openSUSE-SU-2010:0627-1 (low): rpm: Fix security problem where we miss to clear the SUID/SGID bits during package updates.
   openSUSE Security Update: rpm: Fix security problem where we miss to clear the SUID/SGID bits during package updates.
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2010:0627-1
Rating:             low
References:         #536256 #558475 #572280 #610941
Cross-References:   CVE-2010-2059
Affected Products:
                    openSUSE 11.2
______________________________________________________________________________

   An update that solves one vulnerability and has three fixes
   is now available.

Description:

   This update fixes the problem where RPM fails to clear the
   SUID/SGID bits of old files during package updates.
   (CVE-2010-2059)

   The following bugs were also fixed:

   - backport nosource/nopatch srpm tag generation fix
   - backport spurious tar message fix [bnc#558475]
   - do not use glibc for passwd/group lookups when --root is
     used [bnc#536256]
   - disable cpio md5 checking for repackaged rpms [bnc#572280]
   - fix endless loop when rpm database lock fails

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 11.2:

      zypper in -t patch rpm-2528

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 11.2 (i586 x86_64):

      rpm-4.7.1-6.8.1
      rpm-devel-4.7.1-6.8.1

   - openSUSE 11.2 (x86_64):

      rpm-32bit-4.7.1-6.8.1

References:

   http://support.novell.com/security/cve/CVE-2010-2059.html
   https://bugzilla.novell.com/536256
   https://bugzilla.novell.com/558475
   https://bugzilla.novell.com/572280
   https://bugzilla.novell.com/610941
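The behaviour the Description refers to, as an added sketch (not RPM's code and not part of the advisory): when an updater replaces a file, it strips the SUID/SGID bits from the old inode before moving the new file into place, so a copy of the old file that outlives the update (here, one a process still holds open) no longer carries them. The names clear_setid, install_file and demo and the sample file contents are assumptions made for this illustration.

```python
import errno
import os
import stat
import tempfile

SETID = stat.S_ISUID | stat.S_ISGID

def clear_setid(path):
    """Strip SUID/SGID from the regular file at path; True if bits were cleared."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # never follow a symlink
    except OSError as e:
        if e.errno not in (errno.ENOENT, errno.ELOOP):   # ELOOP: symlink (Linux)
            raise
        return False                                     # nothing to neutralise
    try:
        st = os.fstat(fd)                                # inspect the opened inode itself
        if not stat.S_ISREG(st.st_mode) or not st.st_mode & SETID:
            return False
        os.fchmod(fd, stat.S_IMODE(st.st_mode) & ~SETID)
        return True
    finally:
        os.close(fd)

def install_file(path, data, mode):
    """Replace path with data and mode, clearing set-id bits on the old inode first."""
    cleared = clear_setid(path)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()                      # write first: writing can drop set-id bits
            os.fchmod(f.fileno(), mode)
        os.replace(tmp, path)              # atomic switch to the new inode
    except BaseException:
        os.unlink(tmp)
        raise
    return cleared

def demo():
    """Constructed sample: update a set-uid file while the old inode is held open."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "helper")
        install_file(path, b"old build\n", 0o4755)
        old = os.open(path, os.O_RDONLY)   # keeps the old inode alive
        try:
            cleared = install_file(path, b"fixed build\n", 0o4755)
            old_mode = stat.S_IMODE(os.fstat(old).st_mode)
            new_mode = stat.S_IMODE(os.stat(path).st_mode)
        finally:
            os.close(old)
    return cleared, old_mode, new_mode
```

demo() returns whether bits were cleared, followed by the permission bits of the old inode and of the newly installed file.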