An utempter update for Fedora Core 1 has been released
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-108
2004-04-21
---------------------------------------------------------------------
Name : utempter
Version : 0.5.5
Release : 3.FC1.0
Summary : A privileged helper for utmp/wtmp updates.
Description :
Utempter is a utility which allows some non-privileged programs to have required root access without compromising system security. Utempter accomplishes this feat by acting as a buffer between root and the programs.
---------------------------------------------------------------------
Update Information:
Topic:
An updated utempter package that fixes a potential symlink vulnerability is now available.
Problem Description:
Utempter is a utility that allows terminal applications such as xterm and screen to update utmp and wtmp without requiring root privileges.
Steve Grubb discovered a flaw in Utempter which allowed device names containing directory traversal sequences such as '/../'. In combination with an application that trusts the utmp or wtmp files, this could allow a local attacker the ability to overwrite privileged files using a symlink.
Users should upgrade to this new version of utempter, which fixes this vulnerability.
---------------------------------------------------------------------
* Tue Apr 20 2004 Mike A. Harris mharris@redhat.com 0.5.5-4
- Build 0.5.5-1 version as 0.5.5-1.2.1EL.0 for RHEL 2.1 erratum
- Build 0.5.5-1 version as 0.5.5-1.3EL.0 for RHEL 3 erratum
- Build 0.5.5-1 version as 0.5.5-2.RHL9.0 for RHL 9 erratum
- Build 0.5.5-1 version as 0.5.5-3.FC1.0 for Fedora Core 1 erratum
- Build 0.5.5-1 version as 0.5.5-4 for Fedora Core 2 development head
* Mon Apr 19 2004 Mike A. Harris mharris@redhat.com 0.5.5-1
- [SECURITY] Fix CAN-2004-0233 utempter directory traversal symlink attack
issue for immediate erratum release.
- Build all-arch test package 0.5.5-1 in dist-fc2-scratch
* Mon Feb 23 2004 Mike A. Harris mharris@redhat.com 0.5.4-1
- Rewrote post install script to be a bit cleaner and rebuilt in rawhide to pick up twaugh's chown change
- Added 'srpm-x' target to Makefile for package maintainer SRPM building
* Mon Feb 23 2004 Tim Waugh twaugh@redhat.com
- Use ':' instead of '.' as separator for chown.
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/
f7183d6339a8bdaa5b42a55b9bf1915a SRPMS/utempter-0.5.5-3.FC1.0.src.rpm
6d211a469244cd656fcff3464d00e3e0 i386/utempter-0.5.5-3.FC1.0.i386.rpm
86e078c46a04eceb0c5e05f6a428214d i386/debug/utempter-debuginfo-0.5.5-3.FC1.0.i386.rpm
f5946681eddc62e62296e64b29f176a8 x86_64/utempter-0.5.5-3.FC1.0.x86_64.rpm
fbd974095834794b31aa89aa50d14d90 x86_64/debug/utempter-debuginfo-0.5.5-3.FC1.0.x86_64.rpm
This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-108
2004-04-21
---------------------------------------------------------------------
Name : utempter
Version : 0.5.5
Release : 3.FC1.0
Summary : A privileged helper for utmp/wtmp updates.
Description :
Utempter is a utility which allows some non-privileged programs to have required root access without compromising system security. Utempter accomplishes this feat by acting as a buffer between root and the programs.
---------------------------------------------------------------------
Update Information:
Topic:
An updated utempter package that fixes a potential symlink vulnerability is now available.
Problem Description:
Utempter is a utility that allows terminal applications such as xterm and screen to update utmp and wtmp without requiring root privileges.
Steve Grubb discovered a flaw in Utempter which allowed device names containing directory traversal sequences such as '/../'. In combination with an application that trusts the utmp or wtmp files, this could allow a local attacker the ability to overwrite privileged files using a symlink.
Users should upgrade to this new version of utempter, which fixes this vulnerability.
---------------------------------------------------------------------
* Tue Apr 20 2004 Mike A. Harris mharris@redhat.com 0.5.5-4
- Build 0.5.5-1 version as 0.5.5-1.2.1EL.0 for RHEL 2.1 erratum
- Build 0.5.5-1 version as 0.5.5-1.3EL.0 for RHEL 3 erratum
- Build 0.5.5-1 version as 0.5.5-2.RHL9.0 for RHL 9 erratum
- Build 0.5.5-1 version as 0.5.5-3.FC1.0 for Fedora Core 1 erratum
- Build 0.5.5-1 version as 0.5.5-4 for Fedora Core 2 development head
* Mon Apr 19 2004 Mike A. Harris mharris@redhat.com 0.5.5-1
- [SECURITY] Fix CAN-2004-0233 utempter directory traversal symlink attack
issue for immediate erratum release.
- Build all-arch test package 0.5.5-1 in dist-fc2-scratch
* Mon Feb 23 2004 Mike A. Harris mharris@redhat.com 0.5.4-1
- Rewrote post install script to be a bit cleaner and rebuilt in rawhide to pick up twaugh's chown change
- Added 'srpm-x' target to Makefile for package maintainer SRPM building
* Mon Feb 23 2004 Tim Waugh twaugh@redhat.com
- Use ':' instead of '.' as separator for chown.
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/
f7183d6339a8bdaa5b42a55b9bf1915a SRPMS/utempter-0.5.5-3.FC1.0.src.rpm
6d211a469244cd656fcff3464d00e3e0 i386/utempter-0.5.5-3.FC1.0.i386.rpm
86e078c46a04eceb0c5e05f6a428214d i386/debug/utempter-debuginfo-0.5.5-3.FC1.0.i386.rpm
f5946681eddc62e62296e64b29f176a8 x86_64/utempter-0.5.5-3.FC1.0.x86_64.rpm
fbd974095834794b31aa89aa50d14d90 x86_64/debug/utempter-debuginfo-0.5.5-3.FC1.0.x86_64.rpm
This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.