Cristian Gafton
2000-Apr-21 11:29 UTC
SECURITY: [RHSA-2000:012] New openldap packages available
-----BEGIN PGP SIGNED MESSAGE----- - --------------------------------------------------------------------- Red Hat, Inc. Security Advisory Synopsis: New openldap packages. Advisory ID: RHSA-2000:012-05 Issue date: 2000-04-13 Updated on: 2000-04-21 Product: Red Hat Linux Keywords: openldap startup symlink overwrite denial Cross references: N/A - --------------------------------------------------------------------- 1. Topic: New openldap packages are available which fix a security vulnerability in Red Hat Linux 6.1 and 6.2. 2. Relevant releases/architectures: Red Hat Linux 6.1 - i386 alpha sparc Red Hat Linux 6.2 - i386 alpha sparc 3. Problem description: OpenLDAP follows symbolic links when creating files. The default location for these files is /usr/tmp, which is a symlink to /tmp, which in turn is a world-writable directory. Local users can destroy the contents of any file on any mounted filesystem. 4. Solution: For each RPM for your particular architecture, run: rpm -Fvh [filename] where filename is the name of the RPM. Administrators with existing databases should also move their NEXTID and *.dbb files from /usr/tmp to /var/lib/ldap, and verify that the ''directory'' setting in /etc/openldap/slapd.conf is changed accordingly. 5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info): 10714 - Insecure file creation using static files which follow symlinks. 6. Obsoleted by: N/A 7. Conflicts with: N/A 8. RPMs required: Red Hat Linux 6.1: intel: ftp://updates.redhat.com/6.1/i386/openldap-1.2.9-6.i386.rpm alpha: ftp://updates.redhat.com/6.1/alpha/openldap-1.2.9-6.alpha.rpm sparc: ftp://updates.redhat.com/6.1/sparc/openldap-1.2.9-6.sparc.rpm sources: ftp://updates.redhat.com/6.1/SRPMS/openldap-1.2.9-6.src.rpm Red Hat Linux 6.2: intel: ftp://updates.redhat.com/6.2/i386/openldap-1.2.9-6.i386.rpm alpha: ftp://updates.redhat.com/6.2/alpha/openldap-1.2.9-6.alpha.rpm sparc: ftp://updates.redhat.com/6.2/sparc/openldap-1.2.9-6.sparc.rpm sources: ftp://updates.redhat.com/6.2/SRPMS/openldap-1.2.9-6.src.rpm 9. Verification: MD5 sum Package Name - -------------------------------------------------------------------------- fa79c61565a72407db4695ef8468a482 6.1/alpha/openldap-1.2.9-6.alpha.rpm 058c4aa63710da7490f98da4b3cad53d 6.1/i386/openldap-1.2.9-6.i386.rpm 17fbdb33172a7884f56b4fc746b1b763 6.1/SRPMS/openldap-1.2.9-6.src.rpm 816fccd85990833f7c5dfb7f2dc6e0a1 6.1/sparc/openldap-1.2.9-6.sparc.rpm fa79c61565a72407db4695ef8468a482 6.2/alpha/openldap-1.2.9-6.alpha.rpm 816fccd85990833f7c5dfb7f2dc6e0a1 6.2/sparc/openldap-1.2.9-6.sparc.rpm 17fbdb33172a7884f56b4fc746b1b763 6.2/SRPMS/openldap-1.2.9-6.src.rpm 058c4aa63710da7490f98da4b3cad53d 6.2/i386/openldap-1.2.9-6.i386.rpm These packages are GPG signed by Red Hat, Inc. for security. Our key is available at: http://www.redhat.com/corp/contact.html You can verify each package with the following command: rpm --checksig <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nogpg <filename> 10. References: Thanks also go to Stan Bubrouski for reporting this problem. Cristian - -- - ---------------------------------------------------------------------- Cristian Gafton -- gafton@redhat.com -- Red Hat, Inc. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "How could this be a problem in a country where we have Intel and Microsoft?" --Al Gore on Y2K -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOQCeJPGvxKXU9NkBAQFIAgP/fBO8WkawNk6qa2/1y3UO0o0t49xbBXPe KM6qBojNW8yWKdsfGGgVkgvby/1gH+uFxd49mFNMbG8GUNIxOw8r2MfaQXERnnFb IQ66mYSH5hesXw6wVnw0aIdnOMfd5BRpEZLXUnhrp+wf+IbtaQE6+g3MbmcoRSk4 jmsdnVhD6iQ=Yz4F -----END PGP SIGNATURE-----
Reasonably Related Threads
- Re: IPMASQ and lock-up of all terminals ---- Sum mary and update
- [RHSA-1999:042-01] screen defaults to not using Unix98 ptys
- SECURITY: RHSA-1999:040 New PAM packages available
- [SECURITY] RHSA-1999:034 New proftpd packages available
- [SECURITY] RHSA-2000:009-02.text: New gpm packages available