Gentoo Archives: gentoo-announce

From: Kurt Lieber <klieber@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] GLSA: cfengine (200310-02)
Date: Sun, 05 Oct 2003 16:08:57
Message-Id: 20031005160704.GH10917@mail.lieber.org
1 -------------------------------------------------------------------------------
2 GENTOO LINUX SECURITY ANNOUNCEMENT 200310-2
3 -------------------------------------------------------------------------------
4 Package : cfengine
5 Summary : stack overflow in cfengine network code
6 Date : 2003-10-04 23:30 UTC
7 Exploit : remote
8 Versions Affected : < 2.0.8, 2.1.0a6-a9
9 Fixed Version : >= 2.0.8, >=2.1.0b1
10 Gentoo Bug ID : 28910
11 CVE : we are not aware of any at this time
12 -------------------------------------------------------------------------------
13
14 DESCRIPTION
15 ===========
16
17 From the bugtraq posting:
18
19 "There is an exploitable stack overflow in the network I/O code used in the
20 cfservd daemon in Cfengine 2.x prior to version 2.0.8. Arbitrary code
21 execution has been demonstrated on x86 FreeBSD and is believed to be
22 possible on all platforms.
23
24 Cfengine 1 is not vulnerable, but downgrading is not recommended as version
25 1 is nolonger supported by the author."
26
27 Read the full advisory at:
28 http://packetstormsecurity.nl/0309-advisories/cfengine.txt
29
30
31 SOLUTION
32 ========
33
34 It is recommended that all Gentoo Linux users who are using
35 net-misc/cfengine upgrade to a fixed version.
36
37 emerge sync
38 emerge -p cfengine
39 emerge cfengine
40 emerge clean
41
42 ---------------------------------------------------------------------------
43 Kurt Lieber
44 klieber@g.o
45
46 GPG Key is available at http://dev.gentoo.org/~klieber/klieber.gpg
47 ---------------------------------------------------------------------------