List: openpkg-cvs
Subject: [CVS] OpenPKG: openpkg-web/security OpenPKG-SA-0000-000-template.txt O...
From: "Ralf S. Engelschall" <rse () openpkg ! org>
Date: 2002-01-31 15:01:38
OpenPKG CVS Repository
http://www.openpkg.org/cvsweb/cvsweb.cgi
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /e/openpkg/cvs Email: rse@openpkg.org
Module: openpkg-web Date: 31-Jan-2002 16:01:38
Branch: HEAD Handle: 197001010100001012485698
Added files:
openpkg-web/security OpenPKG-SA-0000-000-template.txt
Removed files:
openpkg-web/security OpenPKG-SA-0000:000-template.txt
Log:
use dash instead of colon
Summary:
Revision Changes Path
1.1 +69 -0 openpkg-web/security/OpenPKG-SA-0000-000-template.txt
NONE +0 -69 openpkg-web/security/OpenPKG-SA-0000:000-template.txt
____________________________________________________________________________
Index: openpkg-web/security/OpenPKG-SA-0000-000-template.txt
============================================================
$ cvs update -p -r1.1 OpenPKG-SA-0000-000-template.txt
________________________________________________________________________
OpenPKG Security Advisory The OpenPKG Project
http://www.openpkg.org/security.html http://www.openpkg.org
openpkg-security@openpkg.org openpkg@openpkg.org
OpenPKG-SA-2002-xxx xx-xxx-2002
________________________________________________________________________
Package: foo
Vulnerability: local root exploit
OpenPKG Specific: no
Affected Releases: OpenPKG 1.0 OpenPKG 1.1
Affected Packages: foo-1.2.0-1.0.0 foo-1.4.0-1.1.0
Corrected Packages: foo-1.2.0-1.0.1 foo-1.4.0-1.1.1
Dependent Packages: bar-1.0.0-1.0.0 bar-1.0.0-1.1.0
Description:
According to ... [7] ...
We recommend that you upgrade the affected package immediately (see
Solution). Additionally, we recommend that you re-build and re-install
all dependent OpenPKG packages, too. [2]
Workaround:
Perform the following operations to temporarily workaround the
security problem:
# <prefix>/etc/rc foo stop
# <prefix>/bin/rpm -e foo
Solution:
Select the updated source RPM appropriate for your OpenPKG release
[5][6], fetch it from the OpenPKG FTP service [3][4] or a mirror
location, verify its integrity [1], build a corresponding binary RPM
from it and update your OpenPKG installation by applying the binary
RPM [2]. For the latest OpenPKG 1.1 release, perform the following
operations to permanently fix the security problem (for OpenPKG 1.0
adjust accordingly).
$ ftp ftp.openpkg.org
ftp> bin
ftp> cd release/1.0/UPD
ftp> get foo-1.2.0-1.0.1.src.rpm
ftp> bye
$ <prefix>/bin/rpm --checksig foo-1.2.1-1.0.1.src.rpm
$ <prefix>/bin/rpm --rebuild foo-1.2.1-1.0.1.src.rpm
# <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/foo-1.2.1-1.0.1.*.rpm
________________________________________________________________________
References:
[1] http://www.openpkg.org/security.html#signature
[2] http://www.openpkg.org/tutorial.html#regular-source
[3] ftp://ftp.openpkg.org/release/1.0/UPD/
[4] ftp://ftp.openpkg.org/release/1.1/UPD/
[5] ftp://ftp.openpkg.org/release/1.0/UPD/foo-1.2.0-1.0.1.src.rpm
[6] ftp://ftp.openpkg.org/release/1.1/UPD/foo-1.4.0-1.1.1.src.rpm
[7] ... BugTraq ...
________________________________________________________________________
For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________
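Review bot: In the Solution example the file names do not agree: the "ftp> get" line fetches foo-1.2.0-1.0.1.src.rpm, but the "rpm --checksig", "rpm --rebuild" and "rpm -Fvh" lines that follow operate on foo-1.2.1-1.0.1, so an advisory copied from this template would run the signature check on a file that was never downloaded. The Corrected Packages header and reference [5] both say foo-1.2.0-1.0.1, so the three rpm lines should use that name. The paragraph above the commands also says they are for "the latest OpenPKG 1.1 release" while the session uses release/1.0/UPD and the 1.0 package; either switch the example to release/1.1/UPD with foo-1.4.0-1.1.1.src.rpm (reference [6]) or reword the sentence to name 1.0 and tell 1.1 users to adjust.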
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List openpkg-cvs@openpkg.org