[CLA-2002:474] Conectiva Linux Security Announcement - ethereal

From: secure@conectiva.com.br
Date: 04/25/02

Previous message: Jonas Eriksson: "Sudo version 1.6.6 now available (fwd)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 25 Apr 2002 14:21:53 -0300
To: conectiva-updates@papaleguas.conectiva.com.br, lwn@lwn.net, bugtraq@securityfocus.com, security-alerts@linuxsecurity.com
From: secure@conectiva.com.br

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE : ethereal
SUMMARY : Packet handling vulnerabilities
DATE : 2002-04-25 14:21:00
ID : CLA-2002:474
RELEVANT
RELEASES : 5.0, 5.1, 6.0, 7.0

- -------------------------------------------------------------------------

DESCRIPTION
Ethereal is a powerful network traffic analyzer with an intuitive
interface.

This update addresses two vulnerabilities stated in ethereal's home
page:

1.SNMP and LDAP string handling[1]
The PROTOS[2] test suite developed by the Oulu University Secure
Programming Group found some flaws in SNMP and LDAP protocols support
in ethereal. It may be possible to crash or execute arbitrary code in
the ethereal's context (ethereal is usually run by root) by injecting
crafted packets in the network or convincing someone to open a trace
file with such packets.

2.ASN.1 zero-length g_malloc[3]
Due to improper string parsing in ASN.1 routines, it is possible to
crash ethereal by inserting malformed packets in the wire or by
opening a trace file with such packets inside. SNMP, LDAP, COPS and
Kerberos parsers use the ASN routines to handle traffic.

There's also a third vulnerability reported in ethereal's home page
related to zlib's double free bug, which have been addressed already
by our zlib's advisory[4] some time ago.

SOLUTION
All ethereal users should do the upgrade.

REFERENCES:
1.http://www.ethereal.com/appnotes/enpa-sa-00001.html
2.http://www.ee.oulu.fi/research/ouspg/protos
3.http://www.ethereal.com/appnotes/enpa-sa-00003.html
4.http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000469&idioma=en

ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:
- add the following line to /etc/apt/sources.list if it is not there yet
(you may also use linuxconf to do this):

rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

- run: apt-get update
- after that, execute: apt-get upgrade

Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8yDsw42jd0JmAcZARAnwDAKCBbQlAE7hmcHK+U4xhbiIG/Uh1LgCgmUyg
KaQ5vPmuwkMKPnGIJdPlwKM=
=WLTd
-----END PGP SIGNATURE-----

Previous message: Jonas Eriksson: "Sudo version 1.6.6 now available (fwd)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

[CLA-2004:821] Conectiva Security Announcement - XFree86
... Greg MacManus from iDEFENSE Labs discoveredtwo vulnerabilities ... in the way the X server deals with font files. ... It is recommended that all XFree86 users upgrade their packages. ... Detailed instructions regarding the use of apt and upgrade examples ...
(Bugtraq)
[CLA-2004:866] Conectiva Security Announcement - qt3
... Fixes for image loader vulnerabilities ... It is recommended that all qt users upgrade their packages. ... Detailed instructions regarding the use of apt and upgrade examples ...
(Bugtraq)
[CLA-2003:662] Conectiva Security Announcement - ethereal
... These vulnerabilities can be exploited ... All ethereal users should upgrade their packages. ... Detailed instructions reagarding the use of apt and upgrade examples ...
(Bugtraq)
[CLA-2003:738] Conectiva Security Announcement - pine
... Pine is a mail and news text based client developed by the Washington ... This update fixes two pine remote vulnerabilities found by ... The apt tool can be used to perform RPM packages upgrades: ... Detailed instructions reagarding the use of apt and upgrade examples ...
(Bugtraq)
[CLA-2003:751] Conectiva Security Announcement - openssl
... SUMMARY: Remote vulnerabilities ... in the OpenSSL implementation: ... It is recommended that all users upgrade their openssl packages. ... Detailed instructions reagarding the use of apt and upgrade examples ...
(Bugtraq)