[yellowdog-updates] Yellow Dog Linux Security Advisory: YDU-20000913-4


Subject: [yellowdog-updates] Yellow Dog Linux Security Advisory: YDU-20000913-4
dburcaw@terraplex.com
Date: Mon Sep 25 2000 - 18:56:54 MDT


Yellow Dog Linux Security Announcement
--------------------------------------

Package: mgetty
Issue Date: September 13, 2000
Update Date: September 13, 2000
Priority: high
Advisory ID: YDU-20000913-4

1. Topic:

   The mgetty-sendfax package contains a security vulnerability.

2. Problem:

   "The faxrunq and faxrunqd commands supplied with the mgetty-sendfax package
   use a file named /var/spool/fax/outgoing/.lastrun to keep track of the date
   and time when the faxrunq command was last run. /var/tmp is a
   world-writable directory, and no check is made to ensure that .lastrun is
   not a symbolic link to another file. A malicious user can create a
   symbolic link named /var/spool/fax/outgoing/.lastrun which points to any
   file on a mounted filesystem, and that file's contents will be destroyed
   the next time faxrunq is run." (from Red Hat's errata advisory)
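
The missing check described above, sketched as a defensive pattern. This is an added example, not code from mgetty, the Red Hat fix, or this advisory; the function name `write_lastrun` and the sample file names are assumptions, and the scenario in `demo()` is constructed in a temporary directory.

```python
import errno
import os
import stat
import tempfile
import time


def write_lastrun(path):
    """Record the current time in `path`, refusing symlinks and hard-linked files."""
    # No O_TRUNC here: the file is inspected before anything is modified.
    # O_NONBLOCK keeps the open from hanging if a FIFO was planted at `path`.
    flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW | os.O_NONBLOCK
    try:
        fd = os.open(path, flags, 0o644)
    except OSError as exc:
        if exc.errno == errno.ELOOP:  # final path component is a symlink
            return False
        raise
    try:
        st = os.fstat(fd)
        # Only touch a regular file that has exactly one name (no hard-link alias).
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            return False
        os.ftruncate(fd, 0)
        os.write(fd, time.strftime("%Y-%m-%d %H:%M:%S\n").encode())
        return True
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: .lastrun is a symlink that points at another file."""
    with tempfile.TemporaryDirectory() as spool:
        victim = os.path.join(spool, "important.conf")
        with open(victim, "w") as fh:
            fh.write("keep me\n")
        lastrun = os.path.join(spool, ".lastrun")
        os.symlink(victim, lastrun)
        refused = not write_lastrun(lastrun)
        with open(victim) as fh:
            intact = fh.read() == "keep me\n"
        os.unlink(lastrun)
        written = write_lastrun(lastrun)  # ordinary case: the file is created
        is_regular = stat.S_ISREG(os.lstat(lastrun).st_mode)
        return refused, intact, written, is_regular


if __name__ == "__main__":
    print(demo())
```

O_NOFOLLOW only guards the final path component, so the spool directory itself should also not be writable by untrusted users.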

3. Solution:

   a) Updating via yup...
   We suggest that you use the Yellow Dog Update Program (yup)
   to keep your system up-to-date. The following command will
   automatically retrieve and install the fixed version of
   mgetty onto your system:

           yup update mgetty
           yup update mgetty-sendfax
           yup update mgetty-viewfax
           yup update mgetty-voice

   b) Updating manually...
   The update can also be retrieved manually from our ftp site
   below along with the rpm command that should be used to install
   the update.

   ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/champion-1.2/ppc/RPMS/
   mgetty-1.1.22-1.6.x.ppc.rpm
   mgetty-sendfax-1.1.22-1.6.x.ppc.rpm
   mgetty-viewfax-1.1.22-1.6.x.ppc.rpm
   mgetty-voice-1.1.22-1.6.x.ppc.rpm

        rpm -Fvh mgetty-*-1.1.22-1.6.x.ppc.rpm

4. Verification

MD5 checksum                     Package
-------------------------------- ----------------------------
83e4028473750ca75a46f3fb190f6315 SRPMS/mgetty-1.1.22-1.6.x.src.rpm
65e0d72a4881a9899339ecc9c0be0f66 RPMS/mgetty-1.1.22-1.6.x.ppc.rpm
716955dd40e6f54fd7867269554129c5 RPMS/mgetty-sendfax-1.1.22-1.6.x.ppc.rpm
b276dbf741fb5e00c12ec33de295573a RPMS/mgetty-viewfax-1.1.22-1.6.x.ppc.rpm
00b41bfbc5db9722a3305cfa78a2dce1 RPMS/mgetty-voice-1.1.22-1.6.x.ppc.rpm

If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename

5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.

For information regarding the usage of yup, the Yellow Dog Update Program, see
http://devel.yellowdoglinux.com/rp_yup.shtml


