Home Security

Red Hat Security Advisory: New openldap packages

By

April 23, 2000

Date: Fri, 21 Apr 2000 14:29:51 -0400
From: Cristian Gafton gafton@REDHAT.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: SECURITY: [RHSA-2000:012] New openldap packages
available

Red Hat, Inc. Security Advisory

Synopsis: New openldap packages.
Advisory ID: RHSA-2000:012-05
Issue date: 2000-04-13
Updated on: 2000-04-21
Product: Red Hat Linux
Keywords: openldap startup symlink overwrite denial
Cross references: N/A

1. Topic:

New openldap packages are available which fix a security
vulnerability in Red Hat Linux 6.1 and 6.2.

2. Relevant releases/architectures:

Red Hat Linux 6.1 – i386 alpha sparc
Red Hat Linux 6.2 – i386 alpha sparc

3. Problem description:

OpenLDAP follows symbolic links when creating files. The default
location for these files is /usr/tmp, which is a symlink to /tmp,
which in turn is a world-writable directory. Local users can
destroy the contents of any file on any mounted filesystem.

4. Solution:

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.

Administrators with existing databases should also move their
NEXTID and *.dbb files from /usr/tmp to /var/lib/ldap, and verify
that the ‘directory’ setting in /etc/openldap/slapd.conf is changed
accordingly.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla
for more info):

10714 – Insecure file creation using static files which follow
symlinks.

6. Obsoleted by:

N/A

7. Conflicts with:

N/A

8. RPMs required:

Red Hat Linux 6.1:

intel:
ftp://updates.redhat.com/6.1/i386/openldap-1.2.9-6.i386.rpm

alpha:
ftp://updates.redhat.com/6.1/alpha/openldap-1.2.9-6.alpha.rpm

sparc:
ftp://updates.redhat.com/6.1/sparc/openldap-1.2.9-6.sparc.rpm

sources:
ftp://updates.redhat.com/6.1/SRPMS/openldap-1.2.9-6.src.rpm

Red Hat Linux 6.2:

intel:
ftp://updates.redhat.com/6.2/i386/openldap-1.2.9-6.i386.rpm

alpha:
ftp://updates.redhat.com/6.2/alpha/openldap-1.2.9-6.alpha.rpm

sparc:
ftp://updates.redhat.com/6.2/sparc/openldap-1.2.9-6.sparc.rpm

sources:
ftp://updates.redhat.com/6.2/SRPMS/openldap-1.2.9-6.src.rpm

9. Verification:

MD5 sum                           Package Name

fa79c61565a72407db4695ef8468a482 6.1/alpha/openldap-1.2.9-6.alpha.rpm
058c4aa63710da7490f98da4b3cad53d 6.1/i386/openldap-1.2.9-6.i386.rpm
17fbdb33172a7884f56b4fc746b1b763 6.1/SRPMS/openldap-1.2.9-6.src.rpm
816fccd85990833f7c5dfb7f2dc6e0a1 6.1/sparc/openldap-1.2.9-6.sparc.rpm
fa79c61565a72407db4695ef8468a482 6.2/alpha/openldap-1.2.9-6.alpha.rpm
816fccd85990833f7c5dfb7f2dc6e0a1 6.2/sparc/openldap-1.2.9-6.sparc.rpm
17fbdb33172a7884f56b4fc746b1b763 6.2/SRPMS/openldap-1.2.9-6.src.rpm
058c4aa63710da7490f98da4b3cad53d 6.2/i386/openldap-1.2.9-6.i386.rpm

These packages are GPG signed by Red Hat, Inc. for security. Our
key is available at:
http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
rpm –checksig

If you only wish to verify that each package has not been
corrupted or tampered with, examine only the md5sum with the
following command:
rpm –checksig –nogpg

10. References:

Thanks also go to Stan Bubrouski for reporting this problem.

Cristian

Complete Story

Previous articleCRN: Interest in Linux on System 390 catches IBM off guard

Next articlesendmail.net: Email and the IETF: Notes from Adelaide

Red Hat Security Advisory: New openldap packages

Get the Free Newsletter!

Must Read

How to Install Docker on Ubuntu 24.04

How to Install Freenginx on Ubuntu (Ultimate Guide)

How to Install KDE Plasma in Ubuntu, Debian and Mint

How to Install LAMP on Ubuntu 24.04

Bat is a Modern Drop-in Replacement for Cat Command on Linux

Our Brands