.------------------------------------------------.
|**** Project Independence Security Advisory ****|
`-----------* ID: PISA-05-JAN-00-001 *-----------'

Issued by:  David Webster
Issue Date: 05-Jan-2000

Overview:   Potential security hole in all PISA/RHSA bug fixes
Affected:   Potentially all those who installed previous bug fixes
References: See http://independence.seul.org/security/ for previous advisories

-=-=-==-=-=-

Detailed Problem Description:

Project Independence has been suggesting to users that they install the
updated files with the command 'rpm -Uvh' followed by the package filename,
which causes the package in that file to be upgraded if it is already on the
system, or installed from scratch if it is not. If the rpm contains more than
one program (e.g. the usermode package referred to in PISA-05-JAN-00-000),
then all of the programs will be installed when the -U option is used, even
those that were not on the system before. In the case of the usermode package,
one of those programs, 'userhelper', is SUID; installing it this way
introduces a setuid file that possibly was not already on the machine.

Solution:

Use 'rpm -Fvh' instead of -Uvh, as -F (--freshen) only installs the update if
an earlier version of the package was already on the machine. To see whether a
package is already present before upgrading, query it with 'rpm -q' followed
by the package name; if rpm reports that it is not installed, -U would add it
(and any setuid programs it carries) from scratch, whereas -F would skip it.

Project Independence Linux would like to apologise to its users for this
error, and would like to thank Don G. and Peter for bringing this to our
attention.

This security advisory, and all future ones, should be signed by me, David
Webster (aka cognition), with key ID: 45 FA C2 83

which is available from: [http://www.cognite.net/pgp.html], and most good
pgp key servers.

An archive of these messages can currently be found on:
http://independence.seul.org/security/

A process of automatic retrieval is being worked on.

.---------------------------------------------------.
| Any problems regarding this, or future advisories |
| should be emailed to me:                          |
`---------------------------------------------------'
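The check a practitioner would want after any 'rpm -Uvh' upgrade is whether it left a setuid program on the machine that was not there before, which is exactly what happened with userhelper above. The following snapshot-and-diff script is an added example and is not part of the original advisory or of Project Independence's own tooling; the directory layout and the 'userhelper' file it creates under a temporary root are constructed for the demonstration and do not come from a real rpm.

```shell
#!/bin/sh
# Added example: audit for setuid files that appear after a package update.
# Not part of the original advisory. Snapshot the setuid inventory before
# running rpm, then diff it afterwards; any new entry (such as a userhelper
# pulled in by 'rpm -Uvh' on a multi-program package) needs a closer look.
LC_ALL=C
export LC_ALL

# list_suid ROOT: every regular file under ROOT with the setuid bit, sorted.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# snapshot_suid ROOT FILE: save the current setuid inventory of ROOT to FILE.
snapshot_suid() {
    list_suid "$1" > "$2"
}

# new_suid ROOT FILE: setuid files now under ROOT that are absent from FILE.
new_suid() {
    list_suid "$1" | comm -13 "$2" -
}

# count_new_suid ROOT FILE: how many setuid files appeared since the snapshot.
count_new_suid() {
    new_suid "$1" "$2" | wc -l | tr -d ' '
}

# demo: simulate an update on a constructed root (assumed layout, not a real system).
demo() {
    root=$(mktemp -d)
    snap=$(mktemp)
    mkdir -p "$root/usr/bin" "$root/usr/sbin"
    : > "$root/usr/bin/passwd";    chmod 4755 "$root/usr/bin/passwd"    # already setuid
    : > "$root/usr/bin/usermount"; chmod 0755 "$root/usr/bin/usermount" # not setuid
    snapshot_suid "$root" "$snap"                                      # before the update
    # what an 'rpm -Uvh' of a multi-program package can do: a setuid program
    # that was never installed here appears for the first time
    : > "$root/usr/sbin/userhelper"; chmod 4755 "$root/usr/sbin/userhelper"
    echo "setuid files new since snapshot: $(count_new_suid "$root" "$snap")"
    new_suid "$root" "$snap"
    rm -rf "$root" "$snap"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run the script with the argument 'demo' to see the simulated case report one new setuid file. On a real host, call snapshot_suid with / and a snapshot file before applying the rpm, then new_suid with the same arguments afterwards; an empty result means the update added no setuid programs, while a non-empty one is the situation this advisory describes.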