Bugtraq mailing list archives
Re: FWD: Redhat advisory (RPM --upgrade/-U vs. --freshen/-F)
From: peterw () USA NET (Peter W)
Date: Tue, 4 Jan 2000 23:03:04 -0500
At 12:43pm Jan 4, 2000, Alfred Huger wrote:
Red Hat, Inc. Security Advisory
4. Solution: For each RPM for your particular architecture, run: rpm -Uvh <filename> where filename is the name of the RPM.
By suggesting "-Uvh" instead of "-Fvh",[1] RHAT may put systems at risk. Case in point: the "usermode" package, noted in this announcement, says: "The usermode package contains several graphical tools for users: userinfo, usermount and userpasswd." ... etc. Admins who have no need for such GUI tools may have chosen not to install them in the first place. If you download this new package, verify it, and then install it with "-Uvh", you'll install a SUID root 'userhelper' app. Maybe they've fixed all the bugs this time, but if you didn't need the app (or the usermode package) before, you don't need it now.

Use "-Fvh".

Thanks to Don G. for pointing this out.

-Peter

http://www.bastille-linux.org/ : working towards more secure Linux systems

[1] Since at least version 2.5.3, the Red Hat 'rpm' tool --which has been used by non-Red Hat Linux distributions like Caldera and SuSE also-- provides an install option called --freshen (-F) which is preferred for upgrading packages. "freshen" will only install the newer package if an earlier version of that same package is already installed, whereas -U (--upgrade) will install the new .rpm package _regardless_ of whether you have an earlier version installed.
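The check described in the message above, as an added example that is not part of the original post or of the Red Hat advisory: it reports which downloaded update files belong to packages that are not installed (the ones "-Uvh" would add and "-Fvh" would skip) and lists any setuid/setgid files they carry. The function names are illustrative, and it assumes an `rpm` that supports `--queryformat`.

```shell
#!/bin/sh
# Added example, not from the original post. Run it in the directory holding
# the verified update RPMs, before choosing between "rpm -Uvh" and "rpm -Fvh".

# pkg_name FILE: package name as recorded in the file's header (not its filename).
pkg_name() {
    rpm -qp --queryformat '%{NAME}\n' "$1"
}

# is_installed NAME: succeeds if any version of NAME is already installed.
is_installed() {
    rpm -q "$1" >/dev/null 2>&1
}

# setid_files FILE: setuid/setgid regular files the package would install.
# "rpm -qp -lv" prints an ls -l style listing; field 1 is the mode string.
# Paths containing spaces are not handled.
setid_files() {
    rpm -qp -lv "$1" |
        awk '$1 ~ /^-..[sS]/ || $1 ~ /^-.....[sS]/ { print $1, $NF }'
}

# audit_updates FILE...: report every update whose package is NOT installed.
# These are the files "rpm -Uvh" would add and "rpm -Fvh" would skip.
audit_updates() {
    for f in "$@"; do
        name=$(pkg_name "$f") || return 1
        if ! is_installed "$name"; then
            echo "NEW $name ($f)"
            setid_files "$f" | sed 's/^/  SETID /'
        fi
    done
}

# Typical use:
#   audit_updates ./*.rpm     # review what -U would newly install
#   rpm -Fvh ./*.rpm          # upgrade only packages already present
```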