lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030618040930.GR13593__14755.2978400656$1055951801@alcor.net>
Date: Wed, 18 Jun 2003 00:09:30 -0400
From: Matt Zimmerman <mdz@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA-324-1] New ethereal packages fix multiple vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 324-1                     security@...ian.org
http://www.debian.org/security/                             Matt Zimmerman
June 18th, 2003                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : ethereal
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE Ids        : CAN-2003-0428 CAN-2003-0429 CAN-2003-0431 CAN-2003-0432

Several of the packet dissectors in ethereal contain string handling
bugs which could be exploited using a maliciously crafted packet to
cause ethereal to consume excessive amounts of memory, crash, or
execute arbitrary code.

These vulnerabilites were announced in the following Ethereal security
advisory:

http://www.ethereal.com/appnotes/enpa-sa-00010.html

Ethereal 0.9.4 in Debian 3.0 (woody) is affected by most of the
problems described in the advisory, including:

    * The DCERPC dissector could try to allocate too much memory
      while trying to decode an NDR string.
    * Bad IPv4 or IPv6 prefix lengths could cause an overflow in the
      OSI dissector.
    * The tvb_get_nstringz0() routine incorrectly handled a
      zero-length buffer size.
    * The BGP, WTP, DNS, 802.11, ISAKMP, WSP, CLNP, and ISIS
      dissectors handled strings improperly. 

The following problems do NOT affect this version:

    * The SPNEGO dissector could segfault while parsing an invalid
      ASN.1 value.
    * The RMI dissector handled strings improperly

as these modules are not present.

For the stable distribution (woody) these problems have been fixed in
version 0.9.4-1woody5.

The old stable distribution (potato) these problems will be fixed in a
future advisory.

For the unstable distribution (sid) these problems are fixed in
version 0.9.13-1.

We recommend that you update your ethereal package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5.dsc
      Size/MD5 checksum:      679 fb98a4629ed5c2a09188264978e235cb
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5.diff.gz
      Size/MD5 checksum:    36263 4db84b40ff262dc4fa536bcbb215eb2b
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4.orig.tar.gz
      Size/MD5 checksum:  3278908 42e999daa659820ee93aaaa39ea1e9ea

  Alpha architecture:

    http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_alpha.deb
      Size/MD5 checksum:  1938816 8e4a1ce81eb9f19d45c01e590d9a377e
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_alpha.deb
      Size/MD5 checksum:   334136 08bf42a6d7dbb50692d708d7a9197d87
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_alpha.deb
      Size/MD5 checksum:   221920 ee4403d6c0b7c07c83eec534988a84ee
    http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_alpha.deb
      Size/MD5 checksum:  1705816 7ee849802d94d148a14119f76992b2f0

  ARM architecture:

    http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_arm.deb
      Size/MD5 checksum:  1633896 0abfa9d3c0eb5db8321a6762ab9dfa7b
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_arm.deb
      Size/MD5 checksum:   297150 bfbad9f07fab5ab34a6eab1ef8e5953d
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_arm.deb
      Size/MD5 checksum:   205828 ea7d760224ab01952527eacbc4587d20
    http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_arm.deb
      Size/MD5 checksum:  1438470 4f1f6d0135cbfc0044c688c39a956bea

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_i386.deb
      Size/MD5 checksum:  1511912 5c1107c1016a8025e5b1d56eeccf84df
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_i386.deb
      Size/MD5 checksum:   286266 9c979f57424b5d55c5de6621098e96d2
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_i386.deb
      Size/MD5 checksum:   198218 c49c94d9dc7312668c9b48a550df6a1c
    http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_i386.deb
      Size/MD5 checksum:  1324568 9aeb2ffbc5277b3196b83e6d38b53621

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_ia64.deb
      Size/MD5 checksum:  2149036 c68b86189746723e62bf08368bce227b
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_ia64.deb
      Size/MD5 checksum:   372962 9247b82b07d2eb11446fdce5f88983dc
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_ia64.deb
      Size/MD5 checksum:   233512 c030461e088a87758a4ba9935f0733e1
    http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_ia64.deb
      Size/MD5 checksum:  1859410 ab7f2190f094c3b8e67d56ff49045b9a

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_hppa.deb
      Size/MD5 checksum:  1802910 eb690bcb02ebf1c750205177cb248f72
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_hppa.deb
      Size/MD5 checksum:   322214 5ee2178f9c733121c7a1f0d524627880
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_hppa.deb
      Size/MD5 checksum:   216700 fa66e8a08983e09421560bd10f3c3965
    http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_hppa.deb
      Size/MD5 checksum:  1574692 b336a02e18c9f495960a9d0dec3d8e45

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_m68k.deb
      Size/MD5 checksum:  1423170 d59023d4c5cdf8dde7d3bfe8cc33d587
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_m68k.deb
      Size/MD5 checksum:   282466 6c85c7db7c36488746ef3f1e4a18d186
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_m68k.deb
      Size/MD5 checksum:   194916 d33873842e7080c48de9e9c337c76c79
    http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_m68k.deb
      Size/MD5 checksum:  1247402 58295f85485a65b3f65e2f4af5ef5961

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_mips.deb
      Size/MD5 checksum:  1616264 7d0870d9b8b38f03a0a380996dfa33f9
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_mips.deb
      Size/MD5 checksum:   305088 295015eb873bfb754e75c1396e752243
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_mips.deb
      Size/MD5 checksum:   213484 8d0afae76790f5fdbebfd785bd3e0eb5
    http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_mips.deb
      Size/MD5 checksum:  1421086 ecfbd6ffa565b529da0e654f344a1d55

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_mipsel.deb
      Size/MD5 checksum:  1596546 b84b95c09877df3556a688045c99c260
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_mipsel.deb
      Size/MD5 checksum:   304588 762bfcd3d71a6baec47e2e1faec0ef4c
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_mipsel.deb
      Size/MD5 checksum:   213108 666e6babaccfceda951053a9e03d5e77
    http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_mipsel.deb
      Size/MD5 checksum:  1405282 93b65858bfce3a879a05de921f2b0adc

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_powerpc.deb
      Size/MD5 checksum:  1616884 20f757b5b8bbdd9c604741f0a4e6f844
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_powerpc.deb
      Size/MD5 checksum:   301724 96ce6842b578c13330879589a1692d47
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_powerpc.deb
      Size/MD5 checksum:   208664 de9e536ef2560206395d9ede28c4aeef
    http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_powerpc.deb
      Size/MD5 checksum:  1418060 f28e69f82efff9434c37ac70f9f6af86

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_s390.deb
      Size/MD5 checksum:  1573598 a93240eca8bb226a0ad8bcabc6a6c5a3
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_s390.deb
      Size/MD5 checksum:   300554 a239b466decac0566be563242665d1aa
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_s390.deb
      Size/MD5 checksum:   203712 94f12ad0a3961df640587313f2b20b6a
    http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_s390.deb
      Size/MD5 checksum:  1386068 6401707646ae88c8220e5c6143a9c40b

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_sparc.deb
      Size/MD5 checksum:  1581564 c60e1b864726561eea77d65c6c3d4da3
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_sparc.deb
      Size/MD5 checksum:   317866 16956acf9b44bf36174733cd620348d3
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_sparc.deb
      Size/MD5 checksum:   204488 a5bccb53d6e679c552cb0093936c0e69
    http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_sparc.deb
      Size/MD5 checksum:  1388806 429a6f0c8c4ff5443dbabd94610998aa

These files will probably be moved into the stable distribution on its
next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+7+WgArxCt0PiXR4RApkaAJoCsrPE4mkvcm+XN8vAGLkpuJ2USwCghY7p
Bav/5pgLLDta0TotoscgwJk=
=IzRs
-----END PGP SIGNATURE-----



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ