[LWN Logo]
[Timeline]
Date: Mon, 9 Oct 2000 15:44:01 -0300
To: lwn@lwn.net, bugtraq@securityfocus.com, security-alert@linuxsecurity.com,
Subject: Conectiva Linux Security Announcement - tmpwatch
From: secure@conectiva.com.br

-----------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
-----------------------------------------------------------------------

PACKAGE   : tmpwatch
SUMMARY   : tmpwatch local DoS
DATE      : 2000-10-09 15:43:00
RELEVANT
RELEASES  : 4.0, 4.0es, 4.1, 4.2, 5.0, prg gráficos, ecommerce, 5.1

----------------------------------------------------------------------

DESCRIPTION
 Versions of the tmpwatch package as shipped with Conectiva Linux
 contain a vulnerability which could lead to a local DoS.
 These versions, though, are not vulnerable to the local root exploit
 published earlier because they do not have the fuser option, which
 appeared only in later versions.


SOLUTION
 All users should upgrade to the updated package.
 The updated package fixes the DoS and also introduces the fuser
 option, but using exec() instead of system() to avoid the local root
 vulnerability.
 
 Thanks do RedHat for providing a new version.


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/4.0/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/tmpwatch-2.6.2-1cl.src.rpm


----------------------------------------------------------------------

All packages are signed with Conectiva's GPG key. The key can be 
obtained at http://www.conectiva.com.br/contato

----------------------------------------------------------------------
subscribe: atualizacoes-anuncio-subscribe@bazar.conectiva.com.br
unsubscribe: atualizacoes-anuncio-unsubscribe@bazar.conectiva.com.br