Date: Thu, 17 Aug 2000 15:59:27 -0300
To: lwn@lwn.net, bugtraq@securityfocus.com, security-alert@linuxsecurity.com
Subject: Conectiva Linux Security Announcement - xlockmore
From: secure@conectiva.com.br

-----------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
-----------------------------------------------------------------------

PACKAGE            : xlockmore
SUMMARY            : Local exploit
DATE               : 2000-08-17 14:43:00
RELEVANT RELEASES  : 4.0, 4.0es, 4.1, 4.2, 5.0, prg gráficos, ecommerce, 5.1

----------------------------------------------------------------------

DESCRIPTION
Xlock is a screensaver with locking capabilities. It is a SUID root
program that drops its privileges as soon as possible, but the encrypted
user passwords remain in memory. A format bug exists in the processing
of the -d command line option that could allow an attacker to read these
encrypted passwords.

SOLUTION
All users should upgrade to the new package.

DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/4.0/i386/xlockmore-4.17-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/xlockmore-4.17-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/xlockmore-4.17-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/xlockmore-4.17-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/xlockmore-4.17-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/xlockmore-4.17-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/xlockmore-4.17-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/xlockmore-4.17-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/xlockmore-4.17-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/xlockmore-4.17-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/xlockmore-4.17-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/xlockmore-4.17-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ecomm/i386/xlockmore-4.17-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ecomm/SRPMS/xlockmore-4.17-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferrgraf/i386/xlockmore-4.17-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferrgraf/SRPMS/xlockmore-4.17-1cl.src.rpm

----------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key can be
obtained at http://www.conectiva.com.br/contato
----------------------------------------------------------------------

subscribe: atualizacoes-anuncio-subscribe@bazar.conectiva.com.br
unsubscribe: atualizacoes-anuncio-unsubscribe@bazar.conectiva.com.br
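
Added example, not part of the advisory and not xlockmore source: the class of bug described above (a command line value such as the -d argument ending up as a printf-style format) shown beside the hardened form, plus an allow-list check for the option value. The function names, the message text and the allowed character set are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed allow-list for an X display name such as "host:0.0". */
#define DISPLAY_CHARS \
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.:-_/[]"

/* VULNERABLE pattern (hypothetical helper): the caller-supplied name is the
 * format string, so conversion specifiers inside it are interpreted and can
 * disclose process memory. Compilers flag this with -Wformat-security. */
int report_unsafe(char *out, size_t n, const char *display_name)
{
    return snprintf(out, n, display_name);
}

/* HARDENED pattern: constant format; untrusted text is passed only as data. */
int report_safe(char *out, size_t n, const char *display_name)
{
    return snprintf(out, n, "cannot open display %s", display_name);
}

/* Defense in depth: reject option values that contain anything outside the
 * expected character set (this also rejects '%') or are empty/over-long. */
int display_name_ok(const char *s)
{
    size_t len = strlen(s);

    if (len == 0 || len > 255)
        return 0;
    return strspn(s, DISPLAY_CHARS) == len;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "localhost:0.0", "%s%s:0" };
    char msg[128];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        /* Only the safe path ever sees the untrusted string. */
        report_safe(msg, sizeof msg, samples[i]);
        printf("%-14s valid=%d msg=\"%s\"\n",
               samples[i], display_name_ok(samples[i]), msg);
    }
    return 0;
}
```

Building with -Wformat -Wformat-security (or -Werror=format-security) makes the compiler report the call in report_unsafe, which is a cheap audit for other SUID programs in the same tree.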