Date: Thu, 27 Jul 2000 11:24:04 -0300
From: Security secure@CONECTIVA.COM.BR
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: CONECTIVA LINUX SECURITY ANNOUNCEMENT – MAN
CONECTIVA LINUX SECURITY ANNOUNCEMENT
PACKAGE : man
SUMMARY : Insecure directory creation in /tmp
DATE : 2000-07-27
AFFECTED CONECTIVA VERSIONS : 5.1
DESCRIPTION
This announcement is being re-released specifically for Conectiva
Linux 5.1.
Red Hat has identified a problem with the man package which also
affects Conectiva Linux. Conectiva Linux versions prior to 5.1 have
already been patched.
The man package has a script called makewhatis that is run
weekly by the cron daemon as root. This script creates a directory
in /tmp and some files under it with predictable names, thus making
it possible for a local attacker to alter any file in the system
via symlink attacks.
SOLUTION
All users of Conectiva Linux 5.1 should upgrade. Conectiva Linux
versions prior to 5.1 have already been patched.
DIRECT DOWNLOAD LINKS TO UPDATED PACKAGES
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.1/i386/man-1.5g-9cl.i386.rpm
DIRECT LINK TO THE SOURCE PACKAGES
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.1/SRPMS/man-1.5g-9cl.src.rpm
All packages are signed with Conectiva’s PGP key. The key can be
obtained at
http://www.conectiva.com.br/conectiva/contato.html
subscribe: atualizacoes-anuncio-subscribe@bazar.conectiva.com.br
unsubscribe: atualizacoes-anuncio-unsubscribe@bazar.conectiva.com.br
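
The DESCRIPTION above turns on a root-run script creating a working directory in /tmp under a guessable name. The following is an added example, not part of the Conectiva announcement and not the makewhatis code: it contrasts that pattern with mktemp -d and adds a check a script can run before writing. The function names and the "whatis.<id>" naming are assumptions, and everything runs inside a private scratch directory.

```shell
#!/bin/sh
# Added illustration; function names and the "whatis.<id>" naming are
# hypothetical and not taken from the makewhatis script.

# Weak pattern: the name is built from a guessable id (standing in for a
# PID), and mkdir -p succeeds even if the path already exists, including
# as a symlink to a directory that another local user put there first.
workdir_predictable() {
    dir="$1/whatis.$2"
    mkdir -p "$dir" || return 1
    printf '%s\n' "$dir"
}

# Hardened pattern: mktemp -d picks a random suffix, creates the directory
# atomically with mode 0700, and fails instead of reusing an existing path.
workdir_safe() {
    mktemp -d "$1/whatis.XXXXXXXXXX"
}

# Pre-write check: a real directory (not a symlink) with mode 0700.
is_private_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] &&
        [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}

# Constructed scenario in a scratch directory: the guessable name is
# already taken by a symlink before the "cron job" runs.
demo() {
    base=$(mktemp -d) || return 1
    mkdir "$base/elsewhere"
    ln -s "$base/elsewhere" "$base/whatis.1234"
    weak=$(workdir_predictable "$base" 1234)
    safe=$(workdir_safe "$base")
    for d in "$weak" "$safe"; do
        if is_private_dir "$d"; then
            echo "private:     $d"
        else
            echo "NOT private: $d"
        fi
    done
    rm -rf "$base"
}
demo
```

The predictable path is reported as not private because files written under it land wherever the symlink points; the mktemp directory passes the check.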