Yellow Dog Linux Security Announcement
--------------------------------------

Package:	perl
Issue Date: 	August 10, 2000
Update Date: 	August 10, 2000
Priority: 	high
Advisory ID: 	YDU-20000810-1


1. Topic:

   The perl package has an exploit made possible 
   by incorrect assumptions made in suidperl. 


2. Problem:

   Under certain conditions, suidperl will attempt to send mail
   to the local superuser account using /bin/mail. An exploit script
   may use suidperl and mailx's tendency to inherit settings from the
   environment, to gain local root access.

   This update changes suidperl's behavior to use syslog instead of mail.


3. Solution:

   a) Updating via yup...
   We suggest that you use the Yellow Dog Update Program (yup)
   to keep your system up-to-date. The following command will
   automatically retrieve and install the fixed version of
   the perl onto your system:

   	yup update perl

   b) Updating manually...
   The update can also be retrieved manually from our ftp site
   below along with the rpm command that should be used to install
   the update.

   ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/champion-1.2/ppc/RPMS/
   perl-5.00503-11.ppc.rpm

        rpm -Fvh perl-5.00503-11.ppc.rpm


4. Verification

MD5 checksum				Package
--------------------------------	----------------------------
1722c455f2c12ddc75b16c63a6f8e4d8	RPMS/perl-5.00503-11.ppc.rpm
f59acb8e8edcc816d99dfe239fe912a1  	SRPMS/perl-5.00503-11.src.rpm


If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename


5. Misc.

Terra Soft has setup a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.

For information regarding the usage of yup, the Yellow Dog Update Program, see 
http://http://www.yellowdoglinux.com/support/solutions/ydl_general/yup.shtml