Gentoo Archives: gentoo-dev

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-security@g.o
Cc: gentoo-user@g.o, gentoo-dev@g.o, gentoo-desktop@g.o, gentooppc-user@g.o, gentooppc-dev@g.o, gentoo-sparc@g.o, gentoo-announce@g.o
Subject: [gentoo-dev] GLSA: xinetd
Date: Wed, 14 Aug 2002 04:29:22
Message-Id: 200208141115.44005.aliz@gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
- - --------------------------------------------------------------------

PACKAGE :xinetd
SUMMARY :pipe exposure
DATE :2002-08-14 08:40 UTC

- - --------------------------------------------------------------------

OVERVIEW

File descriptors introduced in 2.3.4 can be used to crash xinetd
resulting in a denial of service.

DETAIL

Solar Designer found a vulnerability in xinetd, a replacement for the
BSD derived inetd. File descriptors for the signal pipe introduced in
version 2.3.4 are leaked into services started from xinetd. The
descriptors could be used to talk to xinetd resulting in crashing it
entirely. This is usually called a denial of service.

SOLUTION

It is recommended that all Gentoo Linux users who are running
sys-apps/xinetd-2.3.5 and earlier update their systems as follows.

emerge rsync
emerge xinetd
emerge clean

xinetd-2.3.7 is currently only available for x86. Sparc and ppc will
be available when it's been tested on these archs.

- - --------------------------------------------------------------------
Daniel Ahlberg
aliz@g.o
- - --------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9Wh+4fT7nyhUpoZMRAmdAAJ0a+G6wsTrpxl/KLH8A03XXDfQgHACggUqw
1xtIcSrLOLwAyv9aain+tDk=
=GYvc
-----END PGP SIGNATURE-----
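
The leak described under DETAIL is a case of descriptor inheritance across fork and exec. The C program below is an added example, not xinetd source and not the change shipped in 2.3.7: it creates a stand-in pipe, starts /bin/sh as a stand-in service, and reports whether that service still holds the pipe, first by default and then with FD_CLOEXEC set, one standard way to keep a daemon's internal descriptors out of its children. The function names and the shell probe are assumptions of the example.

```c
/* Added example: descriptor inheritance across fork+exec (not xinetd source). */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark a descriptor close-on-exec so exec'd services never inherit it. */
static int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Create a stand-in "signal pipe", start a stand-in service with fork+exec,
 * and report whether the service still holds the pipe's write end.
 * Returns 1 = leaked into the service, 0 = not inherited, -1 = error. */
int pipe_leaks_into_service(int harden)
{
    int p[2], status, result = -1;
    char probe[64];
    pid_t pid;

    if (pipe(p) < 0)
        return -1;
    /* POSIX sh only guarantees single-digit descriptors in ">&N". */
    if (p[1] > 9 || (harden && (set_cloexec(p[0]) < 0 || set_cloexec(p[1]) < 0)))
        goto out;
    /* The service only checks that the descriptor is open; it writes nothing. */
    snprintf(probe, sizeof probe, "exec 2>/dev/null; : >&%d", p[1]);
    pid = fork();
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", probe, (char *)NULL);
        _exit(127);                         /* exec itself failed */
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid &&
        WIFEXITED(status) && WEXITSTATUS(status) != 127)
        result = (WEXITSTATUS(status) == 0); /* redirect succeeds only if fd is open */
out:
    close(p[0]);
    close(p[1]);
    return result;
}

int main(void)
{
    printf("default pipe inherited by service:    %d\n", pipe_leaks_into_service(0));
    printf("FD_CLOEXEC pipe inherited by service: %d\n", pipe_leaks_into_service(1));
    return 0;
}
```

On a running system the same condition can be audited by listing the open descriptors of a service spawned by the daemon and checking for pipes the service never opened itself.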