-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
                Caldera Systems, Inc.  Security Advisory

Subject:                several problems in xemacs
Advisory number:        CSSA-2000-011.0
Issue date:             2000 May, 18
Cross reference:
______________________________________________________________________________


1. Problem Description

   Under some circumstances, users are able to snoop on other users'
   keystrokes. This is a serious problem if you use modules that
   require e.g. input of passwords, such as MailCrypt.

   Temporary files are created insecurely.

2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux Desktop 2.3        All packages previous to
                                xemacs-21.1.10-4

   OpenLinux eServer 2.3        All packages previous to
   and OpenLinux eBuilder       xemacs-21.1.10-4

   OpenLinux eDesktop 2.4       All packages previous to
                                xemacs-21.1.10-4

3. Solution

   Workaround:

   None.

   The proper solution is to upgrade to the fixed packages.

4. OpenLinux Desktop 2.3

   4.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderaystems.com/pub/updates/OpenLinux/2.3/current/SRPMS

   4.2 Verification

       2d2ae22fe27647ed7745f02a53cf0f72  RPMS/xemacs-base-21.1.10-4.i386.rpm
       41a2decd82536379e9402469d65a3f4e  RPMS/xemacs-emacs-link-21.1.10-4.i386.rpm
       54c0058ad71e61a3bd1c484af262366e  RPMS/xemacs-icons-21.1.10-4.i386.rpm
       ec19e0280324b8fe5defcdc3d33ef081  RPMS/xemacs-lispsource-21.1.10-4.i386.rpm
       9f86fb8bcb88d8c74049a56390a22b33  RPMS/xemacs-mule-21.1.10-4.i386.rpm
       13e350cf1c5153c7184d8913a1d85230  RPMS/xemacs-packages-21.1.10-4.i386.rpm
       b14202812d6b7fc64d036d0ad0047be7  SRPMS/xemacs-21.1.10-4.src.rpm

   4.3 Installing Fixed Packages

       First delete parts of the old xemacs packages:

         rpm -e xemacs-auctex
         rpm -e xemacs-calc
         rpm -e xemacs-emul
         rpm -e xemacs-mailnews
         rpm -e xemacs-modes
         rpm -e xemacs-sgmldocs
         rpm -e xemacs-www

       Upgrade the affected packages with the following commands:

         rpm -F --force --nodeps xemacs-*.i386.rpm

5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0

   5.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderaystems.com/pub/updates/eServer/2.3/current/SRPMS

   5.2 Verification

       aa00dacc5c309da3535a0288f1f114e8  RPMS/xemacs-base-21.1.10-4.i386.rpm
       ff552f8c3610d243d78c2d8608739d02  RPMS/xemacs-emacs-link-21.1.10-4.i386.rpm
       2fa3499e4b51f6305a0fae18f0124ca1  RPMS/xemacs-icons-21.1.10-4.i386.rpm
       aa4b05a5be8e429feeb69685964bd417  RPMS/xemacs-lispsource-21.1.10-4.i386.rpm
       ba9adfb1e749425b1a17566bd09816cb  RPMS/xemacs-mule-21.1.10-4.i386.rpm
       5786ba6bfed07f06164d4cb30089892c  RPMS/xemacs-packages-21.1.10-4.i386.rpm
       ee02cf1a63d9f754bfe219206725fe20  SRPMS/xemacs-21.1.10-4.src.rpm

   5.3 Installing Fixed Packages

       First delete parts of the old xemacs packages:

         rpm -e xemacs-auctex
         rpm -e xemacs-calc
         rpm -e xemacs-emul
         rpm -e xemacs-mailnews
         rpm -e xemacs-modes
         rpm -e xemacs-sgmldocs
         rpm -e xemacs-www

       Upgrade the affected packages with the following commands:

         rpm -F --force --nodeps xemacs-*.i386.rpm

6. OpenLinux eDesktop 2.4

   6.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderaystems.com/pub/updates/eDesktop/2.4/current/SRPMS

   6.2 Verification

       0597c7843fce75a95b6fe5362418bec4  RPMS/xemacs-base-21.1.10-4.i386.rpm
       1075f3f257212c2180c8aeee2e330339  RPMS/xemacs-emacs-link-21.1.10-4.i386.rpm
       cca7c5bbff10c8fd66a7b9524a8b4646  RPMS/xemacs-icons-21.1.10-4.i386.rpm
       9cf1566c157f0acfe243f99131c660a8  RPMS/xemacs-lispsource-21.1.10-4.i386.rpm
       253fb7d5aee0b25dad2d0cb2eef122be  RPMS/xemacs-mule-21.1.10-4.i386.rpm
       adb96e41b347b0e2998a9318884f85ad  RPMS/xemacs-packages-21.1.10-4.i386.rpm
       b2d86fa715c832b63604107ab1b5abbb  SRPMS/xemacs-21.1.10-4.src.rpm

   6.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -F xemacs-*.i386.rpm

7. References

   This and other Caldera security resources are located at:

   http://www.calderasystems.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 6061

8. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of the
   information we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera OpenLinux.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjklCkcACgkQ18sy83A/qfy58QCfZE91+owOyoCg1C2glqA2ypS5
o5UAnRy88LUk7RoSrFVbd2q54wXWy72+
=zP+x
-----END PGP SIGNATURE-----
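
The Verification lists in sections 4.2, 5.2 and 6.2 pair a 32-hex-digit digest with a package path. As an added example (not part of the Caldera advisory, and assuming the digests are `md5sum` output), this shell function checks downloaded files against such a list before the rpm step and fails on a missing file, a mismatch, or an empty list; the function name, file names and demo digests are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Caldera's code. MANIFEST holds "<md5> <path>" lines as in
# the advisory's Verification lists; DIR is where current/ was downloaded to.
verify_manifest() {
    manifest=$1 dir=$2 checked=0 failed=0
    while read -r want path || [ -n "$want" ]; do
        # Ignore anything that is not a 32-digit hex digest plus a path.
        case $want in ''|*[!0-9a-fA-F]*) continue ;; esac
        [ "${#want}" -eq 32 ] && [ -n "$path" ] || continue
        checked=$((checked + 1))
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING  $path"; failed=$((failed + 1)); continue
        fi
        got=$(md5sum < "$dir/$path" | cut -d' ' -f1)
        if [ "$got" = "$(printf '%s' "$want" | tr 'A-F' 'a-f')" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"; failed=$((failed + 1))
        fi
    done < "$manifest"
    # Nothing checked is a failure too: an empty list proves nothing.
    [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Constructed demo: a stand-in file and manifests built around its real digest.
demo=$(mktemp -d) || exit 1
trap 'rm -rf "$demo"' EXIT
mkdir "$demo/RPMS"
printf 'constructed stand-in for a package\n' > "$demo/RPMS/sample-1.0-1.i386.rpm"
sum=$(md5sum < "$demo/RPMS/sample-1.0-1.i386.rpm" | cut -d' ' -f1)
printf '%s  RPMS/sample-1.0-1.i386.rpm\n' "$sum" > "$demo/good.md5"
printf '%s  RPMS/sample-1.0-1.i386.rpm\n' "00000000000000000000000000000000" > "$demo/bad.md5"
printf '%s  RPMS/absent-1.0-1.i386.rpm\n' "$sum" > "$demo/missing.md5"

if verify_manifest "$demo/good.md5" "$demo"; then
    echo "all listed packages match; continue with the rpm upgrade step"
fi
```

Save the digest lines for your product from the advisory into a file and pass it with the download directory; run the `rpm` commands only when the function returns 0.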