From: Mandriva Security Team <security@mandriva.com.>
To: [email protected]
Subject: MDKSA-2005:132 - Updated heartbeat packages fix temporary file vulnerabilities
Message-Id: <E1E2w4A-0001n7-1s@mercury.mandriva.com.>
Sender: QATeam User <qateam@mercury.mandriva.com.>
Date: Wed, 10 Aug 2005 13:16:42 -0600
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Update Advisory
_______________________________________________________________________
Package name: heartbeat
Advisory ID: MDKSA-2005:132
Date: August 9th, 2005
Affected versions: Corporate 3.0
______________________________________________________________________
Problem Description:
Eric Romang discovered that Heartbeat would create temporary files with
predictable filenames. This could allow a local attacker to create
symbolic links in the temporary file directory pointing to a valid file
on the filesystem, which could lead to that file being overwritten with
the rights of the user running the vulnerable script.
The updated packages have been patched to correct this problem.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2231
______________________________________________________________________
Updated Packages:
Corporate 3.0:
988b71b1018f73f77a94f9ac4d736ad1 corporate/3.0/RPMS/heartbeat-1.2.3-2.1.C30mdk.i586.rpm
6afa9bcec600cba453e97cfb8910eb66 corporate/3.0/RPMS/heartbeat-ldirectord-1.2.3-2.1.C30mdk.i586.rpm
02d4854a8683c467debb9a56a44123ac corporate/3.0/RPMS/heartbeat-pils-1.2.3-2.1.C30mdk.i586.rpm
23618a86f47b4289e9c85732569cfc1b corporate/3.0/RPMS/heartbeat-stonith-1.2.3-2.1.C30mdk.i586.rpm
c515a12308e088d3aa322de379040d0a corporate/3.0/RPMS/libheartbeat-pils0-1.2.3-2.1.C30mdk.i586.rpm
cd30d48b40ed4d9c4e2e86d6fcb0d9c9 corporate/3.0/RPMS/libheartbeat-pils0-devel-1.2.3-2.1.C30mdk.i586.rpm
cf2081419d50b42044a69de786b3e059 corporate/3.0/RPMS/libheartbeat-stonith0-1.2.3-2.1.C30mdk.i586.rpm
f2cef6941e6d635f1f21fe651e9646b4 corporate/3.0/RPMS/libheartbeat-stonith0-devel-1.2.3-2.1.C30mdk.i586.rpm
6da3d9489adc023b552116324c70f35a corporate/3.0/RPMS/libheartbeat0-1.2.3-2.1.C30mdk.i586.rpm
67f33aac7c08767c5b2df9fb71ad64aa corporate/3.0/RPMS/libheartbeat0-devel-1.2.3-2.1.C30mdk.i586.rpm
0f9dc2960afa29d70f57aff6573a0559 corporate/3.0/SRPMS/heartbeat-1.2.3-2.1.C30mdk.src.rpm
Corporate 3.0/X86_64:
1c1a953510c8d5a82c9d5774c12b915a x86_64/corporate/3.0/RPMS/heartbeat-1.2.3-2.1.C30mdk.x86_64.rpm
7c9f07341f2d7e9e68df078365c05334 x86_64/corporate/3.0/RPMS/heartbeat-ldirectord-1.2.3-2.1.C30mdk.x86_64.rpm
5cc9ef2dbf09da3b5bad12387b9d94a0 x86_64/corporate/3.0/RPMS/heartbeat-pils-1.2.3-2.1.C30mdk.x86_64.rpm
972307d2bdf4396e2df0b4fd0c3f8007 x86_64/corporate/3.0/RPMS/heartbeat-stonith-1.2.3-2.1.C30mdk.x86_64.rpm
d2287fd3e7d1ce3cbabc8331f9f8bfea x86_64/corporate/3.0/RPMS/lib64heartbeat-pils0-1.2.3-2.1.C30mdk.x86_64.rpm
5e523b3319eb3519420b9f651f6c5c01 x86_64/corporate/3.0/RPMS/lib64heartbeat-pils0-devel-1.2.3-2.1.C30mdk.x86_64.rpm
e3276d0abb8c2c79287fe50bf6934a8a x86_64/corporate/3.0/RPMS/lib64heartbeat-stonith0-1.2.3-2.1.C30mdk.x86_64.rpm
c636cc202c0ffdb8132bcfbb5d2ed142 x86_64/corporate/3.0/RPMS/lib64heartbeat-stonith0-devel-1.2.3-2.1.C30mdk.x86_64.rpm
de2a839582b402dd63d9b435a956c103 x86_64/corporate/3.0/RPMS/lib64heartbeat0-1.2.3-2.1.C30mdk.x86_64.rpm
e05f6de07919d8dc994a83951ebf0794 x86_64/corporate/3.0/RPMS/lib64heartbeat0-devel-1.2.3-2.1.C30mdk.x86_64.rpm
0f9dc2960afa29d70f57aff6573a0559 x86_64/corporate/3.0/SRPMS/heartbeat-1.2.3-2.1.C30mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFC+lKZmqjQ0CJFipgRAiCRAKCEiLCa1CtuxcbWTjlTXtITcgsqJwCgl7Qp
Inpxe+m9REv2u+kqZLGQIT8=
=G34L
-----END PGP SIGNATURE-----
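
Added example, not part of the Mandriva advisory and not Heartbeat's code: the predictable-name temporary file pattern from the Problem Description beside two hardened forms, exercised in a private sandbox directory. The file name "hb_status" and all function names are hypothetical.

```shell
#!/bin/sh
# Added illustration; not Heartbeat code. The name "hb_status" and the
# function names are hypothetical.

# Pattern described in the advisory: the name depends only on the PID, so it
# can be guessed, and ">" writes through a symlink already at that path.
write_predictable() {  # $1 = temp dir, $2 = data
    tmp="$1/hb_status.$$"
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Hardened form: mktemp picks an unpredictable name and creates the file
# exclusively with mode 0600, so a pre-existing link is never followed.
write_safe() {  # $1 = temp dir, $2 = data
    tmp=$(mktemp "$1/hb_status.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# When a fixed name is unavoidable, noclobber (set -C) makes ">" refuse an
# existing path, symlinks included, instead of writing through it.
write_fixed_noclobber() {  # $1 = temp dir, $2 = data
    tmp="$1/hb_status.$$"
    ( set -C; printf '%s\n' "$2" > "$tmp" ) 2>/dev/null || return 1
    printf '%s\n' "$tmp"
}

# Constructed scenario: a symlink already sits at the predictable name and
# points at a file that must not change. Prints that file's final content.
demo() {  # $1 = name of the writer function to exercise
    box=$(mktemp -d) || return 1
    printf 'original\n' > "$box/protected.conf"
    ln -s "$box/protected.conf" "$box/hb_status.$$"
    "$1" "$box" "scratch data" >/dev/null 2>&1 || true
    result=$(cat "$box/protected.conf")
    rm -rf "$box"
    printf '%s\n' "$result"
}

for w in write_predictable write_safe write_fixed_noclobber; do
    printf '%-22s protected file now contains: %s\n' "$w" "$(demo "$w")"
done
```

On current Linux kernels the fs.protected_symlinks sysctl adds a backstop for sticky world-writable directories such as /tmp, but scripts should still create their temporary files with mktemp.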