Originally Published: Sunday, 23 July 2000
Author: Alexander Reelsen
Published to: news_enhance_security/Security News

Linux-Mandrake Security Update Advisory - inn

A vulnerability exists when verifycancels is enabled in /etc/news/inn.conf. This vulnerability could be used to gain root access on any system with inn installed. This new version also does not install inews as setgid news or rnews as setuid root. Many other security paranoia fixes have been made as well.

Date: Sat, 22 Jul 2000 12:53:51 -0600
From: Linux Mandrake Security Team
Subject: MDKSA-2000:023 inn update
To: BUGTRAQ@SECURITYFOCUS.COM

________________________________________________________________________

Linux-Mandrake Security Update Advisory

________________________________________________________________________

Package name: inn
Date: July 22nd, 2000
Advisory ID: MDKSA-2000:023

Affected versions: 6.0, 6.1, 7.0, 7.1

________________________________________________________________________

Problem Description:

A vulnerability exists when verifycancels is enabled in /etc/news/inn.conf. This vulnerability could be used to gain root access on any system with inn installed. This new version also does not install inews as setgid news or rnews as setuid root. Many other security paranoia fixes have been made as well.

________________________________________________________________________

Please verify these md5 checksums of the updates prior to upgrading to ensure the integrity of the downloaded package. You can do this by running the md5sum program on the downloaded package by using "md5sum package.rpm".

Linux-Mandrake 6.0: eb1a1f9a42623ed0de6d94376aa02937 6.0/RPMS/inews-2.2.3-1mdk.i586.rpm 6d76b7615e559b66795dba28791145ba 6.0/RPMS/inn-2.2.3-1mdk.i586.rpm 57338dfdb19813de897c1ebbc7199646 6.0/RPMS/inn-devel-2.2.3-1mdk.i586.rpm 0295f03b4b45b26ddc05f06e81603fba 6.0/SRPMS/inn-2.2.3-1mdk.src.rpm

Linux-Mandrake 6.1: 200cc96d3c6c5e1b646b1c68462bc82a 6.1/RPMS/inews-2.2.3-1mdk.i586.rpm eecd59ad60b9f395034d7e15ca0606f7 6.1/RPMS/inn-2.2.3-1mdk.i586.rpm 911699abe06c7c46d6f7329ac63a633a 6.1/RPMS/inn-devel-2.2.3-1mdk.i586.rpm 0295f03b4b45b26ddc05f06e81603fba 6.1/SRPMS/inn-2.2.3-1mdk.src.rpm

Linux-Mandrake 7.0: e2236748f00ea0e1162ba1e76851e9b8 7.0/RPMS/inews-2.2.3-1mdk.i586.rpm 18afe1cbd3340f059d2762f9e3d642dd 7.0/RPMS/inn-2.2.3-1mdk.i586.rpm f573433ad19ca6e1de591d73fe92ad52 7.0/RPMS/inn-devel-2.2.3-1mdk.i586.rpm 0295f03b4b45b26ddc05f06e81603fba 7.0/SRPMS/inn-2.2.3-1mdk.src.rpm

Linux-Mandrake 7.1: 1ca85a595222542fc6a5932c58828d3e 7.1/RPMS/inews-2.2.3-1mdk.i586.rpm f3d4471afbb49bca81cb30c301e111f7 7.1/RPMS/inn-2.2.3-1mdk.i586.rpm d386b423d391343c9a627eb69773d657 7.1/RPMS/inn-devel-2.2.3-1mdk.i586.rpm 0295f03b4b45b26ddc05f06e81603fba 7.1/SRPMS/inn-2.2.3-1mdk.src.rpm ________________________________________________________________________

To upgrade automatically, use MandrakeUpdate.

If you want to upgrade manually, download the updated package from one of our FTP server mirrors and upgrade with "rpm -Uvh package_name".

You can download the updates directly from:

ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates

Or try one of the other mirrors listed at:

http://www.linux-mandrake.com/en/ftp.php3.

Updated packages are available in the "updates/[ver]/RPMS/" directory. For example, if you are looking for an updated RPM package for Linux-Mandrake 7.1, look for it in "updates/7.1/RPMS/". Updated source RPMs are available as well, but you generally do not need to download them.

Please be aware that sometimes it takes the mirrors a few hours to update, so if you want an immediate upgrade, please use one of the two above-listed mirrors.

You can view other security advisories for Linux-Mandrake at:

http://www.linux-mandrake.com/en/fupdates.php3

If you want to report vulnerabilities, please contact

security@linux-mandrake.com
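
The three conditions named in the problem description (verifycancels enabled in /etc/news/inn.conf, inews installed setgid, rnews installed setuid) can be checked on a host with a short script. This is an added example, not part of the Mandrake advisory; the "key: value" parsing of inn.conf, the accepted boolean spellings and the caller-supplied binary paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): check a host for the three
# conditions MDKSA-2000:023 names. Assumptions: inn.conf holds
# "key: value" lines with "#" comments, true/yes/on mean enabled, the
# last setting wins, and the caller supplies the inews/rnews paths.

# Return 0 if verifycancels is enabled in the inn.conf given as $1.
verifycancels_enabled() {
    [ -r "$1" ] || return 1
    val=$(sed -e 's/#.*//' "$1" |
        awk -F: '$1 ~ /^[ \t]*verifycancels[ \t]*$/ { v = $2 } END { print v }' |
        tr -d ' \t' | tr 'A-Z' 'a-z')
    case "$val" in
        true|yes|on) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: audit_inn INN_CONF INEWS_PATH RNEWS_PATH
# Prints one line per finding and returns the number of findings.
audit_inn() {
    conf=$1; inews=$2; rnews=$3; findings=0
    if verifycancels_enabled "$conf"; then
        echo "FINDING: verifycancels is enabled in $conf"
        findings=$((findings + 1))
    fi
    if [ -g "$inews" ]; then
        echo "FINDING: $inews is setgid"
        findings=$((findings + 1))
    fi
    if [ -u "$rnews" ]; then
        echo "FINDING: $rnews is setuid"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample tree (not real system files), used with no arguments.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' 'verifycancels: true' > "$d/inn.conf"
    : > "$d/inews"; : > "$d/rnews"
    chmod 2755 "$d/inews"; chmod 4755 "$d/rnews"
    audit_inn "$d/inn.conf" "$d/inews" "$d/rnews"; rc=$?
    rm -rf "$d"
    return "$rc"
}

if [ "$#" -eq 3 ]; then audit_inn "$@"; else demo || :; fi
```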