Mon Aug 12 17:21:17 2002 ICDEVGROUP announces the release of Interchange 4.8.6 as of today, August 12, 2002. Details are at http://www.icdevgroup.org/ and download is available at: http://www.icdevgroup.org/cgi-bin/ic/download.html This is a mandatory update that solves a serious security problem where an attacker can read arbitrary files on a system hosting Interchange. Any files readable by the UID running Interchange can be read, though they cannot be written. If you cannot for some reason update immediately, please do immediately implemement the workaround described in this message: http://www.icdevgroup.org/pipermail/interchange-users/2002-August/024350.html It is as simple as removing or renaming the "doc" directory in your Interchange or Minivend software root directory. If you are not running in INET mode or you have firewalled any IC INET ports, you are not vulnerable, but it would be wise to remove that directory anyway. RPM and Debian installs should not be vulnerable, but you should check for the existence of that directory anyway and remove it if it is present. Details about the changes made in this release of Interchange can be found in the WHATSNEW: http://ftp.icdevgroup.org/interchange/WHATSNEW -- Mike Heins Perusion -- Expert Interchange Consulting http://www.perusion.com/ phone +1.513.523.7621