OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: CONECTIVA LINUX SECURITY ANNOUNCEMENT - mailman
From: secureCONECTIVA.COM.BR
Date: Wed Aug 02 2000 - 15:11:48 CDT


----------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
----------------------------------------------------------------------

PACKAGE : mailman
SUMMARY : Obtaining mailman user privilieges
DATE : 2000-08-02
AFFECTED CONECTIVA VERSIONS : 4.1, 4.2, 5.0 and 5.1

DESCRIPTION
The wrapper program supplied with the mailman package has a format
bug which could be exploited to obtain the privileges of the mailman
user. This user has read and write access to all files of the
mailman package.
Note that this vulnerability can only be exploited by local users with
shell access.

SOLUTION
All mailman users should upgrade to the package listed below. Besides
the security fix, this version also fixes a problem with the authorization
cookie used for the admin pages.

DIRECT DOWNLOAD LINKS TO UPDATED PACKAGES
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/mailman-2.0beta5-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/mailman-2.0beta5-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/mailman-2.0beta5-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.1/i386/mailman-2.0beta5-1cl.i386.rpm

DIRECT LINK TO THE SOURCE PACKAGES
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/SRPMS/mailman-2.0beta5-1cl.src.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/SRPMS/mailman-2.0beta5-1cl.src.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/mailman-2.0beta5-1cl.src.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.1/SRPMS/mailman-2.0beta5-1cl.src.rpm

----------------------------------------------------------------------

All packages are signed with Conectiva's PGP key. The key can be obtained at
http://www.conectiva.com.br/conectiva/contato.html

----------------------------------------------------------------------
subscribe: atualizacoes-anuncio-subscribebazar.conectiva.com.br
unsubscribe: atualizacoes-anuncio-unsubscribebazar.conectiva.com.br