[530] in linux-security and linux-alert archive
(fwd) CERT Vendor-Initiated Bulletin VB-95:10 - Vulnerability in elm 2.4 (fwd)
daemon@ATHENA.MIT.EDU (Joel Maslak)
Wed Dec 20 02:42:27 1995
Date: Tue, 19 Dec 1995 13:49:59 -0700 (MST)
From: Joel Maslak <j@pobox.com>
To: linux-security@tarsier.cv.nrao.edu
-----BEGIN PGP SIGNED MESSAGE-----
This definitely affects Slackware 3.0.
Joel Maslak
Today's dreams WILL become tomorrow's realities!
- - ---------- Forwarded message ----------
Relay-Version: ANU News - V6.1B10 04/18/95 OpenVMS AXP V6.2; site roper.uwyo.edu
Path: roper.uwyo.edu!csn!nntp-xfer-2.csn.net!uucp-1.csn.net!csn!magnus.acs.ohio-state.edu!math.ohio-state.edu!cis.ohio-state.edu!nntp.sei.cmu.edu!news.sei.cmu.edu!cert-advisory
Newsgroups: comp.security.announce
Subject: CERT Vendor-Initiated Bulletin VB-95:10 - Vulnerability in elm 2.4
Message-ID: <1995Dec18.155615.22980@sei.cmu.edu>
From: CERT Bulletin <cert-advisory@cert.org>
Date: Mon, 18 Dec 1995 15:56:15 EST
Reply-To: cert-advisory-request@cert.org
Sender: netnews@sei.cmu.edu (Netnews)
Organization: CERT(sm) Coordination Center - +1 412-268-7090
Keywords: security CERT
Approved: cert-advisory@cert.org
Originator: cert-advisory@why.cert.org
Lines: 164
CERT Vendor-Initiated Bulletin VB-95:10
December 18, 1995
Topic: Vulnerability in elm 2.4 PL 24
Source: Bill Pemberton, University of Virginia
To aid in the wide distribution of essential security information, the CERT
Coordination Center is forwarding the following information from Bill
Pemberton, who is the coordinator of the group that maintains elm. Mr.
Pemberton urges you to act on this information as soon as possible. His
contact information is included in the forwarded text below; please contact
him if you have any questions or need further information.
========================FORWARDED TEXT STARTS HERE============================
I. Description
Elm will follow symlinks in /tmp when opening temp files. All systems that
support symlinks are vulnerable.
II. Impact
Users on the system can create files in the directories of other elm users.
You can determine what version of elm you are running with the -v command line
option (run "elm -v").
III. Solution
Upgrade to elm 2.4 PL 25. The patch to upgrade from elm 2.4 PL 24 to PL 25
is available at:
ftp://ftp.myxa.com/pub/elm/elm2.4.p25
MD5 (elm2.4.p25) = 5ec93595c7573be4d0cb4ce7097b6e83
The full distribution of elm 2.4 PL 25 is available at:
ftp://ftp.myxa.com/pub/elm/elm2.4.tar.Z
MD5 (elm2.4.tar.Z) = e5bdc4492a4931402c57ac9a8cf111b2
IV. Contact information
Bill Pemberton wfp5p@virginia.edu
ITC/Unix Systems flash@virginia.edu
University of Virginia uunet!virginia!wfp5p
=========================FORWARDED TEXT ENDS HERE=============================
CERT publications, information about FIRST representatives, and
other information related to computer security are available for anonymous
FTP from info.cert.org.
CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce. If you would like to have future advisories and
bulletins mailed to you or to a mail exploder at your site, please send mail
to cert-advisory-request@cert.org.
If you wish to send sensitive incident or vulnerability information to
CERT staff by electronic mail, we strongly advise that the e-mail be
encrypted. The CERT Coordination Center can support a shared DES key, PGP
(public key available via anonymous FTP on info.cert.org), or PEM (contact
CERT staff for details).
Internet email: cert@cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
and are on call for emergencies during other hours.
Fax: +1 412-268-6989
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
USA
CERT is a service mark of Carnegie Mellon University.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMNclbw997Hm3GXY1AQGnUgP/XC7c05JlPbx5Vr0XArzyds9SrTDu0ljA
/3/WFo9IHZk5sL5xByjVL31re5iUDWd4aB3i6JX/3DLbYjOVw6pbHJ2q0hgQN9D3
wEruDZWyO+POunsW7xy+d87Sx4Y77stGB17MaxltsMvbgVRFQLYnZfguylF38x1W
Ugf2CBnKoTg=
=ZoCt
-----END PGP SIGNATURE-----
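
The symlink-following pattern from section I of the bulletin beside the usual hardened form, as an added example: this is not elm's source or the PL 25 patch. The function names, the file name demo.tmp and the scratch directory are assumptions constructed for the illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the bulletin describes: open a predictable temp name and follow
   whatever already sits there. Illustrative only, not elm's code. */
int open_tmp_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened form: O_EXCL makes creation fail if the name exists at all,
   including a dangling symlink; O_NOFOLLOW is defense in depth. */
int open_tmp_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario inside a private 0700 scratch directory: a symlink
   named like the temp file points at "target", which does not exist yet.
   Returns 1 if the open created target through the link, 0 if it did not,
   -1 if the scenario could not be set up. */
int link_followed(int (*opener)(const char *)) {
    char dir[] = "/tmp/symlink-demo-XXXXXX";
    char tmp[128], target[128];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(tmp, sizeof tmp, "%s/demo.tmp", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, tmp) != 0) { rmdir(dir); return -1; }
    int fd = opener(tmp);
    if (fd >= 0) close(fd);
    int created = (stat(target, &st) == 0);
    unlink(target);   /* clean up; failure is fine if it was never created */
    unlink(tmp);
    rmdir(dir);
    return created;
}

int main(void) {
    printf("naive open followed link: %d\n", link_followed(open_tmp_naive));
    printf("safe open followed link:  %d\n", link_followed(open_tmp_safe));
    return 0;
}
```

On systems that provide it, mkstemp() gives the same exclusive-create guarantee together with an unpredictable name.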