From: Linux Mandrake Security Team <security@linux-mandrake.com>
Subject: MDKSA-2001:055 - xinetd update
Date: Mon, 11 Jun 2001 11:50:04 -0600

______________________________________________________________________

                Mandrake Linux Security Update Advisory
______________________________________________________________________

Package name:           xinetd
Date:                   June 11th, 2001
Advisory ID:            MDKSA-2001:055

Affected versions:      7.2, 8.0, Single Network Firewall 7.2
______________________________________________________________________

Problem Description:

 A bug exists in xinetd as shipped with Mandrake Linux 8.0 dealing with
 TCP connections with the WAIT state that prevents linuxconf-web from
 working properly. As well, xinetd contains a security flaw in which it
 defaults to a umask of 0. This means that applications using the
 xinetd umask that do not set permissions themselves (like SWAT, a web
 configuration tool for Samba), will create world-writable files. This
 update sets the default umask to 022.
______________________________________________________________________

References:

______________________________________________________________________

Please verify the update prior to upgrading to ensure the integrity of
the downloaded package. You can do this with the command:

  rpm --checksig package.rpm

You can get the GPG public key of the Mandrake Linux Security Team at

  http://www.linux-mandrake.com/en/security/RPM-GPG-KEYS

If you use MandrakeUpdate, the verification of md5 checksum and GPG
signature is performed automatically for you.

Linux-Mandrake 7.2:
dcfddcde15315b6798d4303096eb41b6  7.2/RPMS/xinetd-2.1.8.9pre15-1.2mdk.i586.rpm
06f6fe56ea492d021538863f08c297ce  7.2/SRPMS/xinetd-2.1.8.9pre15-1.2mdk.src.rpm

Mandrake Linux 8.0:
b5e1f34214417502ca891bd3993a50c5  8.0/RPMS/xinetd-2.1.8.9pre15-1.1mdk.i586.rpm
683f1ce09c630432cf5cd876ef9f0f65  8.0/RPMS/xinetd-ipv6-2.1.8.9pre15-1.1mdk.i586.rpm
e6902c3dd3b9c321f41d2bf95d260972  8.0/SRPMS/xinetd-2.1.8.9pre15-1.1mdk.src.rpm

Single Network Firewall 7.2:
dcfddcde15315b6798d4303096eb41b6  snf7.2/RPMS/xinetd-2.1.8.9pre15-1.2mdk.i586.rpm
06f6fe56ea492d021538863f08c297ce  snf7.2/SRPMS/xinetd-2.1.8.9pre15-1.2mdk.src.rpm
______________________________________________________________________

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):

  3610 - linuxconf denial of service
______________________________________________________________________

To upgrade automatically, use MandrakeUpdate.

If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm".

You can download the updates directly from one of the mirror sites
listed at:

  http://www.linux-mandrake.com/en/ftp.php3.

Updated packages are available in the "updates/[ver]/RPMS/" directory.
For example, if you are looking for an updated RPM package for
Mandrake Linux 8.0, look for it in "updates/8.0/RPMS/". Updated source
RPMs are available as well, but you generally do not need to download
them.

Please be aware that sometimes it takes the mirrors a few hours to
update.

You can view other security advisories for Mandrake Linux at:

  http://www.linux-mandrake.com/en/security/

If you want to report vulnerabilities, please contact

  security@linux-mandrake.com
______________________________________________________________________

Mandrake Linux has two security-related mailing list services that
anyone can subscribe to:

security-announce@linux-mandrake.com

  Mandrake Linux's security announcements mailing list.
  Only announcements are sent to this list and it is read-only.

security-discuss@linux-mandrake.com

  Mandrake Linux's security discussion mailing list. This list is open
  to anyone to discuss Mandrake Linux security specifically and Linux
  security in general.

To subscribe to either list, send a message to

  sympa@linux-mandrake.com

with "subscribe [listname]" in the body of the message.

To remove yourself from either list, send a message to

  sympa@linux-mandrake.com

with "unsubscribe [listname]" in the body of the message.

To get more information on either list, send a message to

  sympa@linux-mandrake.com

with "info [listname]" in the body of the message.

Optionally, you can use the web interface to subscribe to or unsubscribe
from either list:

  http://www.linux-mandrake.com/en/flists.php3#security