
Conectiva Linux Advisories: mpg123, ucd-snmp


CONECTIVA LINUX SECURITY ANNOUNCEMENT


PACKAGE : mpg123
SUMMARY : Local buffer overflow vulnerability
DATE : 2003-07-15 14:43:00
ID : CLA-2003:695
RELEVANT RELEASES : 7.0, 8

DESCRIPTION
mpg123 is a command line mp3 player.

A vulnerability[1] in the way mpg123 handles mp3 files with a
bitrate of zero may allow attackers to execute arbitrary code using
a specially crafted mp3 file. This update fixes the problem.
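
The advisory gives no detail of the defect beyond the zero bitrate, so the following is an added example, not mpg123 code and not part of the advisory, showing the general class of check a decoder needs: validate the header's bitrate field before deriving a read length from it. The function names are hypothetical, only MPEG-1 Layer III is handled, and the header bytes used to exercise it are constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* MPEG-1 Layer III bitrates in kbit/s, indexed by the 4-bit header field.
 * Index 0 is "free format" (no bitrate given); index 15 is forbidden. */
static const int kbps_l3[16] = {0, 32, 40, 48, 56, 64, 80, 96,
                                112, 128, 160, 192, 224, 256, 320, 0};
static const int hz_mpeg1[4] = {44100, 48000, 32000, 0}; /* 3 is reserved */

/* Return the body length (bytes after the 4-byte header) of an MPEG-1
 * Layer III frame, or -1 if the header must be rejected.
 * buf_cap is the size of the caller's frame buffer. */
long mp3_body_len(const uint8_t h[4], size_t buf_cap)
{
    if (h[0] != 0xFF || (h[1] & 0xE0) != 0xE0)
        return -1;                       /* no frame sync */
    if (((h[1] >> 3) & 3) != 3 || ((h[1] >> 1) & 3) != 1)
        return -1;                       /* only MPEG-1 Layer III handled here */

    int kbps = kbps_l3[h[2] >> 4];
    int hz = hz_mpeg1[(h[2] >> 2) & 3];
    int pad = (h[2] >> 1) & 1;

    /* The check this example is about: a zero bitrate gives a frame length
     * of 0 or 1, and subtracting the 4-byte header makes it negative. */
    if (kbps == 0 || hz == 0)
        return -1;

    long frame = 144L * kbps * 1000 / hz + pad;
    long body = frame - 4;
    if (body <= 0 || (size_t)body > buf_cap)
        return -1;                       /* never read past the buffer */
    return body;
}

/* Same arithmetic without validation, kept only to show the bad value
 * that would otherwise reach a read or copy call as its length. */
long unchecked_body_len(int kbps, int hz, int pad)
{
    return 144L * kbps * 1000 / hz + pad - 4;
}
```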

SOLUTION
All mpg123 users should upgrade.

REFERENCES:
2.http://www.securityfocus.com/bid/6629

UPDATED PACKAGES

ftp://atualizacoes.conectiva.com.br/7.0/RPMS/mpg123-0.59r-5U70_1cl.i386.rpm


ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/mpg123-0.59r-5U70_1cl.src.rpm


ftp://atualizacoes.conectiva.com.br/8/RPMS/mpg123-0.59r-7U80_1cl.i386.rpm


ftp://atualizacoes.conectiva.com.br/8/SRPMS/mpg123-0.59r-7U80_1cl.src.rpm

ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM package upgrades:

  • run: apt-get update
  • after that, execute: apt-get upgrade

Detailed instructions regarding the use of apt and upgrade
examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


All packages are signed with Conectiva’s GPG key. The key and
instructions on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can
be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en


All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en


Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com


CONECTIVA LINUX SECURITY ANNOUNCEMENT


PACKAGE : ucd-snmp
SUMMARY : Remote heap overflow vulnerability
DATE : 2003-07-15 15:03:00
ID : CLA-2003:696
RELEVANT RELEASES : 7.0, 8

DESCRIPTION
ucd-snmp is an implementation and a set of tools to deal with the
Simple Network Management Protocol (SNMP), which is used for remote
administration and monitoring of network devices and services.

Axioma Security Research found[1] a remote heap overflow
vulnerability[2] in snmpnetstat (a tool used to retrieve
information about a remote host). When a list of interfaces is
requested, a malicious server can return information in a way that
will cause a heap overflow in snmpnetstat.

A remote attacker able to control an SNMP server can exploit this
vulnerability to execute arbitrary code with the privileges of the
user running snmpnetstat.

SOLUTION
All ucd-snmp users should upgrade.

REFERENCES:
1.http://www.securityfocus.com/archive/1/248141

2.http://www.securityfocus.com/bid/3780

UPDATED PACKAGES

ftp://atualizacoes.conectiva.com.br/7.0/RPMS/ucd-snmp-4.2.3-1U70_2cl.i386.rpm


ftp://atualizacoes.conectiva.com.br/7.0/RPMS/ucd-snmp-devel-4.2.3-1U70_2cl.i386.rpm


ftp://atualizacoes.conectiva.com.br/7.0/RPMS/ucd-snmp-devel-static-4.2.3-1U70_2cl.i386.rpm


ftp://atualizacoes.conectiva.com.br/7.0/RPMS/ucd-snmp-utils-4.2.3-1U70_2cl.i386.rpm


ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/ucd-snmp-4.2.3-1U70_2cl.src.rpm


ftp://atualizacoes.conectiva.com.br/8/RPMS/ucd-snmp-4.2.3-4U80_1cl.i386.rpm


ftp://atualizacoes.conectiva.com.br/8/RPMS/ucd-snmp-devel-4.2.3-4U80_1cl.i386.rpm


ftp://atualizacoes.conectiva.com.br/8/RPMS/ucd-snmp-devel-static-4.2.3-4U80_1cl.i386.rpm


ftp://atualizacoes.conectiva.com.br/8/RPMS/ucd-snmp-utils-4.2.3-4U80_1cl.i386.rpm


ftp://atualizacoes.conectiva.com.br/8/SRPMS/ucd-snmp-4.2.3-4U80_1cl.src.rpm

ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM package upgrades:

  • run: apt-get update
  • after that, execute: apt-get upgrade

Detailed instructions regarding the use of apt and upgrade
examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


All packages are signed with Conectiva’s GPG key. The key and
instructions on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can
be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en


All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en


Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com
