openSUSE Security Update: rpm: Fix security problem where we fail to clear the SUID/SGID bits during package updates.
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2010:0428-1
Rating:             low
References:         #536256 #610941
Cross-References:   CVE-2010-2059
Affected Products:
                    openSUSE 11.0
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update fixes the problem where RPM fails to clear the SUID/SGID bits of old files during package updates. (CVE-2010-2059)

The following bug was also fixed:

- do not use glibc for passwd/group lookups when --root is used [bnc#536256]

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 11.0:

  zypper in -t patch popt-2527

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 11.0 (i586 ppc src x86_64):

  rpm-4.4.2-199.3

- openSUSE 11.0 (i586 ppc x86_64):

  popt-1.7-427.3
  popt-devel-1.7-427.3
  rpm-devel-4.4.2-199.3

- openSUSE 11.0 (x86_64):

  popt-32bit-1.7-427.3

- openSUSE 11.0 (ppc):

  popt-64bit-1.7-427.3

References:

http://support.novell.com/security/cve/CVE-2010-2059.html
https://bugzilla.novell.com/536256
https://bugzilla.novell.com/610941
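
A post-update audit for the issue described above, as an added example that is not part of the advisory: it lists SUID/SGID files under a directory and marks those that no installed RPM package owns, which is where a leftover privileged file from an older package version would stand out. The function names and output format are this example's own; `rpm -qf` is the only RPM call used.

```shell
#!/bin/sh
# Added example (not from the advisory): audit SUID/SGID files after updating
# and flag those that no installed RPM package owns.

# Print every regular file under directory $1 with the setuid or setgid bit.
# -xdev keeps the walk on a single filesystem.
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Print the package that owns file $1, or UNOWNED when the RPM database has
# no record of it (also the result when rpm itself is not installed).
owner_of() {
    if command -v rpm >/dev/null 2>&1 &&
       pkg=$(rpm -qf --qf '%{NAME}\n' "$1" 2>/dev/null); then
        printf '%s\n' "$pkg" | head -n 1
    else
        echo UNOWNED
    fi
}

# One line per file: owner<TAB>mode string and hard-link count<TAB>path.
audit_suid_sgid() {
    list_suid_sgid "$1" | while IFS= read -r f; do
        meta=$(ls -ld "$f" | awk '{print $1, $2}')
        printf '%s\t%s\t%s\n' "$(owner_of "$f")" "$meta" "$f"
    done
}

# Run as: sh audit.sh /usr   (with no argument only the functions are defined)
if [ -n "${1:-}" ]; then
    audit_suid_sgid "$1"
fi
```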