Red Hat Linux 5.0 Errata


  • Package: NFS

    Updated: 19-Apr-1999

    Problem:

    • (19-Apr-1999) Please update to the latest

      Same as before. We are moving NFS Updates to the top of the list and also updating it to the latest version. If you have an older version installed, please update.

    • (03-Jan-1999) Security Fix -- Risk High

      Due to many reports of continued security breaches from NFS, we are moving the NFS update to the top of the list to make sure people update to it if they have not already.

    Solution:


  • Package: procmail

    Updated: 16-Apr-1999

    Problem:

    • (16-Apr-1999):Security Fix

      Potential security problems have been identified in all the procmail packages shipped with Red Hat Linux. Currently Red Hat is not aware of any exploits built on these vulnerabilities.

      Red Hat would like to thank the members of the Bugtraq list for reporting these problems and the authors of procmail for quickly providing an update.

      Users of Red Hat Linux are recommended to upgrade to the new packages available under updates directory on our ftp site:

    Solution:


  • Package: lpr

    Updated: 16-Apr-1999

    Problem:

    • (16-Apr-1999) Security Fix:

      Security vulnerabilities have been found in the versions of lpr that ship with Red Hat Linux. Thanks go to the Linux Security Audit team for discovering the vulnerability. It is recommended that all users of Red Hat Linux upgrade to the new packages.

    • (23-Apr-1998) Security Fix:

      More buffer overflows have been found in lpr 0.30 as released on Saturday. As these flaws may allow users to gain root access to the local system, Red Hat, Inc. recommends that all users upgrade to lpr 0.31 immediately.

      Thanks to Niall Smart for finding this problem.

    • (18-Apr-1998) Security Fix:

      A major security problem has been found in all versions of lpr shipped with Red Hat Linux. Version 0.30 of lpr fixes this and is now available. Red Hat, Inc. encourages all users of Red Hat to upgrade to this new version immediately.

    Solution:


  • Package: XFree86

    Updated: (01-Apr-1999)

    Problem:

    • (01-Apr-1999) Security Fix:

      Security vulnerabilities have been identified in the XFree86 packages that ship with Red Hat Linux. This security problem can allow local users to get write access to directories that they are otherwise not able to write to.

      Red Hat would like to thank the members of the BUGTRAQ mailing list, the members of the Linux Security Audit team, and others. All users of Red Hat Linux are encouraged to upgrade to the new packages immediately. As always, these packages have been signed with the Red Hat PGP key.

    • (22-Jan-1999)

      New RPMs for XFree86 3.3.3.1 (X11) are available for Red Hat Linux 4.2 and 5.x on all platforms. This new release is primarily a bugfix release. It corrects problems with a few drivers (especially the 3D Labs slowdown problem), fixes Russian KOI8 font support, and fixes the font server xfs, which was inadvertently broken in our release of XFree86 3.3.3. Please see the official release notes at http://www.xfree86.org/#news for further information.

    Solution:

    In some circumstances, you may need to add --force and/or --nodeps to the rpm command line options to ensure a proper upgrade. Add these options if the given command line returns an error. Also, as with all newer RPM packages, you will need to upgrade to the latest RPM before installing these packages.


  • Package: pine

    Updated: (01-Apr-1999)

    Problem:

    • (01-Apr-1999):Security Fix

      A problem in the MIME handling code could allow a remote user to execute certain commands on a local system.

      Red Hat would like to thank the members of the BUGTRAQ mailing list, the members of the Linux Security Audit team, and others. All users of Red Hat Linux are encouraged to upgrade to the new packages immediately. As always, these packages have been signed with the Red Hat PGP key.

    • (18-Dec-1997) pine locks when sending out a message after you invoke the alternate editor to compose a message.
    • (30-Dec-1997) Fixes window resizing problems (neither pine nor pico was resizing properly).
    • (08-Feb-1998) Corrects problems using external filters.

    Solution:


  • Package: mutt

    Updated: (01-Apr-1999)

    Problem:

    • (01-Apr-1999):Security Fix

      A problem in the MIME handling code could allow a remote user to execute certain commands on a local system.

      Red Hat would like to thank the members of the BUGTRAQ mailing list, the members of the Linux Security Audit team, and others. All users of Red Hat Linux are encouraged to upgrade to the new packages immediately. As always, these packages have been signed with the Red Hat PGP key.

    Solution:


  • Package: zgv

    Updated: 01-Apr-1999

    Problem:

    • (01-Apr-1999):Security Fix
      Local users could gain root access.

      Red Hat would like to thank the members of the BUGTRAQ mailing list, the members of the Linux Security Audit team, and others. All users of Red Hat Linux are encouraged to upgrade to the new packages immediately. As always, these packages have been signed with the Red Hat PGP key.

    Solution:


  • Package: Sysklogd

    Updated: 01-Apr-1999

    Problem:

    • (01-Apr-1999):Security Fix

      An overflow in the parsing code could lead to crashes of the system logger.

      Red Hat would like to thank the members of the BUGTRAQ mailing list, the members of the Linux Security Audit team, and others. All users of Red Hat Linux are encouraged to upgrade to the new packages immediately. As always, these packages have been signed with the Red Hat PGP key.

    Solution:

    Further Instructions

    Once you have downloaded the sysklogd package for your architecture, you will need to do the following as root:

    
        rpm -Uvh sysklogd*rpm
    
        /etc/rc.d/init.d/syslog restart
    
        

  • Package: Kernel

    Updated: 19-Feb-1999

    Problem:

    • (19-Jan-1999):Updated RPM's
      Updated page to reflect new RPM's on ftp site.
    • (03-Jan-1999):New Drivers

      Red Hat has further patched the standard 2.0.36 kernel with updated drivers for the Adaptec 7xxx cards, NCR scsi, 3com 905B, and some other patches.

    • (08-Dec-1998):Security Fix

      Users will need to upgrade to the latest kernel using the instructions found here

      Important: You need to make sure you have the latest initscripts and SysVinit packages.

    Solution:


  • Package: wu-ftpd

    Updated: 09-Feb-1999

    Problem:

    • (09-Feb-1999):Security Fix

      A security vulnerability has been identified in all versions of the wu-ftpd server binary shipped with Red Hat Linux. For more information, see http://www.netect.com/advisory_0209.html

      New packages are available, and all users of Red Hat Linux are encouraged to upgrade to the new wu-ftpd releases immediately. As always, these packages have been signed with the Red Hat PGP key.

    Solution:


  • Package: minicom

    Updated: 02-Jun-1998

    Problem:

    • (09-Feb-1999) Security Fix:

      Current minicom packages have permissions set to allow all users to access a modem on a system. This update fixes this problem by limiting users to those listed in the minicom configuration file.

      New packages are available for the supported versions of Red Hat Linux. All users of Red Hat Linux are encouraged to upgrade to the new minicom releases immediately. As always, these packages have been signed with the Red Hat PGP key.

    • (02-Jun-1998) Security Fix:

      Buffer overflows have been found in the minicom package. Red Hat suggests all users upgrade to a new minicom version immediately.

    Solution:


  • Package: FVWM2

    Updated: 19-Jan-1999

    Problem:

    • (19-Jan-1999):Notice
      Users who update to the latest XFree86 also need to update to the latest FVWM2 rpms for AnotherLevel (Red Hat default window manager) to work.

    Solution:


  • Package: pam

    Updated: 02-Jan-1998

    Problem:

    • (02-Jan-1998) Security Fix:
      1. Risk level: SMALL

        The default configuration as shipped with the supported releases of Red Hat Linux is not vulnerable to this problem.

      2. Description

        A race condition that can be exploited under some particular scenarios has been identified in all versions of the Linux-PAM library shipped with all versions of Red Hat Linux. The vulnerability is exhibited in the pam_unix_passwd.so module included in Red Hat Linux, but *not* used by either of the 4.2 or 5.x releases. Red Hat Linux uses the pam_pwdb.so module for performing PAM authentication.

        You are at risk if you enabled pam_unix_passwd.so and are using it instead of the pam_pwdb.so module. An exploit occurs when a user with a umask setting of 0 is trying to change the login password.

        As of this release there are no known exploits of this security problem.

    Solution:

  • Package: Netscape

    Updated: 22-Dec-1998

    Problem:

    • (22-Dec-1998) Security Update:

      Various security vulnerabilities have been found in versions of Netscape Navigator and Communicator as shipped with Red Hat Linux. More information on the security vulnerabilities is available at Netscape

      It is recommended that users of Red Hat Linux upgrade to the new packages available on our FTP site:

    • (30-Aug-1998) Security Update:

      Updated versions of Netscape compiled with glibc libraries are available for download. These fix minor security problems with Java class libraries.

    • (26-Jan-1998) Ok, this isn't really an errata, more of an add-on. Since it's freely distributed, here are the Netscape RPM's built for the 5.0 release.

    Solution:


  • Package: FTP client

    Updated: 22-Dec-1998

    Problem:

    • (22-Dec-1998):Security

      A security vulnerability has been identified in all versions of the ftp client binary shipped with Red Hat Linux. An exploit for this vulnerability would have to rely on getting the user to connect using passive mode to a server running an ftp daemon under the attacker's control. As of this release time there are no known exploits of this security problem.

      All users of Red Hat Linux are encouraged to upgrade to the new package releases immediately. As always, these packages have been signed with the Red Hat PGP key.

    Solution:

    Further Instructions

    Once you have downloaded the NetKit package for your architecture, you will need to do the following as root:

    
        rpm -Uvh ftp-0.10-4*rpm
    
        

  • Package: samba

    Updated: 17-Nov-1998

    Problem:

    • (17-Nov-1998) Security Fix:

      Following our announcement yesterday about new samba packages being available for our 5.2 release we have received reports that samba packages available for older releases of Red Hat Linux might be vulnerable as well.

      As a result of this concern we are making available new samba packages for all supported releases of Red Hat Linux. We apologize for not doing so yesterday, when we tried to address a specific reported vulnerability.

      Once again we express our thanks to Andrew Tridgell and the Samba team for their assistance in addressing this problem.

    • (14-Jul-1998) Security Fix:

      Serious security problems have been found in all versions of Samba shipped with Red Hat Linux. All users of samba should upgrade to the latest version, and restart samba with: /etc/rc.d/init.d/smb stop; /etc/rc.d/init.d/smb start as soon as possible.

    Solution:

    Further Instructions

    Once you have downloaded the samba package for your architecture, you will need to do the following as root:

    
        rpm -Uvh samba*rpm
    
        /etc/rc.d/init.d/smb restart
    
        

  • Package: libc

    Updated: 13-Nov-1998

    Problem:

    • (13-Nov-1998) Security Fix:

      A buffer overflow has been identified in all versions of the libc 5 packages shipped with Red Hat Linux. The most affected systems are those that are libc 5 based (Red Hat Linux 4.2 and older). Only the Intel is affected in 5.x.

      The Red Hat Linux 5.x releases are glibc (libc 6) based, and Red Hat does not ship any binaries linked against libc 5 that might be used for compromising the system's security. However, Red Hat Linux 5.x releases do include, for backwards compatibility, a package containing a vulnerable library.

      Users of Red Hat Linux are recommended to upgrade to the new packages available under updates directory on our ftp site:

    • (31-Dec-1997) Updates fixing many problems have been added.

    Solution:


  • Package: svgalib

    Updated: 06-Nov-1998

    Problem:

    • (06-Nov-1998) Security Fix:

      svgalib has been found to leak file descriptors to /dev/mem. Red Hat would like to thank the users of the BUGTRAQ security list for identifying the problem and Kevin Vajk for providing a fix. Users of Red Hat Linux are recommended to upgrade to the new packages available under the updates directory on our ftp site:

      To upgrade this package, use the rpm command:

              rpm -Uvh svgalib-1.2.13-6

    • (27-Jun-1997) Security Fix:

      Minor security problems have been found by the Linux Security Auditing group in svgalib which allow users to make the console unusable.

    • (25-Mar-1998) Security Fix:

      /tmp exploits have been discovered in this package. As usual, the package has been PGP signed with the Red Hat PGP key.

    Solution:


  • Package: cyrix

    Updated: 27-Oct-1998

    Problem:

    • (27-Oct-1998) Changes on FTP site cause this errata to need to be changed. Users need to get the gcc/egcs from the 5.1 or upgrade to the 5.1 release.
    • (29-Dec-1997) Fixes problems involving sig 11 during compiling on older Cyrix chips.
    • (05-Dec-1997) Cyrix processors may have sig 11 and other problems.

    Solution:

    • Intel: This again is _not_ an official update. It has been tested in the lab that the 5.1 gcc/egcs combinations get around the Cyrix problem that people were having. Another fix is to use the normal 5.0 gcc without any optimizations.

  • Package: rpm

    Updated: 23-Sep-1998

    Problem:

    • (23-Sep-1998): Several small cosmetic fixes have been found to get the 2.5.3 version of RPM to work as older versions did. Users will need to do the following as root:
      1. Several symbolic links will need to be made for glint and similar programs to work.

                cd /usr/lib
                ln -s rpm/rpmrc ./rpmrc
                ln -s rpm/rpmpopt ./rpmpopt

      2. In addition, users on older Red Hat systems (5.0, 4.2, ...) who wish to use rpm to recompile programs from src rpm's will need to ensure that the file /usr/lib/rpm/rpmrc contains correct paths for the compression programs gzip and bzip2. The two lines in /usr/lib/rpm/rpmrc that tell rpm the location of these programs are typically

                gzipbin:        /bin/gzip
                bzip2bin:       /usr/bin/bzip2

    • (10-Sep-1998): A newer version of RPM will be needed to upgrade security packages from now on. This version of rpm fixes various problems that were found in the previous version.
    • (02-Jul-1998)

      RPM reports problems with failed trigger scripts

    • (28-May-1998) A newer version of RPM is needed to be able to upgrade security releases from now on.

    • (31-Dec-1997) Security Fix: This fixes problems with RPM's --setperms option setting improper permissions on files.
    • (08-Jan-1998) Many fixes such as the ftp fix have been added.

    Solution:


  • Package: bash

    Updated: 09-Sep-1998

    Problem:

    • (09-Sep-1998) Security Fix:

      A security vulnerability has been identified in all versions of bash shipped with Red Hat Linux. Details on the nature of the bug have been posted recently to the BUGTRAQ security list.

      The bug is not immediately exploitable - it will require that a user with shell account on one machine create a carefully constructed directory structure and then wait for somebody else with a root account to cd into that directory.

      Red Hat would like to thank Joao Manuel Carolino, Fiji, and Razvan Dragomirescu for identifying this bug and Wichert Akkerman for providing an idea of a fix.

    Solution:


  • Package: xscreensaver

    Updated: 29-Aug-1998

    Problem:

    • (29-Aug-1998) This update fixes problems with core dumps in the xlyap function of xscreensaver. Thanks to the many people reporting this on the redhat list.
    • (10-Jun-1998) Security Fix:

      Various, minor security problems were found in this package. Thanks to Jamie Zawinski for fixing this.

    Solution:


  • Package: apache

    Updated: 11-Aug-1998

    Problem:

    • (11-Aug-1998) Security Fix:

      A denial-of-service attack against the Apache web server has been found which lets remote sites disable your web server. This attack does not let remote users gain any sort of access to your computer, nor does it let local users gain any special access.

      Red Hat recommends upgrading apache on systems which are functioning as Internet servers.

              rpm -Uvh apache-1.2.6-5*rpm
              /etc/rc.d/init.d/httpd stop
              /etc/rc.d/init.d/httpd start

    • (07-Jan-1998) Security Fix:

      Some potentially serious security flaws have been found in apache. While these problems do not allow any compromises by remote users, they do allow local users to gain access to the UID which apache is running as. Under all versions of Red Hat Linux, this is the user 'nobody', which greatly minimizes the impact of these problems.

    • (31-Dec-1997) Security Fix:

      A denial-of-service attack against apache http servers was recently discovered. This fixes the problem for 5.0.

    Solution:


  • Package: REAL

    Updated: 30-Jul-1998

    Problem:

    • (30-Jul-1998) Security Fix:

      This update fixes the following problems:

      • UDP security exploit
      • Proxy host string in the Preferences dialog box has a bug where the first host in the comma separated list is ignored.
    • (05-Apr-1998) This release is the Gold 5.0 player for Real Media. It fixes many bugs found in the previous beta clients. It also has no expiration date.

    • (14-Dec-1998) These new packages fix bugs in pnserver and rvplayer and extend the licenses until 30-APR-98. A new update should be available before then.

    Solution:

    • Note:

      • Since the pnserver package and rvplayer package share some common libs, you will need to upgrade both packages if you have them both installed.
      • Due to the fact that you may have 1 of 3 different RPM's on your system, the instructions for upgrading are rather complex. Please bear with us.

    • Server package

      NOTE: If you have both the client and the server installed, you must upgrade the server first. There are shared libraries between these two packages and the libraries contained in the server package will not work for the client.

      Depending on which PNserver RPM's you have installed on your system, you will need to do one of the following.

      If you have the pnserver-5.0-10.i386.rpm, then you will need to download:
      pnserver-5.0-11.i386.rpm.rhmask
      and
      pnserver-5.0.1-2.i386.rpm.rh50.rhmask to /tmp.

      You must copy the original pnserver-5.0-10.i386.rpm from the first CD and pnserver-docs-5.0-10.i386.rpm to /tmp and then issue the following commands while you are in /tmp:

                cd /tmp
                rhmask pnserver-5.0-10.i386.rpm pnserver-5.0-11.i386.rpm.rhmask
                rhmask pnserver-5.0-11.i386.rpm pnserver-5.0.1-2.i386.rpm.rh50.rhmask
                

      That will create the pnserver-5.0.1-2.i386.rpm package which can be installed by the following command:

                rpm -Uvh --force pnserver-5.0.1-2.i386.rpm
                

      If you already have the pnserver-5.0-11.i386.rpm on your machine, then you will only need to download the rhmasked RPM pnserver-5.0.1-2.i386.rpm.rh50.rhmask to /tmp.

      Copy the pnserver-5.0-11.i386.rpm package to /tmp. [The rpm should be located on the first Red Hat cdrom.] From the /tmp directory, issue the following commands to create the new package:

      cd /tmp
      rhmask pnserver-5.0-11.i386.rpm pnserver-5.0.1-2.i386.rpm.rh50.rhmask
      

      That will create the pnserver-5.0.1-2.i386.rpm package which can be installed by the following command:

                 rpm -Uvh --force pnserver-5.0.1-2.i386.rpm
              
    • Client package

      The Real Video player upgrades are available as rhmask-ed RPMs. We have created these rhmask-ed images to comply with our license agreement with Real Networks. There are several updated rhmask files, and depending on what rpm you currently have installed you will need to download 1-2 rpms per package.

      To determine which rvplayer and pnserver RPM's you have you will need to check your cdrom or see if you have a previous version that you un-rhmasked earlier.

      If you have rvplayer-5.0b2-4.i386.rpm then get:

      rvplayer-5.0-2.i386.rpm.rhmask-4
      and
      rvplayer-5.0-3.i386.rpm.rh50.rhmask

      If you have rvplayer-5.0b2-5.i386.rpm then you need to download:

      rvplayer-5.0-2.i386.rpm.rhmask-5
      and
      rvplayer-5.0-3.i386.rpm.rh50.rhmask

      If you already have rvplayer-5.0-1.i386.rpm then you will only need to get:

      rvplayer-5.0-3.i386.rpm.rh50.rhmask

      Place the rhmask files in /tmp. You must also copy the rvplayer rpm package that you have to the /tmp directory. [The rvplayer rpm will be on the first Red Hat cdrom.]

      To create the new rvplayer package from rvplayer-5.0b2-4.i386.rpm, issue the following in /tmp:

       
      rhmask rvplayer-5.0b2-4.i386.rpm rvplayer-5.0-2.i386.rpm.rhmask-4
      rhmask rvplayer-5.0-2.i386.rpm rvplayer-5.0-3.i386.rpm.rh50.rhmask
      

      To create the new rvplayer package from rvplayer-5.0b2-5.i386.rpm, issue the following in /tmp:

       
      rhmask rvplayer-5.0b2-5.i386.rpm rvplayer-5.0-2.i386.rpm.rhmask-5
      rhmask rvplayer-5.0-2.i386.rpm rvplayer-5.0-3.i386.rpm.rh50.rhmask
      

      To create the new rvplayer package from rvplayer-5.0-2.i386.rpm, issue the following in /tmp:

       
      rhmask rvplayer-5.0-2.i386.rpm rvplayer-5.0-3.i386.rpm.rh50.rhmask
      

      The rvplayer-5.0-3 rpm can then be installed with the following command:

       
      rpm -Uvh --force rvplayer-5.0-3.i386.rpm
      

  • Package: SysVinit

    Updated: 30-Jul-1998

    Problem:

    • (30-Jul-1998) Security Fix:

      Update corrects a root-usable overflow in SysVinit that allowed securelevels to be subverted.

    Solution:


  • Package: mutt

    Updated: 30-Jul-1998

    Problem:

    • (30-Jul-1998) Security Fix:

      Fixes buffer overflow problems found by BugTraq people that can cause mutt to crash and possibly execute intruder's code.

    Solution:


  • Package: ncurses

    Updated: 24-Jul-1998

    Problem:

    • (24-Jul-1998) Security Fix:

      Potential security problems have been identified in all versions of ncurses packages shipped with Red Hat Linux. Users of Red Hat Linux are recommended to upgrade to the new packages available under updates directory on our ftp site:

    • (10-Dec-1997) This fixes the screen size problems seen in ncftp (among others).
    • (31-Dec-1997)

      Fixes same problem as above, however, now built properly on the alpha as well.

    Solution:


  • Package: imap

    Updated: 24-Jul-1998

    Problem:

    • (24-Jul-1998) Security Fix: This version fixes buffer overflow problems found by the Linux Security Audit group in the imap daemon.
    • (12-Dec-1997) Some users reported imapd segfaulting on some inboxes. The latest version of the imap sources fixes this problem for the test cases we have access to.

    Solution:


  • Package: initscripts

    Updated: 23-Jul-1998

    Problem:

    • (23-Jul-1998)

      This newer version fixes module issues when booting with loaders other than LILO, i.e. linload, syslinux, grub, chos, and problems with module dependencies.

      NOTE: This version of initscripts is intended for more recent, 2.0.34 and 2.0.35, kernels. Please see the 5.0 Intel errata for the newest kernel.

    • (10-Mar-1998) Security Fix: The initscripts package has various temporary file creation race conditions. These bugs allow local users to create at least denial of service conditions and may allow local users to gain root access to affected systems. All systems with local users that do not have the root password should have these fixes applied. The fixes are available for Red Hat Linux 5.0. As always, these packages have been signed with the Red Hat PGP key.
    • (30-Dec-1997) /proc gets mounted properly with this package. The package initscripts-3.25 had a bug that caused problems with some clone network device configurations. This also fixes the extremely slow tar extractions (a specific case of general user and group lookname brokenness).

    Solution:

    • Intel: Upgrade to initscripts-3.67-1.i386.rpm
    • Alpha: Upgrade to initscripts-3.67-1.alpha.rpm

    • Package: glibc

      Updated: 23-Jul-1998

      Problem:

      • (23-Jul-1998)

        Many fixes, including but not limited to: RPC security patches, timezone fixes (yes BRU should work!!!), environment security fixes, lots of paranoia and exploit-prevention enhancements, fixed threading, resolver code security fixes

      • (28-May-1998) A general updated version of glibc is now required to remain compatible with current and future security updates.

      • (18-Apr-1998) Security Fix:

        A bug in glibc has been discovered that allows for a denial of service attack in ftpd. The following packages correct this problem and all users of Red Hat Linux 5.0 using ftpd should upgrade. As always, these packages have been signed with the Red Hat PGP key.

      • (01-Apr-1998) New glibc packages are available now on the ftp site. These new packages fix (finally!) the problems in the dynamic loader code. Applications compiled for glibc using a lot of shared objects should now work reliably under glibc. Also various fixes to the sigprocmask handlers are in place.

      • (20-Mar-1998) The new glibc packages fix problems in the NIS client and a series of bugs in the dynamic loader code.

        This update requires that the texinfo package also be upgraded.

      • (10-Mar-1998) There is a small problem with the portmap rpm that came with 5.0 in the %post section of the install that messes up the initscript. To avoid this problem, add the --noscripts option to upgrade the package, as in:
                        rpm -Uvh --noscripts portmap-4.0-8.i386.rpm
                

      • (17-Dec-1997) Security Fix: Some security problems have been found in glibc's resolver and portmap code.

      • (22-Dec-1997) When using NIS, groups with more than one key in the group file couldn't log into the system. This was a result of glibc

      • (20-Jan-1997) NIS stuff and other misc problems fixed. The vast majority of users only need the first two, but you need to upgrade to amd-920824upl102-11 and portmap-4.0-8 at the same time, or those services will stop working.

      • (28-Jan-1997) Updated version.

      Solution:


    • Package: libtermcap

      Updated: 02-Jul-1998

      Problem:

      • (02-Jul-1998) Security Fix:

        Security problems have been found that allow local users to gain root access. All Red Hat users should upgrade.

      Solution:

    • Package: dosemu

      Updated: 02-Jul-1998

      Problem:

      • (02-Jul-1998) Security Fix:

        Various security holes have been found that allow root access. All Red Hat users that use Dosemu should upgrade.

      Solution:


    • Package: bind

      Updated: 30-Apr-1998

      Problem:

      • (30-Jun-1998) Security Fix:

        Various problems have been found by the Linux Security Auditing Team. All Red Hat users should upgrade.

      • (09-Apr-1998) Security Fix:

        Major security problems have been found in all versions of bind which affect Red Hat Linux on all platforms. All users running bind should upgrade as soon as possible. After upgrading to the new package, you must restart bind. To do so, issue the following:

                        /etc/rc.d/init.d/named stop
                        /etc/rc.d/init.d/named start    
                

        Thanks to CERT and the ISC for their handling of this problem (CA-98.05).

      Solution:


    • Package: tin

      Updated: 30-Jun-1998

      Problem:

      • (30-Jun-1998) Security Fix:

        Various problems have been found by the Linux Security Auditing Team. All Red Hat users should upgrade.

      Solution:


    • Package: slang

      Updated: 30-Jun-1998

      Problem:

      • (30-Jun-1998) Security Fix:

        Various problems have been found by the Linux Security Auditing Team. All Red Hat users should upgrade.

      Solution:


    • Package: metamail

      Updated: 30-Jun-1998

      Problem:

      • (30-Jun-1998) Security Fix:

        More problems have been found by the Linux Security Auditing Team. All Red Hat users should upgrade.

      • (23-Jun-1998) Security Fix:

        Various problems have been found by the Linux Security Auditing Team. All Red Hat users should upgrade.

      • (01-Jun-1998) Security Fix:

        The metamail package has security problems. Thanks to Chris Evans for finding this problem.

      Solution:


    • Package: mailx

      Updated: 30-Jun-1998

      Problem:

      • (30-Jun-1998) Security Fix:

        More problems have been found by the Linux Security Auditing Team. All Red Hat users should upgrade.

      • (23-Jun-1998) Security Fix:

        Various problems have been found by the Linux Security Auditing Team. All Red Hat users should upgrade.

      • (12-Jun-1998) Security Fix:

        /tmp races have been found in the mailx package. All users of Red Hat Linux should upgrade this package.

      Solution:


    • Package: elm

      Updated: 23-Jun-1998

      Problem:

      • (23-Jun-1998) Security Fix:

        Various problems have been found by the Linux Security Auditing Team. All Red Hat users should upgrade.

      • (26-Jan-1998) Security Fix:

        Filter commands have been removed for buffer overflows. Procmail should be used in place of the filter option.

      Solution:


    • Package: findutils

      Updated: 10-Jun-1998

      Problem:

      • (10-Jun-1998) Security Fix:

        Various, minor security problems were found in this package. Thanks to Kevin Vajk and Emmanuel Galanos for helping out with these.

      • (09-Mar-1998) Security Fix: The findutils package has various temporary file creation race conditions. These bugs allow local users to create at least denial of service conditions and may allow local users to gain root access to affected systems. All systems with local users that do not have the root password should have these fixes applied. The fixes are available for Red Hat Linux 5.0. As always, these packages have been signed with the Red Hat PGP key.

      Solution:


    • Package: dhcp

      Updated: 02-Jun-1998

      Problem:

      • (02-Jun-1998) Security Fix:

        A new version of the ISC dhcp daemon is now available, which fixes many security concerns. Users of Red Hat 5.0 with the package called dhcpd should upgrade to the new release immediately. After upgrading, be sure to restart the dhcp daemon with the following command:

                /etc/rc.d/init.d/dhcpd restart
                

        Thanks to Chris Evans for pointing out these problems and to the ISC for the fix.

      Solution:


    • Package: dhcpcd

      Updated: 01-Jun-1998

      Problem:

      • (01-Jun-1998) Security Fix:

        The dhcpcd package has security problems. Thanks to Chris Evans for finding this problem. After upgrading, you must either reboot your machine or restart the daemon:

                /etc/rc.d/init.d/network restart
                

      Solution:


    • Package: bootp

      Updated: 01-Jun-1998

      Problem:

      • (01-Jun-1998) Security Fix:

        The bootp package has security problems. Thanks to Chris Evans for finding this problem.

      Solution:


    • Package: upgrade failure

      Updated: 20-Apr-1998

      Problem:

      • (08-Dec-1997) Upgrades of systems fail in the "Updating Packages" stage. Users who have a working 4.x system will sometimes get a strange error in which the install fails and exits.

      Solution:

      • The first thing to do is log in as root and mount the Red Hat Linux 5.0 CD-ROM on the current system. For most users this is done simply by typing:

                mount /mnt/cdrom

        If this doesn't work, you may want to check /etc/fstab for more information on where your CD-ROM is mounted. The next thing to do is enter the RPM directory on the Red Hat Linux 5.0 CD:

                cd /mnt/cdrom/RedHat/RPMS

        Then run the RPM upgrade command like so:

                rpm -Uvh rpm-2.4.10-1glibc.i386.rpm

        If it won't let you upgrade RPM, make sure to use the force and nodeps flags:

                rpm -Uvh --nodeps --force rpm-2.4.10-1glibc.i386.rpm

        After doing this, there should be only one step left before you reboot and start the upgrade process. This is to rebuild the rpm database, which is done by:

                rpm --rebuilddb

        This should be the last step and should allow you to upgrade normally.

    • Package: ypbind

      Updated: 18-Apr-1998

      Problem:

      • (18-Apr-1998)

        This updated package corrects some problems when connecting to a non-Linux NIS server. Connecting now works on Alpha as well.

        These packages have been signed with the Red Hat PGP key.

      • (26-Jan-1998)

        Fixes numerous problems with ypservices.

      Solution:


    • Package: procps

      Updated: 17-Apr-1998

      Problem:

      • (17-Apr-1998) Security Fix:

        A file creation and corruption bug in XConsole included in procps-X11 versions 1.2.6 and earlier has been found. An exploit which causes a Denial of Service condition preventing anyone other than root from logging into the computer has been found, and others may well be found.

        Red Hat, Inc. strongly recommends that you upgrade. Thanks to Alan Iwi for finding the bug.

      Solution:

    • Package: ncpfs,smbfs

      Updated: 13-Apr-1998

      Problem:

      • (13-Apr-1998) Permissions problems when mounting ncp and smb volumes.

      Solution:


    • Package: lynx

      Updated: 01-Apr-1998

      Problem:

      • (01-Apr-1998) Security Fix:

        Security problems have been found in lynx which allow remote web sites to cause lynx to do unwise things. Red Hat suggests all users of Red Hat Linux upgrade to the new release of lynx.

      Solution:


    • Package: kbd

      Updated: 25-Mar-1998

      Problem:

      • (25-Mar-1998) Security Fix:

        /tmp exploits have been found in this package. The new packages have been signed with Red Hat's PGP key.

      Solution:


    • Package: mkinitrd

      Updated: 24-Mar-1998

      Problem:

      • (24-Mar-1998) Problems were discovered in the original version of mkinitrd shipped with 5.0. The problem is the inability to handle some modules that require complex option lines.

      Solution:


    • Package: mh

      Updated: 21-Mar-1998

      Problem:

      • (21-Mar-1998) Security Fix: Buffer overflows have been found in msgchk as included with the mh package in all versions of Red Hat. These overflows allow all users to gain root access to systems with them installed, and are distinct from the problems found in earlier versions of mh.

        If you do not need the mh package, the easiest fix for this problem is to:

                rpm -e mh

        If you do need it, fixes are available for users of Red Hat 5.0. As always, these packages have been signed with the Red Hat PGP key.

      • (20-Jan-1998) Buffer overflows that allow users to gain root access.

      Solution:


    • Package: ncftp

      Updated: 20-Mar-1998

      Problem:

      • (20-Mar-1998) Security Fix: All versions of ncftp packages for Red Hat Linux have /tmp symlink attacks. New packages are available for Red Hat 5.0 which fix these problems. All users of Red Hat Linux are encouraged to upgrade to the new ncftp releases immediately. As always, these packages have been signed with the Red Hat PGP key.

        Thanks to the contributors of BUGTRAQ for finding and fixing this bug.

      Solution:


    • Package: perl

      Updated: 10-Mar-1998

      Problem:

      • (10-Mar-1998) Fixes a seg fault condition when using POSIX's strftime() function. This was missed in yesterday's release. :(

      • (09-Mar-1998) Security Fix: All versions of perl for Red Hat Linux have /tmp symlink attacks. New packages are available for Red Hat 5.0 which fix these problems.

        The updates have been PGP signed with the Red Hat public key to ensure their authenticity.

      • (05-Dec-1997) Various /var/tmp paths remain in Config.pm, breaking installs of 3rd party modules.

      Solution:


    • Package: textutils

      Updated: 09-Mar-1998

      Problem:

      • (09-Mar-1998) Security Fix: The textutils package has various temporary file creation race conditions. These bugs allow local users to create at least denial of service conditions and may allow local users to gain root access to affected systems. All systems with local users that do not have the root password should have these fixes applied. The fixes are available for Red Hat Linux 4.2. As always, these packages have been signed with the Red Hat PGP key.

      Solution:


    • Package: bru

      Updated: 05-Feb-1998

      Problem:

      • (31-Dec-1997) These new packages fix a bug in BRU2000 that did not allow the -Xi option to be passed.

      • (05-Feb-1998) For people who are in the "GB" timezone (the UK), you may need to set your timezone to "GMT+0" as a temporary fix for some current BRU problems.

      Solution:

      • These upgrades are available as rhmask-ed RPMs. We have created these rhmask-ed images to update BRU. Here is how to use them:

        1. Get the following files listed below and place them in /tmp:

          Intel: Upgrade to:
          BRU2000-15.0P-2.i386.rpm.rhmask
          BRU2000-X11-15.0P-2.i386.rpm.rhmask

          Alpha: Upgrade to:
          BRU2000-15.0P-2.alpha.rpm.rhmask
          BRU2000-X11-15.0P-2.alpha.rpm.rhmask

        2. Make sure the rhmask utility is installed on your system:
          rpm -q rhmask
          If rhmask is installed, you should see a message similar to the following:
          rhmask-1.0-2
          If it's not already installed, place the CD in the CD-ROM and install it:
          mount /mnt/cdrom 
          cd /mnt/cdrom/RedHat/RPMS 
          rpm -Uvh rhmask-1.0-2.*.rpm 

        3. Locate your original BRU2000 packages on the CD:
          ls -l /mnt/cdrom/RedHat/RPMS/BRU2000*.rpm 

        4. Now unmask the BRU2000 upgrades:
          cd /tmp
          cp /mnt/cdrom/RedHat/RPMS/BRU2000*.rpm . 
          rhmask BRU2000-15.0P-1.*.rpm BRU2000-15.0P-2.*.rpm.rhmask
          rhmask BRU2000-X11-15.0P-1.*.rpm BRU2000-X11-15.0P-2.*.rpm.rhmask

        5. The packages can now be installed:
          cd /tmp 
          rpm -Uvh BRU2000-15.0P-2.*.rpm 

    • Package: gzip

      Updated: 28-Jan-1998

      Problem:

      • (28-Jan-1998) The executable gzexe, part of the gzip package, uses files in /tmp with very predictable names. This can allow users to destroy the contents of files on your system. As most systems do not use gzexe, this is potentially not a problem. However, Red Hat recommends upgrading to the new versions to avoid future problems.

      Solution:


    • Package: ppp

      Updated: 26-Jan-1998

      Problem:

      • (26-Jan-1998) Properly pamified (works with shadow). Also fixes problems setting routes.

      Solution:


    • Package: tmpwatch

      Updated: 26-Jan-1998

      Problem:

      • (13-Jan-1998) Fixes --test; /etc/cron.daily/tmpwatch is no longer empty.
      • (26-Jan-1998) Now runs automatically (the script was empty) and honors the --test flag.

      Solution:


    • Package: gated

      Updated: 19-Jan-1998

      Problem:

      • (19-Jan-1998) Many bug fixes for OSPF area selection problems and IFF_LOOPBACK flag problems.

      Solution:


    • Package: quota

      Updated: 13-Jan-1998

      Problem:

      • (13-Jan-1998) Now includes rpc.rquotad which was missing.

      Solution:


    • Package: mars-nwe

      Updated: 13-Jan-1998

      Problem:

      • (13-Jan-1998) Problems with stopping and starting the init script fixed.

      Solution:


    • Package: dump

      Updated: 31-Dec-1997

      Problem:

      • (31-Dec-1997) Works properly with partitions > 2 gigs.

      Solution:


    • Package: shadow-utils

      Updated: 31-Dec-1997

      Problem:

      • (31-Dec-1997) Fixes a problem with useradd core dumping on commands like:

        useradd -G wheel -d /home/newuser -n newuser

        The -G wheel previously broke things.

      Solution:


    • Package: trn

      Updated: 30-Dec-1997

      Problem:

      • (30-Dec-1997) Fixes the problem with ctrl-z not suspending.

      Solution:


    • Package: ircii

      Updated: 30-Dec-1997

      Problem:

      • (30-Dec-1997) Fixes the problem with ctrl-z not suspending.

      Solution:


    • Package: util-linux

      Updated: 29-Dec-1997

      Problem:

      • (05-Dec-1997) vipw seg faults. This leaves /etc/ptmp around, which breaks both chfn and chsh. Remove this file if it exists.

      • (22-Dec-1997) Fixes bugs in chfn which let users create bad /etc/passwd files.

      • (29-Dec-1997) Fixes problems with more not suspending with ctrl-z.

      Solution:


    • Package: fstool

      Updated: 17-Dec-1997

      Problem:

      • (17-Dec-1997) fstool has several problems, including improperly removing partitions it cannot find on the system. In particular, a few users have reported that it has been unable to find partitions containing swap space.

      Solution:

      • The cabaret program is meant as a replacement for fstool, and does not suffer from several of its problems. Simply remove the fstool program and use cabaret instead:

                rpm -e fstool

                /usr/sbin/cabaret


    • Package: usernet

      Updated: 17-Dec-1997

      Problem:

      • (17-Dec-1997) Usernet would hang when manipulating PPP connections.

      Solution:


    • Package: ramdisk.img

      Updated: 17-Dec-1997

      Problem:

      • (17-Dec-1997) IDE devices on the second IDE chain were not recognized. Use of this ramdisk image fixes this problem.

      Solution:


    • Package: vixie-cron

      Updated: 12-Dec-1997

      Problem:

      • (12-Dec-1997) A patch was added to prevent exploits of the code, removing unsafe code portions from the sources.

      Solution:


    • Package: joe

      Updated: 12-Dec-1997

      Problem:

      • (12-Dec-1997) A resize problem when run in terminals which weren't 80x25 in size (either xterm or non-standard Linux consoles) affected joe.

      Solution:


    • Package: mouseconfig

      Updated: 10-Dec-1997

      Problem:

      • (10-Dec-1997) Serial mouse autoprobing remembers the proper port.

      Solution:


    • Package: gtk

      Updated: 10-Dec-1997

      Problem:

      • (10-Dec-1997) Various gtk applications dump core when no DISPLAY is set.

      Solution:


    • Package: clock off

      Updated: 10-Dec-1997

      Problem:

      • (10-Dec-1997) Time problems occur in libc5 applications. They must either be recompiled or have the below fix applied.

      Solution:

      • Create the proper link by executing this command:

                ln -s /usr/share/zoneinfo /usr/lib/zoneinfo


    • Package: kaffe

      Updated: 10-Dec-1997

      Problem:

      • (10-Dec-1997) This includes the kaffe binary (oops), as well as some more shared libraries which are missing. It won't work without Sun's classes.zip Java runtime library however, which we are not allowed to distribute.

      Solution:


    • Problem: window manager failure

      Updated: 08-Dec-1997

      Problem:

      • (08-Dec-1997) The window manager will not start after upgrading to Red Hat 5.0.

      Solution:

      • Due to a bug in previous releases of Red Hat Linux, the problem most likely is the .Xclients file in the user's home directory. This file was installed in every user's home directory when a user was added to the system.
        You will need to delete the .Xclients file:

                rm -f ~/.Xclients

        If you want to use the fvwm2 window manager with a different configuration, please note that fvwm2 will not read a configuration from the command line if you invoke it with

                fvwm2 -f "command"

        You will need to edit the ~/.Xclients file and change that to

                fvwm2 -cmd "command"

        If you use (or want to use) a totally different window manager, you will need to exec it from your .Xclients file. Customized .Xclients files which don't rely on the fvwm2 or fvwm95 window managers are not affected by this compatibility problem.

    • Package: tcp_wrappers-7.6-2

      Updated: 05-Dec-1997

      Problem:

      • (05-Dec-1997) setenv in /etc/hosts.allow doesn't work.

      Solution:


    • Package: LinuxThreads

      Updated: 05-Dec-1997

      Problem:

      • (05-Dec-1997) When upgrading to 5.0, the new GLibC contains threads natively. The "LinuxThreads" package is no longer needed for threads to work properly.

      Solution:

      • When upgrading, remove the "linuxthreads" package as superuser, using the command:

                rpm -e linuxthreads

    • Package: autofs-0.3.14-2

      Updated: 05-Dec-1997

      Problem:

      • (03-Dec-1997) autofs-0.3.14-1 does not work when NIS services are enabled; it logs messages saying undefined symbol: yperr_string.

      Solution:


    • Package: ld.so

      Updated: 03-Dec-1997

      Problem:

      • (03-Dec-1997) Many libc5 apps do not work.

      Solution:


    • Package: transfig

      Updated: 03-Dec-1997

      Problem:

      • (03-Dec-1997) XFig cannot export PostScript.

      Solution: