Caldera Affected

Notified: June 07, 2000 Updated: June 15, 2001

Status

Affected

Vendor Statement

Caldera reports the vulnerability of Caldera Linux to this flaw at http://www.caldera.com/support/security/advisories/CSSA-2000-021.0.txt.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Conectiva Affected

Notified: July 27, 2000 Updated: June 15, 2001

Status

Affected

Vendor Statement

CONECTIVA LINUX SECURITY ANNOUNCEMENT

PACKAGE : man
SUMMARY : Insecure directory creation in /tmp
DATE : 2000-07-27
AFFECTED CONECTIVA VERSIONS : 5.1

DESCRIPTION

This announcement is being re-released specifically for Conectiva Linux 5.1. Redhat has identified a problem with the man package which also affects Conectiva Linux. Conectiva Linux versions prior to 5.1 have already been patched. The man package has a script called makewhatis that is run weekly by the cron daemon as root. This script creates a directory in /tmp and some files under it with predictable names, thus making it possible for a local attacker to alter any file in the system via symlink attacks.

SOLUTION

All users of Conectiva Linux 5.1 should upgrade. Conectiva Linux versions prior to 5.1 have already been patched.

DIRECT DOWNLOAD LINKS TO UPDATED PACKAGES

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.1/i386/man-1.5g-9cl.i386.rpm

DIRECT LINK TO THE SOURCE PACKAGES

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.1/SRPMS/man-1.5g-9cl.src.rpm

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MandrakeSoft Affected

Notified: July 07, 2000 Updated: June 15, 2001

Status

Affected

Vendor Statement

MandrakeSoft reports the vulnerability of Linux-Mandrake to this flaw at http://www.linux-mandrake.com/en/updates/2000/MDKSA-2000-015.php3?dis=6.0.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

RedHat Affected

Updated: June 15, 2001

Status

Affected

Vendor Statement

Red Hat reports their vulnerability to this flaw at http://www.redhat.com/support/errata/RHSA-2000-041-02.html.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.