SOT Linux Advisories: wu-ftpd, fileutils

Oct 28, 2003, 23:25

SOT Linux Security Advisory

Subject: Updated wu-ftpd package for SOT Linux 2003
Advisory ID: SLSA-2003:48
Date: Tuesday, October 28, 2003
Product: SOT Linux 2003

1. Problem description

The wu-ftpd package contains the wu-ftpd FTP (File Transfer Protocol) server daemon.

A stack buffer overflow may allow remote attackers to gain root privileges and execute arbitrary code on a vulnerable system.

All users of wu-ftpd are strongly advised to upgrade to this erratum package, which contains a security patch and is not vulnerable to this issue.

2. Updated packages

SOT Linux 2003 Server:

i386:
ftp://ftp.sot.com/updates/2003/Server/i386/wu-ftpd-2.8.0-2.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2003/Server/SRPMS/wu-ftpd-2.8.0-2.src.rpm

3. Upgrading package

Before applying this update, make sure all previously released errata relevant to your system have been applied. Use up2date to automatically upgrade the fixed packages.

If you want to upgrade manually, download the updated package from the SOT Linux FTP site (use the links above) or from one of our mirrors. The list of mirrors can be obtained at www.sot.com/en/linux.

Update the package with the following command: rpm -Uvh <filename>

4. Verification

All packages are PGP signed by SOT for security.

You can verify each package with the following command: rpm --checksig <filename>

If you wish to verify the integrity of the downloaded package, run "md5sum <filename>" and compare the output with data given below.

Package Name                             MD5 sum

/Server/i386/wu-ftpd-2.8.0-2.i386.rpm    dd443bfa3cea5b34c7c0af84b66eb7ff
/Server/SRPMS/wu-ftpd-2.8.0-2.src.rpm    ffb63467e19e320811f504d565ead8a2

5. References

http://www.securitylab.ru/40947.html

Copyright(c) 2001-2003 SOT


SOT Linux Security Advisory

Subject: Updated fileutils package for SOT Linux 2003
Advisory ID: SLSA-2003:49
Date: Tuesday, October 28, 2003
Product: SOT Linux 2003

1. Problem description

The fileutils package contains several basic system utilities. One of these utilities is the "ls" program, used to list information about files and directories.
Georgi Guninski discovered[1] a memory starvation denial of service vulnerability in the ls program. It is possible to make ls allocate a huge amount of memory by calling it with the parameters "-w X -C" (where X is an arbitrarily large number). This vulnerability is remotely exploitable in scenarios where remote applications allow a user to call ls without filtering the supplied parameters. An example of such a scenario is the use of the wu-ftpd FTP server.
The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2003-0854[2] to this issue. Additionally, this update fixes an integer overflow in ls which appears not to be exploitable. The overflow occurs in the handling of the "-w" parameter under the same circumstances as the memory starvation vulnerability described above. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2003-0853[3] to this issue.

2. Updated packages

SOT Linux 2003 Desktop:

i386:
ftp://ftp.sot.com/updates/2003/Desktop/i386/fileutils-4.1-8.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2003/Desktop/SRPMS/fileutils-4.1-8.src.rpm

SOT Linux 2003 Server:

i386:
ftp://ftp.sot.com/updates/2003/Server/i386/fileutils-4.1-8.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2003/Server/SRPMS/fileutils-4.1-8.src.rpm

3. Upgrading package

Before applying this update, make sure all previously released errata relevant to your system have been applied. Use up2date to automatically upgrade the fixed packages.

If you want to upgrade manually, download the updated package from the SOT Linux FTP site (use the links above) or from one of our mirrors. The list of mirrors can be obtained at www.sot.com/en/linux.

Update the package with the following command: rpm -Uvh <filename>

4. Verification

All packages are PGP signed by SOT for security.

You can verify each package with the following command: rpm --checksig <filename>

If you wish to verify the integrity of the downloaded package, run "md5sum <filename>" and compare the output with data given below.

Package Name                             MD5 sum

/Desktop/i386/fileutils-4.1-8.i386.rpm   473d747e3f2f397ebac2f977c4625e90
/Desktop/SRPMS/fileutils-4.1-8.src.rpm   4f7b8e7e84e1fc23af6a9798c68903da
/Server/i386/fileutils-4.1-8.i386.rpm    473d747e3f2f397ebac2f977c4625e90
/Server/SRPMS/fileutils-4.1-8.src.rpm    4f7b8e7e84e1fc23af6a9798c68903da
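The manual md5sum comparison described in the Verification sections of both advisories, as an added script that is not part of the SOT advisories: it reads the "Package Name / MD5 sum" table as a manifest, checks every listed file under a local mirror directory, and fails if any package is missing or does not match. It assumes GNU md5sum is available and that the packages were downloaded into a directory that mirrors the /Desktop and /Server layout above; the MD5 check only guards against corrupted downloads, so rpm --checksig against the SOT PGP key remains the authoritative check.

```shell
#!/bin/sh
# Added example (not SOT's own tooling): verify downloaded packages against
# the MD5 table printed in the advisory.
# Assumptions: manifest lines are "<path> <md5>" exactly as printed in the
# advisory, paths are relative to a local mirror directory, GNU md5sum exists.

# Manifest copied from the fileutils advisory table (constructed input).
FILEUTILS_MANIFEST='/Desktop/i386/fileutils-4.1-8.i386.rpm 473d747e3f2f397ebac2f977c4625e90
/Desktop/SRPMS/fileutils-4.1-8.src.rpm 4f7b8e7e84e1fc23af6a9798c68903da
/Server/i386/fileutils-4.1-8.i386.rpm 473d747e3f2f397ebac2f977c4625e90
/Server/SRPMS/fileutils-4.1-8.src.rpm 4f7b8e7e84e1fc23af6a9798c68903da'

# verify_manifest <mirror_dir> <manifest_text>
# Prints one OK / FAILED / MISSING line per entry. Returns 0 only when every
# listed package exists and its MD5 matches; any mismatch or absence returns 1.
verify_manifest() {
    base=$1
    manifest=$2
    rc=0
    # A here-document (not a pipe) keeps the loop in the current shell so rc survives.
    while read -r path expected; do
        [ -z "$path" ] && continue
        file="$base$path"
        if [ ! -f "$file" ]; then
            echo "MISSING $path"
            rc=1
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK      $path"
        else
            echo "FAILED  $path (expected $expected, got $actual)"
            rc=1
        fi
    done <<EOF
$manifest
EOF
    return $rc
}

# Usage: ./verify.sh /path/to/local/mirror
if [ $# -gt 0 ]; then
    verify_manifest "$1" "$FILEUTILS_MANIFEST"
fi
```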

5. References

http://www.guninski.com/binls.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0854
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0853

Copyright(c) 2001-2003 SOT