 
| Subject: | |
| From: | |
| Reply To: | |
| Date: | Wed, 8 Sep 2010 15:39:57 -0500 |
| Content-Type: | text/plain |
| Parts/Attachments: |
|
|
Synopsis: Moderate: rpm security update
Issue date: 2010-09-07
CVE Names: CVE-2005-4889 CVE-2010-2059
It was discovered that RPM did not remove setuid and setgid bits set on
binaries when upgrading or removing packages. A local attacker able to
create hard links to binaries could use this flaw to keep those binaries
on the system, at a specific version level and with the setuid or setgid
bit set, even if the package providing them was upgraded or removed by a
system administrator. This could have security implications if a package
was upgraded or removed because of a security flaw in a setuid or setgid
program. (CVE-2005-4889, CVE-2010-2059)
SL 4.x
SRPMS:
rpm-4.3.3-33_nonptl.el4_8.1.src.rpm
i386:
popt-1.9.1-33_nonptl.el4_8.1.i386.rpm
rpm-4.3.3-33_nonptl.el4_8.1.i386.rpm
rpm-build-4.3.3-33_nonptl.el4_8.1.i386.rpm
rpm-devel-4.3.3-33_nonptl.el4_8.1.i386.rpm
rpm-libs-4.3.3-33_nonptl.el4_8.1.i386.rpm
rpm-python-4.3.3-33_nonptl.el4_8.1.i386.rpm
x86_64:
popt-1.9.1-33_nonptl.el4_8.1.i386.rpm
popt-1.9.1-33_nonptl.el4_8.1.x86_64.rpm
rpm-4.3.3-33_nonptl.el4_8.1.x86_64.rpm
rpm-build-4.3.3-33_nonptl.el4_8.1.x86_64.rpm
rpm-devel-4.3.3-33_nonptl.el4_8.1.x86_64.rpm
rpm-libs-4.3.3-33_nonptl.el4_8.1.i386.rpm
rpm-libs-4.3.3-33_nonptl.el4_8.1.x86_64.rpm
rpm-python-4.3.3-33_nonptl.el4_8.1.x86_64.rpm
-Connie Sieh
-Troy Dawson
|
|
|
