
Security: pmake is installed setuid root
Name: pmake is installed setuid root
ID: TLSA2001024
Distribution: TurboLinux
Platforms: Not specified
Date: Sat, 26 May 2001, 13:00
References: Not specified
Applications: pmake

Original message

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



_____________________________________________________________________________________________

Turbolinux Security Announcement

Package: pmake
Vulnerable Packages: All Turbolinux versions previous to 2.1.35beta-2
Date: 05/24/2001 5:00 PDT


Affected Turbolinux platforms: TL 6.1 Workstation,
                               All Turbolinux versions
                               6.0.5 and earlier

Turbolinux Advisory ID#: TLSA2001024


_____________________________________________________________________________________________

A security hole has been discovered in the package pmake. Please update
the packages in your installation as soon as possible.
_____________________________________________________________________________________________

1. Problem Summary

In the Turbolinux platforms referenced above, the pmake binary is installed
setuid root.

2. Impact

A local user could run pmake with root privileges. This could lead to a
possibility of an attacker exploiting vulnerabilities in other programs
that pmake uses.

3. Solution

Update the packages from our ftp server by running the following
command:

rpm -Uvh ftp_path_to_filename

Where ftp_path_to_filename is the following:

ftp://ftp.turbolinux.com/pub/updates/6.0/security/pmake-2.1.35beta-2.i386.rpm
pmake-customs-2.1.35beta-2.i386.rpm

The source RPM can be downloaded here:

ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/pmake-2.1.35beta-2.src.rpm

**Note: You must rebuild and install the RPM if you choose to download
and install the SRPM. Simply installing the SRPM alone WILL NOT CLOSE
THE SECURITY HOLE.


*************************************IMPORTANT*******************************************

In order for pmake to run properly, be sure to do the following:

- Open up a terminal prompt and log in as "root".
- Go to /usr/lib/rpm and open the file called "macros".
- Look for the directive called "%_mandir". Its current setting is:

%{_prefix}/man

Change it so that it reads:

%{_prefix}/share/man


*****************************************************************************************


Please verify the MD5 checksums of the updates before you install:

MD5 sum                            Package Name
_____________________________________________________________________________________________

06872bdb7868177cdf04169814a25f02   pmake-2.1.35beta-2.i386.rpm
c583682c3f2b3bd3d7854580b0e758e5   pmake-customs-2.1.35beta-2.i386.rpm
4cc72823376566879442057beb25cb33   pmake-2.1.35beta-2.src.rpm
_____________________________________________________________________________________________

These packages are GPG signed by Turbolinux for security. Our key
is available here:

http://www.turbolinux.com/security/tlgpgkey.asc

To verify a package, use the following command:

rpm --checksig name_of_rpm

To examine only the md5sum, use the following command:

md5sum name_of_rpm

**Note: Checking GPG keys requires RPM 3.0 or higher.

_____________________________________________________________________________________________

You can find more updates on our ftp server:

ftp://ftp.turbolinux.com/pub/updates/6.0/security/

for TL6.x Workstation and Server security updates

Our webpage for security announcements:

http://www.turbolinux.com/security

If you want to report vulnerabilities, please contact:

security@turbolinux.com
_____________________________________________________________________________________________

Subscribe to the Turbolinux Security Mailing lists:

TL-security - A moderated list for discussing security issues in
Turbolinux products.
Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security

TL-security-announce - An announce-only mailing list for security
updates and alerts.

Subscribe at:

http://www.turbolinux.com/mailman/listinfo/tl-security-announce

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: pgpenvelope 2.10.0 - http://pgpenvelope.sourceforge.net/

iD8DBQE7DsmCcpw52/ZatwoRAtDkAJ9UOpJ7HlL9tatftFiqKGtUTAZWuwCcDw4Y
FlmQY9GJzOiSUe+Z+uYGOo0=
=2A9V
-----END PGP SIGNATURE-----
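
The advisory's two checks as a script (an added example, not part of the Turbolinux advisory or of this page): it compares downloaded packages against the MD5 table above and reports whether the installed pmake is still setuid root. The function names, the `PMAKE_BIN` override and the `--run` switch are assumptions of this example.

```shell
# Added example (not Turbolinux code). Checksums copied from the advisory's MD5 table.
ADVISORY_SUMS='06872bdb7868177cdf04169814a25f02 pmake-2.1.35beta-2.i386.rpm
c583682c3f2b3bd3d7854580b0e758e5 pmake-customs-2.1.35beta-2.i386.rpm
4cc72823376566879442057beb25cb33 pmake-2.1.35beta-2.src.rpm'

# Print the owner's numeric uid if FILE is a setuid regular file; fail otherwise.
setuid_owner() {
    [ -f "$1" ] && [ -u "$1" ] || return 1
    ls -ln "$1" | awk '{print $3}'
}

# Succeed when the MD5 of FILE equals EXPECTED (hex, any case).
md5_matches() {
    [ -f "$1" ] || return 2
    actual=$(md5sum "$1" | awk '{print $1}')
    [ "$actual" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Check each advisory package present in DIR; return 1 on any mismatch.
check_packages() {
    dir=$1 rc=0
    while read -r sum name; do
        if [ ! -f "$dir/$name" ]; then
            echo "SKIP $name (not downloaded)"
        elif md5_matches "$dir/$name" "$sum"; then
            echo "OK $name"
        else
            echo "MISMATCH $name"; rc=1
        fi
    done <<EOF
$ADVISORY_SUMS
EOF
    return $rc
}

# Report whether the installed pmake is still setuid root.
# PMAKE_BIN is an assumed override for non-standard install paths.
check_pmake() {
    bin=${PMAKE_BIN:-$(command -v pmake 2>/dev/null || true)}
    [ -n "$bin" ] || { echo "pmake not found"; return 0; }
    if [ "$(setuid_owner "$bin")" = 0 ]; then
        echo "VULNERABLE $bin is setuid root"; return 1
    fi
    echo "OK $bin is not setuid root"
}

# Run both checks when invoked as: sh check.sh --run [package_dir]
if [ "${1:-}" = "--run" ]; then
    check_packages "${2:-.}"; r=$?; check_pmake || r=1; exit "$r"
fi
```

The MD5 comparison only confirms that a download matches the advisory's table; `rpm --checksig` against the Turbolinux key is the check that covers authenticity.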


