lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <42D2F289.7050409@videotron.ca>
Date: Mon Jul 11 23:30:40 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Subject: [FLSA-2005:152583] Updated telnet packages fix
	security issues

---------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis:          Updated telnet packages fix security issues
Advisory ID:       FLSA:152583
Issue date:        2005-07-11
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CAN-2005-0468 CAN-2005-0469
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

Updated telnet packages that fix two buffer overflow vulnerabilities are
now available.

The telnet package provides a command line telnet client. The telnet-
server package includes a telnet daemon, telnetd, that supports remote
login to the host machine.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

Two buffer overflow flaws were discovered in the way the telnet client
handles messages from a server. An attacker may be able to execute
arbitrary code on a victim's machine if the victim can be tricked into
connecting to a malicious telnet server. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the names CAN-2005-0468
and CAN-2005-0469 to these issues.

Users of telnet should upgrade to this updated package, which contains
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152583

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/telnet-0.17-20.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/telnet-0.17-20.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/telnet-server-0.17-20.1.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/telnet-0.17-25.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/telnet-0.17-25.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/telnet-server-0.17-25.1.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/telnet-0.17-26.2.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/telnet-0.17-26.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/telnet-server-0.17-26.2.1.legacy.i386.rpm


7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------

eb72994dc7fa63672d461f1b80189e450b7dc7ab
redhat/7.3/updates/i386/telnet-0.17-20.1.legacy.i386.rpm
ae27914b4039594609d14d209c466f78b09649d4
redhat/7.3/updates/i386/telnet-server-0.17-20.1.legacy.i386.rpm
3e426f9573240179fb31d5407ef9a25b82b836ec
redhat/7.3/updates/SRPMS/telnet-0.17-20.1.legacy.src.rpm
114ead8f946fd9f50f88ed017f03a2302647ebd1
redhat/9/updates/i386/telnet-0.17-25.1.legacy.i386.rpm
e5c31fdc2b08cd4a5614101be249a4888d87ded0
redhat/9/updates/i386/telnet-server-0.17-25.1.legacy.i386.rpm
acf5dc1ab3bbe1d704963eefe79fb66521a012da
redhat/9/updates/SRPMS/telnet-0.17-25.1.legacy.src.rpm
3298baa93d57f2caa2110bc83ae45731fc8c41e7
fedora/1/updates/i386/telnet-0.17-26.2.1.legacy.i386.rpm
208769de63330b46785dbe0b23502c37307dfa65
fedora/1/updates/i386/telnet-server-0.17-26.2.1.legacy.i386.rpm
58836e7c8741f08c5da712f6dc7cbd3d7a5581e8
fedora/1/updates/SRPMS/telnet-0.17-26.2.1.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

    sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469

9. Contact:

The Fedora Legacy security contact is <secnotice@...oralegacy.org>. More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050711/33fe44be/signature.bin

Powered by blists - more mailing lists