MDKSA-2005:132 - Updated heartbeat packages fix temporary file vulnerabilities

From: Mandriva Security Team (security_at_mandriva.com)
Date: 08/10/05

    To: bugtraq@securityfocus.com
    Date: Wed, 10 Aug 2005 13:16:42 -0600
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

     _______________________________________________________________________

                    Mandriva Linux Security Update Advisory
     _______________________________________________________________________

     Package name: heartbeat
     Advisory ID: MDKSA-2005:132
     Date: August 9th, 2005

     Affected versions: Corporate 3.0
     ______________________________________________________________________

     Problem Description:

     Eric Romang discovered that Heartbeat would create temporary files with
     predictable filenames. This could allow a local attacker to create
     symbolic links in the temporary file directory pointing to a valid file
     on the filesystem, which could lead to that file being overwritten with
     the privileges of the user running the vulnerable script.
     
     The updated packages have been patched to correct this problem.
     _______________________________________________________________________

     References:

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2231
     ______________________________________________________________________

     Updated Packages:
      
     Corporate 3.0:
     988b71b1018f73f77a94f9ac4d736ad1 corporate/3.0/RPMS/heartbeat-1.2.3-2.1.C30mdk.i586.rpm
     6afa9bcec600cba453e97cfb8910eb66 corporate/3.0/RPMS/heartbeat-ldirectord-1.2.3-2.1.C30mdk.i586.rpm
     02d4854a8683c467debb9a56a44123ac corporate/3.0/RPMS/heartbeat-pils-1.2.3-2.1.C30mdk.i586.rpm
     23618a86f47b4289e9c85732569cfc1b corporate/3.0/RPMS/heartbeat-stonith-1.2.3-2.1.C30mdk.i586.rpm
     c515a12308e088d3aa322de379040d0a corporate/3.0/RPMS/libheartbeat-pils0-1.2.3-2.1.C30mdk.i586.rpm
     cd30d48b40ed4d9c4e2e86d6fcb0d9c9 corporate/3.0/RPMS/libheartbeat-pils0-devel-1.2.3-2.1.C30mdk.i586.rpm
     cf2081419d50b42044a69de786b3e059 corporate/3.0/RPMS/libheartbeat-stonith0-1.2.3-2.1.C30mdk.i586.rpm
     f2cef6941e6d635f1f21fe651e9646b4 corporate/3.0/RPMS/libheartbeat-stonith0-devel-1.2.3-2.1.C30mdk.i586.rpm
     6da3d9489adc023b552116324c70f35a corporate/3.0/RPMS/libheartbeat0-1.2.3-2.1.C30mdk.i586.rpm
     67f33aac7c08767c5b2df9fb71ad64aa corporate/3.0/RPMS/libheartbeat0-devel-1.2.3-2.1.C30mdk.i586.rpm
     0f9dc2960afa29d70f57aff6573a0559 corporate/3.0/SRPMS/heartbeat-1.2.3-2.1.C30mdk.src.rpm

     Corporate 3.0/X86_64:
     1c1a953510c8d5a82c9d5774c12b915a x86_64/corporate/3.0/RPMS/heartbeat-1.2.3-2.1.C30mdk.x86_64.rpm
     7c9f07341f2d7e9e68df078365c05334 x86_64/corporate/3.0/RPMS/heartbeat-ldirectord-1.2.3-2.1.C30mdk.x86_64.rpm
     5cc9ef2dbf09da3b5bad12387b9d94a0 x86_64/corporate/3.0/RPMS/heartbeat-pils-1.2.3-2.1.C30mdk.x86_64.rpm
     972307d2bdf4396e2df0b4fd0c3f8007 x86_64/corporate/3.0/RPMS/heartbeat-stonith-1.2.3-2.1.C30mdk.x86_64.rpm
     d2287fd3e7d1ce3cbabc8331f9f8bfea x86_64/corporate/3.0/RPMS/lib64heartbeat-pils0-1.2.3-2.1.C30mdk.x86_64.rpm
     5e523b3319eb3519420b9f651f6c5c01 x86_64/corporate/3.0/RPMS/lib64heartbeat-pils0-devel-1.2.3-2.1.C30mdk.x86_64.rpm
     e3276d0abb8c2c79287fe50bf6934a8a x86_64/corporate/3.0/RPMS/lib64heartbeat-stonith0-1.2.3-2.1.C30mdk.x86_64.rpm
     c636cc202c0ffdb8132bcfbb5d2ed142 x86_64/corporate/3.0/RPMS/lib64heartbeat-stonith0-devel-1.2.3-2.1.C30mdk.x86_64.rpm
     de2a839582b402dd63d9b435a956c103 x86_64/corporate/3.0/RPMS/lib64heartbeat0-1.2.3-2.1.C30mdk.x86_64.rpm
     e05f6de07919d8dc994a83951ebf0794 x86_64/corporate/3.0/RPMS/lib64heartbeat0-devel-1.2.3-2.1.C30mdk.x86_64.rpm
     0f9dc2960afa29d70f57aff6573a0559 x86_64/corporate/3.0/SRPMS/heartbeat-1.2.3-2.1.C30mdk.src.rpm
     _______________________________________________________________________

     To upgrade automatically use MandrakeUpdate or urpmi. The verification
     of md5 checksums and GPG signatures is performed automatically for you.

     All packages are signed by Mandriva for security. You can obtain the
     GPG public key of the Mandriva Security Team by executing:

      gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

     You can view other update advisories for Mandriva Linux at:

      http://www.mandriva.com/security/advisories

     If you want to report vulnerabilities, please contact

      security_(at)_mandriva.com
     _______________________________________________________________________

     Type Bits/KeyID Date User ID
     pub 1024D/22458A98 2000-07-10 Mandriva Security Team
      <security*mandriva.com>

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (GNU/Linux)

    iD8DBQFC+lKZmqjQ0CJFipgRAiCRAKCEiLCa1CtuxcbWTjlTXtITcgsqJwCgl7Qp
    Inpxe+m9REv2u+kqZLGQIT8=
    =G34L
    -----END PGP SIGNATURE-----
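
The temporary-file problem described in the advisory, as an added example that is not part of the original message and is not Heartbeat's code: a script that derives its temp name from its PID, beside the `mktemp` form, checked in a private sandbox directory. The function names, the `hb_status` prefix and the sandbox layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; not Heartbeat code. All names and paths are constructed.

# Weak pattern: the name is derived from the PID, so it can be guessed in
# advance, and ">" follows a symlink that already sits at that path.
write_predictable() {
    dir=$1; data=$2
    tmp="$dir/hb_status.$$"        # hypothetical predictable name
    printf '%s\n' "$data" > "$tmp"
    printf '%s\n' "$tmp"
}

# Hardened pattern: mktemp picks an unpredictable name and creates the file
# exclusively (O_EXCL, mode 0600), so an existing link is never reused.
write_safe() {
    dir=$1; data=$2
    tmp=$(mktemp "$dir/hb_status.XXXXXXXXXX") || return 1
    printf '%s\n' "$data" > "$tmp"
    printf '%s\n' "$tmp"
}

# Self-check in a private sandbox: a link is placed at the predictable name,
# then each writer runs and the content of the linked file is recorded.
demo() {
    box=$(mktemp -d) || return 1
    printf 'original\n' > "$box/victim"
    ln -s "$box/victim" "$box/hb_status.$$"
    write_safe "$box" "status" >/dev/null
    safe_result=$(cat "$box/victim")    # untouched by the mktemp writer
    write_predictable "$box" "status" >/dev/null
    weak_result=$(cat "$box/victim")    # clobbered through the link
    rm -rf "$box"
    printf '%s %s\n' "$safe_result" "$weak_result"
}
```

`demo` prints the content of the linked file after each writer; when auditing scripts, redirections to names built from `$$`, dates or fixed strings under a shared temp directory are the pattern to look for.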

