The Debian GNU/Linux xmcd package has historically installed two
setuid helpers for accessing cddb databases and SCSI cdrom drives.
More recently, the package offered the administrator the chance to
remove these setuid flags, but did so incorrectly.

A buffer overflow in ncurses, linked to the "cda" binary,
allowed a root exploit. Fixed ncurses packages have been released,
as well as fixed xmcd packages which do not install this binary
with a setuid flag.

The problem is fixed in xmcd 2.5pl1-7.1, and we recommend all
users with xmcd installed upgrade to this release. You may need to
add users of xmcd to the "audio" and "cdrom" groups in order for
them to continue using xmcd.
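
As an added example (not part of the original advisory or of the xmcd package), these shell functions check after the upgrade that given binaries no longer carry the setuid bit, and report which of the "audio" and "cdrom" groups a user still lacks. File paths and user names are supplied by the caller, because the advisory does not list install locations; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: post-upgrade audit for the xmcd setuid fix.
# No install paths are hard-coded; pass the files to check as arguments.

# Print every argument that is a regular file with the setuid bit set.
# Returns 0 when none are setuid, 1 when at least one is.
find_setuid() {
    rc=0
    for f in "$@"; do
        if [ -f "$f" ] && [ -u "$f" ]; then
            printf '%s\n' "$f"
            rc=1
        fi
    done
    return $rc
}

# Argument: a space-separated group list as printed by `id -nG`.
# Prints the groups named in the advisory that are absent from it.
# Whole-word matching, so "audiophile" does not count as "audio".
missing_groups() {
    have=" $1 "
    out=""
    for g in audio cdrom; do
        case "$have" in
            *" $g "*) ;;
            *) out="${out:+$out }$g" ;;
        esac
    done
    printf '%s\n' "$out"
}

# audit_user NAME: report which of the two groups the account lacks.
# Returns 2 when the account does not exist.
audit_user() {
    groups=$(id -nG "$1" 2>/dev/null) || { echo "$1: no such user"; return 2; }
    miss=$(missing_groups "$groups")
    [ -z "$miss" ] || echo "$1: not in $miss"
}
```

Call `find_setuid` with the paths your package manager lists for xmcd, and `audit_user` once per account that needs to keep using xmcd.
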

Debian GNU/Linux 2.1 alias slink

Slink is no longer being supported by the Debian Security Team.
We highly recommend an upgrade to the current stable release.

Debian GNU/Linux 2.2 (stable) alias potato

Fixes are currently available for the Alpha, ARM, Intel ia32,
Motorola 680x0, PowerPC and Sun SPARC architectures, and will be
included in 2.2r2.