Conectiva Linux Security Announcement: Package: MANJul 27, 2000, 20:23 (0 Talkback[s])
Date: Thu, 27 Jul 2000 11:24:04 -0300
CONECTIVA LINUX SECURITY ANNOUNCEMENT
PACKAGE : man SUMMARY : Insecure directory creation in /tmp DATE : 2000-07-27 AFFECTED CONECTIVA VERSIONS : 5.1DESCRIPTION
This announcement is being re-released specifically for Conectiva Linux 5.1.
Redhat has identified a problem with the man package which also affects Conectiva Linux. Conectiva Linux versions prior to 5.1 have already been patched.
The man package has a script called makewhatis that is run weekly by the cron daemon as root. This script creates a directory in /tmp and some files under it with predictable names, thus making it possible for a local attacker to alter any file in the system via symlink attacks.
DIRECT DOWNLOAD LINKS TO UPDATED PACKAGES
DIRECT LINK TO THE SOURCE PACKAGES
All packages are signed with Conectiva's PGP key. The key can be
0 Talkback[s] (click to add your comment)