RHSA-2008:0193-02 Important: lspp-eal4-config-ibm and capp-lspp-eal4-config-hp security update
Posted on: 04/01/2008 05:55 PM
A new update is available for Red Hat Enterprise Linux. Here the announcement:
-----BEGIN PGP SIGNED MESSAGE-----
Red Hat Security Advisory
Synopsis: Important: lspp-eal4-config-ibm and capp-lspp-eal4-config-hp security update
Advisory ID: RHSA-2008:0193-02
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0193.html
Issue date: 2008-04-01
CVE Names: CVE-2008-0884
Updated lspp-eal4-config-ibm and capp-lspp-eal4-config-hp packages that
fix a security issue are now available for Red Hat Enterprise Linux 5.
This update has been rated as having important security impact by the Red
Hat Security Response Team.
The lspp-eal4-config-ibm and capp-lspp-eal4-config-hp packages contain
utilities and documentation for configuring a machine for the Controlled
Access Protection Profile, or the Labeled Security Protection Profile.
It was discovered that use of the "capp-lspp-config" script results in the
"/etc/pam.d/system-auth" file being set to world-writable. Authorized local
users who have limited privileges could then exploit this to gain
additional access, or to escalate their privileges. (CVE-2008-0884)
This issue only affects users who have installed either of these packages
from the Red Hat FTP site as their base system configuration kickstart
New deployments using the lspp-eal4-config-ibm or capp-lspp-eal4-config-hp
packages are advised to upgrade to these updated packages, which resolve
For systems already deployed, the following command can be run as root to
restore the permissions to a secure setting:
chmod 0644 /etc/pam.d/system-auth
This update is available via the Red Hat FTP site.
4. Bugs fixed (http://bugzilla.redhat.com/):
435442 - CVE-2008-0884 system-auth-ac is world-writable
The Red Hat security contact is lt;firstname.lastname@example.org;. More contact
details at https://www.redhat.com/security/team/contact/
Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
-----END PGP SIGNATURE-----