TUCoPS :: Linux :: Conectiva :: bt1481.txt

ethereal CLA-2003:627



----- Original Message -----
From: "Conectiva Updates" <secure@conectiva.com.br>
To: <conectiva-updates@papaleguas.conectiva.com.br>; <lwn@lwn.net>;
<bugtraq@securityfocus.com>; <security-alerts@linuxsecurity.com>;
<linsec@lists.seifried.org>
Sent: Wednesday, April 16, 2003 11:05 AM
Subject: [CLA-2003:627] Conectiva Security Announcement - ethereal


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - ------------------------------------------------------------------------
--
> CONECTIVA LINUX SECURITY ANNOUNCEMENT
> - ------------------------------------------------------------------------
--
>
> PACKAGE   : ethereal
> SUMMARY   : Several vulnerabilities
> DATE      : 2003-04-16 16:03:00
> ID        : CLA-2003:627
> RELEVANT
> RELEASES  : 6.0, 7.0, 8
>
> - ------------------------------------------------------------------------
-
>
> DESCRIPTION
>  Ethereal is a powerful network traffic analyzer with an intuitive
>  interface.
>
>  This update addresses the problems listed below. All these
>  vulnerabilities can be exploited by exposing the Ethereal program to
>  specially created network traffic, be it by sniffing a live network
>  or reading a capture file. The impact varies from a denial of service
>  to arbitrary command execution with the same privileges as the user
>  who is running Ethereal:
>
>  - buffer overflow in the ISIS protocol dissector[2];
>
>  - denial of service in the BGP protocol dissector[3], reported by
>  Silvio Cesare. Ethereal can enter an infinite loop when trying to
>  process a malformed message;
>
>  - several vulnerabilities[3] in the LMP, PPP and TDS protocol
>  dissectors;
>
>  - format string vulnerability[4] in the SOCKS protocol dissector,
>  reported by Georgi Guninski;
>
>  - buffer overflow vulnerability[4] in the NTLMSSP protocol dissector.
>
>
> SOLUTION
>  It is recommended that all Ethereal users upgrade their packages. It
>  is also possible to bypass these specific vulnerabilities by
>  deactivating the vulnerable protocol dissectors. This can be done via
>  the "Edit->Protocols" menu.
>
>
>  REFERENCES
>  1. http://www.ethereal.com
>  2. http://www.ethereal.com/appnotes/enpa-sa-00006.html
>  3. http://www.ethereal.com/appnotes/enpa-sa-00007.html
>  4. http://www.ethereal.com/appnotes/enpa-sa-00008.html
>
>
> UPDATED PACKAGES
>
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/ethereal-0.9.11-1U60_1cl.src.r
pm
>
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/ethereal-0.9.11-1U60_1cl.i386.r
pm
>
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/ethereal-0.9.11-1U70_1cl.src.r
pm
>
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/ethereal-0.9.11-1U70_1cl.i386.r
pm
>
ftp://atualizacoes.conectiva.com.br/8/SRPMS/ethereal-0.9.11-1U80_1cl.src.rpm
>
ftp://atualizacoes.conectiva.com.br/8/RPMS/ethereal-0.9.11-1U80_1cl.i386.rpm
>
ftp://atualizacoes.conectiva.com.br/8/RPMS/ethereal-common-0.9.11-1U80_1cl.i
386.rpm
>
ftp://atualizacoes.conectiva.com.br/8/RPMS/ethereal-gtk-0.9.11-1U80_1cl.i386
.rpm
>
ftp://atualizacoes.conectiva.com.br/8/RPMS/ethereal-utils-0.9.11-1U80_1cl.i3
86.rpm
>
ftp://atualizacoes.conectiva.com.br/8/RPMS/tethereal-0.9.11-1U80_1cl.i386.rp
m
>
>
> ADDITIONAL INSTRUCTIONS
>  The apt tool can be used to perform RPM packages upgrades:
>
>  - run:                 apt-get update
>  - after that, execute: apt-get upgrade
>
>  Detailed instructions reagarding the use of apt and upgrade examples
>  can be found at
http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
>
> - ------------------------------------------------------------------------
-
> All packages are signed with Conectiva's GPG key. The key and instructions
> on how to import it can be found at
> http://distro.conectiva.com.br/seguranca/chave/?idioma=en
> Instructions on how to check the signatures of the RPM packages can be
> found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
>
> - ------------------------------------------------------------------------
-
> All our advisories and generic update instructions can be viewed at
> http://distro.conectiva.com.br/atualizacoes/?idioma=en
>
> - ------------------------------------------------------------------------
-
> Copyright (c) 2003 Conectiva Inc.
> http://www.conectiva.com
>
> - ------------------------------------------------------------------------
-
> subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
> unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD4DBQE+nalh42jd0JmAcZARAtQuAJjAuNLWpTWZpbvrBRLfuY2Vq+BqAJwO7vLE
> 13Hwk3XxPaVF8IkOgBpAlw==
> =Q+0r
> -----END PGP SIGNATURE-----
>

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH