Yellow Dog Linux Security Announcement
--------------------------------------

Package:       LPRng
Issue Date:    Jun 02,2003
Priority:      medium
Advisory ID:   YDU-20030602-5

1. Topic:

   Updated LPRng packages are available.

2. Problem:

   "LPRng is a print spooler. LPRng includes a program, psbanner, that can
   be used to produce Postscript banner pages to separate print jobs.

   A vulnerability has been found in psbanner, which creates a temporary
   file with a known filename in an insecure manner. An attacker could
   create a symbolic link and cause arbitrary files to be written as the
   'lp' user.

   Users that have configured LPRng to use psbanner should install these
   updated packages, which contain a patch so that psbanner does not create
   the temporary file."
   (From Red Hat Advisory)

3. Solution:

   a) Updating via apt...
      We suggest that you use the apt-get program to keep your system
      up-to-date. The following command(s) will retrieve and install the
      fixed version of this update onto your system:

          apt-get update
          apt-get install LPRng

   b) Updating manually...
      Download the updates below and then run the following rpm command.
      (Please use a mirror site)

          rpm -Fvh [filenames]

      Yellow Dog Linux 3.0
      ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-3.0/
      ppc/LPRng-3.8.19-3.1.ppc.rpm

4. Verification

   MD5 checksum                      Package
   --------------------------------  ----------------------------
   [Yellow Dog Linux 3.0]
   ae0b1cd31023ce2b42654e2dbca10013  SRPMS/LPRng-3.8.19-3.1.src.rpm
   97991a6beef564b6720b5d63d7b70a3d  ppc/LPRng-3.8.19-3.1.ppc.rpm

   If you wish to verify that each package has not been corrupted or
   tampered with, examine the md5sum with the following command:

       md5sum

5. Misc.

   Terra Soft has set up a moderated mailing list where these security,
   bugfix, and package enhancement announcements will be posted. See
   http://lists.terrasoftsolutions.com/ for more information.

   For information regarding the usage of apt-get, see:
   http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml
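
The temporary-file problem described in section 2, shown as an added C example that is not part of this advisory and is not LPRng or psbanner code: a write to a predictable name follows a pre-planted symbolic link, while exclusive creation and mkstemp() do not. The scratch directory, the file names (victim, banner.tmp) and all function names are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
static int put(int fd, const char *data) {      /* write data to fd, then close it */
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Insecure: the open() flags behind fopen(path, "w") or a shell '>' follow a symlink. */
int write_insecure(const char *path, const char *data) {
    return put(open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666), data);
}

/* O_EXCL fails with EEXIST if anything, a symlink included, already holds the name. */
int write_exclusive(const char *path, const char *data) {
    return put(open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600), data);
}

/* mkstemp() fills in an unpredictable suffix and creates with O_EXCL, mode 0600. */
int write_mkstemp(const char *path, const char *data) {
    char tmpl[128];
    snprintf(tmpl, sizeof tmpl, "%s.XXXXXX", path);
    int fd = mkstemp(tmpl), rc = put(fd, data);
    if (fd >= 0) unlink(tmpl);                  /* scratch file, removed after use */
    return rc;
}

/* Constructed scenario: banner.tmp is a planted symlink to victim; 1 = victim intact. */
int victim_survives(int (*writer)(const char *, const char *)) {
    char dir[] = "/tmp/lprdemoXXXXXX", victim[64], tmp[64], buf[16] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/banner.tmp", dir);
    if (write_exclusive(victim, "original") || symlink(victim, tmp)) return -1;
    writer(tmp, "banner");
    FILE *f = fopen(victim, "r");
    if (f) { if (!fgets(buf, sizeof buf, f)) buf[0] = '\0'; fclose(f); }
    unlink(tmp); unlink(victim); rmdir(dir);
    return strcmp(buf, "original") == 0;
}

int main(void) {   /* prints 1 where victim stayed intact, 0 where it was overwritten */
    return printf("insecure=%d O_EXCL=%d mkstemp=%d\n", victim_survives(write_insecure),
                  victim_survives(write_exclusive), victim_survives(write_mkstemp)) < 0;
}
```

The updated packages take a third route: per the advisory, the patched psbanner creates no temporary file at all.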