Linux Today: Linux News On Internet Time.

SOT Linux Advisories: cups, ethereal

Nov 11, 2003, 14:52

SOT Linux Security Advisory

Subject: Updated cups package for SOT Linux 2003
Advisory ID: SLSA-2003:50
Date: Friday, November 7, 2003
Product: SOT Linux 2003

1. Problem description

The Common UNIX Printing System provides a portable printing layer for UNIX® operating systems.

The Internet Printing Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would get into a busy loop. This could result in a denial of service. In order to exploit this bug an attacker would need only the ability to make a TCP connection to the IPP port (by default 631). Updated packages that fix this issue are available for SOT Linux.
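The only precondition the advisory names for CAN-2003-0788 is a TCP connection to the IPP port, so while the update is pending the question is what cupsd is bound to. The script below is an added example, not part of the SOT advisory or of CUPS itself: it audits a 1.1.x cupsd.conf and flags Port and Listen directives that bind to anything other than loopback. The two sample configs it writes are constructed for the demo, and the temp-file paths are assumptions. Restricting Listen (or firewalling tcp/631) only limits who can trigger the busy loop; it does not replace the updated packages, and a print server that must accept remote jobs keeps its Listen and relies on the cupsd.conf Allow/Deny rules plus the fix.

```shell
#!/bin/sh
# Added example, not part of the SOT advisory or of CUPS: audit a cupsd.conf
# for IPP listeners that other hosts can reach. CAN-2003-0788 needs nothing
# more than a TCP connection to the IPP port, so until the fixed packages are
# installed the exposure is whatever cupsd binds to. Only the 1.1.x
# "Port N" (all interfaces) and "Listen addr:N" directives are inspected;
# the sample configs below are constructed for the demo and the temp paths
# are assumptions.

# find_exposed_listeners CONF: prints one line per Port/Listen directive and
# returns 0 if every listener is loopback-only, 1 if any is reachable from
# other hosts. Comments are stripped first; IPv6 bracket forms are not
# handled (CUPS 1.1 did not use them).
find_exposed_listeners() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' "$1" |
    awk '
        tolower($1) == "port" {
            # Port binds every interface
            print "EXPOSED  Port " $2 "  (binds every interface)"; found = 1
        }
        tolower($1) == "listen" {
            n = split($2, parts, ":")
            host = (n > 1) ? parts[1] : ""
            if (host == "" || host == "*" || host == "0.0.0.0") {
                print "EXPOSED  Listen " $2 "  (binds every interface)"; found = 1
            } else if (host == "127.0.0.1" || host == "localhost") {
                print "ok       Listen " $2 "  (loopback only)"
            } else {
                print "EXPOSED  Listen " $2 "  (reachable on " host ")"; found = 1
            }
        }
        END { if (found) exit 1; exit 0 }
    '
}

# Demo on two constructed configs (temp location is an assumption).
demo=$(mktemp -d)
cat > "$demo/cupsd.conf.weak" <<'EOF'
# constructed: shape of a stock 1.1.x config
Port 631
Listen *:631
EOF
cat > "$demo/cupsd.conf.hardened" <<'EOF'
# constructed: IPP only for local clients
Listen 127.0.0.1:631
EOF

for c in "$demo/cupsd.conf.weak" "$demo/cupsd.conf.hardened"; do
    echo "== $c"
    find_exposed_listeners "$c" ||
        echo "-> IPP reachable from the network: restrict Listen or firewall tcp/631 until cups is updated"
done
```

The function's exit status is awk's, so it can gate a deployment check directly; the printed lines are for the operator reading the audit.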

2. Updated packages

SOT Linux 2003 Desktop:

i386:
ftp://ftp.sot.com/updates/2003/Desktop/i386/cups-libs-1.1.20rc5-14.i386.rpm
ftp://ftp.sot.com/updates/2003/Desktop/i386/cups-1.1.20rc5-14.i386.rpm
ftp://ftp.sot.com/updates/2003/Desktop/i386/cups-devel-1.1.20rc5-14.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2003/Desktop/SRPMS/cups-1.1.20rc5-14.src.rpm

SOT Linux 2003 Server:

i386:
ftp://ftp.sot.com/updates/2003/Server/i386/cups-libs-1.1.20rc5-14.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2003/Server/SRPMS/cups-1.1.20rc5-14.src.rpm

3. Upgrading package

Before applying this update, make sure all previously released errata relevant to your system have been applied.

Use up2date to automatically upgrade the fixed packages.

If you want to upgrade manually, download the updated package from the SOT Linux FTP site (use the links above) or from one of our mirrors. The list of mirrors can be obtained at www.sot.com/en/linux.

Update the package with the following command: rpm -Uvh <filename>

4. Verification

All packages are PGP signed by SOT for security.

You can verify each package with the following command: rpm --checksig <filename>

If you wish to verify the integrity of the downloaded package, run "md5sum <filename>" and compare the output with the values given below.

Package Name                                      MD5 sum
/Desktop/i386/cups-1.1.20rc5-14.i386.rpm          da57844da8e4afee7b0d2b0a946bf745
/Desktop/i386/cups-libs-1.1.20rc5-14.i386.rpm     a767b375e57893f41fb9d9f38d9f5f31
/Desktop/i386/cups-devel-1.1.20rc5-14.i386.rpm    f5b59a0c6ad7d5c28d6a1c1028848250
/Desktop/SRPMS/cups-1.1.20rc5-14.src.rpm          21e5693748960d714f82e209da36c6c6
/Server/i386/cups-libs-1.1.20rc5-14.i386.rpm      a767b375e57893f41fb9d9f38d9f5f31
/Server/SRPMS/cups-1.1.20rc5-14.src.rpm           21e5693748960d714f82e209da36c6c6

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0788
http://www.cups.org/str.php?L315+P0+S0+C0+I0+E0+Q

Copyright(c) 2001-2003 SOT


SOT Linux Security Advisory

Subject: Updated ethereal package for SOT Linux 2003
Advisory ID: SLSA-2003:51
Date: Tuesday, November 11, 2003
Product: SOT Linux 2003

1. Problem description

Ethereal is a network traffic analyzer for the GNU/Linux operating system.

A number of security issues affect Ethereal. By exploiting these issues, it may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully-malformed packet onto the wire or by convincing someone to read a malformed packet trace file.

CAN-2003-0925: A buffer overflow in Ethereal 0.9.15 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malformed GTP MSISDN string.

CAN-2003-0926: Ethereal 0.9.15 and earlier allows remote attackers to cause a denial of service (crash) via certain malformed ISAKMP or MEGACO packets.

CAN-2003-0927: A heap-based buffer overflow in Ethereal 0.9.15 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the SOCKS dissector.

Users of Ethereal should update to these errata packages containing Ethereal version 0.9.16, which is not vulnerable to these issues.

2. Updated packages

SOT Linux 2003 Server:

i386:
ftp://ftp.sot.com/updates/2003/Server/i386/ethereal-base-0.9.16-3.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/ethereal-gtk+-0.9.16-3.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/ethereal-kde-0.9.16-3.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/ethereal-usermode-0.9.16-3.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2003/Server/SRPMS/ethereal-0.9.16-3.src.rpm

3. Upgrading package

Before applying this update, make sure all previously released errata relevant to your system have been applied.

Use up2date to automatically upgrade the fixed packages.

If you want to upgrade manually, download the updated package from the SOT Linux FTP site (use the links above) or from one of our mirrors. The list of mirrors can be obtained at www.sot.com/en/linux.

Update the package with the following command: rpm -Uvh <filename>

4. Verification

All packages are PGP signed by SOT for security.

You can verify each package with the following command: rpm --checksig <filename>

If you wish to verify the integrity of the downloaded package, run "md5sum <filename>" and compare the output with the values given below.

Package Name                                        MD5 sum
/Server/i386/ethereal-base-0.9.16-3.i386.rpm        288e8fd77523606d3026f51ab2b7fe15
/Server/i386/ethereal-gtk+-0.9.16-3.i386.rpm        d1fe21bc98bb56c25c162a764f46f43e
/Server/i386/ethereal-kde-0.9.16-3.i386.rpm         9aa31e0efc23bcf939dffc4ca1ff689b
/Server/i386/ethereal-usermode-0.9.16-3.i386.rpm    80cc334691db1a2ad346ce172efe5b69
/Server/SRPMS/ethereal-0.9.16-3.src.rpm             52bb8aaac353b64f5a280118c5769b4c
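Sections 3 and 4 of both advisories on this page (cups, SLSA-2003:50, and ethereal, SLSA-2003:51) describe the same procedure: download the packages, compare md5sum output against the table, run rpm --checksig, then rpm -Uvh. The script below is an added example rather than SOT's own tooling, and it serves both advisories: it parses a table in exactly the "path md5" layout printed above, checks every listed file under a download directory, and refuses to hand anything to rpm -Uvh unless the checksums and the PGP signatures both pass. The download directory, table file and key file names are assumptions, and the "packages" the demo builds are constructed stand-ins of a few bytes, not real RPMs. Two caveats the advisory text leaves implicit: the MD5 table reaches you over the same unauthenticated FTP or web channel as the packages, so a match shows only that the download is intact, and rpm --checksig can vouch for authenticity only if SOT's public key was obtained out of band and imported into rpm beforehand; a package whose signature is missing, bad or made with an unknown key should not be installed.

```shell
#!/bin/sh
# Added example, not SOT's own tooling: check downloaded update packages
# against the "Package Name / MD5 sum" table of an advisory, then let only
# packages that also carry a good PGP signature reach rpm -Uvh. The download
# directory, table file and key file names are assumptions; the "packages"
# built by make_fixture are constructed stand-ins, not real RPMs.

# verify_md5 FILE EXPECTED: 0 if FILE's MD5 equals EXPECTED, else 1.
verify_md5() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# verify_table DIR TABLE: reads "path md5" lines in the advisory's layout,
# looks each file up by basename under DIR, prints one status line per
# package and returns 0 only if every listed file exists and matches.
# Header and blank lines are skipped because their second field is not a
# 32-character hex string.
verify_table() {
    bad=0
    while read -r path sum; do
        case "$sum" in
            ""|*[!0-9a-fA-F]*) continue ;;
        esac
        [ ${#sum} -eq 32 ] || continue
        file="$1/$(basename "$path")"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"; bad=1
        elif verify_md5 "$file" "$sum"; then
            echo "OK       $path"
        else
            echo "BAD MD5  $path"; bad=1
        fi
    done < "$2"
    return $bad
}

# install_verified DIR TABLE KEYFILE: MD5 proves the download is intact;
# authenticity comes from rpm --checksig against the vendor key in KEYFILE
# (obtained out of band, an assumption here). Only files named in the table
# are considered, and any "NOT OK"/"MISSING KEYS" verdict or non-zero exit
# aborts before rpm -Uvh runs. Not executed by the demo (needs rpm).
install_verified() {
    dir="$1"; table="$2"; key="$3"
    verify_table "$dir" "$table" || { echo "checksum failure, nothing installed"; return 1; }
    rpm --import "$key" || return 1
    set --
    for f in "$dir"/*.rpm; do
        grep -qF "/$(basename "$f") " "$table" || { echo "not in advisory, skipped: $f"; continue; }
        sig=$(rpm --checksig "$f" 2>&1) || sig="$sig NOT OK"
        case "$sig" in
            *"NOT OK"*|*MISSING*) echo "signature check failed: $sig"; return 1 ;;
        esac
        set -- "$@" "$f"
    done
    rpm -Uvh "$@"
}

# make_fixture: temp dir with two stand-in files and an advisory-style table
# (constructed). The first sum is md5("hello"), which the first file matches;
# the other two lines reuse sums from the cups advisory against a stand-in
# and an absent file, so they must fail. Prints the dir.
make_fixture() {
    d=$(mktemp -d)
    printf 'hello' > "$d/cups-1.1.20rc5-14.i386.rpm"
    printf 'tampered' > "$d/cups-libs-1.1.20rc5-14.i386.rpm"
    cat > "$d/SLSA-2003-50.md5" <<'EOF'
Package Name MD5 sum

/Desktop/i386/cups-1.1.20rc5-14.i386.rpm 5d41402abc4b2a76b9719d911017c592
/Desktop/i386/cups-libs-1.1.20rc5-14.i386.rpm a767b375e57893f41fb9d9f38d9f5f31
/Desktop/i386/cups-devel-1.1.20rc5-14.i386.rpm f5b59a0c6ad7d5c28d6a1c1028848250
EOF
    cat > "$d/good.md5" <<'EOF'
/Desktop/i386/cups-1.1.20rc5-14.i386.rpm 5d41402abc4b2a76b9719d911017c592
EOF
    echo "$d"
}

# Demo: one OK, one BAD MD5, one MISSING, so verify_table returns 1.
fixture=$(make_fixture)
echo "== checking $fixture against SLSA-2003-50.md5"
verify_table "$fixture" "$fixture/SLSA-2003-50.md5" ||
    echo "-> at least one package failed; install nothing from this directory"
# Real use (assumed paths): install_verified /var/tmp/sot-updates ./SLSA-2003-50.md5 ./sot-pubkey.asc
```

Running it against a real download directory means saving the advisory's table to a file as printed, with the leading "/Desktop/..." or "/Server/..." paths left intact, since the script matches on basename only.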

5. References

http://www.ethereal.com/appnotes/enpa-sa-00011.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0925
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0926
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0927

Copyright(c) 2001-2003 SOT