Linux Today: Linux News On Internet Time.
SOT Linux Advisory: gdm2, perl

Aug 28, 2003, 15:51

[ Thanks to SOT Security Team for these advisories. ]


SOT Linux Security Advisory

Subject: Updated gdm2 package for SOT Linux 2003
Advisory ID: SLSA-2003:37
Date: Tuesday, August 26, 2003
Product: SOT Linux 2003

1. Problem description

GDM is the GNOME Display Manager for X.

Versions of GDM prior to 2.4.1.6 contain a bug where GDM runs as root while examining the ~/.xsession-errors file through the "examine session errors" feature, allowing a local user to read any text file on the system by replacing that file with a symlink. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2003-0547 to this issue.

Also addressed by these errata packages are two problems in the X Display Manager Control Protocol (XDMCP) which allow a denial of service (DoS) attack by crashing the gdm daemon. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the names CAN-2003-0548 and CAN-2003-0549 to these issues.

Users of GDM are advised to upgrade to these errata packages.

2. Updated packages

SOT Linux 2003 Desktop:

i386:
ftp://ftp.sot.com/updates/2003/Desktop/i386/gdm2-2.4.1.3-2.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2003/Desktop/SRPMS/gdm2-2.4.1.3-2.src.rpm

SOT Linux 2003 Server:

i386:
ftp://ftp.sot.com/updates/2003/Server/i386/gdm2-2.4.1.3-2.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2003/Server/SRPMS/gdm2-2.4.1.3-2.src.rpm

3. Upgrading package

Before applying this update, make sure all previously released errata relevant to your system have been applied.

Use up2date to automatically upgrade the fixed packages.

If you want to upgrade manually, download the updated package from the SOT Linux FTP site (use the links above) or from one of our mirrors. The list of mirrors can be obtained at www.sot.com/en/linux.

Update the package with the following command: rpm -Uvh <filename>

4. Verification

All packages are PGP signed by SOT for security.

You can verify each package with the following command: rpm --checksig <filename>

If you wish to verify the integrity of the downloaded package, run "md5sum <filename>" and compare the output with data given below.

Package Name                            MD5 sum
/Desktop/i386/gdm2-2.4.1.3-2.i386.rpm   8c84f306490f3781821ec08d45bd84f3
/Desktop/SRPMS/gdm2-2.4.1.3-2.src.rpm   3c8f5b2c67554648a4c8a2c781c50afc
/Server/i386/gdm2-2.4.1.3-2.i386.rpm    8c84f306490f3781821ec08d45bd84f3
/Server/SRPMS/gdm2-2.4.1.3-2.src.rpm    3c8f5b2c67554648a4c8a2c781c50afc

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0547
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0548
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0549

Copyright(c) 2001-2003 SOT


SOT Linux Security Advisory

Subject: Updated perl package for SOT Linux 2003
Advisory ID: SLSA-2003:39
Date: Wednesday, August 27, 2003
Product: SOT Linux 2003

1. Problem description

Perl is a high-level interpreted programming language well known for its flexibility and ability to work with text streams.

obscure@eyeonsecurity.org reported a cross-site scripting vulnerability in the CGI.pm Perl module. This module is used to facilitate the creation of web forms and is part of the perl-modules RPM package.

It is recommended that all users of the CGI.pm module upgrade their packages.

2. Updated packages

SOT Linux 2003 Desktop:

i386:
ftp://ftp.sot.com/updates/2003/Desktop/i386/perl-5.8.0-3.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2003/Desktop/SRPMS/perl-5.8.0-3.src.rpm

SOT Linux 2003 Server:

i386:
ftp://ftp.sot.com/updates/2003/Server/i386/perl-5.8.0-3.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2003/Server/SRPMS/perl-5.8.0-3.src.rpm

3. Upgrading package

Before applying this update, make sure all previously released errata relevant to your system have been applied.

Use up2date to automatically upgrade the fixed packages.

If you want to upgrade manually, download the updated package from the SOT Linux FTP site (use the links above) or from one of our mirrors. The list of mirrors can be obtained at www.sot.com/en/linux.

Update the package with the following command: rpm -Uvh <filename>

4. Verification

All packages are PGP signed by SOT for security.

You can verify each package with the following command: rpm --checksig <filename>

If you wish to verify the integrity of the downloaded package, run "md5sum <filename>" and compare the output with data given below.

Package Name                            MD5 sum
/Desktop/i386/perl-5.8.0-3.i386.rpm     b6dcb1281ed82092fa5ad416ceee92e6
/Desktop/SRPMS/perl-5.8.0-3.src.rpm     fbb3d13a704067d50571236a2c151f03
/Server/i386/perl-5.8.0-3.i386.rpm      b6dcb1281ed82092fa5ad416ceee92e6
/Server/SRPMS/perl-5.8.0-3.src.rpm      fbb3d13a704067d50571236a2c151f03
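The manual upgrade path in sections 3 and 4 of both advisories (download, compare the MD5 sum with the published table, check the PGP signature, then rpm -Uvh) as an added POSIX shell example; this is not SOT's own script. It assumes md5sum, awk, basename and rpm are on PATH, that SOT's public key has been imported into the rpm keyring, and it copies the MD5 tables from the two advisories verbatim.

```shell
#!/bin/sh
# Added example, not part of the SOT advisories: automate the manual path
# in sections 3 and 4. The MD5 table below is copied from the advisories.
# Assumes md5sum, awk, basename and rpm are on PATH and that SOT's PGP
# public key is already imported, otherwise rpm --checksig cannot pass.

# Expected MD5 sum for a package file name, as published in the advisories.
# Returns 1 for any file name the advisories do not list.
advisory_md5() {
    case "$1" in
        gdm2-2.4.1.3-2.i386.rpm) echo 8c84f306490f3781821ec08d45bd84f3 ;;
        gdm2-2.4.1.3-2.src.rpm)  echo 3c8f5b2c67554648a4c8a2c781c50afc ;;
        perl-5.8.0-3.i386.rpm)   echo b6dcb1281ed82092fa5ad416ceee92e6 ;;
        perl-5.8.0-3.src.rpm)    echo fbb3d13a704067d50571236a2c151f03 ;;
        *) return 1 ;;
    esac
}

# Compare a file's MD5 sum with an expected value: 0 on match, 1 otherwise.
md5_matches() {
    actual=$(md5sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# Check a downloaded package against the advisory table. A file that is
# not listed is rejected rather than silently skipped.
verify_advisory_md5() {
    file=$1
    expected=$(advisory_md5 "$(basename "$file")") || {
        echo "REJECT: $file is not listed in the advisory" >&2
        return 1
    }
    if md5_matches "$file" "$expected"; then
        echo "MD5 OK: $file"
        return 0
    fi
    echo "MD5 MISMATCH: $file (expected $expected)" >&2
    return 1
}

# Gate the install: MD5 against the advisory, then SOT's PGP signature via
# rpm --checksig, and only then rpm -Uvh. Any failure stops the chain.
install_checked() {
    verify_advisory_md5 "$1" && rpm --checksig "$1" && rpm -Uvh "$1"
}

# Usage: sh check-update.sh gdm2-2.4.1.3-2.i386.rpm
if [ "$#" -gt 0 ]; then
    install_checked "$1"
fi
```

The MD5 table only detects a corrupted or swapped download; the signature check is what ties the package to SOT, so a passing md5sum never replaces rpm --checksig.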

5. References

http://eyeonsecurity.org/advisories/CGI.pm/adv.html

Copyright(c) 2001-2003 SOT