We should look at legacy exposure to this flaw.

--
Jesse Keating RHCE MCSE (geek.j2solutions.net)
Fedora Legacy Team (www.fedora.us/wiki/FedoraLegacy)
Mondo DevTeam (www.mondorescue.org)
GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)

Was I helpful? Let others know:
http://svcs.affero.net/rm.php?r=jkeating
--- Begin Message ---
- To: fedora-test-list@xxxxxxxxxx
- Subject: [SECURITY] Fedora Core 1 Testing Update: slocate-2.7-4
- From: Bill Nottingham <notting@xxxxxxxxxx>
- Date: Wed, 21 Jan 2004 15:25:51 -0500
- Delivered-to: hosting@j2solutions.net
- Reply-to: fedora-test-list@xxxxxxxxxx
- Sender: fedora-test-list-admin@xxxxxxxxxx
- User-agent: Mutt/1.5.5.1i
---------------------------------------------------------------------
Fedora Test Update Notification
FEDORA-2004-059
2004-01-21
---------------------------------------------------------------------

Name        : slocate
Version     : 2.7
Release     : 4
Summary     : Finds files on a system via a central database.
Description :
Slocate is a security-enhanced version of locate. Just like locate,
slocate searches through a central database (which is updated nightly)
for files which match a given pattern. Slocate allows you to quickly
find files anywhere on your system.

---------------------------------------------------------------------
Update Information:

Patrik Hornik discovered a vulnerability in Slocate versions up to and
including 2.7 where a carefully crafted database could overflow a
heap-based buffer. A local user could exploit this vulnerability to gain
"slocate" group privileges and then read the entire slocate database.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0848 to this issue.

Users of Slocate should upgrade to these packages which contain a patch
from Kevin Lindsay which causes slocate to drop privileges before
reading a user-supplied database.

---------------------------------------------------------------------
* Wed Jan 21 2004 Mark Cox <mjc@xxxxxxxxxx>

- drop privs for non slocate gid databases (CAN-2003-0848)
- update to 2.7

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/testing/1/

48a9f6409ede89470dbeb9c9be3bbb42  SRPMS/slocate-2.7-4.src.rpm
5cecdaa91d6f26d0285592620d13ac9d  i386/slocate-2.7-4.i386.rpm
b4e7fab0377000fabdd136dbe99a8cea  i386/debug/slocate-debuginfo-2.7-4.i386.rpm

This update can also be installed with the Update Agent; you can launch
the Update Agent with the 'up2date' command. You may need to edit your
up2date channels configuration.

Within /etc/sysconfig/rhn/sources enable the following line:

yum updates-testing http://fedora.redhat.com/updates/testing/fedora-core-1

---------------------------------------------------------------------

--
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-test-list
--- End Message ---
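
The mitigation named in the changelog above ("drop privs for non slocate gid databases"), sketched as an added example for a setgid program. This is not Kevin Lindsay's patch or slocate's own code; the function names `db_is_trusted`, `drop_group_privs` and `open_db` are hypothetical, and the world-writable check is an extra assumption.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for setregid() and fileno() */
#endif
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* A database is trusted only if it is a regular file whose group is the
 * privileged group. The world-writable test is an extra assumption of this
 * example, not something the advisory states. */
int db_is_trusted(const struct stat *st, gid_t trusted_gid)
{
    return S_ISREG(st->st_mode)
        && st->st_gid == trusted_gid
        && (st->st_mode & S_IWOTH) == 0;
}

/* Permanently give up the setgid group. Setting the real gid through
 * setregid() also resets the saved gid, so the group cannot be regained. */
int drop_group_privs(void)
{
    gid_t real = getgid();
    gid_t old_egid = getegid();

    if (setregid(real, real) != 0)
        return -1;
    if (getegid() != real)
        return -1;
    /* Verify the drop: switching back must fail for an unprivileged user. */
    if (old_egid != real && geteuid() != 0 && setegid(old_egid) == 0)
        return -1;
    return 0;
}

/* Open a database; privileges are dropped before any byte of an untrusted
 * file is parsed. fstat() on the open descriptor avoids a check/use race. */
FILE *open_db(const char *path, gid_t trusted_gid)
{
    struct stat st;
    FILE *fp = fopen(path, "r");

    if (fp == NULL)
        return NULL;
    if (fstat(fileno(fp), &st) != 0 ||
        (!db_is_trusted(&st, trusted_gid) && drop_group_privs() != 0)) {
        fclose(fp);
        return NULL;
    }
    return fp;
}
```

Because the drop happens before parsing, a heap overflow triggered by a crafted database runs with only the invoking user's own group.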