Yellow Dog Linux Security Announcement -------------------------------------- Package: openldap Issue Date: May 02, 2000 Update Date: May 02, 2000 Priority: high Advisory ID: YDU-2000502-2 1. Topic: The OpenLDAP program has a security vulnerability which can allow local users to destroy critical file. 2. Problem: OpenLDAP follows symbolic links when creating files. The default location for these files is /usr/tmp which is linked to /tmp. /tmp is a world-writable directory, therefore local users can destroy any file on any mounted filesystem. 3. Solution: a) Updating via yup... We suggest that you use the Yellow Dog Update Program (yup) to keep your system up-to-date. The following command will automatically retrieve and install the fixed version of man onto your system: yup update openldap b) Updating manually... The update can also be retrieved manually from our ftp site below along with the rpm command that should be used to install the update. ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/champion-1.2/ppc/RPMS/ openldap-1.2.9-6.ppc.rpm rpm -Fvh openldap-1.2.9-6.ppc.rpm Administrators with existing databases should also move their NEXTID and *.dbb files from /usr/tmp to /var/lib/ldap, and verify that the 'directory' setting in /etc/openldap/slapd.conf is changed accordingly. 4. Verification MD5 checksum Package -------------------------------- ---------------------------- 653d224a5f8071019d6f1c133e23cad4 RPMS/openldap-1.2.9-6.ppc.rpm bd67b599f128b81a36a0b12964b86d2d RPMS/openldap-devel-1.2.9-6.ppc.rpm 0138dcd59341910e51b894792a99ffe5 SRPMS/openldap-1.2.9-6.src.rpm All updates are signed by Terra Soft Solutions, Inc. with our GPG key which is available at: http://www.yellowdoglinux.com/resources/public_key.shtml You can verify each package with the following command: rpm --checksig filename If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nogpg filename 5. Misc. Terra Soft has setup a moderated mailing list where these security, bugfix, and package enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more information. For information regarding the usage of yup, the Yellow Dog Update Program, see http://http://www.yellowdoglinux.com/support/solutions/ydl_general/yup.shtml