Red Hat alert: Updated mailman packages are available.

Posted by dave on May 24, 2000 12:24 PM EDT

New mailman packages are available which close security holes present in earlier versions of mailman.

---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Synopsis:          Updated mailman packages are available.
Advisory ID:       RHSA-2000:030-01
Issue date:        2000-05-24
Updated on:        2000-05-24
Product:           Red Hat Secure Web Server
Keywords:          N/A
Cross references:  N/A
---------------------------------------------------------------------

1. Topic:

New mailman packages are available which close security holes present
in earlier versions of mailman.

2. Relevant releases/architectures:

Red Hat Secure Web Server 3.0 - i386
Red Hat Secure Web Server 3.1 - i386 alpha sparc
Red Hat Secure Web Server 3.2 - i386

3. Problem description:

New mailman packages are available which close security holes present
in earlier versions of mailman.  All sites using the mailman mailing
list management software should upgrade.

4. Solution:

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

N/A

6. RPMs required:

Red Hat Secure Web Server 3.2:

intel:
ftp://ftp.redhat.com/pub/redhat/updates/secureweb/3.2/i386/mailman-2.0beta2-1.i386.rpm

sources:
ftp://ftp.redhat.com/pub/redhat/updates/secureweb/3.2/SRPMS/mailman-2.0beta2-1.src.rpm

7. Verification:

MD5 sum                           Package Name
--------------------------------------------------------------------------
4515cf682bfb0c4a87c9ac6def8d5ec7  3.2/SRPMS/mailman-2.0beta2-1.src.rpm
ccaf8e103c609bfa7769dfff4cf7f532  3.2/i386/mailman-2.0beta2-1.i386.rpm

These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
    http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
    rpm --checksig [filename]

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg [filename]

8. References:

N/A







Subject: [RHSA-2000:005-05] New majordomo packages available
Content-transfer-encoding: 8bit
Approved: [e-mail:ewt@redhat.com]
To: [e-mail:redhat-watch-list@redhat.com]
From: [e-mail:bugzilla@redhat.com]
Cc: [e-mail:linux-security@redhat.com]
Content-type: text/plain; charset="iso-8859-1"
Mime-version: 1.0
Date: Wed, 31 May 2000 11:11 -0400

---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Synopsis:          New majordomo packages available
Advisory ID:       RHSA-2000:005-05
Issue date:        2000-01-20
Updated on:        2000-05-31
Product:           Red Hat Powertools
Keywords:          majordomo
Cross references:  N/A
---------------------------------------------------------------------

1. Topic:

New majordomo packages are available to fix local security problems in majordomo.

2. Relevant releases/architectures:

Red Hat Powertools 6.1 - i386 alpha sparc

3. Problem description:

A vulnerability in /usr/lib/majordomo/resend and /usr/lib/majordomo/wrapper will allow execution of arbitrary commands with elevated privileges.

It is recommended that all users of Red Hat Linux using the majordomo package upgrade to the fixed package, which will resolve the vulnerability in /usr/lib/majordomo/resend.  To secure /usr/lib/majordomo/wrapper, please read the solution section below.

Once an official patch has been released by the majordomo maintainers, we will release an updated package which will fix both vulnerabilities.

4. Solution:

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.

Once the package is installed, become "root" and execute this command:

chmod o-x /usr/lib/majordomo/wrapper

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

N/A

6. RPMs required:

Red Hat Powertools 6.1:

intel:
ftp://ftp.redhat.com/redhat/updates/powertools/6.1/i386/majordomo-1.94.5-2.i386.rpm

alpha:
ftp://ftp.redhat.com/redhat/updates/powertools/6.1/alpha/majordomo-1.94.5-2.alpha.rpm

sparc:
ftp://ftp.redhat.com/redhat/updates/powertools/6.1/sparc/majordomo-1.94.5-2.sparc.rpm

sources:
ftp://ftp.redhat.com/redhat/updates/powertools/6.1/SRPMS/majordomo-1.94.5-2.src.rpm

7. Verification:

MD5 sum                           Package Name
--------------------------------------------------------------------------
ad994a1742d90a593b8ecfbf52634cd7  6.1/SRPMS/majordomo-1.94.5-2.src.rpm
8c829a13c2229060c899ffdc7e7db38c  6.1/alpha/majordomo-1.94.5-2.alpha.rpm
f0e22f364abcbe4c217f2b8eb180037d  6.1/i386/majordomo-1.94.5-2.i386.rpm
89e327c6c92acc97db34e541f34c0c67  6.1/sparc/majordomo-1.94.5-2.sparc.rpm

These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
    http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
    rpm --checksig [filename]

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg [filename]

8. References:

Thanks to Brock Tellier at [e-mail:btellier@USA.NET] for noting the vulnerability in resend, to Shevek at [e-mail:shevek@anarres.org] and Olaf Kirch at [e-mail:okir@monad.swb.de] for noting the vulnerability in the wrapper.




Subject: [RHSA-2000:032-02] kdelibs vulnerability for suid-root KDE applications
Content-transfer-encoding: 8bit
Approved: [e-mail:ewt@redhat.com]
To: [e-mail:redhat-watch-list@redhat.com]
From: [e-mail:bugzilla@redhat.com]
Cc: [e-mail:linux-security@redhat.com]
Content-type: text/plain; charset="iso-8859-1"
Mime-version: 1.0
Date: Wed, 7 Jun 2000 11:04 -0400

---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Synopsis:          kdelibs vulnerability for suid-root KDE applications
Advisory ID:       RHSA-2000:032-02
Issue date:        2000-06-07
Updated on:        2000-06-07
Product:           Red Hat Powertools
Keywords:          N/A
Cross references:  N/A
---------------------------------------------------------------------

1. Topic:

In kdelibs 1.1.2 there are security issues for some applications when they are run suid root.

2. Relevant releases/architectures:

Red Hat Powertools 6.0 - i386
Red Hat Powertools 6.1 - i386
Red Hat Powertools 6.2 - i386

3. Problem description:

In kdelibs 1.1.2, there are security issues with the way some applications perform when they are run suid root. The only application vulnerable is kwintv from Powertools. With our PAM configuration, the suid bit for kwintv is not necessary.

4. Solution:

For each RPM for your particular architecture, run:

rpm -Uvh [filename]

where filename is the name of the RPM.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

N/A

6. RPMs required:

Red Hat Powertools 6.2:

intel:
ftp://ftp.redhat.com/redhat/updates/powertools/6.2/i386/kwintv-0.7.5-2.i386.rpm

sources:
ftp://ftp.redhat.com/redhat/updates/powertools/6.2/SRPMS/kwintv-0.7.5-2.src.rpm

7. Verification:

MD5 sum                           Package Name
--------------------------------------------------------------------------
3757f47ebfcec111e6a63167873653ee  6.2/SRPMS/kwintv-0.7.5-2.src.rpm
72e10bb7dfb96a7c655a7f3db79d47a1  6.2/i386/kwintv-0.7.5-2.i386.rpm

These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
    http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
    rpm --checksig [filename]

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg [filename]

8. References:

N/A
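
Added example (not part of the Red Hat advisories, and not Red Hat tooling): a shell script that reads the "MD5 sum / Package Name" table from a saved copy of any of the advisories above and compares it with the packages actually downloaded. It complements the GPG check done with rpm --checksig and does not replace it. The function names, arguments and the demo package are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Red Hat's tooling. Function names and arguments are assumptions.

# extract_md5_table ADVISORY: print "md5 basename" for each row of the advisory's
# "MD5 sum / Package Name" table (32 hex digits, then a path ending in .rpm).
extract_md5_table() {
    awk 'NF == 2 && length($1) == 32 && $1 ~ /^[0-9a-f]+$/ && $2 ~ /\.rpm$/ {
        n = split($2, parts, "/"); print $1, parts[n]
    }' "$1"
}

# verify_advisory_md5 ADVISORY DIR: compare each listed package found in DIR.
# Packages not downloaded (other architectures, SRPMS) are skipped.
# Returns 0 only if at least one package was checked and none mismatched.
verify_advisory_md5() {
    table=$(extract_md5_table "$1") dir=$2 checked=0 bad=0
    [ -n "$table" ] || { echo "no MD5 table in $1" >&2; return 2; }
    while read -r want name; do
        file="$dir/$name"
        [ -f "$file" ] || { echo "SKIP     $name (not in $dir)"; continue; }
        got=$(md5sum "$file" | awk '{print $1}')
        checked=$((checked + 1))
        if [ "$got" = "$want" ]; then echo "OK       $name"
        else echo "MISMATCH $name: advisory $want, file $got"; bad=$((bad + 1)); fi
    done <<EOF
$table
EOF
    [ "$checked" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Constructed demo (not real package data): a stand-in file and a one-row table.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed payload\n' > "$d/demo-1.0-1.i386.rpm"
    sum=$(md5sum "$d/demo-1.0-1.i386.rpm" | awk '{print $1}')
    printf '%s  6.2/i386/demo-1.0-1.i386.rpm\n' "$sum" > "$d/advisory.txt"
    verify_advisory_md5 "$d/advisory.txt" "$d"; rc=$?
    rm -rf "$d"; return $rc
}

# With two arguments, verify real downloads; otherwise run the constructed demo.
if [ "$#" -eq 2 ]; then verify_advisory_md5 "$1" "$2"; else demo; fi
```

Save the advisory text to a file and pass it together with the download directory; a non-zero exit status means a mismatch or that no listed package was found.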
