Yellow Dog Linux Security Announcement
--------------------------------------

Package:	mgetty
Issue Date: 	September 13, 2000
Update Date: 	September 13, 2000
Priority:  	high
Advisory ID: 	YDU-20000913-4


1. Topic:

   The mgetty-sendfax package contains a security vulnerability.


2. Problem:

   "The faxrunq and faxrunqd commands supplied with the mgetty-sendfax package
   use a file named /var/spool/fax/outgoing/.lastrun to keep track of the date
   and time when the faxrunq command was last run. /var/tmp is a
   world-writable directory, and no check is made to ensure that .lastrun is
   not a symbolic link to another file. A malicious user can create a
   symbolic link named /var/spool/fax/outgoing/.lastrun which points to any
   file on a mounted filesystem, and that file's contents will be destroyed
   the next time faxrunq is run." (from Red Hat's errata advisory)


3. Solution:

   a) Updating via yup...
   We suggest that you use the Yellow Dog Update Program (yup)
   to keep your system up-to-date. The following command will
   automatically retrieve and install the fixed version of
   mgetty onto your system:

   	yup update mgetty
   	yup update mgetty-sendfax
   	yup update mgetty-viewfax
   	yup update mgetty-voice

   b) Updating manually...
   The update can also be retrieved manually from our ftp site
   below along with the rpm command that should be used to install
   the update.

   ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/champion-1.2/ppc/RPMS/
   mgetty-1.1.22-1.6.x.ppc.rpm
   mgetty-sendfax-1.1.22-1.6.x.ppc.rpm
   mgetty-viewfax-1.1.22-1.6.x.ppc.rpm
   mgetty-voice-1.1.22-1.6.x.ppc.rpm

        rpm -Fvh mgetty-*-1.1.22-1.6.x.ppc.rpm


4. Verification

MD5 checksum				Package
--------------------------------	----------------------------
83e4028473750ca75a46f3fb190f6315  	SRPMS/mgetty-1.1.22-1.6.x.src.rpm
65e0d72a4881a9899339ecc9c0be0f66  	RPMS/mgetty-1.1.22-1.6.x.ppc.rpm
716955dd40e6f54fd7867269554129c5  	RPMS/mgetty-sendfax-1.1.22-1.6.x.ppc.rpm
b276dbf741fb5e00c12ec33de295573a  	RPMS/mgetty-viewfax-1.1.22-1.6.x.ppc.rpm
00b41bfbc5db9722a3305cfa78a2dce1  	RPMS/mgetty-voice-1.1.22-1.6.x.ppc.rpm

If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename


5. Misc.

Terra Soft has setup a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.

For information regarding the usage of yup, the Yellow Dog Update Program, see 
http://http://www.yellowdoglinux.com/support/solutions/ydl_general/yup.shtml