Vulnerability
analog
Affected
analog all versions except 4.16 and 4.90beta3
Description
Stephen Turner found following. There is a buffer overflow bug
in all versions of analog released prior to 13-02-2001. A
malicious user could use an ALIAS command to construct very long
strings which were not checked for length.
This bug is particularly dangerous if the form interface (which
allows unknown users to run the program via a CGI script) has been
installed.
Solution
This bug was discovered by the program author, and there is no
known exploit. However, users are advised to upgrade to one of
the two safe versions immediately, especially if they have
installed the form interface.
For Red Hat:
ftp://updates.redhat.com/secureweb/2.0/SRPMS/analog-4.16-1.src.rpm
ftp://updates.redhat.com/secureweb/2.0/i386/analog-4.16-1.i386.rpm
ftp://updates.redhat.com/secureweb/2.0/i386/analog-form-4.16-1.i386.rpm
For Debian:
http://security.debian.org/dists/stable/updates/main/source/analog_4.01.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/source/analog_4.01-1potato1.dsc
http://security.debian.org/dists/stable/updates/main/source/analog_4.01-1potato1.diff.gz
http://security.debian.org/dists/stable/updates/main/binary-i386/analog_4.01-1potato1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/analog_4.01-1potato1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/analog_4.01-1potato1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/analog_4.01-1potato1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/analog_4.01-1potato1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/analog_4.01-1potato1_arm.deb
For Turbo Linux:
ftp://ftp.turbolinux.com/pub/updates/6.0/security/analog-4.16-2.i386.rpm
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
