Synopsis:	Moderate: rpm security update
Issue date:	2010-09-07
CVE Names:	CVE-2005-4889 CVE-2010-2059

It was discovered that RPM did not remove setuid and setgid bits set on
binaries when upgrading or removing packages. A local attacker able to
create hard links to binaries could use this flaw to keep those binaries 
on the system, at a specific version level and with the setuid or setgid 
bit set, even if the package providing them was upgraded or removed by a 
system administrator. This could have security implications if a package 
was upgraded or removed because of a security flaw in a setuid or setgid
program. (CVE-2005-4889, CVE-2010-2059)

SL 4.x

     SRPMS:
rpm-4.3.3-33_nonptl.el4_8.1.src.rpm
     i386:
popt-1.9.1-33_nonptl.el4_8.1.i386.rpm
rpm-4.3.3-33_nonptl.el4_8.1.i386.rpm
rpm-build-4.3.3-33_nonptl.el4_8.1.i386.rpm
rpm-devel-4.3.3-33_nonptl.el4_8.1.i386.rpm
rpm-libs-4.3.3-33_nonptl.el4_8.1.i386.rpm
rpm-python-4.3.3-33_nonptl.el4_8.1.i386.rpm

     x86_64:
popt-1.9.1-33_nonptl.el4_8.1.i386.rpm
popt-1.9.1-33_nonptl.el4_8.1.x86_64.rpm
rpm-4.3.3-33_nonptl.el4_8.1.x86_64.rpm
rpm-build-4.3.3-33_nonptl.el4_8.1.x86_64.rpm
rpm-devel-4.3.3-33_nonptl.el4_8.1.x86_64.rpm
rpm-libs-4.3.3-33_nonptl.el4_8.1.i386.rpm
rpm-libs-4.3.3-33_nonptl.el4_8.1.x86_64.rpm
rpm-python-4.3.3-33_nonptl.el4_8.1.x86_64.rpm

-Connie Sieh
-Troy Dawson