Linux-Mandrake Security Update Advisory: exmh update
Jan 26, 2001, 20:47
Date: Fri, 26 Jan 2001 11:37:03 -0700
From: Linux Mandrake Security Team firstname.lastname@example.org
To: Linux Mandrake Security Announcements
Subject: [Security Announce] MDKSA-2001:015 - exmh update
Linux-Mandrake Security Update Advisory
Package name: exmh
Date: January 26th, 2001
Advisory ID: MDKSA-2001:015
Affected versions: 6.0, 6.1, 7.0, 7.1, 7.2, Corporate Server 1.0.1
All versions of exmh prior to 2.3.1 use the /tmp directory for
storing temporary files. This was done in an insecure manner as
exmh did not check to ensure that nobody placed a symlink with the
same name in /tmp in the meantime and thus was vulnerable to a
symlink attack. This could lead to a malicious local user being
able to overwrite any file writable by the user executing exmh.
These updated versions of exmh now use /tmp/username unless TMPDIR
or EXMHTMPDIR is set.
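The per-user directory and the missing symlink check described above, shown in Python as an added example; this is not exmh's own code (exmh is written in Tcl/Tk). The function names, the precedence of EXMHTMPDIR over TMPDIR, trusting an override as-is, and the constructed sandbox standing in for /tmp are assumptions.

```python
import getpass
import os
import stat
import tempfile

def private_tmpdir(base="/tmp", env=os.environ, user=None):
    """Pick the scratch directory and refuse one another user could control."""
    # Assumption: EXMHTMPDIR is consulted before TMPDIR (the advisory names
    # both variables but not their precedence) and an override is trusted.
    override = env.get("EXMHTMPDIR") or env.get("TMPDIR")
    if override:
        return override
    path = os.path.join(base, user or getpass.getuser())
    try:
        os.mkdir(path, 0o700)      # atomic; fails if any entry already exists
    except FileExistsError:
        pass
    st = os.lstat(path)            # lstat inspects the entry, not a link target
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{path} is not a real directory")
    if st.st_uid != os.getuid() or st.st_mode & 0o077:
        raise PermissionError(f"{path} is not private to this user")
    return path

def create_private_file(directory, name):
    """Create a new file; O_EXCL fails on any existing entry, symlinks included."""
    fd = os.open(os.path.join(directory, name),
                 os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    return os.fdopen(fd, "w")

def demo():
    """Constructed sandbox standing in for /tmp; returns what happened."""
    sandbox = tempfile.mkdtemp()
    victim = os.path.join(sandbox, "victim.txt")
    with open(victim, "w") as f:
        f.write("important")
    scratch = private_tmpdir(base=sandbox, env={}, user="alice")
    # A link left in the shared directory under the name the program will use.
    os.symlink(victim, os.path.join(sandbox, "draft"))
    try:
        create_private_file(sandbox, "draft").close()
        refused = False
    except FileExistsError:
        refused = True
    with open(victim) as f:
        return scratch, refused, f.read()

if __name__ == "__main__":
    print(demo())
```

The directory check uses `lstat` so that a symlink sitting at `/tmp/username` is rejected rather than followed, and file creation uses `O_EXCL` so an existing name is never reused.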
Please verify the update prior to upgrading to ensure the integrity
of the downloaded package. You can do this with the command:
rpm --checksig package.rpm
You can get the GPG public key of the Linux-Mandrake Security Team
If you use MandrakeUpdate, the verification of md5 checksum and GPG
signature is performed automatically for you.
Corporate Server 1.0.1:
To upgrade automatically, use
If you want to upgrade manually, download the updated package
from one of our FTP server mirrors and upgrade with "rpm -Uvh
You can download the updates directly from:
Or try one of the other mirrors listed at:
Updated packages are available in the "updates/[ver]/RPMS/"
directory. For example, if you are looking for an updated RPM
package for Linux-Mandrake 7.1, look for it in "updates/7.1/RPMS/".
Updated source RPMs are available as well, but you generally do not
need to download them.
Please be aware that sometimes it takes the mirrors a few hours
to update, so if you want an immediate upgrade, please use one of
the two above-listed mirrors.
You can view other security advisories for Linux-Mandrake
If you want to report vulnerabilities, please contact
Linux-Mandrake has two security-related mailing list services
that anyone can subscribe to:
Linux-Mandrake's security announcements mailing list. Only
announcements are sent to this list and it is read-only.
Linux-Mandrake's security discussion mailing list. This list is
open to anyone to discuss Linux-Mandrake security specifically and
Linux security in general.
To subscribe to either list, send a message to email@example.com with
"subscribe [listname]" in the body of the message.
To remove yourself from either list, send a message to firstname.lastname@example.org with
"unsubscribe [listname]" in the body of the message.
To get more information on either list, send a message to
"info [listname]" in the body of the message.
Optionally, you can use the web interface to subscribe to or
unsubscribe from either list: