-----BEGIN PGP SIGNED MESSAGE-----

CERT Vendor-Initiated Bulletin VB-95:10a
Original release date: December 18, 1995
Revised January 4, 1996 (additional FTP sites listed)

Topic: Vulnerability in elm 2.4 PL 24
Source: Bill Pemberton, University of Virginia

To aid in the wide distribution of essential security information, the
CERT Coordination Center is forwarding the following information from
Bill Pemberton, who is the coordinator of the group that maintains elm.
Mr. Pemberton urges you to act on this information as soon as possible.
His contact information is included in the forwarded text below; please
contact him if you have any questions or need further information.

========================REVISED FORWARDED TEXT STARTS HERE==================

I. Description

Elm will follow symlinks in /tmp when opening temp files. All systems
that support symlinks are vulnerable. All versions of elm prior to
2.4 PL 25 are vulnerable, including elm 2.3.

II. Impact

Users on the system can create files in the directories of other elm
users.

You can determine what version of elm you are running with the -v
command line option (run "elm -v").

III. Solution

Upgrade to elm 2.4 PL 25.

The patch to upgrade from elm 2.4 PL 24 to PL 25 is available at:

    ftp://ftp.myxa.com/pub/elm/elm2.4.p25
    MD5 (elm2.4.p25) = 5ec93595c7573be4d0cb4ce7097b6e83

The full distribution of elm 2.4 PL 25 is available at:

    ftp://ftp.myxa.com/pub/elm/elm2.4.tar.Z
    MD5 (elm2.4.tar.Z) = e5bdc4492a4931402c57ac9a8cf111b2

Here are some alternative sites that have agreed to make elm available
for anonymous FTP. Not all have been verified. If you have difficulty
reaching a site, or if the file is not there or has an incorrect
checksum, please try another site.
Site                                Contact

In the US/Canada:

wuarchive.wustl.edu                 chris@wugate.wustl.edu (Chris Myers)
  (128.252.135.4)
  /packages/mail/elm

ftp.uu.net
  (137.39.1.9, 192.48.96.9)
  /networking/mail/elm

In Europe:

ftp.cs.ruu.nl                       Edwin Kremer, edwin@cs.ruu.nl
  (131.211.80.17)
  /pub/ELM-2.4

ftp.th-darmstadt.de                 ftpadmin@ftp.th-darmstadt.de
  (130.83.55.75)
  /pub/networking/mail/elm

In the UK:

ftp.ecs.soton.ac.uk                 T.Chown@ecs.soton.ac.uk (bitnet)
  (152.78.64.201)                   T.Chown@uk.ac.soton.ecs (JANET)
  /pub/elm

ftp.demon.co.uk                     Cliff Stanford, cliff@demon.co.uk
  (158.152.1.65)
  /pub/unix/mail/elm

src.doc.ic.ac.uk                    L.McLoughlin@doc.ic.ac.uk
  (146.169.2.10)
  computing/mail/elm

In Australia:

ftp.adelaide.edu.au                 Mark Prior, mrp@itd.adelaide.edu.au
  (129.127.40.3)
  /pub/mailers

In Taiwan:

NCTUCCCA.edu.tw                     Huang, Chih-Hsien hch@NCTUCCCA.edu.tw
  (140.111.3.21)
  /packages/mail/elm

-- 
Bill Pemberton                      wfp5p@virginia.edu
ITC/Unix Systems                    flash@virginia.edu
University of Virginia              uunet!virginia!wfp5p

=========================REVISED FORWARDED TEXT ENDS HERE=====================

CERT publications, information about FIRST representatives, and other
information related to computer security are available for anonymous FTP
from info.cert.org.

CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce. If you would like to have future advisories and
bulletins mailed to you or to a mail exploder at your site, please send
mail to cert-advisory-request@cert.org.

If you wish to send sensitive incident or vulnerability information to
CERT staff by electronic mail, we strongly advise that the e-mail be
encrypted. The CERT Coordination Center can support a shared DES key,
PGP (public key available via anonymous FTP on info.cert.org), or PEM
(contact CERT staff for details).

Internet email: cert@cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
           and are on call for emergencies during other hours.
Fax: +1 412-268-6989

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
USA

CERT is a service mark of Carnegie Mellon University.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMaMu/3VP+x0t4w7BAQHkWgP/SWGqjIwnjhLaCBYyzZyCb3nz4HSSzMiI
1g56PVnqsZ3VUDNdVnxX75JXQWq3h1A/bG/V0MJUF2+kf4muC4r6Q/+i3+mS/32v
Wz4JUIXDf9fhBk88nR/ise2KktMVMZYwzdC86d2WLlfocHfaoOH02CNiSdpMZZ33
e9ch86/kpDk=
=CCkb
-----END PGP SIGNATURE-----
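The flaw described in Section I is the classic symbolic-link problem with temporary files: a program opens a predictable name under /tmp with O_CREAT but without O_EXCL, so if another local user has already planted a symlink at that name, the kernel follows it and the program's data is written wherever the link points. The C program below is an added illustration and is not code from elm, from Bill Pemberton, or from CERT; it does not reproduce elm's actual temp-file code. It builds a throwaway directory, plants a symlink named like a temp file pointing at an empty "victim" file, and shows that an open() in the flawed style writes through the link, while the same open() with O_CREAT|O_EXCL|O_NOFOLLOW refuses, and that mkstemp() yields a regular file with an unpredictable name. The directory prefix "/tmp/elmdemoXXXXXX" and the link name "snd.1234" are constructed for the demonstration (assumed to resemble, not match, any real elm file name).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flawed pattern: O_CREAT without O_EXCL on a predictable name. If the name
 * is already a symlink, open() follows it and writes into the target. */
int open_temp_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_EXCL fails with EEXIST if anything (a symlink included)
 * already sits at the name; O_NOFOLLOW refuses a symlink with ELOOP. */
int open_temp_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Build the fixture: a private directory, an empty victim file, and a symlink
 * with a temp-file-like name pointing at the victim. Returns 0 on success. */
static int make_fixture(char *dir, size_t dlen, char *link, size_t llen,
                        char *victim, size_t vlen) {
    snprintf(dir, dlen, "/tmp/elmdemoXXXXXX");   /* constructed prefix */
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, vlen, "%s/victim", dir);
    snprintf(link, llen, "%s/snd.1234", dir);     /* constructed temp name */
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    return symlink(victim, link);
}

static void remove_fixture(const char *dir, const char *link, const char *victim) {
    unlink(link);
    unlink(victim);
    rmdir(dir);
}

/* Returns 1 if the flawed open() followed the symlink, i.e. the byte written
 * to the "temp file" ended up in the victim file. */
int unsafe_open_follows_symlink(void) {
    char dir[64], link[128], victim[128];
    if (make_fixture(dir, sizeof dir, link, sizeof link, victim, sizeof victim) != 0)
        return -1;
    int result = 0;
    int fd = open_temp_unsafe(link);
    if (fd >= 0) {
        ssize_t n = write(fd, "x", 1);
        (void)n;
        close(fd);
        struct stat st;                      /* stat() follows the link; check the victim directly */
        if (stat(victim, &st) == 0 && st.st_size == 1) result = 1;
    }
    remove_fixture(dir, link, victim);
    return result;
}

/* Returns 1 if the hardened open() rejected the symlinked name (EEXIST from
 * O_EXCL, or ELOOP from O_NOFOLLOW) and the victim file stayed empty. */
int safe_open_refuses_symlink(void) {
    char dir[64], link[128], victim[128];
    if (make_fixture(dir, sizeof dir, link, sizeof link, victim, sizeof victim) != 0)
        return -1;
    int result = 0;
    int fd = open_temp_safe(link);
    if (fd < 0 && (errno == EEXIST || errno == ELOOP)) {
        struct stat st;
        if (stat(victim, &st) == 0 && st.st_size == 0) result = 1;
    } else if (fd >= 0) {
        close(fd);
    }
    remove_fixture(dir, link, victim);
    return result;
}

/* Returns 1 if mkstemp() produced a regular file (not a symlink) at a name
 * the caller did not choose; lstat() is used so a link would be detected. */
int mkstemp_creates_regular_file(void) {
    char path[] = "/tmp/elmdemoXXXXXX";          /* constructed template */
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    close(fd);
    struct stat st;
    int ok = (lstat(path, &st) == 0 && S_ISREG(st.st_mode));
    unlink(path);
    return ok;
}

int main(void) {
    printf("flawed open follows symlink:   %d\n", unsafe_open_follows_symlink());
    printf("hardened open refuses symlink: %d\n", safe_open_refuses_symlink());
    printf("mkstemp gives regular file:    %d\n", mkstemp_creates_regular_file());
    return 0;
}
```

The first two checks differ only in the open() flags, which is the whole of the fix: O_EXCL makes creation atomic so a pre-planted name of any kind causes a failure instead of a write, and mkstemp() removes the predictable name as well. When reviewing a program for this class of bug, look for every open(), fopen() "w", or creat() on a path under a world-writable directory and confirm that it either uses mkstemp()/O_EXCL or never reuses a guessable name.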