
[suse-security] [Announcement] New fou4s release - 0.11.2

Fou4s (Fast OnlineUpdate for SuSE) is an alternative implementation of YOU 
(YaST Online Update) and is aimed at admin users that want updates as 
painless and automated as possible. But it can also be useful for desktop 
users. I've used it to update mozilla, gnome, kde and rpms from 
packman.links2linux.org as well. 
See http://fou4s.gaugusch.at/ for more information.

Now the bad part :-)
Lars Ellenberg has found a potential security problem that is fixed in
this release: RPM pre/postinstall scripts were executed with a group
writable umask and GID fou4s. Although no unprivileged user should be a
member of group fou4s (it is intended for administrators who want to run
fou4s with non-root rights, not for normal users), I recommend checking
your machines and fixing broken permissions. Please note that group
fou4s has NO members with the default settings!

The commands below are an example of how to check. I exclude /var because
according to my tests it is not affected by the bug. If you want to be
sure, you can instead exclude only /var/cache/fou4s and /var/log/fou4s.log.

# check files (-print0/xargs -0 keep file names with spaces intact;
# ls -ld shows the directories themselves instead of their contents)
find / -path /var -prune -o -group fou4s -print0 | xargs -0 ls -ld
# fix rights, if you are satisfied with the above results
find / -path /var -prune -o -group fou4s -print0 | xargs -0 chmod g-w
# fix group owner - do this AFTER fixing rights, otherwise "-group fou4s"
# no longer matches anything and the chmod above finds nothing!!
find / -path /var -prune -o -group fou4s -print0 | xargs -0 chgrp root
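As an added example that is not part of the announcement, here is a small audit script that narrows the check above to the actual symptom of the bug, files owned by the given group that are also group-writable, and removes only that bit. Root path, group name and excluded subtree are parameters, so it can be tried on a scratch directory with your own group; the demo() tree is constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the fou4s announcement): audit and fix files that
# show the described symptom, i.e. owned by GROUP and group-writable, while
# skipping one subtree (the announcement excludes /var).

# Print matching paths, one per line.
audit_group_writable() {
    root=$1 grp=$2 exclude=$3
    find "$root" -path "$exclude" -prune -o \
        -group "$grp" -perm -g+w -print 2>/dev/null
}

# Number of matches, handy for scripting and for the demonstration below.
count_group_writable() {
    audit_group_writable "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Remove the group-write bit from every match. Mirrors the "chmod g-w" step
# above, but only touches entries that are actually group-writable; -exec ... +
# is portable and needs no xargs.
fix_group_writable() {
    root=$1 grp=$2 exclude=$3
    find "$root" -path "$exclude" -prune -o \
        -group "$grp" -perm -g+w -exec chmod g-w {} + 2>/dev/null
}

# Demonstration on a constructed scratch tree. The group is read back from a
# created file rather than assumed, because group fou4s has no members and may
# not exist on this machine. Prints "<matches before fix> <matches after fix>".
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc" "$tmp/var/cache"
    chmod 0755 "$tmp" "$tmp/etc" "$tmp/var" "$tmp/var/cache"
    touch "$tmp/etc/good.conf" "$tmp/etc/bad.conf" "$tmp/var/cache/bad.cache"
    chmod 0644 "$tmp/etc/good.conf"
    chmod 0664 "$tmp/etc/bad.conf" "$tmp/var/cache/bad.cache"
    grp=$(ls -ld "$tmp/etc/bad.conf" | awk '{print $4}')
    before=$(count_group_writable "$tmp" "$grp" "$tmp/var")
    fix_group_writable "$tmp" "$grp" "$tmp/var"
    after=$(count_group_writable "$tmp" "$grp" "$tmp/var")
    rm -rf "$tmp"
    echo "$before $after"
}
```

Running demo prints "1 0": only etc/bad.conf is reported (var/ is pruned, good.conf is not group-writable), and after the fix nothing matches.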

Martin Köhling has also found a potential problem. Versions of fou4s 
before 0.11.0 didn't recognise the latest kdebase3-SuSE update because of 
a slightly different formatting of the update description file. Fou4s 
0.11.0 and newer automatically find the missed update, so you are 
encouraged to get the latest version. (Try fou4s --auto --checkfou4s).

Apart from the above, this release contains mostly bugfixes for the
--export and --host options.
German and French information texts (--language=german) are now shown
correctly (Unicode decoding, thanks to Matthias Andree for this!). Some
non-SuSE packages that caused update problems because of a different arch
(e.g. i386 instead of i586) also work now.

kind regards,
Markus Gaugusch

__________________    /"\ 
Markus Gaugusch       \ /    ASCII Ribbon Campaign
markus(at)gaugusch.at  X     Against HTML Mail
                      / \

Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here