[2345] in linux-security and linux-alert archive
[linux-security] Re: [RHSA-2000:005-05] New majordomo packages available
daemon@ATHENA.MIT.EDU (Robert E. Wijnberg)
Thu Jun 1 06:16:39 2000
Message-ID: <39353748.A04F471E@wijnberg.net>
Date: Wed, 31 May 2000 18:01:12 +0200
From: "Robert E. Wijnberg" <rob@wijnberg.net>
MIME-Version: 1.0
To: redhat-watch-list@redhat.com
CC: linux-security@redhat.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Resent-From: linux-security@redhat.com
Please fix this link into:
intel:
ftp://ftp.redhat.com/pub/redhat/updates/powertools/6.1/i386/majordomo-1.94.5-2.i386.rpm
alpha:
ftp://ftp.redhat.com/pub/redhat/updates/powertools/6.1/alpha/majordomo-1.94.5-2.alpha.rpm
sparc:
ftp://ftp.redhat.com/pub/redhat/updates/powertools/6.1/sparc/majordomo-1.94.5-2.sparc.rpm
sources:
ftp://ftp.redhat.com/pub/redhat/updates/powertools/6.1/SRPMS/majordomo-1.94.5-2.src.rpm
bugzilla@redhat.com wrote:
>
> ---------------------------------------------------------------------
> Red Hat, Inc. Security Advisory
>
> Synopsis: New majordomo packages available
> Advisory ID: RHSA-2000:005-05
> Issue date: 2000-01-20
> Updated on: 2000-05-31
> Product: Red Hat Powertools
> Keywords: majordomo
> Cross references: N/A
> ---------------------------------------------------------------------
>
> 1. Topic:
>
> New majordomo packages are available to fix local security problems in majordomo.
>
> 2. Relevant releases/architectures:
>
> Red Hat Powertools 6.1 - i386 alpha sparc
>
> 3. Problem description:
>
> A vulnerability in /usr/lib/majordomo/resend and /usr/lib/majordomo/wrapper will allow execution of arbitrary commands with elevated privileges.
>
> It is recommended that all users of Red Hat Linux using the majordomo package upgrade to the fixed package, which will resolve the vulnerability in /usr/lib/majordomo/resend. To secure /usr/lib/majordomo/wrapper, please read the solution section below.
>
> Once an official patch has been released by the majordomo maintainers, we will release an updated package which will fix both vulnerabilities.
>
> 4. Solution:
>
> For each RPM for your particular architecture, run:
>
> rpm -Fvh [filename]
>
> where filename is the name of the RPM.
>
> Once the package is installed, become "root" and execute this command:
>
> chmod o-x /usr/lib/majordomo/wrapper
>
> 5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
>
> N/A
>
> 6. RPMs required:
>
> Red Hat Powertools 6.1:
>
> intel:
> ftp://ftp.redhat.com/redhat/updates/powertools/6.1/i386/majordomo-1.94.5-2.i386.rpm
>
> alpha:
> ftp://ftp.redhat.com/redhat/updates/powertools/6.1/alpha/majordomo-1.94.5-2.alpha.rpm
>
> sparc:
> ftp://ftp.redhat.com/redhat/updates/powertools/6.1/sparc/majordomo-1.94.5-2.sparc.rpm
>
> sources:
> ftp://ftp.redhat.com/redhat/updates/powertools/6.1/SRPMS/majordomo-1.94.5-2.src.rpm
>
> 7. Verification:
>
> MD5 sum Package Name
> --------------------------------------------------------------------------
> ad994a1742d90a593b8ecfbf52634cd7 6.1/SRPMS/majordomo-1.94.5-2.src.rpm
> 8c829a13c2229060c899ffdc7e7db38c 6.1/alpha/majordomo-1.94.5-2.alpha.rpm
> f0e22f364abcbe4c217f2b8eb180037d 6.1/i386/majordomo-1.94.5-2.i386.rpm
> 89e327c6c92acc97db34e541f34c0c67 6.1/sparc/majordomo-1.94.5-2.sparc.rpm
>
> These packages are GPG signed by Red Hat, Inc. for security. Our key
> is available at:
> http://www.redhat.com/corp/contact.html
>
> You can verify each package with the following command:
> rpm --checksig <filename>
>
> If you only wish to verify that each package has not been corrupted or
> tampered with, examine only the md5sum with the following command:
> rpm --checksig --nogpg <filename>
>
> 8. References:
>
> Thanks to Brock Tellier at btellier@USA.NET for noting the vulnerability in resend, to Shevek at shevek@anarres.org and Olaf Kirch at okir@monad.swb.de for noting the vulnerability in the wrapper.
>
--
\\\///
/ _ _ \
(| (.)(.) |)
-------------------------.OOOo--()--oOOO.-------------------------
pub 768/FE7D0209 1998/06/26 Robert E.Wijnberg <rob@wijnberg.net>
Key fingerprint = AA 01 89 69 C0 D1 54 1A EB 36 45 73 A3 12 F4 9A
------------------------------------------------------------------
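
A post-upgrade check for the steps in the quoted advisory, as an added example that is not part of the original message or of Red Hat's advisory: it compares a downloaded package's MD5 sum with the value listed in section 7 and reports whether the wrapper is still executable by "other". The function names are made up for this example, and md5sum and find are assumed to be installed; the MD5 comparison does not replace the signature check done by rpm --checksig.

```shell
#!/bin/sh
# Added example: checks for the RHSA-2000:005-05 steps. Function names are
# hypothetical; the MD5 sums and the wrapper path are copied from the advisory.

# Print the advisory's MD5 sum for a package file name (section 7).
advisory_md5() {
    case "$(basename "$1")" in
        majordomo-1.94.5-2.src.rpm)   echo ad994a1742d90a593b8ecfbf52634cd7 ;;
        majordomo-1.94.5-2.alpha.rpm) echo 8c829a13c2229060c899ffdc7e7db38c ;;
        majordomo-1.94.5-2.i386.rpm)  echo f0e22f364abcbe4c217f2b8eb180037d ;;
        majordomo-1.94.5-2.sparc.rpm) echo 89e327c6c92acc97db34e541f34c0c67 ;;
        *) return 1 ;;                 # not a package named in this advisory
    esac
}

# Return 0 only if the file's MD5 sum equals the advisory's value for its name.
package_matches_advisory() {
    want=$(advisory_md5 "$1") || return 2
    got=$(md5sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ "$got" = "$want" ]
}

# Return 0 if the "other" execute bit is set, i.e. chmod o-x was not applied.
other_can_execute() {
    [ -n "$(find "$1" -prune -perm -0001 2>/dev/null)" ]
}

# Report on the wrapper named in the advisory (or on a path given as $1).
audit_wrapper() {
    w=${1:-/usr/lib/majordomo/wrapper}
    if [ ! -e "$w" ]; then
        echo "absent: $w"
        return 0
    fi
    if other_can_execute "$w"; then
        echo "EXPOSED: $w is executable by other; run: chmod o-x $w"
        return 1
    fi
    echo "ok: $w is not executable by other"
}

# Usage after sourcing this file:
#   package_matches_advisory ./majordomo-1.94.5-2.i386.rpm && echo "md5 ok"
#   audit_wrapper
```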