Linux Today: Linux News On Internet Time.

Gentoo Linux Advisories: net-ftp/proftpd, media-video/mplayer

Sep 29, 2003, 19:51

GENTOO LINUX SECURITY ANNOUNCEMENT 200309-16
PACKAGE : net-ftp/proftpd
SUMMARY : ASCII File Remote Compromise Vulnerability
DATE : 2003-09-28 00:37 UTC
EXPLOIT : remote
VERSIONS AFFECTED : <proftpd-1.2.9_rc2
FIXED VERSION : =proftpd-1.2.9_rc2
GENTOO BUG ID : 29452
CVE : none that we are aware of at this time

SUMMARY:

ISS X-Force discovered a vulnerability that could be triggered when a specially crafted file is uploaded to a proftpd server.

Read the full advisory at:
http://www.proftpd.org/

SOLUTION:

It is recommended that all Gentoo Linux users who are running net-ftp/proftpd upgrade to proftpd-1.2.9_rc2 as follows:

emerge sync
emerge '>=net-ftp/proftpd-1.2.9_rc2'
emerge clean


solar@gentoo.org
aliz@gentoo.org - GnuPG key is available at http://dev.gentoo.org/~aliz

GENTOO LINUX SECURITY ANNOUNCEMENT 200309-15
PACKAGE : media-video/mplayer
SUMMARY : Buffer Overflow Vulnerability
DATE : 2003-09-27 21:37 UTC
EXPLOIT : remote
VERSIONS AFFECTED : <=mplayer-0.91 =mplayer-1.0_pre1
FIXED VERSION : =mplayer-0.92 =mplayer-1.0_pre1-r1
GENTOO BUG ID : 29640
CVE : none that we are aware of at this time

SUMMARY:
A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header.

Read the full advisory at:
http://www.mplayerhq.hu/homepage/design6/news.html

SOLUTION:

It is recommended that all Gentoo Linux users who are running media-video/mplayer upgrade to mplayer-0.92 as follows:

emerge sync
emerge =media-video/mplayer-0.92
emerge clean

Additionally, PaX users might want to run /sbin/chpax -m /usr/bin/mplayer


solar@gentoo.org
aliz@gentoo.org - GnuPG key is available at http://dev.gentoo.org/~aliz
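
To check an installed version against the VERSIONS AFFECTED lines of the two advisories above, the following added example (not part of the advisories or of Portage) compares versions in Gentoo order. It is a simplified comparison that assumes versions consist only of dotted numbers, an optional _alpha/_beta/_pre/_rc/_p suffix and an optional -rN revision; the names version_key and is_affected are hypothetical.

```python
import operator
import re

# Gentoo suffix ordering: _alpha < _beta < _pre < _rc < (no suffix) < _p
SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "": 0, "p": 1}
VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)(?:_(alpha|beta|pre|rc|p)(\d*))?(?:-r(\d+))?$"
)
OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq}

# Affected ranges copied from the two advisories above.
AFFECTED = {
    "net-ftp/proftpd": [("<", "1.2.9_rc2")],
    "media-video/mplayer": [("<=", "0.91"), ("=", "1.0_pre1")],
}


def version_key(version):
    """Map a version string to a tuple that sorts in Gentoo order."""
    m = VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"unsupported version string: {version!r}")
    nums, suffix, suffix_num, rev = m.groups()
    return (
        tuple(int(n) for n in nums.split(".")),
        SUFFIX_RANK[suffix or ""],
        int(suffix_num or 0),
        int(rev or 0),
    )


def is_affected(package, installed):
    """True if the installed version matches any affected range."""
    key = version_key(installed)
    return any(OPS[op](key, version_key(bound)) for op, bound in AFFECTED[package])


if __name__ == "__main__":
    # Constructed sample inventory, not taken from a real host.
    inventory = [
        ("net-ftp/proftpd", "1.2.8"),
        ("net-ftp/proftpd", "1.2.9_rc2"),
        ("media-video/mplayer", "1.0_pre1"),
        ("media-video/mplayer", "1.0_pre1-r1"),
    ]
    for package, version in inventory:
        state = "AFFECTED" if is_affected(package, version) else "ok"
        print(f"{package}-{version}: {state}")
```

The "=" operator compares the revision as well, which is why mplayer-1.0_pre1 is reported as affected while the fixed mplayer-1.0_pre1-r1 is not.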