Conectiva Linux Security Announcement - tcsh

Dec 10, 2000, 23:54 (0 Talkback[s])

Date: Fri, 8 Dec 2000 16:07:14 -0200
From: secure@CONECTIVA.COM.BR
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: [CLA-2000:354] Conectiva Linux Security Announcement - tcsh

---

CONECTIVA LINUX SECURITY ANNOUNCEMENT

---

PACKAGE   : tcsh
SUMMARY   : Insecure temporary file creation
DATE      : 2000-12-08 16:06:00
ID        : CLA-2000:354
RELEVANT
RELEASES  : 6.0

---

DESCRIPTION
(This is a specific update for Conectiva Linux 6.0, previous versions were already updated.) When using in-here documents (via the "<<" redirect), tcsh creates a temporary file in an insecure manner that could allow a symlink attack to overwrite arbitrary files.

SOLUTION
It is recommended that all tcsh users upgrade to the latest package.

DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/SPMS/tcsh-6.10.00-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/tcsh-6.10.00-1cl.i386.rpm

ADDITIONAL INSTRUCTIONS Users of Conectiva Linux version 6.0 or higher may use apt to perform upgrades:
- add the following line to /etc/apt/sources.list if it is not there yet (you may also use linuxconf to do this):

rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

---

All packages are signed with Conectiva's GPG key. The key can be obtained at http://www.conectiva.com.br/contato