linux security - Jun 2000 - Security Advisory: local ROOT exploit in BRU

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
		   Caldera Systems, Inc.  Security Advisory

Subject:		local ROOT exploit in BRU
Advisory number: 	CSSA-2000-018.0
Issue date: 		2000 June, 14
Cross reference:
______________________________________________________________________________


1. Problem Description

   There is a serious vulnerability in the commandline option and logfile
   handling of the BRU Backup Utility which can be exploited by a local
   attacker to gain root access to the machine.

   We ship BRU on the commercial software CD-ROM of our OpenLinux productline,
   but it's not installed by default.

2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux Desktop 2.3        up to BRU-15.1P-4

   OpenLinux eServer 2.3        not included
   and OpenLinux eBuilder

   OpenLinux eDesktop 2.4	up to BRU-15.1D-8


3. Solution

   Workaround:

   If you do not need BRU, issue as root:

        rpm -e BRU

   Otherwise remove the suid-root bit by issuing as root:

        chmod u-s /bru/bru /bin/bru

   If you want to use BRU as a normal user, you have to point the
'BRUEXECLOG'
   environment variable to a file writeable by the user, like

    	bash/sh:

        	BRUEXECLOG=~/.brulog
        	export BRUEXECLOG

    	tcsh/csh:

        	setenv BRUEXECLOG=~/.brulog

   Also do ignore the
 	bru: [W171] warning - BRU must be owned by root and have suid bit set
   warning on further BRU calls.

4. OpenLinux Desktop 2.3

   See workaround above

5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0

   not included

6. OpenLinux eDesktop 2.4

   See workaround above

7. References

   This and other Caldera security resources are located at:

   http://www.calderasystems.com/support/security/index.html

8. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of the
   information we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera OpenLinux.

9. Acknowledgements

   Caldera Systems wishes to thank the Network Security department of Speakeasy
   Networks for discovering and reporting the bug, and Enhanced Software
   Technologies, Inc. for suggesting the workaround.

______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5R3Fl18sy83A/qfwRArQvAJ4kXFmdyA+bAEeaOkYmsfsJkhNpxACfYYxP
/TBrKh4Lxxpb/Pe9Z/pMMnw=K8/3
-----END PGP SIGNATURE-----


From mail@mail.redhat.com Jun 17:30:58 2000  -0400
Received: (qmail 23122 invoked from network); 15 Jun 2000 21:30:59 -0000
Received: from mail.redhat.com (199.183.24.239)
  by lists.redhat.com with SMTP; 15 Jun 2000 21:30:59 -0000
Received: from lacrosse.corp.redhat.com (lacrosse.corp.redhat.com
[207.175.42.154])
	by mail.redhat.com (8.8.7/8.8.7) with ESMTP id RAA01997;
	Thu, 15 Jun 2000 17:30:58 -0400
Received: from localhost (porkchop.redhat.com [207.175.42.68])
	by lacrosse.corp.redhat.com (8.9.3/8.9.3) with SMTP id RAA26187;
	Thu, 15 Jun 2000 17:30:56 -0400
Message-Id: <200006152130.RAA26187@lacrosse.corp.redhat.com>
Subject: [RHSA-2000:036-01] New emacs packages available
Content-transfer-encoding: 8bit
Approved: ewt@redhat.com
To: redhat-watch-list@redhat.com
From: bugzilla@redhat.com
Cc: linux-security@redhat.com
Content-type: text/plain; charset="iso-8859-1"
Mime-version: 1.0
Date: Thu, 15 Jun 2000 17:30 -0400

---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Synopsis:          New emacs packages available
Advisory ID:       RHSA-2000:036-01
Issue date:        2000-06-15
Updated on:        2000-06-15
Product:           Red Hat Linux
Keywords:          emacs vulnerability
Cross references:  N/A
---------------------------------------------------------------------

1. Topic:

With emacs < 20.7, unprivileged local users can eavesdrop the communication
between Emacs and its subprocesses.

2. Relevant releases/architectures:

Red Hat Linux 6.0 - i386 alpha sparc
Red Hat Linux 6.1 - i386 alpha sparc
Red Hat Linux 6.2 - i386 alpha sparc

3. Problem description:

With emacs < 20.7, unprivileged local users can eavesdrop the communication
between Emacs and its subprocesses.

This release also fix many minor problems.

The problem also exists for Red Hat 5.x. Unfortunately, the fixes require UNIX98
PTYs. This is only available on Red Hat 6.x and higher. If this problem concerns
you, an upgrade is recommended.

4. Solution:

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

11335 - emacs-nox built with X11 locale
10948 - emacs-nox does not accept pasted data
10798 - Emacs shell-script mode doesn't know about bash2
9895 - Nit: png file marked as conf file.


6. RPMs required:

Red Hat Linux 6.2:

intel:
ftp://ftp.redhat.com/redhat/updates/6.2/i386/emacs-20.7-1.i386.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/i386/emacs-el-20.7-1.i386.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/i386/emacs-X11-20.7-1.i386.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/i386/emacs-leim-20.7-1.i386.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/i386/emacs-nox-20.7-1.i386.rpm

alpha:
ftp://ftp.redhat.com/redhat/updates/6.2/alpha/emacs-20.7-1.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/alpha/emacs-el-20.7-1.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/alpha/emacs-X11-20.7-1.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/alpha/emacs-leim-20.7-1.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/alpha/emacs-nox-20.7-1.alpha.rpm

sparc:
ftp://ftp.redhat.com/redhat/updates/6.2/sparc/emacs-20.7-1.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/sparc/emacs-el-20.7-1.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/sparc/emacs-X11-20.7-1.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/sparc/emacs-leim-20.7-1.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/sparc/emacs-nox-20.7-1.sparc.rpm

sources:
ftp://ftp.redhat.com/redhat/updates/6.2/SRPMS/emacs-20.7-1.src.rpm

7. Verification:

MD5 sum                           Package Name
--------------------------------------------------------------------------
4338ef85b6f9c374879eeee77ae0eee9  6.2/SRPMS/emacs-20.7-1.src.rpm
9fbdc8b24f30bc0784a75b5d169df0c7  6.2/alpha/emacs-20.7-1.alpha.rpm
c008af143f571ae71d4f5415bd82968d  6.2/alpha/emacs-X11-20.7-1.alpha.rpm
718587a7b03c7b216d8c7825bedf1a0f  6.2/alpha/emacs-el-20.7-1.alpha.rpm
12add74edfdbb60bbf62db1a6fd8f89e  6.2/alpha/emacs-leim-20.7-1.alpha.rpm
1fa10098c9e56296d8d10a8e198b6e12  6.2/alpha/emacs-nox-20.7-1.alpha.rpm
e51141f6c521cf8009cc94669e00dc3f  6.2/i386/emacs-20.7-1.i386.rpm
7e2254b2c46deeb6a1ee8840cd4b2c2a  6.2/i386/emacs-X11-20.7-1.i386.rpm
27ef1a3ba0d97968ccca79d5421b8a1b  6.2/i386/emacs-el-20.7-1.i386.rpm
9057e85bf9cfd24057d0bdc8f16164ad  6.2/i386/emacs-leim-20.7-1.i386.rpm
19a8145b213dbcb54a3d8bad1fadcda0  6.2/i386/emacs-nox-20.7-1.i386.rpm
b4d69bb3e1ca46e2e164b2c342e7e615  6.2/sparc/emacs-20.7-1.sparc.rpm
2fc732546034395a8921fd2541f49fa1  6.2/sparc/emacs-X11-20.7-1.sparc.rpm
10e8880bf285287f328cf28888e0dcf1  6.2/sparc/emacs-el-20.7-1.sparc.rpm
0cc9c30a1bb74774913603def608fc55  6.2/sparc/emacs-leim-20.7-1.sparc.rpm
a6ae2d4b6afcb0022d59183b12472361  6.2/sparc/emacs-nox-20.7-1.sparc.rpm

These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
    http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
    rpm --checksig  <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg <filename>

8. References:

http://www.securityfocus.com/bid/1125




From mail@mail.redhat.com Jun 19:00:12 2000  -0400
Received: (qmail 8172 invoked from network); 15 Jun 2000 23:00:13 -0000
Received: from mail.redhat.com (199.183.24.239)
  by lists.redhat.com with SMTP; 15 Jun 2000 23:00:13 -0000
Received: from lacrosse.corp.redhat.com (root@lacrosse.corp.redhat.com
[207.175.42.154])
	by mail.redhat.com (8.8.7/8.8.7) with ESMTP id TAA12860;
	Thu, 15 Jun 2000 19:00:12 -0400
Received: from localhost (porkchop.redhat.com [207.175.42.68])
	by lacrosse.corp.redhat.com (8.9.3/8.9.3) with SMTP id TAA14652;
	Thu, 15 Jun 2000 19:00:10 -0400
Message-Id: <200006152300.TAA14652@lacrosse.corp.redhat.com>
Subject: [RHSA-2000:025-12] Updated Kerberos 5 packages are now available for
Red Hat Linux.
Content-transfer-encoding: 8bit
Approved: ewt@redhat.com
To: redhat-watch-list@redhat.com, linux-security@redhat.com
From: bugzilla@redhat.com
Cc: 
Content-type: text/plain; charset="iso-8859-1"
Mime-version: 1.0
Date: Thu, 15 Jun 2000 19:00 -0400

---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Synopsis:          Updated Kerberos 5 packages are now available for Red Hat
Linux.
Advisory ID:       RHSA-2000:025-12
Issue date:        2000-05-16
Updated on:        2000-06-15
Product:           Red Hat Linux
Keywords:          N/A
Cross references:  N/A
---------------------------------------------------------------------

1. Topic:

Security vulnerabilities have been found in the Kerberos 5 implementation
shipped with Red Hat Linux 6.2.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - i386 alpha sparc

3. Problem description:

A number of possible buffer overruns were found in libraries included
in the affected packages.  A denial-of-service vulnerability was also found
in the ksu program.

* A remote user may gain unauthorized root access to a machine running
  services authenticated with Kerberos 4.

* A remote user may gain unauthorized root access to a machine running
  krshd, regardless of whether the program is configured to accept
  Kerberos 4 authentication.

* A local user may gain unauthorized root access by exploiting v4rcp
  or ksu.

* A remote user can cause a KDC to become unresponsive or crash by sending
  it an improperly formatted request.

* A remote user may execute certain FTP commands without authorization
  on systems using the FTP server included in the krb5-workstation
  package.

* An attacker with access to a local account may gain unauthorized
  root access on systems using the FTP server included in the
  krb5-workstation package.

4. Solution:

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

10653 - 'stat' unresolved on "libkrb5.so.2.2" load
11496 - security-updated krb5 packages fail dependencies


6. RPMs required:

Red Hat Linux 6.2:

intel:
ftp://ftp.redhat.com/redhat/updates/6.2/i386/krb5-configs-1.1.1-21.i386.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/i386/krb5-devel-1.1.1-21.i386.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/i386/krb5-libs-1.1.1-21.i386.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/i386/krb5-server-1.1.1-21.i386.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/i386/krb5-workstation-1.1.1-21.i386.rpm

alpha:
ftp://ftp.redhat.com/redhat/updates/6.2/alpha/krb5-configs-1.1.1-21.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/alpha/krb5-devel-1.1.1-21.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/alpha/krb5-libs-1.1.1-21.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/alpha/krb5-server-1.1.1-21.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/alpha/krb5-workstation-1.1.1-21.alpha.rpm

sparc:
ftp://ftp.redhat.com/redhat/updates/6.2/sparc/krb5-configs-1.1.1-21.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/sparc/krb5-devel-1.1.1-21.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/sparc/krb5-libs-1.1.1-21.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/sparc/krb5-server-1.1.1-21.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/sparc/krb5-workstation-1.1.1-21.sparc.rpm

sources:
ftp://ftp.redhat.com/redhat/updates/6.2/SRPMS/krb5-1.1.1-21.src.rpm

7. Verification:

MD5 sum                           Package Name
--------------------------------------------------------------------------
220dd8648e6560215475f29f12cf7fbf  6.2/SRPMS/krb5-1.1.1-21.src.rpm
506aa4887dbb63ee0fdf1b0617db5d92  6.2/alpha/krb5-configs-1.1.1-21.alpha.rpm
19d3648a64b259a3a83ef70ecf3c1d3e  6.2/alpha/krb5-devel-1.1.1-21.alpha.rpm
ea30e1a247aa7d4c516ead13c825c8cb  6.2/alpha/krb5-libs-1.1.1-21.alpha.rpm
55805f5199f7c2c24c03f4609a2cbd81  6.2/alpha/krb5-server-1.1.1-21.alpha.rpm
a98473df43eedf564efe9a05b30c2baf  6.2/alpha/krb5-workstation-1.1.1-21.alpha.rpm
43d0af74bb628d446dc8781e9d0ae08b  6.2/i386/krb5-configs-1.1.1-21.i386.rpm
d13ac3cc0e680b0e452aeb34749ea7b4  6.2/i386/krb5-devel-1.1.1-21.i386.rpm
76882356337e55cd3bd5e0d5cfa454de  6.2/i386/krb5-libs-1.1.1-21.i386.rpm
93efde6cc79b16245f5e27e793a8a4ad  6.2/i386/krb5-server-1.1.1-21.i386.rpm
aa00aa8b26a50b75317f51e447a17420  6.2/i386/krb5-workstation-1.1.1-21.i386.rpm
ff7f959f22e80e9aeabb3a1c6602e225  6.2/sparc/krb5-configs-1.1.1-21.sparc.rpm
1cce9df9c5591fe43c1340334d01d6be  6.2/sparc/krb5-devel-1.1.1-21.sparc.rpm
cc67fdfad917452f383e45a9945e5ae0  6.2/sparc/krb5-libs-1.1.1-21.sparc.rpm
0215d914b0d9e2f78830ef7df9b14fea  6.2/sparc/krb5-server-1.1.1-21.sparc.rpm
3f564e722e61c1e4e8bd1a3faa108b3d  6.2/sparc/krb5-workstation-1.1.1-21.sparc.rpm

These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
    http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
    rpm --checksig  <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg <filename>

8. References:

http://www.securityfocus.com/bid/1220
http://www.securityfocus.com/bid/1338
http://web.mit.edu/kerberos/www/advisories/index.html

Thanks to Chris Evans, Mike Friedman, Jim Paris, Matt Power, Andrew
Newman, Christopher R. Thompson, and Marcus Watts for reporting these
problems to us and the Kerberos 5 team.




From mail@mail.redhat.com Jun 04:23:51 2000  -0400
Received: (qmail 5588 invoked from network); 16 Jun 2000 08:23:54 -0000
Received: from mail.redhat.com (199.183.24.239)
  by lists.redhat.com with SMTP; 16 Jun 2000 08:23:54 -0000
Received: from lacrosse.corp.redhat.com (root@lacrosse.corp.redhat.com
[207.175.42.154])
	by mail.redhat.com (8.8.7/8.8.7) with ESMTP id EAA30377;
	Fri, 16 Jun 2000 04:23:51 -0400
Received: from localhost (porkchop.redhat.com [207.175.42.68])
	by lacrosse.corp.redhat.com (8.9.3/8.9.3) with SMTP id EAA15484;
	Fri, 16 Jun 2000 04:23:50 -0400
Message-Id: <200006160823.EAA15484@lacrosse.corp.redhat.com>
Subject: [RHSA-2000:025-13] Updated Kerberos 5 packages are now available for
Red Hat Linux.
Content-transfer-encoding: 8bit
Approved: ewt@redhat.com
To: redhat-watch-list@redhat.com, linux-security@redhat.com
From: bugzilla@redhat.com
Cc: 
Content-type: text/plain; charset="iso-8859-1"
Mime-version: 1.0
Date: Fri, 16 Jun 2000 04:23 -0400

---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Synopsis:          Updated Kerberos 5 packages are now available for Red Hat
Linux.
Advisory ID:       RHSA-2000:025-13
Issue date:        2000-05-16
Updated on:        2000-06-16
Product:           Red Hat Linux
Keywords:          N/A
Cross references:  N/A
---------------------------------------------------------------------

1. Topic:

Security vulnerabilities have been found in the Kerberos 5 implementation
shipped with Red Hat Linux 6.2.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - i386 alpha sparc

3. Problem description:

A number of possible buffer overruns were found in libraries included
in the affected packages.  A denial-of-service vulnerability was also found
in the ksu program.

* A remote user may gain unauthorized root access to a machine running
  services authenticated with Kerberos 4.

* A remote user may gain unauthorized root access to a machine running
  krshd, regardless of whether the program is configured to accept
  Kerberos 4 authentication.

* A local user may gain unauthorized root access by exploiting v4rcp
  or ksu.

* A remote user can cause a KDC to become unresponsive or crash by sending
  it an improperly formatted request.

* A remote user may execute certain FTP commands without authorization
  on systems using the FTP server included in the krb5-workstation
  package.

* An attacker with access to a local account may gain unauthorized
  root access on systems using the FTP server included in the
  krb5-workstation package.

The prior errata announcement for these package contained incorrect md5sum
values.  The correct md5sums are listed below.

4. Solution:

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

10653 - 'stat' unresolved on "libkrb5.so.2.2" load
11496 - security-updated krb5 packages fail dependencies


6. RPMs required:

Red Hat Linux 6.2:

intel:
ftp://updates.redhat.com/6.2/i386/krb5-configs-1.1.1-21.i386.rpm
ftp://updates.redhat.com/6.2/i386/krb5-devel-1.1.1-21.i386.rpm
ftp://updates.redhat.com/6.2/i386/krb5-libs-1.1.1-21.i386.rpm
ftp://updates.redhat.com/6.2/i386/krb5-server-1.1.1-21.i386.rpm
ftp://updates.redhat.com/6.2/i386/krb5-workstation-1.1.1-21.i386.rpm

alpha:
ftp://updates.redhat.com/6.2/alpha/krb5-configs-1.1.1-21.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/krb5-devel-1.1.1-21.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/krb5-libs-1.1.1-21.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/krb5-server-1.1.1-21.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/krb5-workstation-1.1.1-21.alpha.rpm

sparc:
ftp://updates.redhat.com/6.2/sparc/krb5-configs-1.1.1-21.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/krb5-devel-1.1.1-21.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/krb5-libs-1.1.1-21.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/krb5-server-1.1.1-21.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/krb5-workstation-1.1.1-21.sparc.rpm

sources:
ftp://updates.redhat.com/6.2/SRPMS/krb5-1.1.1-21.src.rpm

7. Verification:

MD5 sum                           Package Name
--------------------------------------------------------------------------
f181b2037de905e80288e387b60f4e52  6.2/SRPMS/krb5-1.1.1-21.src.rpm
f561bcf39652922fe17c0f8f9d657a92  6.2/alpha/krb5-configs-1.1.1-21.alpha.rpm
182af71accb3ed83e8c3775b52474ea1  6.2/alpha/krb5-devel-1.1.1-21.alpha.rpm
ea27afca5259f61dc990859a68c08efc  6.2/alpha/krb5-libs-1.1.1-21.alpha.rpm
12cd0badc97753ede1ab24741e8b127a  6.2/alpha/krb5-server-1.1.1-21.alpha.rpm
583ca4a6755bdc4a248eaa5fe5a37418  6.2/alpha/krb5-workstation-1.1.1-21.alpha.rpm
3616f4ca518aebf7a6aba1fe9a8858fe  6.2/i386/krb5-configs-1.1.1-21.i386.rpm
d61dbe28620c5ff5fc8f6f87802875c4  6.2/i386/krb5-devel-1.1.1-21.i386.rpm
df9cca2508bc2a7bcfabb75ead5ec176  6.2/i386/krb5-libs-1.1.1-21.i386.rpm
a43f18ed47e8b59142c37460f9202b25  6.2/i386/krb5-server-1.1.1-21.i386.rpm
0fe3ee19148e92ac7b5d7a04f14168d0  6.2/i386/krb5-workstation-1.1.1-21.i386.rpm
b31276f906d284cbfc3afb03b7373ddb  6.2/sparc/krb5-configs-1.1.1-21.sparc.rpm
c29e9f755f42ca1c3112d8ebb4dc65df  6.2/sparc/krb5-devel-1.1.1-21.sparc.rpm
cd7af0e48f5144fa9020319e88ca8db4  6.2/sparc/krb5-libs-1.1.1-21.sparc.rpm
e4155d32ad39fd1989a60e8ff3d2562d  6.2/sparc/krb5-server-1.1.1-21.sparc.rpm
cbecb34317007c04480e258c3cf859bb  6.2/sparc/krb5-workstation-1.1.1-21.sparc.rpm

These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
    http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
    rpm --checksig  <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg <filename>

8. References:

http://www.securityfocus.com/bid/1220
http://www.securityfocus.com/bid/1338
http://web.mit.edu/kerberos/www/advisories/index.html

Thanks to Chris Evans, Mike Friedman, Jim Paris, Matt Power, Andrew
Newman, Christopher R. Thompson, and Marcus Watts for reporting these
problems to us and the Kerberos 5 team.




From mail@mail.redhat.com Jun 12:38:18 2000  -0400
Received: (qmail 18983 invoked from network); 21 Jun 2000 16:38:20 -0000
Received: from mail.redhat.com (199.183.24.239)
  by lists.redhat.com with SMTP; 21 Jun 2000 16:38:20 -0000
Received: from lacrosse.corp.redhat.com (root@lacrosse.corp.redhat.com
[207.175.42.154])
	by mail.redhat.com (8.8.7/8.8.7) with ESMTP id MAA30113;
	Wed, 21 Jun 2000 12:38:18 -0400
Received: from localhost (porkchop.redhat.com [207.175.42.68])
	by lacrosse.corp.redhat.com (8.9.3/8.9.3) with SMTP id MAA11647;
	Wed, 21 Jun 2000 12:38:17 -0400
Message-Id: <200006211638.MAA11647@lacrosse.corp.redhat.com>
Subject: [RHSA-2000:037-01] New Linux kernel fixes security bug
Content-transfer-encoding: 8bit
Approved: ewt@redhat.com
To: redhat-watch-list@redhat.com, linux-security@redhat.com
From: bugzilla@redhat.com
Cc: bugtraq@securityfocus.com
Content-type: text/plain; charset="iso-8859-1"
Mime-version: 1.0
Date: Wed, 21 Jun 2000 12:38 -0400

---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Synopsis:          New Linux kernel fixes security bug
Advisory ID:       RHSA-2000:037-01
Issue date:        2000-06-20
Updated on:        2000-06-20
Product:           Red Hat Linux
Keywords:          capabilities setuid suid agpgart 810 aacraid 3x90x MegaRAID
Acenic
Cross references:  N/A
---------------------------------------------------------------------

1. Topic:

This new kernel release fixes a security hole that could
affect any setuid program on the system.  In addition,
several accumulated fixes are included.

2. Relevant releases/architectures:

Red Hat Linux 6.0 - i386 alpha sparc
Red Hat Linux 6.1 - i386 alpha sparc
Red Hat Linux 6.2 - i386 alpha sparc

3. Problem description:

A security bug involving setuid programs is fixed in
this kernel.

Added or updated drivers include:
  Updated AMI MegaRAID driver
  Updated Acenic Gigabit Ethernet driver
  Added Adaptec RAID (aacraid) driver
  Updated to latest 3c90x driver from 3Com
  Updated agpgart handling for latest Intel 810 chipset
  Updated SCSI error handling

An error case in raw I/O handling was fixed.

4. Solution:

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

11998 - Local root vulnerability in the kernel capabilities feature


6. RPMs required:

Red Hat Linux 6.2:

intel:
ftp://updates.redhat.com/6.2/i386/kernel-2.2.16-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/kernel-headers-2.2.16-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/kernel-source-2.2.16-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/kernel-doc-2.2.16-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/kernel-utils-2.2.16-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/kernel-smp-2.2.16-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/kernel-BOOT-2.2.16-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/kernel-pcmcia-cs-2.2.16-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/kernel-ibcs-2.2.16-3.i386.rpm

alpha:
ftp://updates.redhat.com/6.2/alpha/kernel-2.2.16-3.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/kernel-headers-2.2.16-3.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/kernel-source-2.2.16-3.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/kernel-doc-2.2.16-3.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/kernel-utils-2.2.16-3.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/kernel-smp-2.2.16-3.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/kernel-BOOT-2.2.16-3.alpha.rpm

sparc:
ftp://updates.redhat.com/6.2/sparc/kernel-2.2.16-3.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/kernel-headers-2.2.16-3.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/kernel-source-2.2.16-3.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/kernel-doc-2.2.16-3.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/kernel-utils-2.2.16-3.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/kernel-smp-2.2.16-3.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/kernel-BOOT-2.2.16-3.sparc.rpm

sources:
ftp://updates.redhat.com/6.2/SRPMS/kernel-2.2.16-3.src.rpm

7. Verification:

MD5 sum                           Package Name
--------------------------------------------------------------------------
7135cd70a5b0896574a38363867637e2  6.2/SRPMS/kernel-2.2.16-3.src.rpm
8d2d1a5312c847a422633abde5178733  6.2/alpha/kernel-2.2.16-3.alpha.rpm
358b77b381dcf7e6e95e181eb271f368  6.2/alpha/kernel-BOOT-2.2.16-3.alpha.rpm
3306014cf0d5d3cd6aaf3eb7b495c786  6.2/alpha/kernel-doc-2.2.16-3.alpha.rpm
89e60b43d47202dc7a237e287b60a39f  6.2/alpha/kernel-headers-2.2.16-3.alpha.rpm
6a166b661bc6e6b078d111c2a18ef1bf  6.2/alpha/kernel-smp-2.2.16-3.alpha.rpm
88f53a2105dbf03801b10abc1ddfbbd8  6.2/alpha/kernel-source-2.2.16-3.alpha.rpm
51914ffb09fbe7df6d12a10f713f0b0a  6.2/alpha/kernel-utils-2.2.16-3.alpha.rpm
f639d81c76c4a35332f3f4b8bae40b0c  6.2/i386/kernel-2.2.16-3.i386.rpm
08aa0ee0e630c0b740bca1eb630b598c  6.2/i386/kernel-BOOT-2.2.16-3.i386.rpm
e6de480a599e9b4faa7cceab4ed73ce9  6.2/i386/kernel-doc-2.2.16-3.i386.rpm
438d3cfcf28ca7beb39a94b4bd438cec  6.2/i386/kernel-headers-2.2.16-3.i386.rpm
2b5026d45dc07324324dcb4cf936afe4  6.2/i386/kernel-ibcs-2.2.16-3.i386.rpm
dcdf1ba8a2154b15789a3f660c71c166  6.2/i386/kernel-pcmcia-cs-2.2.16-3.i386.rpm
94a8f4a294d743b78078274ef30722b8  6.2/i386/kernel-smp-2.2.16-3.i386.rpm
409750698f4d7a21ba3527880c2017fe  6.2/i386/kernel-source-2.2.16-3.i386.rpm
4a7bb771616f294803342e71912a2847  6.2/i386/kernel-utils-2.2.16-3.i386.rpm
4deba2b9f3285d63b96daef2bcd599e4  6.2/sparc/kernel-2.2.16-3.sparc.rpm
514d9ce2b85ec5954bf47e609a7f2048  6.2/sparc/kernel-BOOT-2.2.16-3.sparc.rpm
d776ec3b12207a7122e13c802102b731  6.2/sparc/kernel-doc-2.2.16-3.sparc.rpm
43fc3b6f6c71b232407c6099f444d9e8  6.2/sparc/kernel-headers-2.2.16-3.sparc.rpm
3c509252e3d9a681afc2598ad28a688a  6.2/sparc/kernel-smp-2.2.16-3.sparc.rpm
0839ab7161bc75b40b09a0bbf7625a74  6.2/sparc/kernel-source-2.2.16-3.sparc.rpm
a9d8ebf3009225593ca63e9d587bd123  6.2/sparc/kernel-utils-2.2.16-3.sparc.rpm

These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
    http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
    rpm --checksig  <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg <filename>

8. References:

N/A




From mail@mail.redhat.com Jun 16:35:36 2000  -0400
Received: (qmail 17596 invoked from network); 21 Jun 2000 20:35:36 -0000
Received: from mail.redhat.com (199.183.24.239)
  by lists.redhat.com with SMTP; 21 Jun 2000 20:35:36 -0000
Received: from lacrosse.corp.redhat.com (root@lacrosse.corp.redhat.com
[207.175.42.154])
	by mail.redhat.com (8.8.7/8.8.7) with ESMTP id QAA27056;
	Wed, 21 Jun 2000 16:35:36 -0400
Received: from localhost (porkchop.redhat.com [207.175.42.68])
	by lacrosse.corp.redhat.com (8.9.3/8.9.3) with SMTP id QAA09463;
	Wed, 21 Jun 2000 16:35:35 -0400
Message-Id: <200006212035.QAA09463@lacrosse.corp.redhat.com>
Subject: [RHSA-2000:037-02] New Linux kernel fixes security bug
Content-transfer-encoding: 8bit
Approved: ewt@redhat.com
To: redhat-watch-list@redhat.com, linux-security@redhat.com
From: bugzilla@redhat.com
Cc: bugtraq@securityfocus.com
Content-type: text/plain; charset="iso-8859-1"
Mime-version: 1.0
Date: Wed, 21 Jun 2000 16:35 -0400

---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Synopsis:          New Linux kernel fixes security bug
Advisory ID:       RHSA-2000:037-01
Issue date:        2000-06-20
Updated on:        2000-06-20
Product:           Red Hat Linux
Keywords:          capabilities setuid suid agpgart 810 aacraid 3x90x MegaRAID
Acenic
Cross references:  N/A
---------------------------------------------------------------------

1. Topic:

This new kernel release fixes a security hole that could
affect any setuid program on the system.  In addition,
several accumulated fixes are included.

2. Relevant releases/architectures:

Red Hat Linux 6.0 - i386 alpha sparc
Red Hat Linux 6.1 - i386 alpha sparc
Red Hat Linux 6.2 - i386 alpha sparc

3. Problem description:

A security bug involving setuid programs is fixed in
this kernel.

Added or updated drivers include:
  Updated AMI MegaRAID driver
  Updated Acenic Gigabit Ethernet driver
  Added Adaptec RAID (aacraid) driver
  Updated to latest 3c90x driver from 3Com
  Updated agpgart handling for latest Intel 810 chipset
  Updated SCSI error handling

An error case in raw I/O handling was fixed.

4. Solution:

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

11998 - Local root vulnerability in the kernel capabilities feature


6. RPMs required:

Red Hat Linux 6.2:

intel:
ftp://updates.redhat.com/6.2/i386/kernel-2.2.16-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/kernel-headers-2.2.16-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/kernel-source-2.2.16-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/kernel-doc-2.2.16-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/kernel-utils-2.2.16-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/kernel-smp-2.2.16-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/kernel-BOOT-2.2.16-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/kernel-pcmcia-cs-2.2.16-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/kernel-ibcs-2.2.16-3.i386.rpm

alpha:
ftp://updates.redhat.com/6.2/alpha/kernel-2.2.16-3.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/kernel-headers-2.2.16-3.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/kernel-source-2.2.16-3.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/kernel-doc-2.2.16-3.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/kernel-utils-2.2.16-3.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/kernel-smp-2.2.16-3.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/kernel-BOOT-2.2.16-3.alpha.rpm

sparc:
ftp://updates.redhat.com/6.2/sparc/kernel-2.2.16-3.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/kernel-headers-2.2.16-3.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/kernel-source-2.2.16-3.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/kernel-doc-2.2.16-3.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/kernel-utils-2.2.16-3.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/kernel-smp-2.2.16-3.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/kernel-BOOT-2.2.16-3.sparc.rpm

sources:
ftp://updates.redhat.com/6.2/SRPMS/kernel-2.2.16-3.src.rpm

7. Verification:

MD5 sum                           Package Name
--------------------------------------------------------------------------
7135cd70a5b0896574a38363867637e2  6.2/SRPMS/kernel-2.2.16-3.src.rpm
8d2d1a5312c847a422633abde5178733  6.2/alpha/kernel-2.2.16-3.alpha.rpm
358b77b381dcf7e6e95e181eb271f368  6.2/alpha/kernel-BOOT-2.2.16-3.alpha.rpm
3306014cf0d5d3cd6aaf3eb7b495c786  6.2/alpha/kernel-doc-2.2.16-3.alpha.rpm
89e60b43d47202dc7a237e287b60a39f  6.2/alpha/kernel-headers-2.2.16-3.alpha.rpm
6a166b661bc6e6b078d111c2a18ef1bf  6.2/alpha/kernel-smp-2.2.16-3.alpha.rpm
88f53a2105dbf03801b10abc1ddfbbd8  6.2/alpha/kernel-source-2.2.16-3.alpha.rpm
51914ffb09fbe7df6d12a10f713f0b0a  6.2/alpha/kernel-utils-2.2.16-3.alpha.rpm
f639d81c76c4a35332f3f4b8bae40b0c  6.2/i386/kernel-2.2.16-3.i386.rpm
08aa0ee0e630c0b740bca1eb630b598c  6.2/i386/kernel-BOOT-2.2.16-3.i386.rpm
e6de480a599e9b4faa7cceab4ed73ce9  6.2/i386/kernel-doc-2.2.16-3.i386.rpm
438d3cfcf28ca7beb39a94b4bd438cec  6.2/i386/kernel-headers-2.2.16-3.i386.rpm
2b5026d45dc07324324dcb4cf936afe4  6.2/i386/kernel-ibcs-2.2.16-3.i386.rpm
dcdf1ba8a2154b15789a3f660c71c166  6.2/i386/kernel-pcmcia-cs-2.2.16-3.i386.rpm
94a8f4a294d743b78078274ef30722b8  6.2/i386/kernel-smp-2.2.16-3.i386.rpm
409750698f4d7a21ba3527880c2017fe  6.2/i386/kernel-source-2.2.16-3.i386.rpm
4a7bb771616f294803342e71912a2847  6.2/i386/kernel-utils-2.2.16-3.i386.rpm
4deba2b9f3285d63b96daef2bcd599e4  6.2/sparc/kernel-2.2.16-3.sparc.rpm
514d9ce2b85ec5954bf47e609a7f2048  6.2/sparc/kernel-BOOT-2.2.16-3.sparc.rpm
d776ec3b12207a7122e13c802102b731  6.2/sparc/kernel-doc-2.2.16-3.sparc.rpm
43fc3b6f6c71b232407c6099f444d9e8  6.2/sparc/kernel-headers-2.2.16-3.sparc.rpm
3c509252e3d9a681afc2598ad28a688a  6.2/sparc/kernel-smp-2.2.16-3.sparc.rpm
0839ab7161bc75b40b09a0bbf7625a74  6.2/sparc/kernel-source-2.2.16-3.sparc.rpm
a9d8ebf3009225593ca63e9d587bd123  6.2/sparc/kernel-utils-2.2.16-3.sparc.rpm

These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
    http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
    rpm --checksig  <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg <filename>

8. References:

N/A




From mail@mail.redhat.com Jun 17:33:53 2000  -0400
Received: (qmail 27069 invoked from network); 22 Jun 2000 21:33:53 -0000
Received: from mail.redhat.com (199.183.24.239)
  by lists.redhat.com with SMTP; 22 Jun 2000 21:33:53 -0000
Received: from lacrosse.corp.redhat.com (root@lacrosse.corp.redhat.com
[207.175.42.154])
	by mail.redhat.com (8.8.7/8.8.7) with ESMTP id RAA04260;
	Thu, 22 Jun 2000 17:33:53 -0400
Received: from localhost (porkchop.redhat.com [207.175.42.68])
	by lacrosse.corp.redhat.com (8.9.3/8.9.3) with SMTP id RAA01309;
	Thu, 22 Jun 2000 17:33:49 -0400
Message-Id: <200006222133.RAA01309@lacrosse.corp.redhat.com>
Subject: [RHSA-2000:038-01] Zope update
Content-transfer-encoding: 8bit
Approved: ewt@redhat.com
To: redhat-watch-list@redhat.com
From: bugzilla@redhat.com
Cc: linux-security@redhat.com, bugtraq@securityfocus.com
Content-type: text/plain; charset="iso-8859-1"
Mime-version: 1.0
Date: Thu, 22 Jun 2000 17:33 -0400

---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Synopsis:          Zope update
Advisory ID:       RHSA-2000:038-01
Issue date:        2000-06-22
Updated on:        2000-06-22
Product:           Red Hat Powertools
Keywords:          Zope
Cross references:  N/A
---------------------------------------------------------------------

1. Topic:

Remote vulnerabilities exist with all Zope-2.0 releases.

2. Relevant releases/architectures:

Red Hat Powertools 6.1 - noarch
Red Hat Powertools 6.2 - noarch

3. Problem description:

This hotfix corrects issues with an inadequately protected method in one of the
base classes in the DocumentTemplate package that could allow the contents of
DTMLDocuments or DTMLMethods to be changed remotely or through DTML code without
forcing proper user authorization.

4. Solution:

Users of Red Hat Powertools 6.1 who have not upgraded Zope to the version of
Zope released in Red Hat Powertools 6.2 (2.1.2-5) need to do so prior to
installing this Zope update. The Zope packages from 6.2 are located at:

ftp://ftp.redhat.com/pub/redhat/powertools/6.2/

After you have upgraded to Zope-2.1.2-5 install the Zope-Hotfix package. To
install the update, use this command:

rpm -Uvh Zope-Hotfix-06_16_2000-1.noarch.rpm

Once the Zope-Hotfix package is installed, restart Zope.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

N/A

6. RPMs required:

Red Hat Powertools 6.1:

Red Hat Powertools 6.2:

noarch:
ftp://updates.redhat.com/powertools/6.2/noarch/Zope-Hotfix-06_16_2000-1.noarch.rpm

sources:
ftp://updates.redhat.com/powertools/6.2/SRPMS/Zope-Hotfix-06_16_2000-1.src.rpm

7. Verification:

MD5 sum                           Package Name
--------------------------------------------------------------------------
9f0f351b44a834ef84f56ae6a6d2a5df  6.2/SRPMS/Zope-Hotfix-06_16_2000-1.src.rpm
dee87d4dd038b1a10f6e46a0883197b3  6.2/noarch/Zope-Hotfix-06_16_2000-1.noarch.rpm

These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
    http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
    rpm --checksig  <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg <filename>

8. References:

http://www.zope.org/Products/Zope/Hotfix_06_16_2000/security_alert