COMMAND

    openldap

SYSTEMS AFFECTED

    RedHat Linux 6.1, 6.2, TurboLinux 6.0.2 and earlier (OpenLDAP 1.2.9 and earlier)

PROBLEM

    The following is based on the Red Hat Security Advisory.  slapd
    creates its database files (NEXTID and the *.dbb files) by opening
    a fixed, predictable path for writing, and that open follows
    symbolic links.  The default location for these files is /usr/tmp,
    which is a symlink to /tmp, which in turn is a world-writable
    directory.  A local user who plants a symlink with one of those
    names in /tmp before slapd writes can therefore have slapd truncate
    and overwrite the link's target, destroying the contents of any
    file on any mounted filesystem.  Because the daemon, not the user,
    performs the write, ordinary permissions on the target file do not
    protect it.

SOLUTION

    Administrators with existing databases should, with slapd stopped,
    move their NEXTID and *.dbb files from /usr/tmp to /var/lib/ldap,
    make sure /var/lib/ldap is not world-writable, and change the
    'directory' setting in /etc/openldap/slapd.conf to match before
    restarting slapd.  Check that the files being moved are real files
    and not symlinks left behind in /tmp.
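    The script below is an added example and is not part of the advisory
    or of OpenLDAP.  It reproduces the failure mode from the PROBLEM
    section in a throwaway sandbox directory (a world-writable directory
    standing in for /usr/tmp, a planted NEXTID symlink, and a write that
    follows it), shows a hardened file-creation helper, and carries out the
    migration described above against sandbox copies of the database files
    and slapd.conf.  The function names, the sandbox layout and the sample
    slapd.conf contents are all made up for the example; the account slapd
    runs as is not named by the advisory, so the ownership step is left as
    a comment.

```shell
#!/bin/sh
# Added example, not part of the advisory. Every path is a parameter so the
# whole thing runs inside a throwaway sandbox; nothing here touches the real
# /usr/tmp, /var/lib/ldap or /etc/openldap/slapd.conf.

# 1. The failure mode. A "daemon" creates a file with a predictable name
#    (NEXTID) in a world-writable directory. A local user has already planted
#    a symlink of that name pointing at a victim file, so the daemon's open
#    for writing truncates and overwrites the victim instead.
#    Prints the victim file's contents afterwards.
demo_symlink_clobber() {
    sandbox=$1
    tmpdir="$sandbox/usr_tmp"      # stands in for /usr/tmp -> /tmp
    victim="$sandbox/victim"
    mkdir -p "$tmpdir"
    chmod 1777 "$tmpdir"
    printf 'important data\n' > "$victim"
    ln -s "$victim" "$tmpdir/NEXTID"         # attacker's move
    # Daemon's move: a plain "open for writing" (O_CREAT|O_TRUNC) follows
    # the symlink. The shell redirection below behaves the same way.
    printf '1\n' > "$tmpdir/NEXTID"
    cat "$victim"                            # now "1": original data is gone
}

# 2. Hardened creation: only write inside a directory that is not
#    world-writable, refuse an existing symlink, and use noclobber (set -C)
#    so a pre-created regular file is not silently reused either.
safe_create() {
    dir=$1; name=$2
    if [ "$(ls -ld "$dir" | cut -c9)" = "w" ]; then
        echo "refusing world-writable directory $dir" >&2
        return 1
    fi
    if [ -L "$dir/$name" ]; then
        echo "refusing symlink $dir/$name" >&2
        return 1
    fi
    ( set -C; printf '1\n' > "$dir/$name" )
}

# 3. The advisory's migration, parameterised: move NEXTID and *.dbb from the
#    old shared directory into a private one, lock it down, and point the
#    'directory' directive of the given slapd.conf at it. Run with slapd
#    stopped. In production also chown the new directory to the account
#    slapd runs as (assumption: the advisory does not name it, so check the
#    init script).
migrate_ldap_db() {
    old=$1; new=$2; conf=$3
    mkdir -p "$new"
    chmod 700 "$new"
    for f in "$old"/NEXTID "$old"/*.dbb; do
        [ -e "$f" ] || continue              # unmatched glob stays literal
        if [ -L "$f" ]; then
            echo "skipping symlink $f (possible planted link)" >&2
            continue
        fi
        mv "$f" "$new"/
    done
    # sed -i is not portable, so rewrite via a temporary file.
    sed "s#^directory[[:space:]].*#directory $new#" "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
    grep '^directory' "$conf"
}

# Usage: sh this.sh <empty-sandbox-dir>
if [ $# -eq 1 ]; then
    sb=$1
    echo "victim after symlink attack: $(demo_symlink_clobber "$sb")"
    safe_create "$sb/usr_tmp" NEXTID || echo "safe_create refused usr_tmp (good)"
    mkdir -p "$sb/private" && chmod 700 "$sb/private"
    safe_create "$sb/private" NEXTID && echo "safe_create wrote $sb/private/NEXTID"
    rm -f "$sb/usr_tmp/NEXTID"
    printf '1\n' > "$sb/usr_tmp/NEXTID"
    printf '%s\n' 'database ldbm' 'directory /usr/tmp' > "$sb/slapd.conf"
    migrate_ldap_db "$sb/usr_tmp" "$sb/var_lib_ldap" "$sb/slapd.conf"
fi
```

    Run it as "sh script.sh $(mktemp -d)".  The demo relies on the symlink
    and the directory being owned by the same user, which is exactly the
    /tmp situation the advisory describes; on kernels with symlink
    protection for sticky directories the attack would be blocked when the
    link owner differs from the writer, which is why the hardened helper
    still refuses world-writable directories and symlinks outright rather
    than depending on that.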

    RPMs required:

      Red Hat Linux 6.1:
        intel: ftp://updates.redhat.com/6.1/i386/openldap-1.2.9-6.i386.rpm
        alpha: ftp://updates.redhat.com/6.1/alpha/openldap-1.2.9-6.alpha.rpm
        sparc: ftp://updates.redhat.com/6.1/sparc/openldap-1.2.9-6.sparc.rpm
      sources: ftp://updates.redhat.com/6.1/SRPMS/openldap-1.2.9-6.src.rpm

      Red Hat Linux 6.2:
        intel: ftp://updates.redhat.com/6.2/i386/openldap-1.2.9-6.i386.rpm
        alpha: ftp://updates.redhat.com/6.2/alpha/openldap-1.2.9-6.alpha.rpm
        sparc: ftp://updates.redhat.com/6.2/sparc/openldap-1.2.9-6.sparc.rpm
      sources: ftp://updates.redhat.com/6.2/SRPMS/openldap-1.2.9-6.src.rpm

    For TurboLinux (rpm -F only upgrades packages that are already installed):

        rpm -Fvh ftp://ftp.turbolinux.com/pub/updates/6.0/security/openldap-1.2.10-1.i386.rpm
        rpm -Fvh ftp://ftp.turbolinux.com/pub/updates/6.0/security/openldap-devel-1.2.10-1.i386.rpm
        rpm -Fvh ftp://ftp.turbolinux.com/pub/updates/6.0/security/openldap-libs-1.2.10-1.i386.rpm
        rpm -Fvh ftp://ftp.turbolinux.com/pub/updates/6.0/security/openldap-server-1.2.10-1.i386.rpm

    The source rpm can be downloaded here:

        ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/openldap-1.2.10-1.src.rpm