|
----- Original Message ----- From: "Conectiva Updates" <secure@conectiva.com.br> To: <conectiva-updates@papaleguas.conectiva.com.br>; <lwn@lwn.net>; <bugtraq@securityfocus.com>; <security-alerts@linuxsecurity.com>; <linsec@lists.seifried.org> Sent: Wednesday, April 16, 2003 11:05 AM Subject: [CLA-2003:627] Conectiva Security Announcement - ethereal > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > - ------------------------------------------------------------------------ -- > CONECTIVA LINUX SECURITY ANNOUNCEMENT > - ------------------------------------------------------------------------ -- > > PACKAGE : ethereal > SUMMARY : Several vulnerabilities > DATE : 2003-04-16 16:03:00 > ID : CLA-2003:627 > RELEVANT > RELEASES : 6.0, 7.0, 8 > > - ------------------------------------------------------------------------ - > > DESCRIPTION > Ethereal is a powerful network traffic analyzer with an intuitive > interface. > > This update addresses the problems listed below. All these > vulnerabilities can be exploited by exposing the Ethereal program to > specially created network traffic, be it by sniffing a live network > or reading a capture file. The impact varies from a denial of service > to arbitrary command execution with the same privileges as the user > who is running Ethereal: > > - buffer overflow in the ISIS protocol dissector[2]; > > - denial of service in the BGP protocol dissector[3], reported by > Silvio Cesare. Ethereal can enter an infinite loop when trying to > process a malformed message; > > - several vulnerabilities[3] in the LMP, PPP and TDS protocol > dissectors; > > - format string vulnerability[4] in the SOCKS protocol dissector, > reported by Georgi Guninski; > > - buffer overflow vulnerability[4] in the NTLMSSP protocol dissector. > > > SOLUTION > It is recommended that all Ethereal users upgrade their packages. It > is also possible to bypass these specific vulnerabilities by > deactivating the vulnerable protocol dissectors. This can be done via > the "Edit->Protocols" menu. > > > REFERENCES > 1. http://www.ethereal.com > 2. http://www.ethereal.com/appnotes/enpa-sa-00006.html > 3. http://www.ethereal.com/appnotes/enpa-sa-00007.html > 4. http://www.ethereal.com/appnotes/enpa-sa-00008.html > > > UPDATED PACKAGES > ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/ethereal-0.9.11-1U60_1cl.src.r pm > ftp://atualizacoes.conectiva.com.br/6.0/RPMS/ethereal-0.9.11-1U60_1cl.i386.r pm > ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/ethereal-0.9.11-1U70_1cl.src.r pm > ftp://atualizacoes.conectiva.com.br/7.0/RPMS/ethereal-0.9.11-1U70_1cl.i386.r pm > ftp://atualizacoes.conectiva.com.br/8/SRPMS/ethereal-0.9.11-1U80_1cl.src.rpm > ftp://atualizacoes.conectiva.com.br/8/RPMS/ethereal-0.9.11-1U80_1cl.i386.rpm > ftp://atualizacoes.conectiva.com.br/8/RPMS/ethereal-common-0.9.11-1U80_1cl.i 386.rpm > ftp://atualizacoes.conectiva.com.br/8/RPMS/ethereal-gtk-0.9.11-1U80_1cl.i386 .rpm > ftp://atualizacoes.conectiva.com.br/8/RPMS/ethereal-utils-0.9.11-1U80_1cl.i3 86.rpm > ftp://atualizacoes.conectiva.com.br/8/RPMS/tethereal-0.9.11-1U80_1cl.i386.rp m > > > ADDITIONAL INSTRUCTIONS > The apt tool can be used to perform RPM packages upgrades: > > - run: apt-get update > - after that, execute: apt-get upgrade > > Detailed instructions reagarding the use of apt and upgrade examples > can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en > > - ------------------------------------------------------------------------ - > All packages are signed with Conectiva's GPG key. The key and instructions > on how to import it can be found at > http://distro.conectiva.com.br/seguranca/chave/?idioma=en > Instructions on how to check the signatures of the RPM packages can be > found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en > > - ------------------------------------------------------------------------ - > All our advisories and generic update instructions can be viewed at > http://distro.conectiva.com.br/atualizacoes/?idioma=en > > - ------------------------------------------------------------------------ - > Copyright (c) 2003 Conectiva Inc. > http://www.conectiva.com > > - ------------------------------------------------------------------------ - > subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br > unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.6 (GNU/Linux) > Comment: For info see http://www.gnupg.org > > iD4DBQE+nalh42jd0JmAcZARAtQuAJjAuNLWpTWZpbvrBRLfuY2Vq+BqAJwO7vLE > 13Hwk3XxPaVF8IkOgBpAlw== > =Q+0r > -----END PGP SIGNATURE----- >