8040648 2002-02-20 10:24 -0700 /263 lines/ Support Info <supinfo@caldera.com>
Sent by: joel@lysator.liu.se
Imported: 2002-02-22 15:39 by Brevbäraren
External recipient: announce@lists.caldera.com
External recipient: bugtraq@securityfocus.com
External recipient: linux-security@redhat.com
External recipient: linuxlist@securityportal.com
Recipient: Bugtraq (import) <21095>
Subject: Security Update: [CSSA-2002-004.0] Linux - Various security problems in ucd-snmp
------------------------------------------------------------
From: Support Info <supinfo@caldera.com>
To: announce@lists.caldera.com, bugtraq@securityfocus.com,
linux-security@redhat.com, linuxlist@securityportal.com
Message-ID: <20020220102400.A21197@phoenix.calderasystems.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
Caldera International, Inc. Security Advisory
Subject: Linux - Various security problems in ucd-snmp
Advisory number: CSSA-2002-004.0
Issue date: 2002, January 22
Cross reference:
______________________________________________________________________________
1. Problem Description
Researchers at the University of Oulu, Finland, discovered
several remotely exploitable vulnerabilities in ucd-snmp. This
security update fixes these vulnerabilities. This update also
contains a patch from the SuSE security team that cleans up a
number of unchecked memory operations.
2. Vulnerable Versions
System                                           Package
---------------------------------------------------------------------------------------------
OpenLinux 2.3                                    not vulnerable
OpenLinux eServer 2.3.1 and OpenLinux eBuilder   All packages previous to ucd-snmp-4.2.1-17
OpenLinux eDesktop 2.4                           not vulnerable
OpenLinux Server 3.1                             All packages previous to ucd-snmp-4.2.1-17
OpenLinux Workstation 3.1                        All packages previous to ucd-snmp-4.2.1-17
OpenLinux 3.1 IA64                               not vulnerable
OpenLinux Server 3.1.1                           All packages previous to ucd-snmp-4.2.1-17
OpenLinux Workstation 3.1.1                      All packages previous to ucd-snmp-4.2.1-17
3. Solution
Workaround
none
The proper solution is to upgrade to the latest packages.
4. OpenLinux 2.3
not vulnerable
5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0
5.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS
5.2 Verification
39455abae12c26af0767e73ce5fa21ba  RPMS/ucd-snmp-4.2.1-17.i386.rpm
2a13a2370c9da23d09a9fdfb94242cb0  RPMS/ucd-snmp-devel-4.2.1-17.i386.rpm
552a1f07b57743ea2f83a77878f8b307  RPMS/ucd-snmp-tkmib-4.2.1-17.i386.rpm
02914263b92c14023b6a8a986739975a  RPMS/ucd-snmp-utils-4.2.1-17.i386.rpm
6f3b52721566b814f3937f135a82c6f5  SRPMS/ucd-snmp-4.2.1-17.src.rpm
5.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh ucd-snmp-4.2.1-17.i386.rpm \
ucd-snmp-devel-4.2.1-17.i386.rpm \
ucd-snmp-tkmib-4.2.1-17.i386.rpm \
ucd-snmp-utils-4.2.1-17.i386.rpm
6. OpenLinux eDesktop 2.4
not vulnerable
7. OpenLinux 3.1 Server
7.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS
7.2 Verification
e1f2eab37121fd66aefab49da3f6173b  RPMS/ucd-snmp-4.2.1-17.i386.rpm
ad7405f4578ca3f25a56d8e5d96020bb  RPMS/ucd-snmp-devel-4.2.1-17.i386.rpm
980115ed7580c8a772e8111ad1494067  RPMS/ucd-snmp-tkmib-4.2.1-17.i386.rpm
48f82f6ee0561fc0961cf99e471a14de  RPMS/ucd-snmp-utils-4.2.1-17.i386.rpm
6f3b52721566b814f3937f135a82c6f5  SRPMS/ucd-snmp-4.2.1-17.src.rpm
7.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh ucd-snmp-4.2.1-17.i386.rpm \
ucd-snmp-devel-4.2.1-17.i386.rpm \
ucd-snmp-tkmib-4.2.1-17.i386.rpm \
ucd-snmp-utils-4.2.1-17.i386.rpm
8. OpenLinux 3.1 Workstation
8.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS
8.2 Verification
e1f2eab37121fd66aefab49da3f6173b  RPMS/ucd-snmp-4.2.1-17.i386.rpm
ad7405f4578ca3f25a56d8e5d96020bb  RPMS/ucd-snmp-devel-4.2.1-17.i386.rpm
980115ed7580c8a772e8111ad1494067  RPMS/ucd-snmp-tkmib-4.2.1-17.i386.rpm
48f82f6ee0561fc0961cf99e471a14de  RPMS/ucd-snmp-utils-4.2.1-17.i386.rpm
6f3b52721566b814f3937f135a82c6f5  SRPMS/ucd-snmp-4.2.1-17.src.rpm
8.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh ucd-snmp-4.2.1-17.i386.rpm \
ucd-snmp-devel-4.2.1-17.i386.rpm \
ucd-snmp-tkmib-4.2.1-17.i386.rpm \
ucd-snmp-utils-4.2.1-17.i386.rpm
9. OpenLinux 3.1 IA64
not vulnerable
10. OpenLinux 3.1.1 Server
10.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS
10.2 Verification
0bf1e8d5ec70518f2b548871fb1d00b7  RPMS/ucd-snmp-4.2.1-17.i386.rpm
7b8f7fd19b3a0dd61a1113e3d12bd00d  RPMS/ucd-snmp-devel-4.2.1-17.i386.rpm
b0bf4250ba668660b0c9d859d164e918  RPMS/ucd-snmp-tkmib-4.2.1-17.i386.rpm
df84f06b86e973ee8d38f5f995fa7905  RPMS/ucd-snmp-utils-4.2.1-17.i386.rpm
6f3b52721566b814f3937f135a82c6f5  SRPMS/ucd-snmp-4.2.1-17.src.rpm
10.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh ucd-snmp-4.2.1-17.i386.rpm \
ucd-snmp-devel-4.2.1-17.i386.rpm \
ucd-snmp-tkmib-4.2.1-17.i386.rpm \
ucd-snmp-utils-4.2.1-17.i386.rpm
11. OpenLinux 3.1.1 Workstation
11.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS
11.2 Verification
0bf1e8d5ec70518f2b548871fb1d00b7  RPMS/ucd-snmp-4.2.1-17.i386.rpm
7b8f7fd19b3a0dd61a1113e3d12bd00d  RPMS/ucd-snmp-devel-4.2.1-17.i386.rpm
b0bf4250ba668660b0c9d859d164e918  RPMS/ucd-snmp-tkmib-4.2.1-17.i386.rpm
df84f06b86e973ee8d38f5f995fa7905  RPMS/ucd-snmp-utils-4.2.1-17.i386.rpm
6f3b52721566b814f3937f135a82c6f5  SRPMS/ucd-snmp-4.2.1-17.src.rpm
11.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh ucd-snmp-4.2.1-17.i386.rpm \
ucd-snmp-devel-4.2.1-17.i386.rpm \
ucd-snmp-tkmib-4.2.1-17.i386.rpm \
ucd-snmp-utils-4.2.1-17.i386.rpm
12. References
This and other Caldera security resources are located at:
http://www.caldera.com/support/security/index.html
This security fix closes Caldera's internal Problem Report 10987.
13. Disclaimer
Caldera International, Inc. is not responsible for the misuse of
any of the information we provide on this website and/or through
our security advisories. Our advisories are a service to our
customers intended to promote secure installation and use of
Caldera OpenLinux.
14. Acknowledgements
Caldera International wishes to thank the Secure Programming
Research Group at Oulu University for their work, and for sharing
their research results in this fashion. We also wish to thank
Thomas Biege at SuSE for his additional patches.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE8XrgL18sy83A/qfwRAuhgAJ9gtSLdWozsFnY3ofHp9MGhSrMJSwCfWfj2
OoEiOStF4FrXEhw3dlZuH6Q=
=pLMu
-----END PGP SIGNATURE-----
(8040648) /Support Info <supinfo@caldera.com>/(Rewrapped)