CERT Vendor-Initiated Bulletin VB-95:10 - Vulnerability in elm 2.4
CERT Vendor-Initiated Bulletin VB-95:10
December 18, 1995

Topic: Vulnerability in elm 2.4 PL 24
Source: Bill Pemberton, University of Virginia

To aid in the wide distribution of essential security information, the CERT Coordination Center is forwarding the following information from Bill Pemberton, who is the coordinator of the group that maintains elm. Mr. Pemberton urges you to act on this information as soon as possible. His contact information is included in the forwarded text below; please contact him if you have any questions or need further information.

========================FORWARDED TEXT STARTS HERE============================

I. Description

Elm will follow symlinks in /tmp when opening temp files. All systems that support symlinks are vulnerable.

II. Impact

Users on the system can create files in the directories of other elm users.

You can determine what version of elm you are running with the -v command line option (run "elm -v").

III. Solution

Upgrade to elm 2.4 PL 25.

The patch to upgrade from elm 2.4 PL 24 to PL 25 is available at:

    ftp://ftp.myxa.com/pub/elm/elm2.4.p25
    MD5 (elm2.4.p25) = 5ec93595c7573be4d0cb4ce7097b6e83

The full distribution of elm 2.4 PL 25 is available at:

    ftp://ftp.myxa.com/pub/elm/elm2.4.tar.Z
    MD5 (elm2.4.tar.Z) = e5bdc4492a4931402c57ac9a8cf111b2

IV. Contact information

    Bill Pemberton            wfp5p@virginia.edu
    ITC/Unix Systems          flash@virginia.edu
    University of Virginia    uunet!virginia!wfp5p

=========================FORWARDED TEXT ENDS HERE=============================

CERT publications, information about FIRST representatives, and other information related to computer security are available for anonymous FTP from info.cert.org.

CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce.

If you would like to have future advisories and bulletins mailed to you or to a mail exploder at your site, please send mail to cert-advisory-request@cert.org.

If you wish to send sensitive incident or vulnerability information to CERT staff by electronic mail, we strongly advise that the e-mail be encrypted. The CERT Coordination Center can support a shared DES key, PGP (public key available via anonymous FTP on info.cert.org), or PEM (contact CERT staff for details).

Internet email: cert@cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
    CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours.
Fax: +1 412-268-6989

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
USA

CERT is a service mark of Carnegie Mellon University.
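
The bulletin's description (temp files opened through symlinks in a shared directory) corresponds to the general pattern below. This is an added example, not part of the bulletin and not elm's source code; the function names and the scratch paths are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: O_CREAT without O_EXCL follows an existing symlink
 * and creates or truncates whatever the link points to. */
int open_temp_weak(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_EXCL makes open() fail with EEXIST if anything,
 * including a dangling symlink, already exists at the path. */
int open_temp_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Self-check inside a private scratch directory (constructed paths).
 * Returns 0 when the hardened open refuses a pre-existing symlink and
 * leaves its target uncreated, while the weak open creates the target. */
int demo(void) {
    char dir[] = "/tmp/symdemoXXXXXX";
    char link_path[64], target[64];
    struct stat st;
    int fd, rc = 0;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(link_path, sizeof link_path, "%s/scratch.tmp", dir);
    snprintf(target, sizeof target, "%s/other_file", dir);
    if (symlink(target, link_path) != 0) return -1;

    fd = open_temp_safe(link_path);              /* must be refused */
    if (fd != -1 || errno != EEXIST) rc |= 1;
    if (stat(target, &st) == 0) rc |= 2;         /* target must not exist */
    if (fd != -1) close(fd);

    fd = open_temp_weak(link_path);              /* follows the link */
    if (fd == -1 || stat(target, &st) != 0) rc |= 4;
    if (fd != -1) close(fd);

    unlink(link_path);
    fd = open_temp_safe(link_path);              /* clean path: succeeds */
    if (fd == -1) rc |= 8; else close(fd);

    unlink(link_path); unlink(target); rmdir(dir);
    return rc;
}

int main(void) { return demo(); }
```

mkstemp(3) gives the same exclusive-create behaviour and also picks an unpredictable file name.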