----- Forwarded message from "Katherine M. Moussouris" <[EMAIL PROTECTED]> -----

> From: "Katherine M. Moussouris" <[EMAIL PROTECTED]>
> Date: Wed, 17 May 2000 19:39:59 -0700
> To: [EMAIL PROTECTED]
> Subject: [TL-Security-Announce] openLDAP TLSA2000010-1
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> ______________________________________________________________________________
>
> TurboLinux Security Announcement
>
>
> Package: OpenLDAP 1.2.9 and earlier
> Date: Wed May 17 16:13:03 PDT 2000
>
> Affected TurboLinux versions: 6.0.2 and earlier
> Vulnerability Type: local users can destroy any file
> TurboLinux Advisory ID#: TLSA2000010-1
> BugTraq ID#: NA
> Credits: This vulnerability was posted to Bugtraq in an
> announcement by RedHat on April 22, 2000.
> ______________________________________________________________________________
>
> A security hole was discovered in the packages mentioned above.
> Please update the packages in your installation as soon as possible or
> disable the service.
> _____________________________________________________________________________
>
> 1. Problem Summary
>
> From MandrakeSoft's excellent summary:
> OpenLDAP follows symbolic links when creating files. The default
> location for these files is /usr/tmp, which is a symlink to /tmp,
> which in turn is a world-writable directory.
>
> 2. Impact
>
> Local users can destroy the contents of any file on any mounted
> filesystem.
>
> 3. Solution
>
> Update the packages from our ftp server by running the following command
> for EACH new openldap package (4 total):
>
> rpm -Fvh ftp_path_to_filename
>
> Where ftp_path_to_filename are the following:
>
> ftp://ftp.turbolinux.com/pub/updates/6.0/security/openldap-1.2.10-1.i386.rpm
> ftp://ftp.turbolinux.com/pub/updates/6.0/security/openldap-devel-1.2.10-1.i386.rpm
> ftp://ftp.turbolinux.com/pub/updates/6.0/security/openldap-libs-1.2.10-1.i386.rpm
> ftp://ftp.turbolinux.com/pub/updates/6.0/security/openldap-server-1.2.10-1.i386.rpm
>
> The source rpm can be downloaded here:
>
> ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/openldap-1.2.10-1.src.rpm
>
> **Note: You must rebuild and install the rpms if you choose to download
> and install the srpm. Simply installing the srpm alone WILL NOT CLOSE
> THE SECURITY HOLE.
>
> Please verify the md5 checksum of the updates before you install:
>
> MD5 sum                          Package Name
> - ------------------------------------------------------------
> 25c417d01c89ecb5a5e8690d2dee1d92 openldap-1.2.10-1.i386.rpm
> 0053d6ba1f2bb47dfe49673ab3a6ca5a openldap-devel-1.2.10-1.i386.rpm
> 106ec91d5acae8e60c227e64867aa335 openldap-libs-1.2.10-1.i386.rpm
> e04f082c50c08d51c6ec0f75361e3923 openldap-servers-1.2.10-1.i386.rpm
>
> fc7f1252ea654cb5a70b6cc7afea0a5d openldap-1.2.10-1.src.rpm
> ______________________________________________________________________________
>
> These packages are GPG signed by Turbolinux for security. Our key
> is available here:
>
> http://www.turbolinux.com/security/tlgpgkey.asc
>
> To verify a package, use the following command:
>
> rpm --checksig name_of_rpm
>
> To examine only the md5sum, use the following command:
>
> rpm --checksig --nogpg name_of_rpm
>
> **Note: Checking GPG keys requires RPM 3.0 or higher.
>
> ______________________________________________________________________________
> You can find more updates on our ftp server:
>
> ftp://ftp.turbolinux.com/pub/updates/6.0/security/ for TL6.0 Workstation
> and Server security updates
> ftp://ftp.turbolinux.com/pub/updates/4.0/security/ for TL4.0 Workstation
> and Server security updates
>
> Our webpage for security announcements:
>
> http://www.turbolinux.com/security
>
> If you want to report vulnerabilities, please contact:
>
> [EMAIL PROTECTED]
> ______________________________________________________________________________
>
> Subscribe to the TurboLinux Security Mailing lists:
>
> TL-security - A moderated list for discussing security issues in TurboLinux
> products.
> Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security
>
> TL-security-announce - An announce-only mailing list for security updates
> and alerts.
> Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security-announce
> ______________________________________________________________________________
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.1 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE5I1Mi7eR7bnHQKeQRArgLAKCSvgG9bT7hjuvjqTjbXK0XiAD13gCfe7jh
> Pt3wGbnjFY2bPDpAnJP9Av4=
> =eaXf
> -----END PGP SIGNATURE-----
>
>
>
> _______________________________________________
> TL-Security-Announce mailing list
> [EMAIL PROTECTED]
> http://www.turbolinux.com/mailman/listinfo/tl-security-announce
>
>

----- End forwarded message -----

Ronny

--------------------------------------------------------------------------
To unsubscribe, send an email to [EMAIL PROTECTED]
Archive information at http://www.linux.or.id/milis.php3
The list administrator can be reached at [EMAIL PROTECTED]
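The problem summary in the forwarded advisory describes the classic temporary-file symlink hazard: a program creates a file by name in a shared, world-writable directory (here /usr/tmp, a link to /tmp), and open() follows whatever symbolic link a local user has already planted under that name, so the file the link points to is what gets truncated. The C program below is an added example, not code from the advisory, from TurboLinux or from OpenLDAP. It builds a private scratch directory (a constructed fixture with a file named victim and a link named tmpfile, both names chosen for this example), runs the unsafe creation pattern and the hardened O_CREAT|O_EXCL|O_NOFOLLOW pattern against the same planted link, and reports whether the victim file survived each one.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Result of one simulated run: whether the open() succeeded, the errno it
 * left behind on failure, and how many bytes the victim file holds afterwards. */
struct outcome {
    int open_ok;
    int err;
    long victim_size;
};

/* The pattern the advisory describes: the file is created by name in a shared
 * directory, and open() silently follows any symlink already sitting there,
 * truncating whatever the link points to. */
int create_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened variant: O_EXCL makes the call fail if anything already exists at
 * the name (a planted symlink included), and O_NOFOLLOW refuses to traverse a
 * symlink in the final path component. The planted link is never opened. */
int create_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed fixture. "victim" stands in for any file a local user wants
 * destroyed; "tmpfile" stands in for the name a program will create in the
 * shared temp directory, and is pre-planted as a symlink to victim. */
#define VICTIM_DATA "important data"   /* 14 bytes */

struct outcome simulate(int use_safe)
{
    struct outcome out = { 0, 0, -1 };
    const char *base = getenv("TMPDIR");
    char dir[256], victim[320], link[320];
    struct stat st;
    int fd;

    snprintf(dir, sizeof dir, "%s/symlinkdemo.XXXXXX", base ? base : "/tmp");
    if (mkdtemp(dir) == NULL)
        return out;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/tmpfile", dir);

    /* Create the victim file with known contents. */
    fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        goto cleanup;
    if (write(fd, VICTIM_DATA, strlen(VICTIM_DATA)) != (ssize_t)strlen(VICTIM_DATA)) {
        close(fd);
        goto cleanup;
    }
    close(fd);

    /* Plant the link a local user would leave in the world-writable directory. */
    if (symlink(victim, link) != 0)
        goto cleanup;

    /* Now "create" the temp file by name, the way the affected program would. */
    fd = use_safe ? create_safe(link) : create_unsafe(link);
    out.open_ok = fd >= 0;
    out.err = fd >= 0 ? 0 : errno;
    if (fd >= 0)
        close(fd);

    if (stat(victim, &st) == 0)
        out.victim_size = (long)st.st_size;

cleanup:
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return out;
}

int main(void)
{
    struct outcome u = simulate(0), s = simulate(1);
    printf("unsafe open: ok=%d, victim now %ld bytes\n", u.open_ok, u.victim_size);
    printf("safe   open: ok=%d (%s), victim still %ld bytes\n",
           s.open_ok, s.open_ok ? "-" : strerror(s.err), s.victim_size);
    return 0;
}
```

On a Linux system the unsafe run truncates victim to 0 bytes, while the hardened run fails with EEXIST and leaves the 14 bytes intact; the same O_EXCL|O_NOFOLLOW combination is what mkstemp() relies on, which is why a predictable name in a shared directory should be replaced by mkstemp() or by a per-user directory that is not world-writable.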
