[ Thanks to Sergio
Bruder for this announcement. ]
CONECTIVA LINUX SECURITY ANNOUNCEMENT
PACKAGE: gdm
SUMMARY : Remote buffer overflow
DATE : 2000-JUN-06
AFFECTED CONECTIVA VERSIONS : 4.1, 4.2 and 5.0
DESCRIPTION
The gdm program is on of the graphical login choices available
for Conectiva Linux users. A serious vulnerability has been found
in this program during the XDMCP protocol processing that could
lead to remote root compromise.
In order to exploit this vulnerability, the XDMCP option has to be
explicitly enabled in /etc/X11/gdm/gdm.conf. All Conectiva Linux
versions ship with this options DISABLED by default.
SOLUTION
If you need to use XDMCP, then you MUST upgrade the gdm program to
the latest release following the links below. If XDMCP is disabled
in /etc/X11/gdm/gdm.conf, then this vulnerability cannot be
exploited.
DIRECT DOWNLOAD LINKS TO UPDATED PACKAGES:
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/gdm-2.0beta4-2cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/gdm-2.0beta4-2cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/gdm-2.0beta4-2cl.i386.rpm
SOURCE RPM PACKAGES ARE ALSO AVAILABLE:
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/SRPMS/gdm-2.0beta4-2cl.src.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/SRPMS/gdm-2.0beta4-2cl.src.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/gdm-2.0beta4-2cl.src.rpm
All packages are signed with Conectiva’s PGP key. The key can be
obtained at http://www.conectiva.com.br/conectiva/contato.html
Information on how to install and/or update packages, and mirror
sites, can be found at http://www.conectiva.com.br/atualizacoes
subscribe: [email protected]
unsubscribe: [email protected]