Progeny Security Advisory: Local root vulnerability in sendfiled

Apr 20, 2001, 21:30

From: Progeny Security Team <security@progeny.com>
Subject: PROGENY-SA-2001-08: Local root vulnerability in sendfiled
Date: Fri, 20 Apr 2001 13:11:35 -0500 (EST)

PROGENY LINUX SYSTEMS -- SECURITY ADVISORY               PROGENY-SA-2001-08

    Topic:          Local root vulnerability in sendfiled
    Software:       sendfile
    Announced:      2001-04-19
    Credits:        Colin Phipps <cphipps@doomworld.com>
                    Daniel Kobras
                    Ulli Horlacher <framstag@rus.uni-stuttgart.de>
                    Martin Schulze <joey@infodrom.north.de>
    Affects:        Progeny Debian (sendfile prior to 2.1-24)
                    Debian GNU/Linux potato (sendfile prior to 2.1-20.2)
                    Debian GNU/Linux woody/sid (sendfile prior to 2.1-24)
    Vendor-Status:  New Version Released (sendfile 2.1-24)
    Corrected:      2001-04-20
    Progeny Only:   NO

    $Id: PROGENY-SA-2001-08,v 1.2 2001/04/20 18:05:01 jgoerzen Exp $

DESCRIPTION

Local users on a system may be able to exploit security flaws in sendfiled to obtain root privileges.

SOLUTION (See also: UPDATING VIA APT-GET)

Upgrade to a fixed version of sendfile. sendfile version 2.1-24 corrects the problem. For your convenience, you may upgrade to the sendfile_2.1-24 package.

WORKAROUND

sendfile may not be a vital system utility in every installation. If you prefer, you can remove rather than upgrade sendfile. To remove it, use this command:

    dpkg --remove sendfile

UPDATING VIA APT-GET

    deb http://archive.progeny.com/progeny updates/newton/

2. Update your cache of available packages for apt(8).

   Example:

    # apt-get update

3. Using apt(8), install the new package. apt(8) will download the update, verify its integrity with md5, and then install the package on your system with dpkg(8).

   Example:

    # apt-get install sendfile

UPDATING VIA DPKG

    http://archive.progeny.com/progeny/updates/newton/

    MD5 Checksum                       Filename
    903eef59cc9253d6d732326eafe9c307   sendfile_2.1-24_i386.deb

   Example:

    # wget \
      http://archive.progeny.com/progeny/updates/newton/sendfile_2.1-24_i386.deb

2. Use the md5sum command on the retrieved files to verify that they match the md5sum provided in this advisory:

   Example:

    # md5sum sendfile_2.1-24_i386.deb

3. Then install the replacement package(s) using the dpkg command.

   Example:

    # dpkg --install sendfile_2.1-24_i386.deb

MORE INFORMATION

This issue was first documented at bug #74068 in the Debian GNU/Linux bug tracking system. Information on this bug report is available at http://bugs.debian.org/76048.

Progeny advisories can be found at http://www.progeny.com/security/.

pub 1024D/F92D4D1F 2001-04-04 Progeny Security Team <security@progeny.com>