Yellow Dog Linux Security Announcement
--------------------------------------

Package:	xchat
Issue Date: 	September 13, 2000
Update Date: 	September 13, 2000
Priority: 	high
Advisory ID: 	YDU-20000913-1


1. Topic:

   A new xchat package fixes a potential security problem.


2. Problem:

   The Xchat program allows users to right-click on
   a URL from an IRC session and select "Open in Browser."
   Xchat passes the URL to /bin/sh so a malicious URL
   could execute arbitrary shell commands as the user
   running Xchat (Another reason not to IRC as root).


3. Solution:

   a) Updating via yup...
   We suggest that you use the Yellow Dog Update Program (yup)
   to keep your system up-to-date. The following command will
   automatically retrieve and install the fixed version of
   the xchat onto your system:

   	yup update xchat

   b) Updating manually...
   The update can also be retrieved manually from our ftp site
   below along with the rpm command that should be used to install
   the update.

   ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/champion-1.2/ppc/RPMS/
   xchat-1.4.0-2.ppc.rpm

        rpm -Fvh xchat-1.4.0-2.ppc.rpm


4. Verification

MD5 checksum				Package
--------------------------------	----------------------------
b6e0e818149025a9148fcf8aead3f4bb        RPMS/xchat-1.4.0-2.ppc.rpm
6c7862460a4e1eb270715bf2768384ce        SRPMS/xchat-1.4.0-2.src.rpm

If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename


5. Misc.

Terra Soft has setup a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.

For information regarding the usage of yup, the Yellow Dog Update Program, see 
http://http://www.yellowdoglinux.com/support/solutions/ydl_general/yup.shtml