Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections: Developer - High Performance - Infrastructure - IT Management - Security - Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs

Partner Sites
JustLinux.com
Linux Planet
PHPBuilder
Technology Jobs

Top White Papers

Current Newswire:

More on LinuxToday

Applications Management Engineer Sr (NYC)
Next Step Systems
US-NY-New York

Justtechjobs.com Post A Job | Post A Resume

Conectiva Linux Announcement: ethereal

Apr 25, 2002, 18:51 (0 Talkback[s]) 

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------------

PACKAGE   : ethereal
SUMMARY   : Packet handling vulnerabilities
DATE      : 2002-04-25 14:21:00
ID        : CLA-2002:474
RELEVANT
RELEASES  : 5.0, 5.1, 6.0, 7.0

- -------------------------------------------------------------------------

DESCRIPTION
 Ethereal is a powerful network traffic analyzer with an intuitive
 interface.
 
 This update addresses two vulnerabilities stated in ethereal's home
 page:
 
 1.SNMP and LDAP string handling[1]
 The PROTOS[2] test suite developed by the Oulu University Secure
 Programming Group found some flaws in SNMP and LDAP protocols support
 in ethereal. It may be possible to crash or execute arbitrary code in
 the ethereal's context (ethereal is usually run by root) by injecting
 crafted packets in the network or convincing someone to open a trace
 file with such packets.
 
 2.ASN.1 zero-length g_malloc[3]
 Due to improper string parsing in ASN.1 routines, it is possible to
 crash ethereal by inserting malformed packets in the wire or by
 opening a trace file with such packets inside. SNMP, LDAP, COPS and
 Kerberos parsers use the ASN routines to handle traffic.
 
 There's also a third vulnerability reported in ethereal's home page
 related to zlib's double free bug, which have been addressed already
 by our zlib's advisory[4] some time ago.


SOLUTION
 All ethereal users should do the upgrade.

 REFERENCES:
 1.http://www.ethereal.com/appnotes/enpa-sa-00001.html
 2.http://www.ee.oulu.fi/research/ouspg/protos
 3.http://www.ethereal.com/appnotes/enpa-sa-00003.html
 4.http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000469&idioma=en


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/5.0/i386/ethereal-0.9.3-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/ethereal-0.9.3-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/ethereal-0.9.3-1U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/ethereal-0.9.3-1U51_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/ethereal-0.9.3-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/ethereal-0.9.3-1U60_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/ethereal-0.9.3-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/ethereal-0.9.3-1U70_1cl.src.rpm


ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform 
 upgrades of RPM packages:
 - add the following line to /etc/apt/sources.list if it is not there yet
   (you may also use linuxconf to do this):

 rpm [cncbr] ftp://atualizacoes.conectiva.com.br/6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions reagarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------