Debian Security Advisory: remote cfingerd exploit
Apr 19, 2001, 03:46
Date: Thu, 19 Apr 2001 03:02:24 +0200
From: Wichert Akkerman <firstname.lastname@example.org>
Subject: [SECURITY] [DSA-048-1] remote cfingerd exploit
Debian Security Advisory DSA-048-1 email@example.com
http://www.debian.org/security/ Wichert Akkerman
April 19, 2001
Package : cfingerd
Megyer Laszlo reported on Bugtraq that cfingerd, as distributed with Debian GNU/Linux 2.2, was not careful in its logging code. By combining this with an off-by-one error in the code that copied the username from an ident response, cfingerd could be exploited by a remote user. Since cfingerd does not drop its root privileges until after it has determined which user to finger, an attacker can gain root privileges.
This has been fixed in version 1.4.1-1.1, and we recommend that you upgrade your cfingerd package immediately.
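The off-by-one class of error described above, shown as an added example that is not cfingerd's source and not part of the original advisory: a username taken from an ident reply is copied into a fixed buffer, first with the terminator written one byte too far, then with the bound corrected. The buffer size, function names and sample reply are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define USERLEN 8   /* hypothetical buffer size, not cfingerd's */

/* User-id field of an RFC 1413 reply "ports : USERID : opsys : user", or NULL. */
static const char *ident_user(const char *resp) {
    const char *p = strstr(resp, "USERID");
    if (!p || !(p = strchr(p, ':')) || !(p = strchr(p + 1, ':')))
        return NULL;
    for (p++; *p == ' '; p++) { }       /* skip padding before the name */
    return p;
}

/* BEFORE: the copy loop is bounded, but the terminator is not. */
static void copy_user_buggy(char *dst, size_t size, const char *src) {
    size_t n;
    for (n = 0; n < size && src[n] && src[n] != '\r' && src[n] != '\n'; n++)
        dst[n] = src[n];
    dst[n] = '\0';                      /* n == size: one byte past dst */
}

/* AFTER: reserve room for the NUL and reject names that do not fit. */
static int copy_user_fixed(char *dst, size_t size, const char *src) {
    size_t n = strcspn(src, "\r\n");
    if (n >= size) return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Copy into USERLEN bytes backed by USERLEN + 1; the extra byte is a canary
 * standing in for neighbouring memory. Returns the canary afterwards. */
static char canary_after(int fixed, const char *resp) {
    char backing[USERLEN + 1];
    const char *user = ident_user(resp);
    memset(backing, 'C', sizeof backing);
    if (user && fixed)
        copy_user_fixed(backing, USERLEN, user);
    else if (user)
        copy_user_buggy(backing, USERLEN, user);
    return backing[USERLEN];
}

int main(void) {
    const char *resp = "6193, 23 : USERID : UNIX : averylongname\r\n"; /* constructed */
    printf("before: canary=%d, after: canary=%d\n",
           canary_after(0, resp), canary_after(1, resp));
    return 0;
}
```

A name of exactly USERLEN characters is enough to trigger the stray write in the "before" version, which is why the corrected check is `n >= size` rather than `n > size`.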
will fetch the file for you
will install the referenced file.
Debian GNU/Linux 2.2 alias potato
Potato was released for alpha, arm, i386, m68k, powerpc and sparc.
These packages will be moved into the stable distribution on its next revision.
For not yet released architectures please refer to the appropriate directory: ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .
apt-get: deb http://security.debian.org/ stable/updates main
dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: firstname.lastname@example.org