Re: FWD: Redhat advisory (RPM --upgrade/-U vs. --freshen/-F)

From: Peter W (peterwat_private)
Date: Tue Jan 04 2000 - 20:03:04 PST


    At 12:43pm Jan 4, 2000, Alfred Huger wrote:
    
    >    Red Hat, Inc. Security Advisory
    
    >    4. Solution:
    >
    >    For each RPM for your particular architecture, run:
    >    rpm -Uvh <filename>
    >    where filename is the name of the RPM.
    
    By suggesting "-Uvh" instead of "-Fvh",[1] RHAT may put systems at risk.
    
    Case in point: the "usermode" package, noted in this announcement, says:
    
    "The usermode package contains several graphical tools for users:
    userinfo, usermount and userpasswd." ... etc.
    
    Admins who have no need for such GUI tools may have chosen not to install
    them in the first place. If you download this new package, verify it, and
    then install it with "-Uvh", you'll install a SUID root 'userhelper' app.
    Maybe they've fixed all the bugs this time, but if you didn't need the app
    (or the usermode package) before, you don't need it now. Use "-Fvh".
    
    Thanks to Don G. for pointing this out.
    
    -Peter
    http://www.bastille-linux.org/ : working towards more secure Linux systems
    
    [1] Since at least version 2.5.3, the Red Hat 'rpm' tool --which has been
    used by non-Red Hat Linux distributions like Caldera and SuSE also--
    provides an install option called --freshen (-F) which is preferred for
    upgrading packages. "freshen" will only install the newer package if an
    earlier version of that same package is already installed, whereas -U
    (--upgrade) will install the new .rpm package _regardless_ of whether you
    have an earlier version installed.
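
A pre-flight check for the point made in this message, added here as an example and not part of the original post: it lists which downloaded errata "rpm -U" would install as brand-new packages and "rpm -F" would skip. The function names, temp-file layout and sample package lists are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Sample data in demo() is constructed.

# new_with_upgrade INSTALLED CANDIDATES
#   INSTALLED:  file with one installed package name per line
#   CANDIDATES: file with "name rpmfile" per line
# Prints the candidates that "rpm -U" would install as new packages and
# that "rpm -F" would skip, because no earlier version is installed.
new_with_upgrade() {
    while read -r name file; do
        [ -n "$name" ] || continue
        # -F -x: exact, whole-line match so "usermode" != "usermode-extra"
        grep -Fxq -- "$name" "$1" || printf '%s %s\n' "$name" "$file"
    done < "$2"
}

# audit_dir DIR: build both lists from the live RPM database and DIR/*.rpm.
audit_dir() {
    tmp=$(mktemp -d) || return 1
    rpm -qa --qf '%{NAME}\n' | sort -u > "$tmp/installed"
    for f in "$1"/*.rpm; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "$(rpm -qp --qf '%{NAME}' "$f")" "$f"
    done > "$tmp/candidates"
    new_with_upgrade "$tmp/installed" "$tmp/candidates"
    rm -rf "$tmp"
}

# demo: constructed host that never installed usermode, constructed errata set
# (file names are placeholders, not real package versions).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' pam SysVinit > "$d/installed"
    printf '%s\n' 'pam pam-ERRATA.i386.rpm' \
                  'usermode usermode-ERRATA.i386.rpm' > "$d/candidates"
    new_with_upgrade "$d/installed" "$d/candidates"
    rm -rf "$d"
}

# With a directory argument, audit real packages; otherwise run the demo.
if [ $# -gt 0 ]; then audit_dir "$1"; else demo; fi
```

Any package this prints is one to leave out of the update run, or to review for SUID files with "rpm -qplv" before deciding to install it.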
    