Linux Today: Linux News On Internet Time.

SOT Linux Advisories: sysstat, mozilla

Mar 23, 2004, 12:54

SOT Linux Security Advisory

Subject: Updated sysstat package for SOT Linux 2003
Advisory ID: SLSA-2004:10
Date: Tuesday, March 23, 2004
Product: SOT Linux 2003


1. Problem description

A bug was found in the sysstat package's post-install and trigger scripts (RPM scriptlets), which used insecure, predictable temporary file names. A local attacker could overwrite system files by placing carefully crafted symbolic links in the /tmp directory. The Common Vulnerabilities and Exposures project (http://cve.mitre.org/) has assigned the name CAN-2004-0107 to this issue.

iostat -x should return all partitions on the system (up to a maximum of 1024).

sar should handle network device names with more than 8 characters properly.
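The temporary-file mistake behind CAN-2004-0107, shown beside its fix, as an added example that is not from the SOT advisory or the sysstat project. It reproduces the bug class inside a private scratch directory created by the script (never the real /tmp): a privileged script writes to a guessable name, an attacker-planted symlink at that name redirects the write into a stand-in "system file", and the O_CREAT|O_EXCL pattern refuses the same name. All file names and contents are constructed for the example.

```python
"""Added example, not the advisory's or sysstat's code: a predictable
temp-file write versus the O_CREAT|O_EXCL fix, run in a sandbox directory."""
import os
import tempfile


def insecure_write(path, data):
    """Vulnerable pattern: a plain open() follows whatever symlink already
    sits at the predictable name and truncates the file it points to."""
    with open(path, "w") as f:
        f.write(data)


def secure_write(path, data):
    """Hardened pattern: O_EXCL makes open() fail if the name already exists
    (a symlink counts as existing), so a pre-planted link is never followed.
    O_NOFOLLOW is added where the platform provides it as a second guard."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def run_demo():
    """Reproduce the bug class in a sandbox and report what each pattern did."""
    with tempfile.TemporaryDirectory() as scratch:
        # Stands in for a root-owned system file (constructed for the demo).
        target = os.path.join(scratch, "system-file")
        with open(target, "w") as f:
            f.write("original contents\n")

        # The guessable name a %post-style script would use, already occupied
        # by a symlink to the system file: the pre-condition the advisory describes.
        predictable = os.path.join(scratch, "sysstat.tmp")
        os.symlink(target, predictable)

        insecure_write(predictable, "clobbered\n")
        with open(target) as f:
            after_insecure = f.read()

        try:
            secure_write(predictable, "never written\n")
            secure_refused = False
        except OSError:  # EEXIST (or ELOOP when O_NOFOLLOW is honoured)
            secure_refused = True
        with open(target) as f:
            after_secure = f.read()

        # The proper fix: let the OS pick an unguessable name, created with O_EXCL.
        fd, unguessable = tempfile.mkstemp(prefix="sysstat.", dir=scratch)
        os.close(fd)
        fresh_name = os.path.basename(unguessable)

    return {
        "after_insecure": after_insecure,
        "secure_refused": secure_refused,
        "after_secure": after_secure,
        "fresh_name": fresh_name,
    }


if __name__ == "__main__":
    print(run_demo())
```

In a shell scriptlet the equivalent of `tempfile.mkstemp` is `mktemp` with a template (`TMP=$(mktemp /tmp/sysstat.XXXXXX) || exit 1`), which both picks an unguessable name and creates the file exclusively; that is the change this class of fix usually consists of.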

2. Updated packages

SOT Linux 2003 Desktop:

i386:
ftp://ftp.sot.com/updates/2003/Desktop/i386/sysstat-4.0.7-1.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2003/Desktop/SRPMS/sysstat-4.0.7-1.src.rpm

SOT Linux 2003 Server:

i386:
ftp://ftp.sot.com/updates/2003/Server/i386/sysstat-4.0.7-1.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2003/Server/SRPMS/sysstat-4.0.7-1.src.rpm

3. Upgrading package

Before applying this update, make sure all previously released errata relevant to your system have been applied.

Use up2date to automatically upgrade the fixed packages.

If you want to upgrade manually, download the updated package from the SOT Linux FTP site (use the links above) or from one of our mirrors. The list of mirrors can be obtained at www.sot.com/en/linux.

Update the package with the following command: rpm -Uvh <filename>

4. Verification

All packages are PGP signed by SOT for security.

You can verify each package with the following command: rpm --checksig <filename>

If you wish to verify the integrity of the downloaded package, run "md5sum <filename>" and compare the output with data given below.

Package Name                              MD5 sum
/Desktop/i386/sysstat-4.0.7-1.i386.rpm    fada2246769544becf222b53d7ca85f8
/Desktop/SRPMS/sysstat-4.0.7-1.src.rpm    9a1564c14f76ca84d80b7d682c2b803d
/Server/i386/sysstat-4.0.7-1.i386.rpm     fada2246769544becf222b53d7ca85f8
/Server/SRPMS/sysstat-4.0.7-1.src.rpm     9a1564c14f76ca84d80b7d682c2b803d

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0107

Copyright(c) 2001-2003 SOT


You can view other update advisories for SOT Linux 2003 at: http://sotlinux.org/en/sotlinux/sa/index.php

SOT Linux Security Advisory

Subject: Updated mozilla package for SOT Linux 2003
Advisory ID: SLSA-2004:9
Date: Monday, March 22, 2004
Product: SOT Linux 2003


1. Problem description

Mozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie to paths outside the cookie's intended scope, e.g. to a vulnerable application that runs on the same server as the target application.

A malicious website could gain access to a user's authentication credentials to a proxy server.

The updated packages are patched to correct these vulnerabilities.
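How the "%2e%2e" cookie-scope bypass in the first issue above works, and how canonicalising the URL path before the cookie path-match closes it, as an added example that is not Mozilla's code. The cookie jar, cookie names and request paths are constructed for the example; the path-match rule follows RFC 6265 section 5.1.4.

```python
"""Added example, not Mozilla's code: cookie path-matching on the raw URL
path (leaks the cookie) versus on the canonicalised path (does not)."""
import posixpath
from urllib.parse import unquote


def path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match, applied to whatever path it is given."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        return request_path[len(cookie_path)] == "/"
    return False


def canonical_path(raw_path):
    """Decode percent-encoding, then resolve "." and ".." segments, so the
    path compared against cookie scopes is the one the server will serve."""
    decoded = unquote(raw_path)
    canon = posixpath.normpath(decoded)
    if decoded.endswith("/") and not canon.endswith("/"):
        canon += "/"  # normpath drops a trailing slash; keep it for scope checks
    if not canon.startswith("/"):
        canon = "/" + canon
    return canon


def cookies_to_send(jar, raw_request_path, canonicalise):
    """Names of the cookies a client would attach to a request for raw_request_path."""
    path = canonical_path(raw_request_path) if canonicalise else raw_request_path
    return sorted(name for name, cookie_path in jar if path_matches(cookie_path, path))


# Constructed jar: a session cookie scoped to /bank and a site-wide preference cookie.
JAR = [("bank_session", "/bank"), ("theme", "/")]

if __name__ == "__main__":
    hostile = "/bank/%2e%2e/guestbook/post"
    print("raw path match  :", cookies_to_send(JAR, hostile, canonicalise=False))
    print("canonical path  :", canonical_path(hostile),
          cookies_to_send(JAR, hostile, canonicalise=True))
```

Matched on the raw string, `/bank/%2e%2e/guestbook/post` begins with `/bank/`, so the `/bank`-scoped session cookie goes along with the request even though the server will resolve it to `/guestbook/post`. The same canonicalisation belongs on the server side before any path-based authorisation decision. One caveat: `unquote` also turns `%2f` into `/`, which changes segment boundaries; an implementation that must preserve encoded slashes should decode only the dot segments.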

2. Updated packages

SOT Linux 2003 Desktop:

i386:
ftp://ftp.sot.com/updates/2003/Desktop/i386/mozilla-1.2.1-4.i386.rpm
ftp://ftp.sot.com/updates/2003/Desktop/i386/mozilla-devel-1.2.1-4.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2003/Desktop/SRPMS/mozilla-1.2.1-4.src.rpm

SOT Linux 2003 Server:

i386:
ftp://ftp.sot.com/updates/2003/Server/i386/mozilla-1.2.1-4.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/mozilla-devel-1.2.1-4.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2003/Server/SRPMS/mozilla-1.2.1-4.src.rpm

3. Upgrading package

Before applying this update, make sure all previously released errata relevant to your system have been applied.

Use up2date to automatically upgrade the fixed packages.

If you want to upgrade manually, download the updated package from the SOT Linux FTP site (use the links above) or from one of our mirrors. The list of mirrors can be obtained at www.sot.com/en/linux.

Update the package with the following command: rpm -Uvh <filename>

4. Verification

All packages are PGP signed by SOT for security.

You can verify each package with the following command: rpm --checksig <filename>

If you wish to verify the integrity of the downloaded package, run "md5sum <filename>" and compare the output with data given below.

Package Name                                   MD5 sum
/Desktop/i386/mozilla-1.2.1-4.i386.rpm         c6a51e302e2d81ff8700192a9d0059b4
/Desktop/i386/mozilla-devel-1.2.1-4.i386.rpm   ccf3c8619f027854a3fd43a6ecfaf4dc
/Desktop/SRPMS/mozilla-1.2.1-4.src.rpm         421ba3c42923a8d277d20294cf709f5a
/Server/i386/mozilla-1.2.1-4.i386.rpm          c6a51e302e2d81ff8700192a9d0059b4
/Server/i386/mozilla-devel-1.2.1-4.i386.rpm    ccf3c8619f027854a3fd43a6ecfaf4dc
/Server/SRPMS/mozilla-1.2.1-4.src.rpm          421ba3c42923a8d277d20294cf709f5a
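The integrity check from section 4 of both advisories above (sysstat and mozilla) carried out in code, as an added example that is not SOT's tooling. The MD5 table is copied from the two advisories; the helper names and the sample file are this example's own. It streams the package through MD5 and compares against the published sum with a constant-time comparison.

```python
"""Added example, not the advisory's code: verify a downloaded RPM against
the MD5 table published in SLSA-2004:10 and SLSA-2004:9."""
import hashlib
import hmac
import os
import tempfile

# Package name -> MD5 sum, as printed in the two advisories (Desktop/ entries).
ADVISORY_MD5 = {
    "/Desktop/i386/sysstat-4.0.7-1.i386.rpm": "fada2246769544becf222b53d7ca85f8",
    "/Desktop/SRPMS/sysstat-4.0.7-1.src.rpm": "9a1564c14f76ca84d80b7d682c2b803d",
    "/Desktop/i386/mozilla-1.2.1-4.i386.rpm": "c6a51e302e2d81ff8700192a9d0059b4",
    "/Desktop/i386/mozilla-devel-1.2.1-4.i386.rpm": "ccf3c8619f027854a3fd43a6ecfaf4dc",
    "/Desktop/SRPMS/mozilla-1.2.1-4.src.rpm": "421ba3c42923a8d277d20294cf709f5a",
}
# The Server/ packages carry identical sums in both advisories.
ADVISORY_MD5.update(
    {k.replace("/Desktop/", "/Server/", 1): v for k, v in list(ADVISORY_MD5.items())}
)


def md5_of_file(path, chunk_size=1 << 16):
    """Stream the file through MD5 so a large RPM never has to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def expected_md5(package_name):
    """Look up the published sum; KeyError means the advisory does not list it."""
    return ADVISORY_MD5[package_name]


def verify_download(path, expected_hex):
    """True when the file's digest equals the published one; compare_digest
    keeps the comparison constant-time."""
    return hmac.compare_digest(md5_of_file(path).lower(), expected_hex.lower())


def verify_against_advisory(path, package_name):
    return verify_download(path, expected_md5(package_name))


def sample_file(data):
    """Write constructed bytes to a temp file and return its path (demo helper)."""
    fd, path = tempfile.mkstemp(prefix="pkg-sample.")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    # A real run would point at the downloaded RPM, e.g.
    #   verify_against_advisory("sysstat-4.0.7-1.i386.rpm",
    #                           "/Desktop/i386/sysstat-4.0.7-1.i386.rpm")
    p = sample_file(b"abc")
    print(md5_of_file(p), verify_download(p, "900150983cd24fb0d6963f7d28e17f72"))
```

The MD5 table only confirms that the download arrived intact as SOT published it; `rpm --checksig <filename>` checks the PGP signature, which is the authenticity check and should not be skipped because the sum matched. MD5 is also no longer collision-resistant, so for anything newer than these 2004 packages a signature or a SHA-2 sum is the check to rely on.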

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0594
http://bugzilla.mozilla.org/show_bug.cgi?id=220122

Copyright(c) 2001-2003 SOT