[ic] Recent vulnerability and Interchange RPMs

Jon Jensen interchange-users@icdevgroup.org
Fri Aug 16 16:56:00 2002


Interchange users,

It appears that the RPM packages of Interchange are not vulnerable to the
remote file read problem reported last week. The RPM build process has
always moved the man pages from the 'doc' directory into /usr/share/man
and then deleted the doc directory. Therefore, unauthorized attempts to
serve static files would fail. This has been the case for all
officially released Interchange RPM packages, from version 4.5.5 onward.

Also, since April 29, 2002, the RPM version of Interchange has started the
daemon in UNIX mode only by default, making any access attempts futile for
more recent RPM releases of Interchange in any case.

I discovered this while preparing an advisory for purchasers of the Red
Hat E-Commerce Suite, which uses a custom RPM version of Interchange and
thus is not vulnerable, and wanted to share it with the user community at
large.

Jon