
Red Hat 6.1 RHSA-1999:046-01 Critical: Ypserv Buffer Overflow Risk

Red Hat, Inc. Security Advisory
Package: ypserv
Synopsis: security problems with ypserv
Advisory ID: RHSA-1999:046-01
Issue Date: 1999-10-27
Updated on: 1999-10-27
Keywords: ypserv yppasswdd rpc.yppasswdd



1. Topic:
The ypserv package, which contains the ypserv NIS server and the yppasswdd password-change server, has been discovered to have security holes.

2. Problem description:
With ypserv, local administrators in the NIS domain could possibly inject password tables. In rpc.yppasswdd, users could change the GECOS fields and login shells of other users, and there is a buffer overflow in the MD5 hash generation.

It is recommended that all users of the ypserv package upgrade to the new packages.

3. Bug IDs fixed: (see bugzilla for more information)

4. Relevant releases/architectures:
Red Hat Linux 6.1, all architectures

5. Obsoleted by:
None

6. Conflicts with:
None

7. RPMs required:

Intel:


Alpha:


SPARC:


Source:

8. Solution:
For each RPM for your particular architecture, run:

rpm -Uvh filename

where filename is the name of the RPM.

9. Verification:


 MD5 sum                           Package Name

 -------------------------------------------------------------------------
c1a566b7535bb51e25d9c1743f822682  ypserv-1.3.9-1.i386.rpm
a8f5a82d450ddb2b42068537859c18ae  ypserv-1.3.9-1.alpha.rpm
6759503c9cc688bcd1902f6511ecc60a  ypserv-1.3.9-1.sparc.rpm
f7e8b5a241c4e873822c83be2f0cf566  ypserv-1.3.9-1.src.rpm

 
These packages are GPG signed by Red Hat, Inc. for security. Our key is available at:
.html

You can verify each package with the following command: rpm --checksig filename

If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nogpg filename

Note that you need RPM >= 3.0 to check GnuPG keys.
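
An added example (not part of Red Hat's advisory): a POSIX shell script that compares downloaded files against the MD5 table in section 9 and reports any file that mismatches or is not listed. The function names are hypothetical, and md5sum from GNU coreutils is assumed to be installed.

```shell
#!/bin/sh
# Added example: check downloaded ypserv RPMs against the MD5 table in
# section 9 of the advisory. Assumes md5sum (GNU coreutils) is installed.

# Sums copied from the advisory's verification table.
ADVISORY_SUMS='c1a566b7535bb51e25d9c1743f822682  ypserv-1.3.9-1.i386.rpm
a8f5a82d450ddb2b42068537859c18ae  ypserv-1.3.9-1.alpha.rpm
6759503c9cc688bcd1902f6511ecc60a  ypserv-1.3.9-1.sparc.rpm
f7e8b5a241c4e873822c83be2f0cf566  ypserv-1.3.9-1.src.rpm'

# expected_md5 FILE: print the listed sum for FILE's basename;
# return 1 if the table has no entry for that package name.
expected_md5() {
    name=$(basename "$1")
    sum=$(printf '%s\n' "$ADVISORY_SUMS" | awk -v n="$name" '$2 == n { print $1 }')
    [ -n "$sum" ] || return 1
    printf '%s\n' "$sum"
}

# verify_rpm_md5 FILE: 0 = match, 1 = mismatch, 2 = not listed, 3 = unreadable.
verify_rpm_md5() {
    [ -r "$1" ] || return 3
    want=$(expected_md5 "$1") || return 2
    got=$(md5sum < "$1" | awk '{ print $1 }')
    [ "$got" = "$want" ]
}

# verify_all FILE...: report every file; return 1 if any file fails.
verify_all() {
    failed=0
    for f in "$@"; do
        st=0
        verify_rpm_md5 "$f" || st=$?
        case $st in
            0) echo "OK          $f" ;;
            1) echo "MISMATCH    $f"; failed=1 ;;
            2) echo "NOT LISTED  $f"; failed=1 ;;
            *) echo "UNREADABLE  $f"; failed=1 ;;
        esac
    done
    return $failed
}

# Stand-alone use: sh check.sh ypserv-1.3.9-1.i386.rpm ...
if [ "$#" -gt 0 ]; then verify_all "$@"; fi
```

Run it with the downloaded file names as arguments and install only files reported as OK; the rpm --checksig step described above still applies.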

10. References:


 

December 7, 1999
Significant vulnerabilities identified within the ypserv component; prompt update advised to protect server performance and ensure data protection.
References

19991024163423.6665A67B0@Galois.suse.de


 

Severity
critical