Login
Newsletter
Werbung

Sicherheit: Unsichere Verwendung von /tmp in INN
Aktuelle Meldungen Distributionen
Name: Unsichere Verwendung von /tmp in INN
ID: CSSA-2001-001.0
Distribution: Caldera
Plattformen: Caldera eDesktop 2.4, Caldera Desktop 2.3, Caldera eServer 2.3.1
Datum: Mi, 17. Januar 2001, 12:00
Referenzen: Keine Angabe
Applikationen: INN

Originalnachricht

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
Caldera Systems, Inc. Security Advisory

Subject: temp file problems in inn
Advisory number: CSSA-2001-001.0
Issue date: 2001 January, 11
Cross reference:
______________________________________________________________________________


1. Problem Description

INN uses a temporary directory for several operations. Those
operations use it in a unsecure manner, which would allow an
attacker to gain access to the 'news' user. Since INN is not
supposed to work in a public temporary directory, please use
the described workaround to change the temp directory to a
news private one.


2. Vulnerable Versions

System Package
-----------------------------------------------------------
OpenLinux Desktop 2.3 All released inn packages


OpenLinux eServer 2.3.1 All released inn packages
and OpenLinux eBuilder

OpenLinux eDesktop 2.4 All released inn packages


3. Solution

Workaround:

Edit /etc/news/inn.conf, change the line
pathtmp: /var/tmp
to read
pathtmp: /var/run/news

After this, restart INN by running as root:

/etc/rc.d/init.d/news stop
/etc/rc.d/init.d/news start


4. OpenLinux Desktop 2.3

No fixed packages released, see workaround above.

5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

No fixed packages released, see workaround above.

6. OpenLinux eDesktop 2.4

No fixed packages released, see workaround above.

7. References

This and other Caldera security resources are located at:

http://www.calderasystems.com/support/security/index.html

This security fix closes Caldera's internal Problem Report 8673.

8. Disclaimer

Caldera Systems, Inc. is not responsible for the misuse of any of the
information we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended to
promote secure installation and use of Caldera OpenLinux.

9. Acknowledgements

Caldera Systems, Inc. wishes to thank the Team at Immunix, Greg KH
at Wirex and Solar Designer for drawing our attention, and their
cooperation.

______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6X3hx18sy83A/qfwRAg20AKCTUcuEhv34ap/5FdmjCla9/8ZFEwCgxCMl
WtA3Ghi1CPyEvYbE4IS5Clw=
=NSte
-----END PGP SIGNATURE-----
Pro-Linux
Gewinnspiel
Neue Nachrichten
Werbung