|
To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@linuxsecurity.com ______________________________________________________________________________ Caldera International, Inc. Security Advisory Subject: Linux: icecast buffer overflows and denial-of-service Advisory number: CSSA-2002-020.0 Issue date: 2002 May 10 Cross reference: ______________________________________________________________________________ 1. Problem Description Buffer overflows in the icecast server allow remote attackers to execute arbitrary code via a long HTTP GET request, as well as allowing denial of service attacks. 2. Vulnerable Supported Versions System Package ---------------------------------------------------------------------- OpenLinux 3.1.1 Server prior to icecast-1.3.12-1.i386.rpm OpenLinux 3.1 Server prior to icecast-1.3.12-1.i386.rpm 3. Solution The proper solution is to install the latest packages. 4. OpenLinux 3.1.1 Server 4.1 Package Location ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS 4.2 Packages 83407efa0c40a9ceac02606ae37237f2 icecast-1.3.12-1.i386.rpm 4.3 Installation rpm -Fvh icecast-1.3.12-1.i386.rpm 4.4 Source Package Location ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS 4.5 Source Packages d55ff1702ff28781cf097566e34c91c5 icecast-1.3.12-1.src.rpm 5. OpenLinux 3.1 Server 5.1 Package Location ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS 5.2 Packages acd0d312bcb7679c205eb5305d7d4585 icecast-1.3.12-1.i386.rpm 5.3 Installation rpm -Fvh icecast-1.3.12-1.i386.rpm 5.4 Source Package Location ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS 5.5 Source Packages b36bf262d34fb88e9a00b695b024916e icecast-1.3.12-1.src.rpm 6. References Specific references for this advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0784 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1083 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1229 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1230 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0177 Caldera OpenLinux security resources: http://www.caldera.com/support/security/index.html Caldera UNIX security resources: http://stage.caldera.com/support/security/ This security fix closes Caldera incidents sr863781, fz520848 and erg712036. 7. Disclaimer Caldera International, Inc. is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of Caldera products. 8. Acknowledgements The "Packet Knights" group discovered some of these vulnerabilities.