[yellowdog-updates] Yellow Dog Linux Security Advisory: YDU-20000926-1

Subject: [yellowdog-updates] Yellow Dog Linux Security Advisory: YDU-20000926-1
dburcaw@terraplex.com
Date: Tue Sep 26 2000 - 16:32:31 MDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Previous message: dburcaw@terraplex.com: "[yellowdog-updates] Yellow Dog Linux Security Advisory: YDU-20000925-1"

Yellow Dog Linux Security Announcement
--------------------------------------

Package: glibc
Issue Date: September 26, 2000
Update Date: September 26, 2000
Priority: high
Advisory ID: YDU-20000926-1

1. Topic:

   Security problems in glibc were found that could allow local users to
   gain root access.
 

2. Problem:

   
   "The dynamic linker ld.so uses several environment variables like LD_PRELOAD
   and LD_LIBRARY_PATH to load additional libraries or modify the library
   search path. It is unsafe to accept arbitrary user specified values
   of these variables when executing setuid applications, so ld.so handles
   them specially in setuid programs and also removes them from the
   environment.

   One of the discovered bugs causes these variables not to be
   removed from the environment under certain circumstances. This does not
   cause any threat to setuid application themselves, but it could be
   exploited if a setuid application does not either drop privileges or clean
   up its environment prior to executing other programs.

   A number of additional bugs have been found in glibc locale and
   internationalization security checks." (from Red Hat errata advisory)

3. Solution:

   a) Updating via yup...
   We suggest that you use the Yellow Dog Update Program (yup)
   to keep your system up-to-date. The following command will
   automatically retrieve and install the fixed version of
   glibc onto your system:

           yup update glibc
           yup update glibc-devel
           yup update glibc-profile
           yup update nscd

   b) Updating manually...
   The update can also be retrieved manually from our ftp site
   below along with the rpm command that should be used to install
   the update.

   ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/champion-1.2/ppc/RPMS/
   glibc-2.1.3-15f.ppc.rpm
   glibc-devel-2.1.3-15f.ppc.rpm
   glibc-profile-2.1.3-15f.ppc.rpm
   nscd-2.1.3-15f.ppc.rpm

        rpm -Fvh *-2.1.3-15f.ppc.rpm

4. Verification

MD5 checksum Package
-------------------------------- ----------------------------
7bf4e480d16ec6b922e51e051627e84f RPMS/glibc-2.1.3-15f.ppc.rpm
50d9b472da7ab9cb211e34c813d00288 RPMS/glibc-devel-2.1.3-15f.ppc.rpm
cdd33e9b0259a6072cff5f62dfff33a2 RPMS/glibc-profile-2.1.3-15f.ppc.rpm
2ed0f6b48cb753189efd1bc2c77041f9 RPMS/nscd-2.1.3-15f.ppc.rpm
6b7bd7bc7ebeb08180c50c4f39bb9a3a SRPMS/glibc-2.1.3-15f.src.rpm

If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename

5. Misc.

Terra Soft has setup a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.

For information regarding the usage of yup, the Yellow Dog Update Program, see
http://devel.yellowdoglinux.com/rp_yup.shtml

• Previous message: dburcaw@terraplex.com: "[yellowdog-updates] Yellow Dog Linux Security Advisory: YDU-20000925-1"

This archive was generated by hypermail 2a24 : Tue Sep 26 2000 - 16:35:08 MDT