1 |
------------------------------------------------------------------------------- |
2 |
GENTOO LINUX SECURITY ANNOUNCEMENT 200310-2 |
3 |
------------------------------------------------------------------------------- |
4 |
Package : cfengine |
5 |
Summary : stack overflow in cfengine network code |
6 |
Date : 2003-10-04 23:30 UTC |
7 |
Exploit : remote |
8 |
Versions Affected : < 2.0.8, 2.1.0a6-a9 |
9 |
Fixed Version : >= 2.0.8, >=2.1.0b1 |
10 |
Gentoo Bug ID : 28910 |
11 |
CVE : we are not aware of any at this time |
12 |
------------------------------------------------------------------------------- |
13 |
|
14 |
DESCRIPTION |
15 |
=========== |
16 |
|
17 |
From the bugtraq posting: |
18 |
|
19 |
"There is an exploitable stack overflow in the network I/O code used in the |
20 |
cfservd daemon in Cfengine 2.x prior to version 2.0.8. Arbitrary code |
21 |
execution has been demonstrated on x86 FreeBSD and is believed to be |
22 |
possible on all platforms. |
23 |
|
24 |
Cfengine 1 is not vulnerable, but downgrading is not recommended as version |
25 |
1 is nolonger supported by the author." |
26 |
|
27 |
Read the full advisory at: |
28 |
http://packetstormsecurity.nl/0309-advisories/cfengine.txt |
29 |
|
30 |
|
31 |
SOLUTION |
32 |
======== |
33 |
|
34 |
It is recommended that all Gentoo Linux users who are using |
35 |
net-misc/cfengine upgrade to a fixed version. |
36 |
|
37 |
emerge sync |
38 |
emerge -p cfengine |
39 |
emerge cfengine |
40 |
emerge clean |
41 |
|
42 |
--------------------------------------------------------------------------- |
43 |
Kurt Lieber |
44 |
klieber@g.o |
45 |
|
46 |
GPG Key is available at http://dev.gentoo.org/~klieber/klieber.gpg |
47 |
--------------------------------------------------------------------------- |