Errata: Champion Server v1.1

As always, all update packages are signed with our PGP key. The md5sum for each update package is also available at the bottom of this page. See below for more information.

January 04, 2000: usermode
January 04, 2000: pam
November 10, 1999: bind
October 27, 1999: ypserv
October 27, 1999: lpr
October 21, 1999: wu-ftpd
October 19, 1999: lpr
October 18, 1999: rsh
October 18, 1999: lpr
October 13, 1999: pam
October 1, 1999: mutt
September 26, 1999: proftpd, beroftpd
September 15, 1999: lynx
September 13, 1999: mars-nwe
September 2, 1999: pam, passwd
September 2, 1999: inn
September 1, 1999: am-utils
August 27, 1999: vixie-cron
August 29, 1999: proftpd, wu-ftpd, beroftpd
August 19, 1999: telnet
August 17, 1999: libtermcap
August 17, 1999: WindowMaker
August 17, 1999: pump

Package: usermode
Date: January 04, 2000
A security bug was found in userhelper; the bug can be exploited to provide local users with root access.

A newer version of SysVinit is required to install this update.

Please also upgrade to pam-0.68-10 which fixes a similar security problem.

Thanks to for finding this bug.

Urgency: HIGH
Solution: rpm -Uvh

Package: bind
Date: November 10, 1999
The Internet Software Consortium have announced the discovery of six bugs which result in vulnerabilities of varying levels of severity in BIND (Berkeley Internet Name Domain).

For more information about the particular bugs found, see ISC's security announcement.

Based upon ISC's findings, Terra Soft strongly recommends that all users of bind upgrade to the new version as soon as possible.

Urgency: HIGH
Solution: rpm -Uvh

Package: ypserv
Date: October 27, 1999
With ypserv, local administrators in the NIS domain could possibly inject password tables. In rpc.yppasswdd, users could change GECOS and login shells of other users, and there is a buffer overflow in the md5 hash generation.

All Yellow Dog users that are using ypserv should upgrade to this errata update.

Urgency: MEDIUM
Solution: rpm -Uvh

Package: rsh
Date: October 18, 1999
Due to a PAM misconfiguration of rsh (remote shell), rlogin allows you to log in, even if /etc/nologin exists.

Champion Server ships with most services (/etc/inetd.conf), including rsh and rlogin, disabled for enhanced system sercurity. This upgrade is not necessary if you do not use rsh/rlogin.

Urgency: MEDIUM
Solution: rpm -Uvh

Package: lpr
Date: October 18, 1999
Updated: October 27, 1999
There are two problems in the lpr and lpd programs. By exploiting a race between the access check and the actual file opening, it is potentially possible to have lpr read a file as root that the user does not have access to. Also, the lpd program would blindly open queue files as root; by use of the '-s' flag to lpr, it was possible to have lpd print files that the user could not access.

Thanks go to Tymm Twillman for pointing out these vulnerabilities.

Update (10-19-99): The errata update released previously to fix a security vulnerability contained a bug with remote printing. The new update is only required if you are having problems with remote printing.

Update (10-27-99): The original security patch broke some aspects of printing. New errata RPMs are available which fix the problem.

Urgency: MEDIUM
Solution: rpm -Uvh

Package: mutt
Date: October 1, 1999
A buffer overflow was discovered in the text/enriched handler which may be exploited by an attacker suitably-formatted e-mail messages.

Versions of mutt 0.95.6 and lower are vulnerable. Yellow Dog Champion server 1.0 and 1.1 ship with versions which are effected.

Thanks to the Mutt team for releasing an update for this problem.

Urgency: MEDIUM
Solution: rpm -Uvh

Package: lynx
Date: September 15, 1999
A security problem has been discovered in the lynx web browser program.

When lynx calls external programs for protocols (e.g. telnet), the location is passed unchecked. This can be used to activate commandline parameters. For example, this reference <A HREF="telnet://-n.rhosts">click me</A> would activate the tracefile options on the telnet client. The result of this would be that the .rhosts file in the current directory would be created or overwritten.

Depending on the external programs called by lynx, files can be created or truncated or remote commands could be executed (if ssh or rsh were configured in lynx).

The Yellow Dog Security Team advises that all users with lynx installed upgrade to this fixed version. You can check if you have lynx installed by running:

rpm -qi lynx

Urgency: MEDIUM
Solution: rpm -Uvh

Package: mars-nwe
Date: September 13, 1999
Buffer overflows are present in the mars_nwe package. Since the code is possible if users create carefully designed directories and/or bindery objects.

A sample exploit has been made available.

Thanks go to Przemyslaw Frasunek ( and Babcia Padlina Ltd. for noting the problem and providing a patch.

The Yellow Dog Security Team advises that all people with mars-nwe installed upgrade to this fixed version. You can check if you have mars-nwe installed by running:

rpm -qi mars-nwe

Urgency: MEDIUM
Solution: rpm -Uvh

Packages: pam, passwd
Date: September 2, 1999
Updated: January 04, 2000
The pam and passwd packages that ships with Yellow Dog Linux have a bug in the MD5 code which shows up on big endian systems such as PowerPC which causes sulogin and other programs (such as ssh) to report that your password is incorrect when it is actually correct. sulogin is program which is run when your system is forced to a shell if a file system is damaged. Previously, entering the correct root password did not allow you to access your system and repair the filesystem.

These updates fix the MD5 big endian problem. To allow sulogin (and ssh) to work, you'll need to reset your password(s).

Update: Under some network configurations PAM (Pluggable Authentication Modules) will fail to lock access to disabled NIS accounts. This problem only affects users that have upgraded to the September 2, 1999 update of the PAM package and are using NIS (Network Information Service).

Update (01/04/00): A new version of PAM is available to fix potential security problems similar to that found in the usermode package.

Urgency: MEDIUM
Solution: rpm -Uvh

Package: inn
Date: September 2, 1999
INN versions 2.2 and earlier have a buffer overflow-related security condition in the inews program.

inews is a program used to inject new postings into the news system. It is used by many news reading programs and scripts. The default installation is with inews setgid to the news group and world executable. It's possible that exploiting the buffer overflow could give the attacker news group priviledges, which could possible be extended to root access.

Note that this chain of elevation of privileges is theoretical rather than actual; the ability of an attacker to do this indicates bugs in other portions of INN. However, given the degree to which INN trusts the news user and news group, it's not unlikely that such bugs exist.

No case of this being exploited has been shown yet.

If you run a news server with no local readers (i.e. all your clients are remote) then you can remove the setgid-bit on inews.

chmod 0550 inews

The rnews program, used to feed news via uucp, is setuid to the uucp user. No buffer overflow problems have been found in rnews, but if you don't run uucp on your machine, then we recommend disabiling the setuid bit on rnews:

chown news rnews chgrp news rnews chmod 0550 rnews

Thanks go to the members of the BUGTRAQ mailing list for bringing this issue to our attention.

Urgency: MEDIUM
Solution: rpm -Uvh

Package: am-utils
Date: September 1, 1999
An explotable buffer overflow security problem in the amd daemon which is part of the am-utils package has been fixed. This problem is being actively exploted on the Internet and can be used to gain root access on machines running amd.

Thanks to Erez Zadok, the maintainer of am-utils for his assistance in resolving this problem.

We recommend that all Yellow Dog users upgrade to this fixed version of am-utils.

Urgency: HIGH
Solution: rpm -Uvh

Package: vixie-cron
Date: August 27, 1999
By creating a crontab that runs with a specially formatted 'MAILTO' environment variable, it is possible for local users to overflow a fixed-length buffer in the cron daemon's cron_popen() function. Since the cron daemon runs as root, it would be theoretcially possible for local users to use this buffer overflow to gain root privilege.

To the best of our knowledge, no known exploits exist at this time.

Also, it was possible to use specially formatted 'MAILTO' environment variables to send commands to sendmail.

Urgency: MEDIUM
Solution: rpm -Uvh

Packages: proftpd, wu-ftpd, beroftpd
Date: August 29, 1999
Updated: October 21, 1999
Due to insufficient bounds checking on directory name lengths which can be supplied by users, it is possible to overwrite the static memory space of the proftpd daemon while it is executing under certain configurations. By having the ability to create directories and supplying carefully designed directory names to the proftpd, users may gain privileged access. This vulnerability may allow local & remote users to gain root privileges.

Thanks goes out to the wu-ftpd development group and the members of BugTraq for discovering and fixing this problem.

proftpd is the default FTP server installed with Yellow Dog Linux. You only need to upgrade it unless you have manually installed either wu-ftpd or beroftpd from the extras directory.

FTP service is not turned on by default when YDL is installed. If you did not activate the FTP service, this upgrade is not required. We still do suggest that the upgrade is made to maintain a secure system if you choose to activate FTP serving in the future.

Update: The ProFTPD Developement Group has discovered and corrected more potential security problems in proftpd. Therefore, we've released the latest version, proftpd-1.2.0pre7. The Yellow Dog Security Team advises that all people that have proftpd installed upgrade to this version.

You can check if you have proftpd installed by running:

rpm -qi proftpd

We've also released an updated version of beroftpd which should now have pam support. This update is only necessary if you have beroftpd installed.

Update (10-21-99): Several new security vulnerabilities have been discovered in wu-ftpd and derived ftp daemons. Remote and local intruders may be able exploit these vulnerabilities to execute arbitrary code as the user running the ftpd daemon, usually root. Remote and local intruders who can connect to the FTP server can also cause the server to consume excessive amounts of memory, preventing normal system operation. If intruders can create files on the system, they may be able exploit this vulnerability to execute arbitrary code as the user running the ftpd daemon, usually root.

wu-ftpd is not the default FTP daemon shipped with Yellow Dog Linux but since it is included in the "Extras", we're making this update available. Terra Soft recommends that users who chose to run wu-ftpd apply this upgrade as soon as possible.

Urgency: HIGH
Solution: rpm -Uvh



Be sure to restart inetd once you have upgraded your ftp server. You can do this by executing the following as root: /etc/rc.d/init.d/inet restart

Package: telnet
Date: August 19, 1999
in.telnetd attempts to negotiate a compatible terminal type between the local and remote host. By setting the TERM environment variable before connecting, a remote user could cause the system telnetd to open files it should not. Depending on the TERM setting used, this could lead to denial of service attacks.

Thanks go to Michal Zalewski and the Linux Security Audit team for noting this vulnerability.

Urgency: HIGH
Solution: rpm -Uvh

Package: libtermcap
Date: August 17, 1999
A buffer overflow existed in libtermcap's tgetent() function, which could cause the user to execute arbitrary code if they were able to supply their own termcap file. Thanks go to Kevin Vajk and the Linux Security Audit team for noting and providing a fix for this vulnerability.

Urgency: MEDIUM
Solution: rpm -Uvh

Package: WindowMaker
Date: August 17, 1999
Updated: August 19, 1999
The version of Window Maker that ships with Champion Server 1.1 has a small typo in the WMRootMenu defaults file. This typo caused Window Maker to not function properly.

Update: We've provided an updated Window Maker RPM. Please be sure to remove the GNUStep/ directory in your home directory (if it is present). Once you've upgraded to the new RPM, rerun: /usr/X11R6/bin/wmaker.inst

Urgency: MEDIUM
Solution: rpm -Uvh

Package: pump
Date: August 17, 1999
DHCP did not work with some @Home and RoadRunner (and potentially other) servers. Some (broken) servers did not return server address properly; in these cases, pump now reuses the broadcast address. There was a security hole with the potential for a remote root exploit in certain configurations where DHCP is used on public networks

Yellow Dog users are encouraged to upgrade to the new version of pump below. Kudos to Red Hat for discovering this problem.

Urgency: MEDIUM
Solution: rpm -Uvh

Here are the md5 checksums of the update packages, please verify these before installing the new packages by running: md5sum <file>

199f36daa1e44fcb2a86163d719cce19 RPMS/SysVinit-2.77-2.ppc.rpm
f9e404623f76af77e22986f01d39108a RPMS/usermode-1.16-1.ppc.rpm
1dc6769f1585de74b4f147543f4b9aed RPMS/pam-0.68-10.ppc.rpm
be0a7d6f81e96fda3c5e19c710c4647a RPMS/bind-8.2.2p3-1a.ppc.rpm
39ae72c82387094cfce49e4c8702b56b RPMS/bind-devel-8.2.2p3-1a.ppc.rpm
2557d3ed1f8a7d8b29a95e01b751c371 RPMS/bind-utils-8.2.2p3-1a.ppc.rpm
fa2254f50b3bf77a104ece3e4c93a2d3 RPMS/ypserv-1.3.9-1a.ppc.rpm
af084f3dd2e084a7a9c44b3b6865a96d RPMS/lpr-0.46-1a.ppc.rpm
d732fa291f563eea7ce0ba36e6c705e8 RPMS/rsh-0.10-28a.ppc.rpm
90f53dcd18a6bd0ba7774f8a8d1fbc35 RPMS/mutt-0.95.7us-1a.ppc.rpm
c696e64bf55e282b4ae9576a1a486b44 RPMS/lynx-2.8.3pre9-1.ppc.rpm
625555b3be788a00a4d7429ea254183a RPMS/mars-nwe-0.99pl17-4.ppc.rpm
bbbda3f96de08fe88b3fa134ba6c9e18 RPMS/passwd-0.60-1.ppc.rpm
db707dae6df795052069df6f95312b62 RPMS/inews-2.2.1-1.ppc.rpm
52945314b2ecab334ddb8453e64db21a RPMS/inn-2.2.1-1.ppc.rpm
fa5b8da8b382be47992736602c1feebc RPMS/inn-devel-2.2.1-1.ppc.rpm
65d78d00632fb71e41eb136746f99b24 RPMS/am-utils-6.0.1s11-1a.ppc.rpm
d6542f9df01b2e70bad4c5de49700b8b RPMS/proftpd-1.2.0pre7-1a.ppc.rpm
e9bb6dd4e2f418e9053b2e89144503d6 extras/RPMS/wu-ftpd-2.6.0-1a.ppc.rpm
1429fe3b1740ffd8df329086e18d0989 extras/RPMS/beroftpd-1.3.4-2a.ppc.rpm
07858e94894e4b6e2d3429fa7e8b18e0 RPMS/vixie-cron-3.0.1-38.ppc.rpm
05a26abaf824aeba440f9848cfdc1959 RPMS/telnet-0.10-29.ppc.rpm
b589c9125c7c383b24bae3a788e68250 RPMS/libtermcap-2.0.8-15.ppc.rpm
f1bcb15aa8ebc59a39ca8997bdf3743b RPMS/libtermcap-devel-2.0.8-15.ppc.rpm
fc74152f0475cb7014fe0baa58ae01b1 RPMS/WindowMaker-0.53.0-2b.ppc.rpm
a30c5de6ade31d27cb653e7892015d94 RPMS/pump-0.7.0-1.ppc.rpm

          Copyright ® 1999-2010. Fixstars Corporation. All rights reserved. Fixstars Corporation