--------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated perl-DBI package fixes security issue Advisory ID: FLSA:178989 Issue date: 2006-03-01 Product: Red Hat Linux, Fedora Core Keywords: Bugfix CVE Names: CVE-2005-0077 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: An updated perl-DBI package that fixes a temporary file flaw in DBI::ProxyServer is now available. DBI is a database access Application Programming Interface (API) for the Perl programming language. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 Fedora Core 1 - i386 Fedora Core 2 - i386 3. Problem description: The Debian Security Audit Project discovered that the DBI library creates a temporary PID file in an insecure manner. A local user could overwrite or create files as a different user who happens to run an application which uses DBI::ProxyServer. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0077 to this issue. Users should update to this erratum package which disables the temporary PID file unless configured. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178989 6. RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/perl-DBI-1.21-1.1.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/perl-DBI-1.21-1.1.legacy.i386.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/perl-DBI-1.32-5.1.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/perl-DBI-1.32-5.1.legacy.i386.rpm Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/perl-DBI-1.37-1.1.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/perl-DBI-1.37-1.1.legacy.i386.rpm Fedora Core 2: SRPM: http://download.fedoralegacy.org/fedora/2/updates/SRPMS/perl-DBI-1.40-4.1.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/2/updates/i386/perl-DBI-1.40-4.1.legacy.i386.rpm 7. Verification: SHA1 sum Package Name --------------------------------------------------------------------- 847cb03e61abf1bbb965b2fa6e7c0f812e7edde1 redhat/7.3/updates/i386/perl-DBI-1.21-1.1.legacy.i386.rpm 7c0c13670d8da3620d6bdc0d24f96201ff3feee8 redhat/7.3/updates/SRPMS/perl-DBI-1.21-1.1.legacy.src.rpm 2e473b5822a019a10b7b9577f4de60933e75fecc redhat/9/updates/i386/perl-DBI-1.32-5.1.legacy.i386.rpm 19934b803bf33b0cc93466ae43e2ac14302ac0df redhat/9/updates/SRPMS/perl-DBI-1.32-5.1.legacy.src.rpm 50a02fd2d68f47d35f76bc690281253bbdf9a486 fedora/1/updates/i386/perl-DBI-1.37-1.1.legacy.i386.rpm 0018ffba083fd98b88a4bcec3383005ed32d5e6a fedora/1/updates/SRPMS/perl-DBI-1.37-1.1.legacy.src.rpm 69a623c7db409341705bfc125b5fd6f0c056af7b fedora/2/updates/i386/perl-DBI-1.40-4.1.legacy.i386.rpm 4443111b0e9137bd1624183b9d209b2cada204dd fedora/2/updates/SRPMS/perl-DBI-1.40-4.1.legacy.src.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum <filename> 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0077 9. Contact: The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>. More project details at http://www.fedoralegacy.org ---------------------------------------------------------------------
Attachment:
signature.asc
Description: OpenPGP digital signature