Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 555
Alerts This Week
Warning Icon 1 555

Red Hat 6.x: RHSA-2000:012-05 Moderate: OpenLDAP Symlink Threat

red hat
Calendar Grey April 21, 2000
Dist Redhat Esm H88
Red Hat updated openldap packages to fix severe local user risks. Ensure best practices to secure your systems.
Local users can destroy the contents of any file on any mounted filesystem.

Solution

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.

Administrators with existing databases should also move their NEXTID and *.dbb files from /usr/tmp to /var/lib/ldap, and verify that the 'directory' setting in /etc/openldap/slapd.conf is changed accordingly.

5. Bug IDs fixed ( for more info):

10714 - Insecure file creation using static files which follow symlinks.


6. Obsoleted by:

N/A

7. Conflicts with:

N/A

8. RPMs required:


Red Hat Linux 6.1:

intel:

alpha:

sparc:

sources:

Red Hat Linux 6.2:

intel:

alpha:

sparc:

sources:


9. Verification:

MD5 sum Package Name 058c4aa63710da7490f98da4b3cad53d 6.1/i386/openldap-1.2.9-6.i386.rpm 17fbdb33172a7884f56b4fc746b1b763 6.1/SRPMS/openldap-1.2.9-6.src.rpm 816fccd85990833f7c5dfb7f2dc6e0a1 6.1/sparc/openldap-1.2.9-6.sparc.rpm fa79c61565a72407db4695ef8468a482 6.2/alpha/openldap-1.2.9-6.alpha.rpm 816fccd85990833f7c5dfb7f2dc6e0a1 6.2/sparc/openldap-1.2.9-6.sparc.rpm 17fbdb33172a7884f56b4fc746b1b763 6.2/SRPMS/openldap-1.2.9-6.src.rpm 058c4aa63710da7490f98da4b3cad53d 6.2/i386/openldap-1.2.9-6.i386.rpm


These packages are GPG signed by Red Hat, Inc. for security. Our key is available at:

You can verify each package with the following command: rpm --checksig

If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nogpg

Summary

References

Thanks also go to Stan Bubrouski for reporting this problem. Cristian ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "How could this be a problem in a country where we have Intel and Microsoft?" --Al Gore on Y2K -----BEGIN PGP SIGNATURE-----Version: 2.6.2 iQCVAwUBOQCeJPGvxKXU9NkBAQFIAgP/fBO8WkawNk6qa2/1y3UO0o0t49xbBXPe KM6qBojNW8yWKdsfGGgVkgvby/1gH+uFxd49mFNMbG8GUNIxOw8r2MfaQXERnnFb IQ66mYSH5hesXw6wVnw0aIdnOMfd5BRpEZLXUnhrp+wf+IbtaQE6+g3MbmcoRSk4 jmsdnVhD6iQ=Yz4F -----END PGP SIGNATURE-----

Package List


Advisory ID: RHSA-2000:012-05
Issue date: 2000-04-13
Updated on: 2000-04-21
Product: Red Hat Linux
Keywords: openldap startup symlink overwrite denial
Cross references: N/A
:
New openldap packages are available which fix a security:
vulnerability in Red Hat Linux 6.1 and 6.2.:
:

Topic

Relevant Releases Architectures

Red Hat Linux 6.1 - i386 alpha sparc

Red Hat Linux 6.2 - i386 alpha sparc

Bugs Fixed

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.