Gentoo Archives: gentoo-announce

From: Rajiv Aaron Manglani <rajiv@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] GLSA: hylafax (200311-03)
Date: Thu, 20 Nov 2003 07:53:29
Message-Id: a0521060bbbe2214c14b9@[10.96.0.12]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- ---------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200311-03
- ---------------------------------------------------------------------------

GLSA: 200311-03
package: net-misc/hylafax
summary: Remote code exploit in hylafax
severity: normal
Gentoo bug: 33368
date: 2003-11-10
CVE: CAN-2003-0886
exploit: remote
affected: <=4.1.7
fixed: >=4.1.8

DESCRIPTION:

During a code review of the hfaxd server, the SuSE Security Team discovered a
format bug condition that allows a remote attacker to execute arbitrary code
as the root user. However, the bug cannot be triggered in the default hylafax
configuration.

SuSE-SA:2003:045 outlines the problem, and is available at
http://lwn.net/Articles/57562/

SOLUTION:

Users are encouraged to perform an 'emerge --sync' and upgrade the package to
the latest available version. Vulnerable versions of hylafax have been
removed from portage. Specific steps to upgrade:

emerge --sync
emerge '>=net-misc/hylafax-4.1.8'
emerge clean

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/vHEAnt0v0zAqOHYRAlCAAKCLwz7O2bjXT4nIPoJNWYNfaoVURgCgkGtd
b5odwnwTh5KQwRIIq7WzYPM=
=D1ou
-----END PGP SIGNATURE-----