linux, säkerhet

5236223 2000-06-28  22:31  /185 rader/ Postmaster
Mottagare: Bugtraq (import) <11478>
Ärende: [SECURITY] New verion of dhcp released
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
X-Envelope-Sender: wichert@cistron.nl
X-Debian: PGP check passed for security officers
Priority: urgent
X-Mailing-List: <debian-security-announce@lists.debian.org> archive/latest/95
X-Loop: debian-security-announce@lists.debian.org
Precedence: list
Message-ID:  <OuwSlD.A.lHB.pViW5@murphy>
Date:         Wed, 28 Jun 2000 09:22:37 -0700
Reply-To: security@debian.org
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
Comments:     Resent-From: debian-security-announce@lists.debian.org
Comments:     Originally-From: Wichert Akkerman <wichert@cistron.nl>
From: debian-security-announce@LISTS.DEBIAN.ORG
To: BUGTRAQ@SECURITYFOCUS.COM

-----BEGIN PGP SIGNED MESSAGE-----

- ------------------------------------------------------------------------
Debian Security Advisory                             security@debian.org
http://www.debian.org/security/                            Michael Stone
June 27, 2000
- ------------------------------------------------------------------------

Package: dhcp-client-beta (dhcp-client)
Vulnerability type: remote root exploit
Debian-specific: no

The versions of the ISC DHCP client in debian 2.1 (slink) and debian
2.2 (potato) are vulnerable to a root exploit. The OpenBSD team
reports that the client inappropriately executes commands embedded in
replies sent from a dhcp server. This means that a malicious dhcp
server can execute commands on the client with root privilages.

The reported vulnerability is fixed in the package dhcp-client-beta
2.0b1pl6-0.3 for the current stable release (debian 2.1) and in
dhcp-client 2.0-3potato1 for the frozen pre-release (debian 2.2). The
dhcp server and relay agents are built from the same source as the
client; however, the server and relay agents are not vulnerable to
this issue and do not need to be upgraded.  We recommend upgrading
your dhcp-client-beta and dhcp-client immediately.


wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.


Debian GNU/Linux 2.1 alias slink
- --------------------------------

  This version of Debian was released only for Intel ia32, the
  Motorola 680x0, the alpha and the Sun sparc architecture.

  Source archives:
    http://security.debian.org/dists/stable/updates/source/dhcp-beta_2.0b1pl6-0.3.diff.gz
      MD5 checksum: 90e5a3d2e299aad278b10186b02c1d7b
    http://security.debian.org/dists/stable/updates/source/dhcp-beta_2.0b1pl6-0.3.dsc
      MD5 checksum: 9d15d1043a092b103fdbac2827470d5b
    http://security.debian.org/dists/stable/updates/source/dhcp-beta_2.0b1pl6.orig.tar.gz
      MD5 checksum: 2b63a90b272f087afb24c8f4ca72d3bd

  Alpha architecture:
    http://security.debian.org/dists/stable/updates/binary-alpha/dhcp-beta_2.0b1pl6-0.3_alpha.deb
      MD5 checksum: 668d2f48562297d8e5e4d30ac2f81914
    http://security.debian.org/dists/stable/updates/binary-alpha/dhcp-client-beta_2.0b1pl6-0.3_alpha.deb
      MD5 checksum: c3966535396dc550408eb8f0544fab34
    http://security.debian.org/dists/stable/updates/binary-alpha/dhcp-relay-beta_2.0b1pl6-0.3_alpha.deb
      MD5 checksum: ba634900487c740efc262b323dc97d98

  Intel ia32 architecture:
    http://security.debian.org/dists/stable/updates/binary-i386/dhcp-beta_2.0b1pl6-0.3_i386.deb
      MD5 checksum: e499e80e9906c7e412df40a75a16ece4
    http://security.debian.org/dists/stable/updates/binary-i386/dhcp-client-beta_2.0b1pl6-0.3_i386.deb
      MD5 checksum: c139d79a9f4a19e12c36108897b8335c
    http://security.debian.org/dists/stable/updates/binary-i386/dhcp-relay-beta_2.0b1pl6-0.3_i386.deb
      MD5 checksum: 0040eba75e437b961070218e7c8c2949

  Motorola 680x0 architecture:
    http://security.debian.org/dists/stable/updates/binary-m68k/dhcp-beta_2.0b1pl6-0.3_m68k.deb
      MD5 checksum: 4027b4da37034c63612678c16743864e
    http://security.debian.org/dists/stable/updates/binary-m68k/dhcp-client-beta_2.0b1pl6-0.3_m68k.deb
      MD5 checksum: 4b6ef60ff3b93ffa8d4ebe03d5dac4db
    http://security.debian.org/dists/stable/updates/binary-m68k/dhcp-relay-beta_2.0b1pl6-0.3_m68k.deb
      MD5 checksum: 232876b42a696989e6a3aff2214596ac

  Sun Sparc architecture:
    http://security.debian.org/dists/stable/updates/binary-sparc/dhcp-beta_2.0b1pl6-0.3_sparc.deb
      MD5 checksum: 68f64e910a56e229bf06ab7f4bbae58d
    http://security.debian.org/dists/stable/updates/binary-sparc/dhcp-client-beta_2.0b1pl6-0.3_sparc.deb
      MD5 checksum: 1aec24648990145058166416e08c3648
    http://security.debian.org/dists/stable/updates/binary-sparc/dhcp-relay-beta_2.0b1pl6-0.3_sparc.deb
      MD5 checksum: c5af416bb6c447ea9fb531cf8b3ddddd

  These files will be moved into
  ftp://ftp.debian.org/debian/dists/stable/*/binary-$arch/ soon.


Debian GNU/Linux 2.2 alias potato
- ---------------------------------

  Please note that potato has not been released yet. However since it
  is in the final stages of the release process security updates are
  already being distributed.

  Source archives:
    http://security.debian.org/dists/potato/updates/main/source/dhcp_2.0-3potato1.diff.gz
      MD5 checksum: 40d365a28b6278cdeea7208ca06b1bde
    http://security.debian.org/dists/potato/updates/main/source/dhcp_2.0-3potato1.dsc
      MD5 checksum: 31a4060c49ef699ddfb2d431450a8993
    http://security.debian.org/dists/potato/updates/main/source/dhcp_2.0.orig.tar.gz
      MD5 checksum: eff5d5359a50f878e4c0da082bf10475

  Alpha architecture:
    http://security.debian.org/dists/potato/updates/main/binary-alpha/dhcp-client_2.0-3potato1_alpha.deb
      MD5 checksum: b4d9ca359de9bdcffaad04ff9683b262
    http://security.debian.org/dists/potato/updates/main/binary-alpha/dhcp-relay_2.0-3potato1_alpha.deb
      MD5 checksum: 1c790b774617f1434c1be8215090c3e9
    http://security.debian.org/dists/potato/updates/main/binary-alpha/dhcp_2.0-3potato1_alpha.deb
      MD5 checksum: 4d67ac7c8dabbe24df698ab322862480

  ARM architecture:
    http://security.debian.org/dists/potato/updates/main/binary-arm/dhcp-client_2.0-3potato1_arm.deb
      MD5 checksum: 5bf5b55723279bd632b93368ed2bcfcb
    http://security.debian.org/dists/potato/updates/main/binary-arm/dhcp-relay_2.0-3potato1_arm.deb
      MD5 checksum: a50aef6eeca2f268bb824b6a46375d0c
    http://security.debian.org/dists/potato/updates/main/binary-arm/dhcp_2.0-3potato1_arm.deb
      MD5 checksum: 1a01cbd7073e45aee598377645a752bf
    http://security.debian.org/dists/potato/updates/main/binary-arm/wu-ftpd_2.6.0-5.1_arm.deb
      MD5 checksum: 9faeaec3a831510179c4e3a6ea50ff52

  Intel ia32 architecture:
    http://security.debian.org/dists/potato/updates/main/binary-i386/dhcp-client_2.0-3potato1_i386.deb
      MD5 checksum: 73c893f4c87c20a48607fda52d34d7da
    http://security.debian.org/dists/potato/updates/main/binary-i386/dhcp-relay_2.0-3potato1_i386.deb
      MD5 checksum: b18ca08c0e0c3ceed171c08c881730c3
    http://security.debian.org/dists/potato/updates/main/binary-i386/dhcp_2.0-3potato1_i386.deb
      MD5 checksum: da3735ce715897893c88cfb7539749bf

  Motorola 680x0 architecture:
    http://security.debian.org/dists/potato/updates/main/binary-m68k/dhcp-client_2.0-3potato1_m68k.deb
      MD5 checksum: 7893850b9ed93ae41014dcba451530c3
    http://security.debian.org/dists/potato/updates/main/binary-m68k/dhcp-relay_2.0-3potato1_m68k.deb
      MD5 checksum: 64a03a6a18de8c3f51737dbdea674271
    http://security.debian.org/dists/potato/updates/main/binary-m68k/dhcp_2.0-3potato1_m68k.deb
      MD5 checksum: 4006f5fbe178e3e008d03a9b945880db

  PowerPC architecture:
    http://security.debian.org/dists/potato/updates/main/binary-powerpc/dhcp-client_2.0-3potato1_powerpc.deb
      MD5 checksum: f24bde7e97de3241ba3684cc027a5854
    http://security.debian.org/dists/potato/updates/main/binary-powerpc/dhcp-relay_2.0-3potato1_powerpc.deb
      MD5 checksum: 5ad85017bae30f087c353653352f64f0
    http://security.debian.org/dists/potato/updates/main/binary-powerpc/dhcp_2.0-3potato1_powerpc.deb
      MD5 checksum: e15b22f787231cf0f368d16932025a5c

  Sun Sparc architecture:
    http://security.debian.org/dists/potato/updates/main/binary-sparc/dhcp-client_2.0-3potato1_sparc.deb
      MD5 checksum: 464e251bbe127d25e3812d2edca4b3d6
    http://security.debian.org/dists/potato/updates/main/binary-sparc/dhcp-relay_2.0-3potato1_sparc.deb
      MD5 checksum: 5c7a405a8bf604114c9b16ebad69aee1
    http://security.debian.org/dists/potato/updates/main/binary-sparc/dhcp_2.0-3potato1_sparc.deb
      MD5 checksum: 862808cee5fb3c8c025641cffb3f01f7

- ----------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable updates
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates
Mailing list: debian-security-announce@lists.debian.org


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQB1AwUBOVok+KjZR/ntlUftAQEntwL+N8eMiJAVXoRA0WO9tKno7i+on9dCe/tw
R3I+yhEiWIg4MbNCkTdhQltNtV4936LrCAF0av38AlepA1Tm8BhxZQyyU6izGIM9
HPIuHQ70BhmRnHOacBUWq4BoBU11gIVp
=v5Q9
-----END PGP SIGNATURE-----


-- To UNSUBSCRIBE, email to
debian-security-announce-request@lists.debian.org with a subject of
"unsubscribe". Trouble? Contact listmaster@lists.debian.org
(5236223) ------------------------------------------(Ombruten)