From secure@CONECTIVA.COM.BR Fri Nov 24 01:56:21 2000 From: secure@CONECTIVA.COM.BR To: BUGTRAQ@SECURITYFOCUS.COM Date: Thu, 23 Nov 2000 13:50:36 -0200 Subject: [BUGTRAQ] [CLSA-2000:341] Conectiva Linux Security Announcement - tcsh -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ----------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - ----------------------------------------------------------------------- PACKAGE : tcsh SUMMARY : Insecure temporary file creation DATE : 2000-11-23 13:50:00 ID : CLSA-2000:341 RELEVANT RELEASES : 4.0, 4.0es, 4.1, 4.2, 5.0, prg gráficos, ecommerce, 5.1 - ---------------------------------------------------------------------- DESCRIPTION When using in-here documents (via the "<<" redirect), tcsh creates a temporary file in an insecure manner that could allow a symlink attack to overwrite arbitrary files. SOLUTION It is recommended that all tcsh users upgrade to the latest package. DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/tcsh-6.08.00-7cl.src.rpm ftp://atualizacoes.conectiva.com.br/4.0/i386/tcsh-6.08.00-7cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/tcsh-6.08.00-7cl.src.rpm ftp://atualizacoes.conectiva.com.br/4.0es/i386/tcsh-6.08.00-7cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/tcsh-6.09.00-7cl.src.rpm ftp://atualizacoes.conectiva.com.br/4.1/i386/tcsh-6.09.00-7cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/tcsh-6.09.00-7cl.src.rpm ftp://atualizacoes.conectiva.com.br/4.2/i386/tcsh-6.09.00-7cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/tcsh-6.09.00-7cl.src.rpm ftp://atualizacoes.conectiva.com.br/5.0/i386/tcsh-6.09.00-7cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/tcsh-6.09.00-7cl.src.rpm ftp://atualizacoes.conectiva.com.br/5.1/i386/tcsh-6.09.00-7cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/tcsh-6.09.00-7cl.src.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/tcsh-6.09.00-7cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/tcsh-6.09.00-7cl.src.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/tcsh-6.09.00-7cl.i386.rpm - ---------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key can be obtained at http://www.conectiva.com.br/contato - ----------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at http://www.conectiva.com.br/suporte/atualizacoes - ---------------------------------------------------------------------- subscribe: atualizacoes-anuncio-subscribe@papaleguas.conectiva.com.br unsubscribe: atualizacoes-anuncio-unsubscribe@papaleguas.conectiva.com.br -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6HTzL42jd0JmAcZARAuJsAKDg5KU+gcolCdVXgDYwHSKHePpyygCg2gGb Ury+45EJrIzOWyxWFmn4sO8= =PSCc -----END PGP SIGNATURE-----