Linux Today: Linux News On Internet Time.

Linux-Mandrake Security Update Advisory: exmh update

Jan 26, 2001, 20:47 (0 Talkback[s])

Date: Fri, 26 Jan 2001 11:37:03 -0700
From: Linux Mandrake Security Team security@linux-mandrake.com
To: Linux Mandrake Security Announcements security-announce@linux-mandrake.com
Subject: [Security Announce] MDKSA-2001:015 - exmh update

                Linux-Mandrake Security Update Advisory

Package name:           exmh
Date:                   January 26th, 2001
Advisory ID:            MDKSA-2001:015

Affected versions:      6.0, 6.1, 7.0, 7.1, 7.2, Corporate Server 1.0.1

Problem Description:

All versions of exmh prior to 2.3.1 use the /tmp directory for storing temporary files. This was done in an insecure manner as exmh did not check to ensure that nobody placed a symlink with the same name in /tmp in the meantime and thus was vulnerable to a symlink attack. This could lead to a malicious local user being able to overwrite any file writable by the user executing exmh. These updated versions of exmh now use /tmp/username unless TMPDIR or EXMHTMPDIR is set.

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:
rpm --checksig package.rpm
You can get the GPG public key of the Linux-Mandrake Security Team at
If you use MandrakeUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.

Linux-Mandrake 6.0:
df41f52609427ea68a23cabec9e5ecdf 6.0/RPMS/exmh-2.0.2-8.1mdk.noarch.rpm
8a2a479d1ed9a982e97745d62cd22a31 6.0/SRPMS/exmh-2.0.2-8.1mdk.src.rpm

Linux-Mandrake 6.1:
2d5601696033fb25e51712f2d510467f 6.1/RPMS/exmh-2.0.3-8.1mdk.noarch.rpm
92ca9c194cc6114f75ba33041a425330 6.1/SRPMS/exmh-2.0.3-8.1mdk.src.rpm

Linux-Mandrake 7.0:
236ee27fb0498b1cc3c696d5d81c321f 7.0/RPMS/exmh-2.1.1-5.1mdk.noarch.rpm
58d6b7a0c0c95005c5f5d924d5edab19 7.0/SRPMS/exmh-2.1.1-5.1mdk.src.rpm

Linux-Mandrake 7.1:
a34c9cc91e5a5b365c7cdfe4565a29fd 7.1/RPMS/exmh-2.1.1-5.1mdk.noarch.rpm
58d6b7a0c0c95005c5f5d924d5edab19 7.1/SRPMS/exmh-2.1.1-5.1mdk.src.rpm

Linux-Mandrake 7.2:
efdd5d3fecc72805d1099693a6dfc7cb 7.2/RPMS/exmh-2.2-4.1mdk.noarch.rpm
1ac6b56522683d758aeda0e2c14fb7b6 7.2/SRPMS/exmh-2.2-4.1mdk.src.rpm

Corporate Server 1.0.1:
a34c9cc91e5a5b365c7cdfe4565a29fd 1.0.1/RPMS/exmh-2.1.1-5.1mdk.noarch.rpm
58d6b7a0c0c95005c5f5d924d5edab19 1.0.1/SRPMS/exmh-2.1.1-5.1mdk.src.rpm

To upgrade automatically, use <<MandrakeUpdate>>.

If you want to upgrade manually, download the updated package from one of our FTP server mirrors and uprade with "rpm -Uvh package_name".

You can download the updates directly from:

Or try one of the other mirrors listed at:


Updated packages are available in the "updates/[ver]/RPMS/" directory. For example, if you are looking for an updated RPM package for Linux-Mandrake 7.1, look for it in "updates/7.1/RPMS/". Updated source RPMs are available as well, but you generally do not need to download them.

Please be aware that sometimes it takes the mirrors a few hours to update, so if you want an immediate upgrade, please use one of the two above-listed mirrors.

You can view other security advisories for Linux-Mandrake at:


If you want to report vulnerabilities, please contact


Linux-Mandrake has two security-related mailing list services that anyone can subscribe to:


Linux-Mandrake's security announcements mailing list. Only announcements are sent to this list and it is read-only.


Linux-Mandrake's security discussion mailing list. This list is open to anyone to discuss Linux-Mandrake security specifically and Linux security in general.

To subscribe to either list, send a message to sympa@linux-mandrake.com with "subscribe [listname]" in the body of the message.

To remove yourself from either list, send a message to sympa@linux-mandrake.com with "unsubscribe [listname]" in the body of the message.

To get more information on either list, send a message to sympa@linux-mandrake.com with "info [listname]" in the body of the message.

Optionally, you can use the web interface to subscribe to or unsubscribe from either list: