Question...is the OpenLDAP on the "MandrakeUpgrade" servers (that is version 
1.2.9) "fixed" or does it exhibit this problem still?

I'm assuming that it's the "fixed" version, as the announcement
below credits MandrakeSoft for finding the problem?

Jay 


> ______________________________________________________________________________
> 
>                         TurboLinux Security Announcement
> 
>         Package: OpenLDAP 1.2.9 and earlier
>         Date:  Wed May 17 16:13:03 PDT 2000
> 
>         Affected TurboLinux versions: 6.0.2 and earlier
>         Vulnerability Type: local users can destroy any file
>         TurboLinux Advisory ID#:  TLSA2000010-1
>         BugTraq ID#: NA
>         Credits:  This vulnerability was posted to Bugtraq in an
>         announcement by RedHat on April 22, 2000.
> ______________________________________________________________________________
> 
> A security hole was discovered in the packages mentioned above.
> Please update the packages in your installation as soon as possible or
> disable the service.
> _____________________________________________________________________________
> 
> 1. Problem Summary
> 
>     From MandrakeSoft's excellent summary:
>     OpenLDAP follows symbolic links when creating files. The default
>     location for these files is /usr/tmp, which is a symlink to /tmp,
>     which in turn is a world-writable directory.
> 
> 2. Impact
> 
>    Local users can destroy the contents of any file on any mounted
>    filesystem.
> 
