BOSTON (01/27/2000) - Software maker Corel Corp. today confirmed it is battling a security hole in Corel Linux.
"There is, yes, a security hole," said Judith O'Brien, a spokesperson for Corel Linux.
The security hole applies only to Corel Update, a graphical user interface (GUI) that Corel has put on top of the Debian distribution of Corel Linux, according to O'Brien. The Debian distribution -- or version -- of Corel Linux is supported by a core of about 500 volunteer developers and is distinct from others for its emphasis on online updates. If a customer is using a version of Corel Linux that is strictly a Debian distribution, without the Corel Update GUI, the problem will not affect them, she said.
The hole lets users who have privileges to log on remotely to a server to replace the scripts running in Corel Update with scripts they created themselves, O'Brien said. However, users must have log-in privileges in order to take advantage of the bug, she said.
"It's not something that anybody can do," O'Brien said. "If you don't have an account, you can't do anything."
Corel was informed of the problem last week and will post a patch later today at http://linux.corel.com/, O'Brien said. Future versions of Corel Update will permit authorized users to substitute scripts, but the product will ship with that ability turned off as the default, she said.
Corel, in Ottawa, Canada, can be reached +1-613-728-8200 or at the Web at http://www.corel.com/.