<<< Date Index >>>     <<< Thread Index >>>

MDKSA-2005:132 - Updated heartbeat packages fix temporary file vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           heartbeat
 Advisory ID:            MDKSA-2005:132
 Date:                   August 9th, 2005

 Affected versions:      Corporate 3.0
 ______________________________________________________________________

 Problem Description:

 Eric Romang discovered that Heartbeat would create temporary files with
 predictable filenames.  This could allow a local attacker to create
 symbolic links in the temporary file directory pointing to a valid file
 on the filesystem which could lead to the file being overwritten by the
 rights of the user running the vulnerable script.
 
 The updated packages have been patched to correct this problem.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2231
 ______________________________________________________________________

 Updated Packages:
  
 Corporate 3.0:
 988b71b1018f73f77a94f9ac4d736ad1  
corporate/3.0/RPMS/heartbeat-1.2.3-2.1.C30mdk.i586.rpm
 6afa9bcec600cba453e97cfb8910eb66  
corporate/3.0/RPMS/heartbeat-ldirectord-1.2.3-2.1.C30mdk.i586.rpm
 02d4854a8683c467debb9a56a44123ac  
corporate/3.0/RPMS/heartbeat-pils-1.2.3-2.1.C30mdk.i586.rpm
 23618a86f47b4289e9c85732569cfc1b  
corporate/3.0/RPMS/heartbeat-stonith-1.2.3-2.1.C30mdk.i586.rpm
 c515a12308e088d3aa322de379040d0a  
corporate/3.0/RPMS/libheartbeat-pils0-1.2.3-2.1.C30mdk.i586.rpm
 cd30d48b40ed4d9c4e2e86d6fcb0d9c9  
corporate/3.0/RPMS/libheartbeat-pils0-devel-1.2.3-2.1.C30mdk.i586.rpm
 cf2081419d50b42044a69de786b3e059  
corporate/3.0/RPMS/libheartbeat-stonith0-1.2.3-2.1.C30mdk.i586.rpm
 f2cef6941e6d635f1f21fe651e9646b4  
corporate/3.0/RPMS/libheartbeat-stonith0-devel-1.2.3-2.1.C30mdk.i586.rpm
 6da3d9489adc023b552116324c70f35a  
corporate/3.0/RPMS/libheartbeat0-1.2.3-2.1.C30mdk.i586.rpm
 67f33aac7c08767c5b2df9fb71ad64aa  
corporate/3.0/RPMS/libheartbeat0-devel-1.2.3-2.1.C30mdk.i586.rpm
 0f9dc2960afa29d70f57aff6573a0559  
corporate/3.0/SRPMS/heartbeat-1.2.3-2.1.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 1c1a953510c8d5a82c9d5774c12b915a  
x86_64/corporate/3.0/RPMS/heartbeat-1.2.3-2.1.C30mdk.x86_64.rpm
 7c9f07341f2d7e9e68df078365c05334  
x86_64/corporate/3.0/RPMS/heartbeat-ldirectord-1.2.3-2.1.C30mdk.x86_64.rpm
 5cc9ef2dbf09da3b5bad12387b9d94a0  
x86_64/corporate/3.0/RPMS/heartbeat-pils-1.2.3-2.1.C30mdk.x86_64.rpm
 972307d2bdf4396e2df0b4fd0c3f8007  
x86_64/corporate/3.0/RPMS/heartbeat-stonith-1.2.3-2.1.C30mdk.x86_64.rpm
 d2287fd3e7d1ce3cbabc8331f9f8bfea  
x86_64/corporate/3.0/RPMS/lib64heartbeat-pils0-1.2.3-2.1.C30mdk.x86_64.rpm
 5e523b3319eb3519420b9f651f6c5c01  
x86_64/corporate/3.0/RPMS/lib64heartbeat-pils0-devel-1.2.3-2.1.C30mdk.x86_64.rpm
 e3276d0abb8c2c79287fe50bf6934a8a  
x86_64/corporate/3.0/RPMS/lib64heartbeat-stonith0-1.2.3-2.1.C30mdk.x86_64.rpm
 c636cc202c0ffdb8132bcfbb5d2ed142  
x86_64/corporate/3.0/RPMS/lib64heartbeat-stonith0-devel-1.2.3-2.1.C30mdk.x86_64.rpm
 de2a839582b402dd63d9b435a956c103  
x86_64/corporate/3.0/RPMS/lib64heartbeat0-1.2.3-2.1.C30mdk.x86_64.rpm
 e05f6de07919d8dc994a83951ebf0794  
x86_64/corporate/3.0/RPMS/lib64heartbeat0-devel-1.2.3-2.1.C30mdk.x86_64.rpm
 0f9dc2960afa29d70f57aff6573a0559  
x86_64/corporate/3.0/SRPMS/heartbeat-1.2.3-2.1.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFC+lKZmqjQ0CJFipgRAiCRAKCEiLCa1CtuxcbWTjlTXtITcgsqJwCgl7Qp
Inpxe+m9REv2u+kqZLGQIT8=
=G34L
-----END PGP SIGNATURE-----