dcsimg
Linux Today: Linux News On Internet Time.





More on LinuxToday


Mandrake Linux Advisories: ethereal, gzip

Jun 17, 2003, 12:18 (0 Talkback[s])

Mandrake Linux Security Update Advisory


Package name: ethereal
Advisory ID: MDKSA-2003:067
Date: June 16th, 2003
Affected versions: 9.1

Problem Description:

Several vulnerabilities in ethereal were discovered by Timo Sirainen. Integer overflows were found in the Mount and PPP dissectors, as well as one-byte buffer overflows in the AIM, GIOP Gryphon, OSPF, PPTP, Quake, Quake2, Quake3, Rsync, SMB, SMPP, and TSP dissectors. These vulnerabilties were corrected in ethereal 0.9.12.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0356
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0357
http://www.ethereal.com/appnotes/enpa-sa-00009.html


Updated Packages:

Mandrake Linux 9.1:
d039c495347d612fce4685ee3bec4d87 9.1/RPMS/ethereal-0.9.12-1.2mdk.i586.rpm
5873c050db02b2bf0f914299553d059b 9.1/SRPMS/ethereal-0.9.12-1.2mdk.src.rpm

Mandrake Linux 9.1/PPC:
87bf6388f0299a419726362742499be7 ppc/9.1/RPMS/ethereal-0.9.12-1.2mdk.ppc.rpm
5873c050db02b2bf0f914299553d059b ppc/9.1/SRPMS/ethereal-0.9.12-1.2mdk.src.rpm


Bug IDs fixed (see https://qa.mandrakesoft.com for more information):


To upgrade automatically, use MandrakeUpdate. The verification of md5 checksums and GPG signatures is performed automatically for you.

If you want to upgrade manually, download the updated package from one of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm". A list of FTP mirrors can be obtained from:

http://www.mandrakesecure.net/en/ftp.php

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

rpm --checksig <filename>

All packages are signed by MandrakeSoft for security. You can obtain the GPG public key of the Mandrake Linux Security Team from:

https://www.mandrakesecure.net/RPM-GPG-KEYS

Please be aware that sometimes it takes the mirrors a few hours to update.

You can view other update advisories for Mandrake Linux at:

http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that anyone can subscribe to. Information on these lists can be obtained by visiting:

http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

security_linux-mandrake.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
<security linux-mandrake.com>

Mandrake Linux Security Update Advisory


Package name: gzip
Advisory ID: MDKSA-2003:068
Date: June 16th, 2003
Affected versions: 8.2, 9.0, 9.1, Corporate Server 2.1, Multi Network Firewall 8.2

Problem Description:

A vulnerability exists in znew, a script included with gzip, that would create temporary files without taking precautions to avoid a symlink attack. Patches have been applied to make use of mktemp to generate unique filenames, and properly make use of noclobber in the script. Likewise, a fix for gzexe which had been applied previously was incomplete. It has been fixed to make full use of mktemp everywhere a temporary file is created.

The znew problem was initially reported by Michal Zalewski and was again reported more recently to Debian by Paul Szabo.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1332
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0367
http://marc.theaimsgroup.com/?l=bugtraq&m=88998519803911&w=2
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=193375


Updated Packages:

Corporate Server 2.1:
3e7bff9e74dfacdb5708fdf60b8f18c6 corporate/2.1/RPMS/gzip-1.2.4a-11.2mdk.i586.rpm
ddf940b835e0718d80840694b65067bc corporate/2.1/SRPMS/gzip-1.2.4a-11.2mdk.src.rpm

Mandrake Linux 8.2:
e114d1ff62fe8456d945a11d91362855 8.2/RPMS/gzip-1.2.4a-11.2mdk.i586.rpm
ddf940b835e0718d80840694b65067bc 8.2/SRPMS/gzip-1.2.4a-11.2mdk.src.rpm

Mandrake Linux 8.2/PPC:
0d290a3f2a22396bcc5a6fc7c77aaeaa ppc/8.2/RPMS/gzip-1.2.4a-11.2mdk.ppc.rpm
ddf940b835e0718d80840694b65067bc ppc/8.2/SRPMS/gzip-1.2.4a-11.2mdk.src.rpm

Mandrake Linux 9.0:
3e7bff9e74dfacdb5708fdf60b8f18c6 9.0/RPMS/gzip-1.2.4a-11.2mdk.i586.rpm
ddf940b835e0718d80840694b65067bc 9.0/SRPMS/gzip-1.2.4a-11.2mdk.src.rpm

Mandrake Linux 9.1:
fe732815834057c64e3c4e311ee9462d 9.1/RPMS/gzip-1.2.4a-11.2mdk.i586.rpm
ddf940b835e0718d80840694b65067bc 9.1/SRPMS/gzip-1.2.4a-11.2mdk.src.rpm

Mandrake Linux 9.1/PPC:
c4947b2e7a4de6f2e72c038e953a402f ppc/9.1/RPMS/gzip-1.2.4a-11.2mdk.ppc.rpm
ddf940b835e0718d80840694b65067bc ppc/9.1/SRPMS/gzip-1.2.4a-11.2mdk.src.rpm

Multi Network Firewall 8.2:
e114d1ff62fe8456d945a11d91362855 mnf8.2/RPMS/gzip-1.2.4a-11.2mdk.i586.rpm
ddf940b835e0718d80840694b65067bc mnf8.2/SRPMS/gzip-1.2.4a-11.2mdk.src.rpm


Bug IDs fixed (see https://qa.mandrakesoft.com for more information):


To upgrade automatically, use MandrakeUpdate. The verification of md5 checksums and GPG signatures is performed automatically for you.

If you want to upgrade manually, download the updated package from one of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm". A list of FTP mirrors can be obtained from:

http://www.mandrakesecure.net/en/ftp.php

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

rpm --checksig <filename>

All packages are signed by MandrakeSoft for security. You can obtain the GPG public key of the Mandrake Linux Security Team from:

https://www.mandrakesecure.net/RPM-GPG-KEYS

Please be aware that sometimes it takes the mirrors a few hours to update.

You can view other update advisories for Mandrake Linux at:

http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that anyone can subscribe to. Information on these lists can be obtained by visiting:

http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

security_linux-mandrake.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
<security linux-mandrake.com>