Date: Tue, 16 Feb 1999 01:12:20 +0100
From: Wichert Akkerman
To: BUGTRAQ@netspace.org
Subject: [SECURITY] New versions of cfengine fixes symlink attack

The maintainer of the Debian GNU/Linux cfengine package found an error in the way cfengine handles temporary files when it runs the tidy action on home directories, which makes it susceptible to a symlink attack. The author has been notified of the problem but has not released a fix yet.

We recommend you upgrade your cfengine package immediately.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

Debian GNU/Linux 2.0 alias hamm
-------------------------------

  This version of Debian was released only for the Intel and the Motorola 680x0 architecture.

  Source archives:
    ftp://ftp.debian.org/debian/dists/stable/main/source/admin/cfengine_1.4.9.orig.tar.gz
      MD5 checksum: 9c952524f2ce0a3dae6728f63d28a3ce
    ftp://ftp.debian.org/debian/dists/stable/main/source/admin/cfengine_1.4.9-3.diff.gz
      MD5 checksum: 9de13ab36791319a846f5d50248b8ed5
    ftp://ftp.debian.org/debian/dists/stable/main/source/admin/cfengine_1.4.9-3.dsc
      MD5 checksum: 6d5f1d2c10ec0a0eeef07dd73244bb44

  Intel architecture:
    ftp://ftp.debian.org/debian/dists/stable/main/binary-i386/admin/cfengine_1.4.9-3_i386.deb
      MD5 checksum: c935781e39141fdcc5b3e3e7a1b5ac7b

  Motorola 680x0 architecture:
    ftp://ftp.debian.org/debian/dists/stable/main/binary-i386/admin/cfengine_1.4.9-3_m68k.deb
      MD5 checksum: 8628802255c66796f8acd3fe1844bb0b

For not yet released architectures please refer to the appropriate directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .

-- 
Debian GNU/Linux . Security Managers . security@debian.org
debian-security-announce@lists.debian.org
Christian Hudon . Wichert Akkerman . Martin Schulze . .