Gentoo Archives: gentoo-announce

From: Andrea Barisani <lcars@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] GLSA: ethereal (200311-04)
Date: Mon, 24 Nov 2003 17:58:19
Message-Id: 20031124174148.GC19297@emu.gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- - ---------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200311-04
- - ---------------------------------------------------------------------------

GLSA: 200311-04
package: net-analyzer/ethereal
summary: Security problems in Ethereal 0.9.15
severity: normal
Gentoo bug: 32691
date: 2003-11-22
CVE: none
exploit: remote
affected: <0.9.16
fixed: >=0.9.16

DESCRIPTION:


Quote from <http://www.ethereal.com/appnotes/enpa-sa-00011.html>:

Potential security issues have been discovered in the following protocol
dissectors:

* An improperly formatted GTP MSISDN string could cause a buffer
  overflow.

* A malformed ISAKMP or MEGACO packet could make Ethereal or
  Tethereal crash.

* The SOCKS dissector was susceptible to a heap overflow.

Impact:

It may be possible to make Ethereal crash or run arbitrary code
by injecting a purposefully malformed packet onto the wire, or
by convincing someone to read a malformed packet trace file.

Resolution:

Upgrade to 0.9.16.

If you are running a version prior to 0.9.16 and you cannot
upgrade, you can disable the GTP, ISAKMP, MEGACO, and SOCKS
protocol dissectors by selecting Edit->Protocols... and
deselecting them from the list.


SOLUTION:


It is recommended that all Gentoo Linux users who are running
net-analyzer/ethereal 0.9.x upgrade:

    emerge sync
    emerge '>=net-analyzer/ethereal-0.9.16'
    emerge clean


- --
Andrea Barisani <lcars@g.o> .*.
Gentoo Linux Infrastructure Developer V
( )
GPG-Key 0xC9EE0905 http://dev.gentoo.org/~lcars/pubkey.asc ( )
491D E9E0 3875 0EC9 10DD 150B CAA9 2C7D C9EE 0905 ^^_^^


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/wi7qyqksfcnuCQURAtzrAJ9aRrV+aALW2vrSlcdgZmKshnS3kACfVz2E
IZI8yNOWjMb81RRpK6IY+wE=
=IPJD
-----END PGP SIGNATURE-----
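
Added example, not part of the advisory or of any Gentoo tool: a shell sketch that classifies installed Ethereal versions against the "affected:" and "fixed:" header fields above, comparing version components numerically so that 0.9.9 is not mistaken for newer than 0.9.16. The function names, the embedded header copy and the version inventory are constructed for illustration; only plain dotted-numeric versions are handled.

```shell
#!/bin/sh
# Added example: triage versions against a GLSA's affected/fixed fields.
# Assumption: versions are plain dotted numbers (0.9.15); Portage suffixes
# such as _rc1 or -r2 are reported as "unknown" rather than guessed at.

# Constructed sample input: the two range lines copied from this GLSA.
GLSA_HEADER='affected: <0.9.16
fixed: >=0.9.16'

# ver_cmp A B: print -1, 0 or 1, comparing component by component as integers.
ver_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}          # missing components count as 0
        if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
        if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
    done
    echo 0
}

# atom_matches ATOM VERSION: succeed if VERSION satisfies e.g. "<0.9.16".
atom_matches() {
    op=${1%%[0-9]*}; want=${1#"$op"}
    c=$(ver_cmp "$2" "$want")
    case $op in
        '<')    [ "$c" -lt 0 ] ;;
        '<=')   [ "$c" -le 0 ] ;;
        '>')    [ "$c" -gt 0 ] ;;
        '>=')   [ "$c" -ge 0 ] ;;
        '='|'') [ "$c" -eq 0 ] ;;
        *)      return 2 ;;
    esac
}

# glsa_status VERSION: print vulnerable, fixed or unknown.
glsa_status() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;; esac
    affected=$(printf '%s\n' "$GLSA_HEADER" | sed -n 's/^affected: *//p')
    fixed=$(printf '%s\n' "$GLSA_HEADER" | sed -n 's/^fixed: *//p')
    if atom_matches "$affected" "$1"; then echo vulnerable
    elif atom_matches "$fixed" "$1"; then echo fixed
    else echo unknown; fi
}

# Constructed inventory of installed versions.
for v in 0.9.9 0.9.15 0.9.16 0.10.0 0.9.15_rc1; do
    printf '%-12s %s\n' "$v" "$(glsa_status "$v")"
done
```

Hosts reported as vulnerable that cannot be upgraded still need the dissector workaround quoted in the advisory.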