[ic] Interchange 4.8.6 released

Mike Heins interchange-users@icdevgroup.org
Mon Aug 12 17:14:02 2002


ICDEVGROUP announces the release of Interchange 4.8.6 as of today,
August 12, 2002. Details are at

    http://www.icdevgroup.org/

and download is available at:

    http://www.icdevgroup.org/cgi-bin/ic/download.html

This is a mandatory update that solves a serious security problem
where an attacker can read arbitrary files on a system hosting
Interchange. Any files readable by the UID running Interchange
can be read, though they cannot be written.

If you cannot for some reason update immediately, please do
immediately implement the workaround described in this
message:
 
    http://www.icdevgroup.org/pipermail/interchange-users/2002-August/024350.html

It is as simple as removing or renaming the "doc" directory in your
Interchange or Minivend software root directory. If you are not running
in INET mode or you have firewalled any IC INET ports, you are not
vulnerable, but it would be wise to remove that directory anyway.

RPM and Debian installs should not be vulnerable, but you should check
for the existence of that directory anyway and remove it if it is
present.

Details about the changes made in this release of Interchange
can be found in the WHATSNEW:

    http://ftp.icdevgroup.org/interchange/WHATSNEW

-- 
Mike Heins
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
phone +1.513.523.7621      <mike@perusion.com>

Few blame themselves until they have exhausted all other possibilities.
 -- anonymous