OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Caldera Support Info (sup-infoLOCUTUS4.CALDERASYSTEMS.COM)
Date: Mon Jan 15 2001 - 18:11:05 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ______________________________________________________________________________
                       Caldera Systems, Inc. Security Advisory

    Subject: temp file problems in inn
    Advisory number: CSSA-2001-001.0
    Issue date: 2001 January, 11
    Cross reference:
    ______________________________________________________________________________

    1. Problem Description

       INN uses a temporary directory for several operations. Those
       operations use it in a unsecure manner, which would allow an
       attacker to gain access to the 'news' user. Since INN is not
       supposed to work in a public temporary directory, please use
       the described workaround to change the temp directory to a
       news private one.

    2. Vulnerable Versions

       System Package
       -----------------------------------------------------------
       OpenLinux Desktop 2.3 All released inn packages
                                       

       OpenLinux eServer 2.3.1 All released inn packages
       and OpenLinux eBuilder

       OpenLinux eDesktop 2.4 All released inn packages

    3. Solution

       Workaround:

       Edit /etc/news/inn.conf, change the line
            pathtmp: /var/tmp
       to read
            pathtmp: /var/run/news

       After this, restart INN by running as root:

            /etc/rc.d/init.d/news stop
            /etc/rc.d/init.d/news start

    4. OpenLinux Desktop 2.3

       No fixed packages released, see workaround above.

    5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

       No fixed packages released, see workaround above.

    6. OpenLinux eDesktop 2.4

       No fixed packages released, see workaround above.

    7. References

       This and other Caldera security resources are located at:

       http://www.calderasystems.com/support/security/index.html

       This security fix closes Caldera's internal Problem Report 8673.

    8. Disclaimer

       Caldera Systems, Inc. is not responsible for the misuse of any of the
       information we provide on this website and/or through our security
       advisories. Our advisories are a service to our customers intended to
       promote secure installation and use of Caldera OpenLinux.

    9. Acknowledgements

       Caldera Systems, Inc. wishes to thank the Team at Immunix, Greg KH
       at Wirex and Solar Designer for drawing our attention, and their
       cooperation.

    ______________________________________________________________________________
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.1 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQE6X3hx18sy83A/qfwRAg20AKCTUcuEhv34ap/5FdmjCla9/8ZFEwCgxCMl
    WtA3Ghi1CPyEvYbE4IS5Clw=
    =NSte
    -----END PGP SIGNATURE-----