- -------------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - -------------------------------------------------------------------------- PACKAGE : fetchmail SUMMARY : Remote vulnerability DATE : 2002-12-16 18:38:00 ID : CLA-2002:554 RELEVANT RELEASES : 6.0, 7.0, 8 - ------------------------------------------------------------------------- DESCRIPTION Fetchmail is a popular mail retrieval and forwarding utility. Stefan Esser discovered[1] a buffer overflow vulnerability in fetchmail versions prior to 6.1.3 (inclusive) that can be exploited remotelly with the use of specially crafted mail messages. By exploiting this the attacker can crash fetchmail or execute arbitrary code with the privileges of the user running it. The updated packages listed in this announcement include a fix for this problem. SOLUTION All fetchmail users should upgrade. IMPORTANT: if fetchmail is running as a daemon, it will have to be restarted in order to run the new version. REFERENCES: 1.http://security.e-matters.de/advisories/052002.html UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/6.0/RPMS/fetchmail-5.9.12-1U60_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/fetchmailconf-5.9.12-1U60_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/fetchmail-doc-5.9.12-1U60_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/fetchmail-5.9.12-1U60_4cl.src.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/fetchmail-5.9.12-1U70_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/fetchmailconf-5.9.12-1U70_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/fetchmail-doc-5.9.12-1U70_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/fetchmail-5.9.12-1U70_4cl.src.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/fetchmail-5.9.12-1U80_3cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/fetchmailconf-5.9.12-1U80_3cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/fetchmail-doc-5.9.12-1U80_3cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/SRPMS/fetchmail-5.9.12-1U80_3cl.src.rpm ADDITIONAL INSTRUCTIONS Users of Conectiva Linux version 6.0 or higher may use apt to perform upgrades of RPM packages: - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en - ------------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en - ------------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en - -------------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - -------------------------------------------------------------------------- PACKAGE : kernel 2.4 SUMMARY : Local denial of service vulnerability DATE : 2002-12-16 17:41:00 ID : CLA-2002:553 RELEVANT RELEASES : 7.0, 8 - ------------------------------------------------------------------------- DESCRIPTION The Linux kernel is responsible for handling the basic functions of the Conectiva Linux operating system. Christophe Devine reported[1] a vulnerability in versions prior to 2.4.20 of the linux kernel that could be exploited by a local non-root user to completely "freeze" the machine. A local attacker could exploit this vulnerability to cause a Denial of Service (DoS) condition. This update fixes this problem. Please note that the updated kernel packages here listed are available in our update servers since November 20, 2002. SOLUTION All users should upgrade the kernel immediately. IMPORTANT: it is not possible to use apt to apply kernel updates. These packages have to be updated manually. Generic kernel update instructions can be found in our updates page[2]. Kernel 2.2 users in Conectiva Linux 6.0 and 7.0 are also vulnerable to this issue. It is recommended that these users upgrade to the latest (2.4) kernel, but updated packages for the 2.2 series are being prepared and will be released in a near future. REFERENCES: 1.http://online.securityfocus.com/archive/1/299687/2002-11-11/2002-11-17/0 2.http://distro.conectiva.com.br/atualizacoes/?idioma=en UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-2.4.12-4U70_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-2.4.12-4U70_4cl.i586.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-2.4.12-4U70_4cl.i686.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-BOOT-2.4.12-4U70_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-doc-2.4.12-4U70_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-enterprise-2.4.12-4U70_4cl.i686.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-headers-2.4.12-4U70_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-smp-2.4.12-4U70_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-smp-2.4.12-4U70_4cl.i586.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-smp-2.4.12-4U70_4cl.i686.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-source-2.4.12-4U70_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/kernel-2.4.12-4U70_4cl.src.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-2.4.19-1U80_5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-2.4.19-1U80_5cl.i586.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-2.4.19-1U80_5cl.i686.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-BOOT-2.4.19-1U80_5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-doc-2.4.19-1U80_5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-enterprise-2.4.19-1U80_5cl.i686.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-headers-2.4.19-1U80_5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-rbc-2.4.19-1U80_5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-smp-2.4.19-1U80_5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-smp-2.4.19-1U80_5cl.i586.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-smp-2.4.19-1U80_5cl.i686.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-source-2.4.19-1U80_5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/SRPMS/kernel-2.4.19-1U80_5cl.src.rpm ADDITIONAL INSTRUCTIONS Users of Conectiva Linux version 6.0 or higher may use apt to perform upgrades of RPM packages: - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en - ------------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en - ------------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en