Date: Wed, 31 May 2000 17:32:23 -0300
From: Sergio Bruder <bruder@conectiva.com.br>
To: lwn@lwn.net
Subject: [atualizacoes-anuncio] 2000-05-25

----- Forwarded message from atualizacoes@conectiva.com.br -----

Date: Thu, 25 May 2000 17:35:06 -0300
From: atualizacoes@conectiva.com.br
To: atualizacoes-anuncio@bazar.conectiva.com.br
Subject: [atualizacoes-anuncio] 2000-05-25

--------------------------------------------------------------------------
PACKAGE            : openldap
Summary            : Default configuration of package openldap is insecure
Date               : 2000-05-25
Conectiva Versions : 4.1, 4.2, 5.0

DESCRIPTION

The default configuration of the openldap package places the LDAP database in
the /usr/tmp directory. That directory is a symbolic link to /var/tmp, which is
accessible to every user on the system. Any user can therefore create, inside
that directory, a symbolic link pointing to any file on the system. OpenLDAP
follows symbolic links, so if such a link carries the same name as a file that
OpenLDAP creates, OpenLDAP will follow the link and overwrite the target file.

SOLUTION

The solution is to keep the LDAP database in a different directory. Conectiva
suggests /var/lib/ldap. This can be done either by changing the "directory"
directive in the /etc/openldap/slapd.conf file or by updating the package to
version 1.2.10-3cl.
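As an added defender's check, not part of the advisory or of Conectiva's package: a POSIX shell script (assuming GNU coreutils for readlink -f and stat -c) that reads the "directory" directive from a slapd.conf, resolves symbolic links the way the /usr/tmp -> /var/tmp case requires, and flags a database directory that other users can write to. The function names, the temporary layout it builds and the sample configuration files are constructed for the demonstration; run it against a real /etc/openldap/slapd.conf by calling check_slapd_dir with that path.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the "directory" directive of an
# OpenLDAP slapd.conf and flag a database directory that lives in a shared,
# world-writable location such as /usr/tmp -> /var/tmp.
# Assumes GNU coreutils (readlink -f, stat -c). All paths below are constructed.

# Print the value of the first "directory" directive in CONF (empty if none).
slapd_db_dir() {
    awk '$1 == "directory" { print $2; exit }' "$1"
}

# Exit 0 if DIR, after following every symbolic link, is writable by "other".
# A sticky bit (mode 1777) does not make such a directory safe for a daemon's
# data files: every user can still create names in it ahead of the daemon.
dir_world_writable() {
    real=$(readlink -f "$1") || return 1
    [ -d "$real" ] || return 1
    mode=$(stat -c '%a' "$real")        # e.g. 1777 or 700
    other=${mode#"${mode%?}"}           # last octal digit = "other" bits
    [ $(( other & 2 )) -ne 0 ]          # bit 2 = write
}

# check_slapd_dir CONF
#   exit 0: database directory is private
#   exit 1: database directory is world-writable (the advisory's condition)
#   exit 2: no "directory" directive found
check_slapd_dir() {
    dir=$(slapd_db_dir "$1")
    if [ -z "$dir" ]; then
        echo "$1: no directory directive found" >&2
        return 2
    fi
    if dir_world_writable "$dir"; then
        echo "$1: database directory $dir -> $(readlink -f "$dir") is world-writable" >&2
        return 1
    fi
    echo "$1: database directory $dir is private"
    return 0
}

# Self-contained demo on a constructed layout mirroring the advisory:
# usr_tmp is a symlink to a mode-1777 directory (like /usr/tmp -> /var/tmp),
# ldap is a private mode-0700 directory (like the suggested /var/lib/ldap).
demo() {
    t=$(mktemp -d) || return 1
    mkdir -m 1777 "$t/var_tmp"
    ln -s "$t/var_tmp" "$t/usr_tmp"
    mkdir -m 0700 "$t/ldap"
    printf 'database ldbm\ndirectory %s\n' "$t/usr_tmp" > "$t/slapd-insecure.conf"
    printf 'database ldbm\ndirectory %s\n' "$t/ldap"    > "$t/slapd-fixed.conf"
    check_slapd_dir "$t/slapd-insecure.conf" || echo "  -> flagged, exit status $?"
    check_slapd_dir "$t/slapd-fixed.conf"
    rm -rf "$t"
}

demo
```

The check resolves the directive's path with readlink -f before looking at permissions, because the insecure default in the advisory is not itself a world-writable directory but a symbolic link to one; checking the link name alone would miss it.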
RPM PACKAGES

i386/openldap-1.2.10-3cl.i386.rpm
i386/openldap-devel-1.2.10-3cl.i386.rpm

DOWNLOAD

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0

DIRECT REFERENCE TO THE PACKAGES

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/openldap-1.2.10-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/openldap-devel-1.2.10-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/openldap-1.2.10-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/openldap-devel-1.2.10-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openldap-1.2.10-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openldap-devel-1.2.10-3cl.i386.rpm

For security reasons, all the packages listed here are signed with Conectiva's
PGP key. You can get this key at
http://www.conectiva.com.br/conectiva/contato.html

-- 
Sergio D. Bruder
bruder@conectiva.com.br, sergio@bruder.net
------------------------------------------
http://www.conectiva.com.br
http://sergio.bruder.net
http://pontobr.org