
Date: Sat, 22 Apr 2000 14:38:09 +0200
From: Gael Duval <gduval@mandrakesoft.com>
To: security-announce@linux-mandrake.com
Subject: [Security Announce] latest updates: imwheel, gpm, openldap

Hi,

Here is a summary of the recent security updates that have been posted
to our website. They are all available through FTP (mirrors list on
http://www.linux-mandrake.com/en/ftp.php3) or simply with the
MandrakeUpdate tool.

You will notice that this announcement list has been renamed
"security-announce". It's read-only (I hope so!) and dedicated to
security update notifications. If you have been subscribed by mistake
to this list or don't want to receive it anymore, before crying
please send:

	unsub security-announce

in the subject of a message to:

	sympa@linux-mandrake.com

Latest security updates (.i586.rpm is the binary package, .src.rpm is
the source package - md5sum is given for all packages):

* imwheel
---------

A security bug was found in imwheel; the bug can be exploited to
provide local users with root access. Version 0.9.8 fixes this
problem. Please upgrade (manually or with MandrakeUpdate) to:

Mandrake 7.0:

854fa68b384b28dbafeb298faeb67310  imwheel-0.9.8-1mdk.i586.rpm
f5d52736bacb9f4c2d40df8cedcdbecb  imwheel-0.9.8-1mdk.src.rpm

This bug doesn't affect older versions of Linux-Mandrake.

* gpm
-----

A security bug was found in gpm; the bug can be exploited to
provide local users with root access. Please upgrade to:

Mandrake 6.0:

84573040f5d23e11e62e921bb9db04df  gpm-1.19.1-3mdk.i586.rpm
613df6a46c236b6ac02acc56815362ac  gpm-1.19.1-3mdk.src.rpm

Mandrake 6.1:

b9935537b2b7fa56de2ae464fbeb4b6e  gpm-1.19.1-3mdk.i586.rpm
70daf482944c2c946645e149d968a648  gpm-1.19.1-3mdk.src.rpm

Mandrake 7.0:

5df3ff53026912b679d1810e88828ff7  gpm-1.19.1-2mdk.i586.rpm
1a5b168c186a52fac7c62ddeace5212c  gpm-1.19.1-2mdk.src.rpm

* openldap
----------

Mandrake 7.0:

OpenLDAP follows symbolic links when creating files. The default
location for these files is /usr/tmp, which is a symlink to /tmp,
which in turn is a world-writable directory. Local users can destroy
the contents of any file on any mounted filesystem. Please upgrade to: 

e15137088145d315952586f1ad6330ef openldap-1.2.9-5mdk.i586.rpm
0807d4c34bf6cec47fede3cf7c2572c5 openldap-1.2.9-5mdk.src.rpm

This bug doesn't affect older versions of Linux-Mandrake.

--
< Gael DUVAL - gduval@mandrakesoft.com >
< http://www.mandrake.com >
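
The openldap item above describes file creation that follows symbolic links in a world-writable directory. The C program below is an added example, not part of the original announcement and not OpenLDAP's code: it contrasts a creation call that follows a symlink with one that refuses it. The function names and the paths inside the private mkdtemp() directory are hypothetical and constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Follows a symlink at `path` and truncates whatever it resolves to:
 * the behaviour described in the advisory. */
int create_following(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* O_EXCL makes open() fail with EEXIST if the name already exists, even
 * as a symlink; O_NOFOLLOW is a second guard on the final component. */
int create_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

static long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Constructed scenario: "target" holds 9 bytes, and "work" is a symlink
 * to it sitting at the name the program is about to create. Returns the
 * size of target afterwards, or -1 if the setup failed. */
long target_size_after(int use_exclusive) {
    char dir[] = "/tmp/symlink-demo-XXXXXX";
    char target[64], work[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(work, sizeof work, "%s/work", dir);
    FILE *f = fopen(target, "w");
    if (!f) return -1;
    fputs("important", f);
    fclose(f);
    if (symlink(target, work) != 0) return -1;
    int fd = use_exclusive ? create_exclusive(work) : create_following(work);
    if (fd >= 0) close(fd);
    long size = file_size(target);
    unlink(work); unlink(target); rmdir(dir);
    return size;
}

int main(void) {
    printf("following symlinks: target is %ld bytes\n", target_size_after(0));
    printf("O_EXCL|O_NOFOLLOW:  target is %ld bytes\n", target_size_after(1));
    return 0;
}
```

With the symlink-following call the target is truncated to 0 bytes; with the exclusive call open() fails and the target keeps its 9 bytes.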