dog Update Program, see
http://devel.yellowdoglinux.com/rp_yup.shtml

• Next message: Dan Burcaw: "[yellowdog-updates] Yellow Dog Linux Security Advisory: YDU-20000507-2"
• Previous message: Dan Burcaw: "[yellowdog-updates] Yellow Dog Linux Security Advisory: YDU-2000502-1"

This archive was generated by hypermail 2a24 : Tue May 02 2000 - 21:42:07 MDT