Linux-Mandrake Security Update Advisory: Package name: man
Jul 07, 2000, 19:44 (0 Talkback[s])
(Other stories by Vincent Danen)
Desktop-as-a-Service Designed for Any Cloud ? Nutanix Frame
Date: Fri, 7 Jul 2000 09:41:01 -0600
From: Vincent Danen vdanen@MANDRAKESOFT.COM
Subject: [Security Announce] man update
Linux-Mandrake Security Update Advisory.
Date: July 7th, 2000
Package name: man
Affected versions: 6.0, 6.1, 7.0, 7.1
Problem: Internet Security Systems (ISS) X-Force has identified
a vulnerability in the makewhatis Bourne shell script that ships
with many Linux distributions. It is found in versions 1.5e and
higher of man, and handles temporary files insecurely. Local users
may gain a variety of privileges depending on the complexity of the
exploit. The mode of any file on the system can be changed to 0700.
Any file on the system may be created or overwritten as root. Local
users may also be able to read any system file by forcing a copy of
it into the whatis database.
Please upgrade to:
To upgrade automatically, use « MandrakeUpdate ». If
you want to upgrade manually, download the updated package from one
of our FTP server mirrors and uprade with "rpm -Uvh package_name".
All mirrors are listed on http://www.mandrake.com/en/ftp.php3.
Updated packages are available in the "updates/" directory.
For example, if you are looking for an updated RPM package for
Mandrake 7.1, look for it in: updates/7.1/RPMS/
- We give the md5 sum for each package. It lets you check the
integrity of the downloaded package by running the md5sum command
on the package ("md5sum package.rpm").
- You generally do not need to download the source package with a
- All the updated packages are listed on the website on http://www.linux-mandrake.com/en/fupdates.php3
- To subscribe/unsubscribe from the "security-announce" list and
subscribe/unsubscribe from the "security-discuss" list see: