Conectiva Linux Security Announcement - rp-pppoe

Dec 12, 2000, 23:36

Date: Tue, 12 Dec 2000 15:42:31 -0200
From: secure@CONECTIVA.COM.BR
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: [CLA-2000:357] Conectiva Linux Security Announcement - rp-pppoe


CONECTIVA LINUX SECURITY ANNOUNCEMENT

PACKAGE   : rp-pppoe
SUMMARY   : Denial of service
DATE      : 2000-12-12 15:41:00
ID        : CLA-2000:357
RELEVANT
RELEASES  : 6.0

DESCRIPTION
rp-pppoe is a userspace PPPoE client mainly used with ADSL connections which require PPP.
The version distributed with Conectiva Linux 6.0 has a security problem which, if exploited, would cause the connection to be dropped.
If rp-pppoe receives a crafted TCP segment containing an option whose option-length field is zero (which is illegal), the program enters an infinite loop, and the connection times out and is dropped.

SOLUTION
All rp-pppoe users should upgrade.

We would like to thank David F. Skoll for releasing a new version and Robert Schlabbach for reporting the vulnerability to him.

DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/rp-pppoe-2.5-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/rp-pppoe-2.5-1cl.i386.rpm

ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform upgrades:
- add the following line to /etc/apt/sources.list if it is not there yet (you may also use linuxconf to do this):

rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

 - run:                 apt-get update
 - after that, execute: apt-get upgrade
Detailed instructions regarding the use of apt and upgrade examples can be found at
http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

All packages are signed with Conectiva's GPG key. The key can be obtained at http://www.conectiva.com.br/contato
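
The zero-length TCP option described in the advisory is a classic parser failure: a loop that advances by the option's own length field never moves forward when that field is 0. The following is an added example, not rp-pppoe's code and not part of the Conectiva advisory; the function name, the MSS extraction and the sample byte arrays are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

enum { TCPOPT_EOL = 0, TCPOPT_NOP = 1, TCPOPT_MSS = 2 };

/* Constructed sample option areas (not captured traffic). */
static const uint8_t ok_opts[]       = {2, 4, 0x05, 0xb4, 1, 1, 0}; /* MSS 1460 */
static const uint8_t zero_len_opts[] = {1, 2, 0, 0x05, 0xb4};       /* length 0 */
static const uint8_t short_opts[]    = {2, 4, 0x05};                /* runs past end */

/* Walk the option bytes after the fixed 20-byte TCP header. Returns the MSS
 * if an MSS option is present, 0 if none, -1 if the list is malformed. */
int tcp_options_mss(const uint8_t *opt, size_t len)
{
    int mss = 0;
    size_t i = 0;

    while (i < len) {
        uint8_t kind = opt[i];
        if (kind == TCPOPT_EOL)
            break;                  /* end of option list */
        if (kind == TCPOPT_NOP) {
            i++;                    /* single-byte padding option */
            continue;
        }
        if (len - i < 2)
            return -1;              /* no room for the length byte */
        uint8_t olen = opt[i + 1];  /* counts kind + length + data bytes */
        /* A length below 2 is illegal. Without this check, olen == 0 makes
         * "i += olen" a no-op and the loop never terminates. */
        if (olen < 2 || olen > len - i)
            return -1;
        if (kind == TCPOPT_MSS) {
            if (olen != 4)
                return -1;
            mss = (opt[i + 2] << 8) | opt[i + 3];
        }
        i += olen;                  /* always advances by at least 2 */
    }
    return mss;
}

int main(void)
{
    /* Exit 0 only if all three constructed samples parse as expected. */
    return !(tcp_options_mss(ok_opts, sizeof ok_opts) == 1460 &&
             tcp_options_mss(zero_len_opts, sizeof zero_len_opts) == -1 &&
             tcp_options_mss(short_opts, sizeof short_opts) == -1);
}
```

The same two bounds checks (length at least 2, length no larger than the bytes remaining) apply to any type-length-value walker that handles untrusted packets.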