Yellow Dog Linux Security Announcement
--------------------------------------

Package:	LPRng	
Issue Date: 	July 25, 2001
Priority:	high		
Advisory ID: 	YDU-20010725-7


1. 	Topic:

	LPRng has a group membership-related security problem.
	

2. 	Problem:

	"LPRng fails to drop supplemental group membership at init time, though it
	does properly setuid and setgid. The result is that LPRng, and its
	children, maintain any supplemental groups that the process starting LPRng
	had at the time it started LPRng. This is a security risk."
	(from Red Hat's security advisory)


3. 	Solution:

   	a) Updating via yup...
   	We suggest that you use the Yellow Dog Update Program (yup)
   	to keep your system up-to-date. The following command(s) will
   	automatically retrieve and install the fixed version of
   	this update onto your system:

   		yup update LPRng 

   	b) Updating manually...
   	The update can also be retrieved manually from our ftp site
   	below along with the rpm command that should be used to install
   	the update.  (Please use a mirror site)

   		ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.0/ppc/RPMS/
		rpm -Fvh LPRng-3.7.4-23b.ppc.rpm 


4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
bb5cfad23bafddd8dfcc3f80561ba8da  SRPMS/LPRng-3.7.4-23b.src.rpm
a47f62a22b80db2dcb5b8a5ba300f9e4  ppc/RPMS/LPRng-3.7.4-23b.ppc.rpm

If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename


5. Misc.

Terra Soft has setup a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.

For information regarding the usage of yup, the Yellow Dog Update Program, see 
http://http://www.yellowdoglinux.com/support/solutions/ydl_general/yup.shtml