(fwd) Security Update: security problem in traceroute
[This message is for traceroute for Caldera, but most Linux
distributions are vulnerable. Please upgrade if you have traceroute
installed on your system -- Raju]
This is an RFC 1153 digest.
(1 message)
----------------------------------------------------------------------
Return-Path: <BUGTRAQ@xxxxxxxxxxxxxxxxx>
Approved-By: aleph1@xxxxxxxxxxxxxxxxx
Delivered-To: bugtraq@xxxxxxxxxxxxxxxxxxxxxxx
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.6us
Message-ID: <20000929135349.A6881@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Reply-To: Caldera Support Info <sup-info@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
X-To: announce@xxxxxxxxxxxxxxxxxxxxxxxx, linux-security@xxxxxxxxxx,
linuxlist@xxxxxxxxxxxxxxxxxx
From: Caldera Support Info <sup-info@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: Bugtraq List <BUGTRAQ@xxxxxxxxxxxxxxxxx>
To: BUGTRAQ@xxxxxxxxxxxxxxxxx
Subject: Security Update: security problem in traceroute
Date: Fri, 29 Sep 2000 13:53:49 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
Caldera Systems, Inc. Security Advisory
Subject: security problem in traceroute
Advisory number: CSSA-2000-034.0
Issue date: 2000 September, 29
Cross reference:
______________________________________________________________________________
1. Problem Description
There is a bug in the traceroute command that can possibly be used
by local users to obtain super user privilege.
There are no exploits available so far, but we encourage our customers
to upgrade nevertheless.
2. Vulnerable Versions
System                      Package
-----------------------------------------------------------
OpenLinux Desktop 2.3       All packages previous to
                            traceroute-1.4a5-9

OpenLinux eServer 2.3       All packages previous to
and OpenLinux eBuilder      traceroute-1.4a5-9

OpenLinux eDesktop 2.4      All packages previous to
                            traceroute-1.4a5-9
3. Solution
Workaround:

Remove the setuid bit from traceroute

    chmod u-s /usr/sbin/traceroute

or uninstall it entirely:

    rpm -e traceroute

The proper solution is to upgrade to the fixed packages.
4. OpenLinux Desktop 2.3
4.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS
4.2 Verification
10a0865014f9a7adde15b1273a613672 RPMS/traceroute-1.4a5-9.i386.rpm
9bccc641518d1e2726b61911913006ba SRPMS/traceroute-1.4a5-9.src.rpm
4.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
    rpm -Fhv traceroute-1.4a5-9.i386.rpm
5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0
5.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS
5.2 Verification
8f65446f8da688c94d7a1090579b987c RPMS/traceroute-1.4a5-9.i386.rpm
9bccc641518d1e2726b61911913006ba SRPMS/traceroute-1.4a5-9.src.rpm
5.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
    rpm -Fhv traceroute-1.4a5-9.i386.rpm
6. OpenLinux eDesktop 2.4
6.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS
6.2 Verification
45cd9ac95771a444ace0e2275789ba11 RPMS/traceroute-1.4a5-9.i386.rpm
9bccc641518d1e2726b61911913006ba SRPMS/traceroute-1.4a5-9.src.rpm
6.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
    rpm -Fhv traceroute-1.4a5-9.i386.rpm
7. References
This and other Caldera security resources are located at:
http://www.calderasystems.com/support/security/index.html
This security fix closes Caldera's internal Problem Report 7927.
8. Disclaimer
Caldera Systems, Inc. is not responsible for the misuse of any of the
information we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended to
promote secure installation and use of Caldera OpenLinux.
9. Acknowledgements
Thanks to Pekka Savola <pekkas@xxxxxxxxxx> for discovering the bug,
and to Chris Evans <chris@xxxxxxxxxxxxxxxx>.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE51Jk118sy83A/qfwRAn/xAJ9jjBxGq7hmUC/wmJ4WnONm+5PcSwCfXdOK
F2BtVam2XeK9tCdUb9m68Mo=
=Xetc
-----END PGP SIGNATURE-----
------------------------------
End of this Digest
******************
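
The workaround in section 3 and the checksum lines in the Verification sections can be scripted as below. This is an added example, not part of Caldera's advisory; it assumes the 32-hex-digit values are MD5 digests, that `md5sum` is installed, and that the advisory's `digest path` lines have been saved to a manifest file (the function names and the manifest are hypothetical).

```shell
#!/bin/sh
# Added example, not from the advisory. Assumes the Verification values are
# MD5 digests and that a manifest file holds the advisory's "digest path" lines.

# Succeeds if the file exists and still has the setuid bit set.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Advisory workaround: clear the setuid bit, then confirm it is really gone.
drop_setuid() {
    is_setuid "$1" || return 0          # already safe, nothing to do
    chmod u-s "$1" && ! is_setuid "$1"
}

# Print the expected digest for a package path listed in the manifest.
# Fails (non-zero) when the manifest has no entry for that path.
expected_digest() {
    manifest=$1 name=$2
    awk -v n="$name" '$2 == n { print $1; found = 1; exit }
                      END { exit !found }' "$manifest"
}

# Check a downloaded file against its manifest entry before installing.
# Returns 0 on match, 1 on mismatch, 2 if the file or the entry is missing.
verify_package() {
    manifest=$1 name=$2 file=$3
    [ -r "$file" ] || return 2
    want=$(expected_digest "$manifest" "$name") || return 2
    have=$(md5sum "$file" | awk '{ print $1 }')
    [ "$(printf %s "$want" | tr 'A-F' 'a-f')" = "$have" ]
}

# Typical use with the advisory's names (manifest.txt is a hypothetical file):
#   verify_package manifest.txt RPMS/traceroute-1.4a5-9.i386.rpm \
#       ./traceroute-1.4a5-9.i386.rpm && rpm -Fhv traceroute-1.4a5-9.i386.rpm
#   drop_setuid /usr/sbin/traceroute   # only if the upgrade cannot be applied yet
```

A return value of 1 from `verify_package` means the download does not match the published value and should not be passed to `rpm -Fhv`.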