Subject: Trustix Security Advisory - perl and mailx
From: Oystein Viggen (oysteiviTRUSTIX.COM)
Date: Mon Aug 14 2000 - 07:56:43 CDT


Hi

We have now made available updated perl and mailx packages that fix a
local security hole. The hole is the same as announced by Red Hat and
others earlier.

Exploit code for this hole is "in the wild" so all people running
Trustix Secure Linux, especially on systems with untrusted local users,
should upgrade. The hole affects both release 1.0x and 1.1 - Users of
1.0x should use the updates from the 1.1 directory.

The update is a simple port/snarf of Red Hat's updates and thus changes
the behaviour of suidperl to use syslog instead of mail and restricts
the list of variables /bin/mail will read from the environment.

MD5 sums can be found in the files named MD5SUM in each directory.

i386 RPMs:
ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/mailx-8.1.1-16.i586.rpm
ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/perl-5.00503-10tr.i586.rpm

src RPMs:
ftp://ftp.trustix.com/pub/Trustix/updates/1.1/SRPMS/mailx-8.1.1-16.src.rpm
ftp://ftp.trustix.com/pub/Trustix/updates/1.1/SRPMS/perl-5.00503-10tr.src.rpm

The files can also be downloaded through http or rsync. See the download
and mirroring pages on http://www.trustix.net for more details.

New ISO images and trees with the updated rpm files will be made
available shortly.

Oystein

--
TSL developer