CERT Vendor-Initiated Bulletin VB-95:10 - Vulnerability in elm 2.4

CERT Bulletin cert-advisory at cert.org
Mon Dec 18 20:46:33 UTC 1995


CERT Vendor-Initiated Bulletin VB-95:10
December 18, 1995

Topic:  Vulnerability in elm 2.4 PL 24
Source: Bill Pemberton, University of Virginia

To aid in the wide distribution of essential security information, the CERT
Coordination Center is forwarding the following information from Bill
Pemberton, who is the coordinator of the group that maintains elm. Mr.
Pemberton urges you to act on this information as soon as possible. His
contact information is included in the forwarded text below; please contact
him if you have any questions or need further information.


========================FORWARDED TEXT STARTS HERE============================

I. Description

Elm will follow symlinks in /tmp when opening temp files. All systems that
support symlinks are vulnerable.


II. Impact

Users on the system can create files in the directories of other elm users.

You can determine what version of elm you are running with the -v command line
option (run "elm -v").


III. Solution

Upgrade to elm 2.4 PL 25. The patch to upgrade from elm 2.4 PL 24 to PL 25
is available at:

     ftp://ftp.myxa.com/pub/elm/elm2.4.p25
     MD5 (elm2.4.p25) = 5ec93595c7573be4d0cb4ce7097b6e83

The full distribution of elm 2.4 PL 25 is available at:

     ftp://ftp.myxa.com/pub/elm/elm2.4.tar.Z
     MD5 (elm2.4.tar.Z) = e5bdc4492a4931402c57ac9a8cf111b2


IV. Contact information

Bill Pemberton                           wfp5p at virginia.edu
ITC/Unix Systems                         flash at virginia.edu
University of Virginia                   uunet!virginia!wfp5p

=========================FORWARDED TEXT ENDS HERE=============================


CERT publications, information about FIRST representatives, and
other information related to computer security are available for anonymous 
FTP from info.cert.org. 

CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce. If you would like to have future advisories and
bulletins mailed to you or to a mail exploder at your site, please send mail
to cert-advisory-request at cert.org.

If you wish to send sensitive incident or vulnerability information to
CERT staff by electronic mail, we strongly advise that the e-mail be
encrypted. The CERT Coordination Center can support a shared DES key, PGP
(public key available via anonymous FTP on info.cert.org), or PEM (contact
CERT staff for details).

Internet email: cert at cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
           and are on call for emergencies during other hours.
Fax: +1 412-268-6989

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
USA


CERT is a service mark of Carnegie Mellon University.
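
The bulletin's description (temp files in /tmp opened through a symlink) is illustrated below as an added example. It is not part of the bulletin and is not elm's code. The file names and the scratch directory are constructed, and the check runs entirely inside its own private directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: O_CREAT without O_EXCL follows a symlink already at path,
 * so the file is created wherever the link points. */
int open_temp_weak(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_CREAT|O_EXCL fails if anything, including a dangling symlink,
 * already exists at path; O_NOFOLLOW is an extra guard on the last component. */
int open_temp_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Self-check in a private scratch directory (constructed scenario).
 * Returns 0 when the safe open refused the pre-existing link without
 * creating its target, and the weak open did create the target. */
int symlink_selfcheck(void) {
    char dir[] = "/tmp/symchk.XXXXXX";
    char link_path[64], target[64];
    struct stat st;
    int fd, safe_refused, target_absent, weak_followed;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(link_path, sizeof link_path, "%s/mbox.tmp", dir);
    snprintf(target, sizeof target, "%s/elsewhere", dir);
    if (symlink(target, link_path) != 0) { rmdir(dir); return -1; }

    fd = open_temp_safe(link_path);
    safe_refused = (fd < 0);
    if (fd >= 0) close(fd);
    target_absent = (stat(target, &st) != 0);

    fd = open_temp_weak(link_path);
    if (fd >= 0) close(fd);
    weak_followed = (stat(target, &st) == 0);

    unlink(target); unlink(link_path); rmdir(dir);
    return (safe_refused && target_absent && weak_followed) ? 0 : 1;
}

int main(void) {
    printf("selfcheck: %d\n", symlink_selfcheck());
    return 0;
}
```

mkstemp() gives the same exclusive-create guarantee and also picks an unpredictable name.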