Yellow Dog Linux Security Announcement
--------------------------------------

Package:	uucp		
Issue Date: 	January 27, 2002	
Priority:	high		
Advisory ID: 	YDU-20020127-10


1. 	Topic:

	uuxqt in the uucp package contains a security problem that has
	been fixed with these updates packages.


2. 	Problem:

	uuxqt in Taylor UUCP package does not properly remove dangerous long
        options, which allows local users to gain uid and gid uucp privileges by
        calling uux and specifying an alternate configuration file with the
        --config option

	The Common Vulnerabilities and Exposures project (cve.mitre.org) has
	assigned the name CAN-2001-0873 to this issue.


3. 	Solution:

   	a) Updating via yup...
   	We suggest that you use the Yellow Dog Update Program (yup)
   	to keep your system up-to-date. The following command(s) will
   	automatically retrieve and install the fixed version of
   	this update onto your system:

   		yup update uucp

   	b) Updating manually...
   	The update can also be retrieved manually from our ftp site
   	below along with the rpm command that should be used to install
   	the update.  (Please use a mirror site)

   		ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.1/ppc/
		rpm -Fvh uucp-1.06.1-31.7.1.ppc.rpm


4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
d3e4711d55f79e97371213e6fe948646  ppc/uucp-1.06.1-31.7.1.ppc.rpm
7a115048fafa351450370aad1121a348  SRPMS/uucp-1.06.1-31.7.1.src.rpm

If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename


5. Misc.

Terra Soft has setup a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.

For information regarding the usage of yup, the Yellow Dog Update Program, see 
http://http://www.yellowdoglinux.com/support/solutions/ydl_general/yup.shtml