Bugtraq: Re: FWD: Redhat advisory (RPM --upgrade/-U vs. --freshen/-F)

Re: FWD: Redhat advisory (RPM --upgrade/-U vs. --freshen/-F)

From: Peter W <peterw_at_USA.NET>
Date: Tue, 4 Jan 2000 23:03:04 -0500

At 12:43pm Jan 4, 2000, Alfred Huger wrote:

> Red Hat, Inc. Security Advisory

> 4. Solution:
>
> For each RPM for your particular architecture, run:
> rpm -Uvh <filename>
> where filename is the name of the RPM.

By suggesting "-Uvh" instead of "-Fvh",[1] RHAT may put systems at risk.

Case in point: the "usermode" package, noted in this announcement, says:

"The usermode package contains several graphical tools for users:
userinfo, usermount and userpasswd." ... etc.

Admins who have no need for such GUI tools may have chosen not to install
them in the first place. If you download this new package, verify it, and
then install it with "-Uvh", you'll install a SUID root 'userhelper' app.
Maybe they've fixed all the bugs this time, but if you didn't need the app
(or the usermode package) before, you don't need it now. Use "-Fvh".

Thanks to Don G. for pointing this out.

-Peter
http://www.bastille-linux.org/ : working towards more secure Linux systems

[1] Since at least version 2.5.3, the Red Hat 'rpm' tool --which has been
used by non-Red Hat Linux distributions like Caldera and SuSE also--
provides an install option called --freshen (-F) which is preferred for
upgrading packages. "freshen" will only install the newer package if an
earlier version of that same package is already installed, whereas -U
(--upgrade) will install the new .rpm package _regardless_ of whether you
have an earlier version installed.
Received on Jan 05 2000
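
The check below is an added example, not part of the original post or of any Red Hat tooling. Before a directory of errata RPMs is applied, it reports every package that is not currently installed (so `-U` would add it and `-F` would skip it) and lists the setuid/setgid files that package carries. The function names are hypothetical; it assumes `rpm` is on the PATH and that file paths contain no spaces.

```sh
#!/bin/sh
# Added example: pre-flight check for "rpm -Uvh" versus "rpm -Fvh".

# Read candidate package names on stdin and print those that are absent
# from the file $1 (installed package names, one per line).
new_with_upgrade() {
    grep -Fxv -f "$1" || true   # grep exits 1 when nothing is left; not an error here
}

# Read an "ls -l"-style listing on stdin (the format "rpm -qplv" prints)
# and print "mode owner path" for regular files with the setuid or setgid bit.
suid_entries() {
    awk '$1 ~ /^-..[sS]/ || $1 ~ /^-.....[sS]/ { print $1, $3, $NF }'
}

# Walk a directory of .rpm files and report what -U would newly install.
preflight() {
    dir=$1
    installed=$(mktemp) || return 1
    rpm -qa --queryformat '%{NAME}\n' | sort -u > "$installed"
    for f in "$dir"/*.rpm; do
        [ -e "$f" ] || continue
        name=$(rpm -qp --queryformat '%{NAME}\n' "$f") || continue
        if printf '%s\n' "$name" | new_with_upgrade "$installed" | grep -q .; then
            echo "NOT INSTALLED: $name ($f): -U would add it, -F would skip it"
            rpm -qplv "$f" | suid_entries | sed 's|^|    setuid/setgid: |'
        fi
    done
    rm -f "$installed"
}

# Usage: sh preflight.sh /path/to/errata-rpms
if [ $# -eq 1 ]; then
    preflight "$1"
fi
```

It covers only the "package not installed" difference between the two options; `-F` additionally requires the candidate to be newer than the installed version.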
