Important: redhat-idm-console security update

Advisory:	RHSA-2008:0191-3
Type:	Security Advisory
Severity:	Important
Issued on:	2008-03-19
Last updated on:	2008-03-19
Affected Products:	Red Hat Directory Server v8 EL4 Red Hat Directory Server v8 EL5
OVAL:	N/A
CVEs (cve.mitre.org):	CVE-2008-0889

Details

Updated redhat-idm-console packages that fix a security issue are now
available for Red Hat Directory Server 8.0.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

The redhat-idm-console contains a Java based remote management console used
for managing Red Hat Administration Server and Red Hat Directory Server.

When running on Red Hat Enterprise Linux, Red Hat Directory Server 8.0 used
insecure permissions on the redhat-idm-console startup script. Local users
could modify this script and run arbitrary code with the privileges of the
user running Red Hat Management Console (CVE-2008-0889).

Red Hat would like to thank Doncho N. Gunchev for reporting this issue.

All redhat-idm-console users are advised to update to these erratum
packages which contain a fix to correct this issue.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

Red Hat Directory Server v8 EL4

SRPMS:
redhat-idm-console-1.0.0-22.el4idm.src.rpm File outdated by: RHEA-2009:0455	`1e68994fc7b61122982b6127bb6aa884`
redhat-idm-console-1.0.0-22.el4idm.src.rpm File outdated by: RHEA-2009:0455	`1e68994fc7b61122982b6127bb6aa884`

IA-32:
redhat-idm-console-1.0.0-22.el4idm.i386.rpm File outdated by: RHEA-2009:0455	`e8cc0ab887afbe2064d28980c634f0ec`
redhat-idm-console-1.0.0-22.el4idm.i386.rpm File outdated by: RHEA-2009:0455	`e8cc0ab887afbe2064d28980c634f0ec`

x86_64:
redhat-idm-console-1.0.0-22.el4idm.x86_64.rpm File outdated by: RHEA-2009:0455	`a02d4d024b720c634e51fbc5c3cf344b`
redhat-idm-console-1.0.0-22.el4idm.x86_64.rpm File outdated by: RHEA-2009:0455	`a02d4d024b720c634e51fbc5c3cf344b`

Red Hat Directory Server v8 EL5

SRPMS:
redhat-idm-console-1.0.0-17.el5idm.src.rpm File outdated by: RHEA-2009:0455	`391cd74a09fb9b2d0d504167bec4c529`

IA-32:
redhat-idm-console-1.0.0-17.el5idm.i386.rpm File outdated by: RHEA-2009:0455	`d8d4da1d72694de4f184040a5d877479`

x86_64:
redhat-idm-console-1.0.0-17.el5idm.x86_64.rpm File outdated by: RHEA-2009:0455	`8f005a17ff8faea7f31748391d1b68e1`

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

436107 - CVE-2008-0889 directory server: insecure permissions on fedora/redhat-idm-console

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0889
http://www.redhat.com/security/updates/classification/#important

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/