[rt-users] Perl Updates

Jesse jesse at fsck.com
Mon Sep 4 11:29:45 EDT 2000


It shouldn't hurt anything...


On Sun, Sep 03, 2000 at 08:17:33AM +1000, Frances Russell wrote:
> Is this going to be a problem for RT?
> 
> Summary from:
> 
> http://www.redhat.com/support/errata/RHSA-2000-048-03.html
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Red Hat Linux Security Advisory
> 
> 1. Topic:
> Updated perl and mailx package are now available which fix a potential
> exploit made possible by incorrect assumptions made in suidperl.
> 
> 2. Problem description:
> Under certain conditions, suidperl will attempt to send mail to the local
> superuser account using /bin/mail. A properly formatted exploit script can
> use this facility, along with mailx's tendency to inherit settings from the
> environment, to gain local root access.
> 
> This update changes suidperl's behavior to use syslog instead of mail, and
> restricts the list of variables /bin/mail will read from the environment.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Frances Russell
> 
> 
> _______________________________________________
> rt-users mailing list
> rt-users at lists.fsck.com
> http://lists.fsck.com/mailman/listinfo/rt-users
> 

-- 
jesse reed vincent --- root at eruditorum.org --- jesse at fsck.com 
pgp keyprint: 50 41 9C 03 D0 BC BC C8 2C B9 77 26 6F E1 EB 91
-------------------------------------------------------------
A REAL sysadmin challenge is "resurrect five dead mailserver while so ripped
to the gills on mdma that you can't focus on any given line of text for more 
than 10 seconds continuously."
					-Nathan Mehl




