Author: tu...@tuan.m6.ntu.edu.tw (Yi-Shi Tuan)
Subject: [linux-security] Missing bugfixes in redhat4.1 (fwd)
Date: Fri Feb 14 18:19:00 1997
Forwarded message:
From linux-secur...@redhat.com Mon Feb 10 15:08:30 1997
Resent-Date: 10 Feb 1997 07:00:19 -0000
Resent-Cc: recipient list not shown: ;
MBOX-Line: From linux-secur...@redhat.com Mon Feb 10 02:00:07 1997
From: Savochkin Andrey Vladimirovich <s...@shade.msu.ru>
Message-Id: <1997020913...@shade.msu.ru>
To: redhat...@redhat.com
Date: Sun, 9 Feb 1997 16:15:11 +0300 (MSK)
Cc: linux-s...@redhat.com
Reply-To: s...@msu.ru
Content-Type: text
Resent-Message-ID: <"szhfe3.0.XK6.tTi_o"@mail2.redhat.com>
Resent-From: linux-s...@redhat.com
X-Mailing-List: <linux-s...@redhat.com> archive/latest/154
X-Loop: linux-s...@redhat.com
Precedence: list
Resent-Sender: linux-secur...@redhat.com
Subject: [linux-security] Missing bugfixes in redhat4.1

After installing redhat4.1 I found that a few serious bug fixes
announced in Jan 97 were not included in the distribution.

First of them -- a SERIOUS SECURITY BUG in wu-ftpd allowing
any user to gain root access to files. The patch was posted to the redhat-announce
list and included in wu-ftpd-2.4.2b11-9.

Second: a bug in wu-ftpd -- ftpd doesn't perform any logging for real users
and ignores the corresponding lines in the ftpaccess configuration file.
The patch was posted to redhat-devel.

These two patches are placed in
ftp://shade.msu.ru/pub/linux/utils/wu-ftpd-2.4.2-secure+log.patch

Third: a bug in cracklib, which under certain conditions forces the pam_unix_passwd
module to cause a segmentation fault instead of authentication (in the lucky case)
and performs random memory operations in other cases.
This bug can also be used in attempts to break system security
because one of the affected programs (passwd) is root-setuid.
The patch was posted to the redhat-announce list and can be obtained from
ftp://shade.msu.ru/pub/linux/libs/cracklib25_small.bugfix.patch

Andrey V. Savochkin
--
Origin: 陽光沙灘電機分站 freebsd.ee.ntu.edu.tw (140.112.19.123)