Originally Published: Friday, 7 July 2000 Author: Alexander Reelsen
Published to: news_enhance_security/Security News Page: 1/1 - [Std View]

Linux-Mandrake Security Update Advisory - man

Mandrake announced a security update concerning the man package. The makewhatis shell script handles temporary files insecurely. New packages are now downloadable.

Date: Fri, 7 Jul 2000 09:41:01 -0600 From: Vincent Danen To: security-announce@linux-mandrake.com Subject: [Security Announce] man update

_____________________________________________________________________

Linux-Mandrake Security Update Advisory. _____________________________________________________________________

Date: July 7th, 2000

Package name: man

Affected versions: 6.0, 6.1, 7.0, 7.1

Problem: Internet Security Systems (ISS) X-Force has identified a vulnerability in the makewhatis Bourne shell script that ships with many Linux distributions. It is found in versions 1.5e and higher of man, and handles temporary files insecurely. Local users may gain a variety of privileges depending on the complexity of the exploit. The mode of any file on the system can be changed to 0700. Any file on the system may be created or overwritten as root. Local users may also be able to read any system file by forcing a copy of it into the whatis database.

Please upgrade to:

md5sum: f4f87cab84a716a2ccb8c74b3325c0c9 6.0/RPMS/man-1.5g-15mdk.i586.rpm md5sum: 52d021732aa09d517eeff8b60d427a69 6.0/SRPMS/man-1.5g-15mdk.src.rpm md5sum: 2b01457036a6813fa616adbca97fcb36 6.1/RPMS/man-1.5g-15mdk.i586.rpm md5sum: 52d021732aa09d517eeff8b60d427a69 6.1/SRPMS/man-1.5g-15mdk.src.rpm md5sum: ea883685faa409148f9b55c442a0438c 7.0/RPMS/man-1.5g-15mdk.i586.rpm md5sum: 52d021732aa09d517eeff8b60d427a69 7.0/SRPMS/man-1.5g-15mdk.src.rpm md5sum: fbc1b9e04d75f267650f291d99f467f1 7.1/RPMS/man-1.5g-15mdk.i586.rpm md5sum: 52d021732aa09d517eeff8b60d427a69 7.1/SRPMS/man-1.5g-15mdk.src.rpm

To upgrade automatically, use MandrakeUpdate . If you want to upgrade manually, download the updated package from one of our FTP server mirrors and uprade with "rpm -Uvh package_name". All mirrors are listed on http://www.mandrake.com/en/ftp.php3. Updated packages are available in the "updates/" directory.

For example, if you are looking for an updated RPM package for Mandrake 7.1, look for it in: updates/7.1/RPMS/

Notes: - We give the md5 sum for each package. It lets you check the integrity of the downloaded package by running the md5sum command on the package ("md5sum package.rpm"). - You generally do not need to download the source package with a .src.rpm suffix - All the updated packages are listed on the website on http://www.linux-mandrake.com/en/fupdates.php3 - To subscribe/unsubscribe from the "security-announce" list and subscribe/unsubscribe from the "security-discuss" list see: http://www.linux-mandrake.com/en/flists.php3#security