105236 2003-06-18 18:41 /226 lines/ Matt Zimmerman <mdz@debian.org>
Imported: 2003-06-18 18:41 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External reply-to: listadmin@securityfocus.com
Recipient: Bugtraq (import) <5245>
Subject: [SECURITY] [DSA-324-1] New ethereal packages fix multiple vulnerabilities
------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 324-1                     security@debian.org
http://www.debian.org/security/                             Matt Zimmerman
June 18th, 2003                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : ethereal
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE Ids        : CAN-2003-0428 CAN-2003-0429 CAN-2003-0431 CAN-2003-0432

Several of the packet dissectors in ethereal contain string handling bugs
which could be exploited using a maliciously crafted packet to cause
ethereal to consume excessive amounts of memory, crash, or execute
arbitrary code.

These vulnerabilities were announced in the following Ethereal security
advisory:

http://www.ethereal.com/appnotes/enpa-sa-00010.html

Ethereal 0.9.4 in Debian 3.0 (woody) is affected by most of the problems
described in the advisory, including:

 * The DCERPC dissector could try to allocate too much memory while
   trying to decode an NDR string.

 * Bad IPv4 or IPv6 prefix lengths could cause an overflow in the OSI
   dissector.

 * The tvb_get_nstringz0() routine incorrectly handled a zero-length
   buffer size.

 * The BGP, WTP, DNS, 802.11, ISAKMP, WSP, CLNP, and ISIS dissectors
   handled strings improperly.

The following problems do NOT affect this version:

 * The SPNEGO dissector could segfault while parsing an invalid ASN.1
   value.

 * The RMI dissector handled strings improperly.

as these modules are not present.
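The three bug classes listed above (a prefix length larger than the address it describes, a zero-length destination buffer, and a packet-declared string length driving an allocation) all come down to the same missing step: checking a length taken from the packet against the memory the dissector is about to write or allocate. The C below is an added example written for this page, not Ethereal's code; the packet layouts, function names (decode_prefix, copy_nstringz, decode_counted_string) and return conventions are hypothetical, and the sample packets are constructed. It shows the guards a dissector needs before each of those operations, and how each malformed input is rejected instead of corrupting memory or exhausting it.

```c
/* Added example for DSA-324-1, not Ethereal's code: packet layouts, function
 * names and return conventions are hypothetical. Each function validates a
 * packet-supplied length against the memory it is about to write or allocate,
 * the check that is missing in the bug classes the advisory lists. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1. Prefix length vs. address size ("bad IPv4 or IPv6 prefix lengths could
 *    cause an overflow"). Field: one byte of prefix length in bits, then
 *    ceil(bits/8) prefix bytes. addr_len is 4 (IPv4) or 16 (IPv6).
 *    Returns the number of prefix bytes consumed, or -1 if malformed. */
int decode_prefix(const uint8_t *pkt, size_t pkt_len, size_t addr_len,
                  uint8_t *addr_out)
{
    if (pkt_len < 1)
        return -1;
    unsigned bits = pkt[0];
    /* A 255-bit "IPv4 prefix" would otherwise copy 32 bytes into a 4-byte
     * address: the overflow class the advisory describes. */
    if (bits > addr_len * 8)
        return -1;
    size_t nbytes = (bits + 7) / 8;
    if (pkt_len - 1 < nbytes)             /* packet shorter than it claims */
        return -1;
    memset(addr_out, 0, addr_len);
    memcpy(addr_out, pkt + 1, nbytes);
    return (int)nbytes;
}

/* 2. Bounded NUL-terminated string copy (the zero-length buffer case noted
 *    for tvb_get_nstringz0()). Copies at most bufsize-1 bytes from pkt+offset,
 *    stopping at NUL or at the end of the packet, and always NUL-terminates.
 *    Returns bytes copied, or -1 when bufsize is 0 (no room even for the
 *    terminator) or offset is past the end of the packet. */
int copy_nstringz(const uint8_t *pkt, size_t pkt_len, size_t offset,
                  char *buf, size_t bufsize)
{
    if (bufsize == 0)
        return -1;                        /* never touch buf[0] or buf[-1] */
    buf[0] = '\0';
    if (offset >= pkt_len)
        return -1;
    size_t n = 0;
    while (n < bufsize - 1 && offset + n < pkt_len && pkt[offset + n] != 0) {
        buf[n] = (char)pkt[offset + n];
        n++;
    }
    buf[n] = '\0';
    return (int)n;
}

/* 3. Counted string ("could try to allocate too much memory while trying to
 *    decode an NDR string"). Field: 32-bit little-endian byte count, then
 *    that many bytes. The count is checked against the bytes actually present
 *    before malloc(), so a six-byte packet cannot request 2 GiB. On success
 *    *out is a malloc'd NUL-terminated copy (caller frees) and the count is
 *    returned; on a malformed field -1 is returned and nothing is allocated. */
int decode_counted_string(const uint8_t *pkt, size_t pkt_len, size_t offset,
                          char **out)
{
    *out = NULL;
    if (offset > pkt_len || pkt_len - offset < 4)
        return -1;
    uint32_t count = (uint32_t)pkt[offset]
                   | (uint32_t)pkt[offset + 1] << 8
                   | (uint32_t)pkt[offset + 2] << 16
                   | (uint32_t)pkt[offset + 3] << 24;
    size_t avail = pkt_len - offset - 4;
    if (count > avail)                    /* declared length exceeds packet */
        return -1;
    char *s = malloc((size_t)count + 1);
    if (!s)
        return -1;
    memcpy(s, pkt + offset + 4, count);
    s[count] = '\0';
    *out = s;
    return (int)count;
}

int main(void)
{
    /* Constructed packets, not captures. */
    const uint8_t good_prefix[] = { 24, 192, 168, 1 };    /* 192.168.1/24 */
    const uint8_t bad_prefix[]  = { 255, 192, 168, 1 };   /* 255 > 32 bits */
    const uint8_t ndr_huge[]    = { 0xff, 0xff, 0xff, 0x7f, 'h', 'i' };
    uint8_t addr[16];
    char buf[8];
    char *s = NULL;

    printf("good prefix: %d\n", decode_prefix(good_prefix, sizeof good_prefix, 4, addr));
    printf("bad prefix:  %d\n", decode_prefix(bad_prefix, sizeof bad_prefix, 4, addr));
    printf("string, 8-byte buffer: %d (%s)\n",
           copy_nstringz((const uint8_t *)"hello\0x", 7, 0, buf, sizeof buf), buf);
    printf("string, 0-byte buffer: %d\n",
           copy_nstringz((const uint8_t *)"hello", 5, 0, buf, 0));
    printf("NDR string claiming 2 GiB: %d\n",
           decode_counted_string(ndr_huge, sizeof ndr_huge, 0, &s));
    free(s);
    return 0;
}
```

Each guard compares the packet-supplied length with a size the program controls (the address width, the caller's buffer, the bytes remaining in the packet) before any memcpy or malloc, and reports failure through the return value rather than writing a partial result. Returning -1 for a zero-length buffer instead of "handling" it is deliberate: there is nothing safe to write, so the caller has to know.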
For the stable distribution (woody) these problems have been fixed in
version 0.9.4-1woody5.

For the old stable distribution (potato) these problems will be fixed in
a future advisory.

For the unstable distribution (sid) these problems are fixed in version
0.9.13-1.

We recommend that you update your ethereal package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5.dsc
    Size/MD5 checksum:      679 fb98a4629ed5c2a09188264978e235cb
  http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5.diff.gz
    Size/MD5 checksum:    36263 4db84b40ff262dc4fa536bcbb215eb2b
  http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4.orig.tar.gz
    Size/MD5 checksum:  3278908 42e999daa659820ee93aaaa39ea1e9ea

Alpha architecture:

  http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_alpha.deb
    Size/MD5 checksum:  1938816 8e4a1ce81eb9f19d45c01e590d9a377e
  http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_alpha.deb
    Size/MD5 checksum:   334136 08bf42a6d7dbb50692d708d7a9197d87
  http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_alpha.deb
    Size/MD5 checksum:   221920 ee4403d6c0b7c07c83eec534988a84ee
  http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_alpha.deb
    Size/MD5 checksum:  1705816 7ee849802d94d148a14119f76992b2f0

ARM architecture:

  http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_arm.deb
    Size/MD5 checksum:  1633896 0abfa9d3c0eb5db8321a6762ab9dfa7b
  http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_arm.deb
    Size/MD5 checksum:   297150 bfbad9f07fab5ab34a6eab1ef8e5953d
  http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_arm.deb
    Size/MD5 checksum:   205828 ea7d760224ab01952527eacbc4587d20
  http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_arm.deb
    Size/MD5 checksum:  1438470 4f1f6d0135cbfc0044c688c39a956bea

Intel IA-32 architecture:

  http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_i386.deb
    Size/MD5 checksum:  1511912 5c1107c1016a8025e5b1d56eeccf84df
  http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_i386.deb
    Size/MD5 checksum:   286266 9c979f57424b5d55c5de6621098e96d2
  http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_i386.deb
    Size/MD5 checksum:   198218 c49c94d9dc7312668c9b48a550df6a1c
  http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_i386.deb
    Size/MD5 checksum:  1324568 9aeb2ffbc5277b3196b83e6d38b53621

Intel IA-64 architecture:

  http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_ia64.deb
    Size/MD5 checksum:  2149036 c68b86189746723e62bf08368bce227b
  http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_ia64.deb
    Size/MD5 checksum:   372962 9247b82b07d2eb11446fdce5f88983dc
  http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_ia64.deb
    Size/MD5 checksum:   233512 c030461e088a87758a4ba9935f0733e1
  http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_ia64.deb
    Size/MD5 checksum:  1859410 ab7f2190f094c3b8e67d56ff49045b9a

HP Precision architecture:

  http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_hppa.deb
    Size/MD5 checksum:  1802910 eb690bcb02ebf1c750205177cb248f72
  http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_hppa.deb
    Size/MD5 checksum:   322214 5ee2178f9c733121c7a1f0d524627880
  http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_hppa.deb
    Size/MD5 checksum:   216700 fa66e8a08983e09421560bd10f3c3965
  http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_hppa.deb
    Size/MD5 checksum:  1574692 b336a02e18c9f495960a9d0dec3d8e45

Motorola 680x0 architecture:

  http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_m68k.deb
    Size/MD5 checksum:  1423170 d59023d4c5cdf8dde7d3bfe8cc33d587
  http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_m68k.deb
    Size/MD5 checksum:   282466 6c85c7db7c36488746ef3f1e4a18d186
  http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_m68k.deb
    Size/MD5 checksum:   194916 d33873842e7080c48de9e9c337c76c79
  http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_m68k.deb
    Size/MD5 checksum:  1247402 58295f85485a65b3f65e2f4af5ef5961

Big endian MIPS architecture:

  http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_mips.deb
    Size/MD5 checksum:  1616264 7d0870d9b8b38f03a0a380996dfa33f9
  http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_mips.deb
    Size/MD5 checksum:   305088 295015eb873bfb754e75c1396e752243
  http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_mips.deb
    Size/MD5 checksum:   213484 8d0afae76790f5fdbebfd785bd3e0eb5
  http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_mips.deb
    Size/MD5 checksum:  1421086 ecfbd6ffa565b529da0e654f344a1d55

Little endian MIPS architecture:

  http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_mipsel.deb
    Size/MD5 checksum:  1596546 b84b95c09877df3556a688045c99c260
  http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_mipsel.deb
    Size/MD5 checksum:   304588 762bfcd3d71a6baec47e2e1faec0ef4c
  http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_mipsel.deb
    Size/MD5 checksum:   213108 666e6babaccfceda951053a9e03d5e77
  http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_mipsel.deb
    Size/MD5 checksum:  1405282 93b65858bfce3a879a05de921f2b0adc

PowerPC architecture:

  http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_powerpc.deb
    Size/MD5 checksum:  1616884 20f757b5b8bbdd9c604741f0a4e6f844
  http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_powerpc.deb
    Size/MD5 checksum:   301724 96ce6842b578c13330879589a1692d47
  http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_powerpc.deb
    Size/MD5 checksum:   208664 de9e536ef2560206395d9ede28c4aeef
  http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_powerpc.deb
    Size/MD5 checksum:  1418060 f28e69f82efff9434c37ac70f9f6af86

IBM S/390 architecture:

  http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_s390.deb
    Size/MD5 checksum:  1573598 a93240eca8bb226a0ad8bcabc6a6c5a3
  http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_s390.deb
    Size/MD5 checksum:   300554 a239b466decac0566be563242665d1aa
  http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_s390.deb
    Size/MD5 checksum:   203712 94f12ad0a3961df640587313f2b20b6a
  http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_s390.deb
    Size/MD5 checksum:  1386068 6401707646ae88c8220e5c6143a9c40b

Sun Sparc architecture:

  http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_sparc.deb
    Size/MD5 checksum:  1581564 c60e1b864726561eea77d65c6c3d4da3
  http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_sparc.deb
    Size/MD5 checksum:   317866 16956acf9b44bf36174733cd620348d3
  http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_sparc.deb
    Size/MD5 checksum:   204488 a5bccb53d6e679c552cb0093936c0e69
  http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_sparc.deb
    Size/MD5 checksum:  1388806 429a6f0c8c4ff5443dbabd94610998aa

These files will probably be moved into the stable distribution on
its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+7+WgArxCt0PiXR4RApkaAJoCsrPE4mkvcm+XN8vAGLkpuJ2USwCghY7p
Bav/5pgLLDta0TotoscgwJk=
=IzRs
-----END PGP SIGNATURE-----