SuSE Security Announcement: Resolver (SuSE-SA:2002:026)
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SuSE Security Announcement
Package: bind, glibc
Announcement-ID: SuSE-SA:2002:026
Date: Tue Jul 09 2002
Affected products: 7.0, 7.1, 7.2, 7.3, 8.0
SuSE Linux Enterprise Server for S/390,
SuSE Linux Database Server,
SuSE eMail Server III,
SuSE Linux Enterprise Server,
SuSE Linux Firewall on CD
Vulnerability Type: buffer overflow
Severity (1-10): 3
SuSE default package: yes
Cross References: CERT CA-2002-19; CVE CAN-2002-0651
Content of this advisory:
1) security vulnerability resolved: buffer overflow in
dig, host, and nslookup utilities.
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
A vulnerability has been discovered in some resolver library
functions. The affected code goes back to the resolver library
shipped as part of BIND4; code derived from it has been included
in later BIND releases as well as the GNU libc.
The bug itself is a buffer overflow that can be triggered if a
DNS server sends multiple CNAME records in a DNS response.
This bug has been fixed for the gethostbyXXX class of functions
in GNU libc in 1999. Unfortunately, there is similar code in the
getnetbyXXX functions in recent glibc implementations, and
the code is enabled by default. However, these functions are
used by very few applications only, such as ifconfig and ifuser,
which makes exploits less likely.
We will make updated glibc packages available as they have gone
through our build system, but without separate announcements.
Until glibc patches are available, we recommend that you disable
DNS lookups of network names in nsswitch.conf. Simply replace the
line containing the tag "networks:" with this line:
networks: files
In the unlikely event that you've configured any name to network
mapping via DNS, make sure you copy this information to
/etc/networks.
The resolver bug is also present in the libbind library included
in BIND. This library is used by utilities from the bindutil package.
We are therefore providing security updates for bind8 that
address this vulnerability. As communicated previously (1),
the SuSE security team is not providing fixes for BIND4 anymore.
The bind9 packages shipped by SuSE are not vulnerable.
Please download the update package for your distribution and
verify its integrity by the methods listed in section 3) of this
announcement.
Apply the updata packages (bindutil, bind8) package using
rpm -Fvh bind*.rpm
If you are running the BIND name server, you should restart the name
server process by issuing
rcnamed restart
Our maintenance customers are being notified individually. The
packages are being offered to install from the maintenance web.
References:
(1) http://www.suse.de/de/support/security/adv004_ssh.html
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
- There is a format string bug in the "nn" news reader that can
be exploited by a malicious NNTP server to execute arbitrary
commands within the client user's account. We will be releasing
updated packages.
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SuSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum
I don't see SLEM III updates available. As an aside, can you guys fix the fact that antivir and avmailgate want to 'upgrade' from 2.0.0.6-1 to 6.13.0.2-0 which is actually a downgrade? On Wed, Jul 10, 2002 at 09:18:56PM +0200, Olaf Kirch wrote:
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SuSE Security Announcement
Package: bind, glibc Announcement-ID: SuSE-SA:2002:026 Date: Tue Jul 09 2002 Affected products: 7.0, 7.1, 7.2, 7.3, 8.0 SuSE Linux Enterprise Server for S/390, SuSE Linux Database Server, SuSE eMail Server III, SuSE Linux Enterprise Server, SuSE Linux Firewall on CD Vulnerability Type: buffer overflow Severity (1-10): 3 SuSE default package: yes Cross References: CERT CA-2002-19; CVE CAN-2002-0651
Content of this advisory: 1) security vulnerability resolved: buffer overflow in dig, host, and nslookup utilities. problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds 3) standard appendix (further information)
______________________________________________________________________________
----- SNIP -----
--
Jeff Graham
No package description file for bindutil has been posted to the patches/ directory for 7.1, so YOU and fou4s will not pick this package up. -- Alan Hadsell If brute force doesn't work, you aren't using enough.
No package description file for bindutil has been posted to the patches/ directory for 7.1, so YOU and fou4s will not pick this package up. Don't think so ... my server (fou4s) notified me this night and bindutil update was available:
Name : bindutil Relocations: (not relocateable) Version : 8.2.3 Vendor: SuSE Linux AG, Nuernberg, Germany Release : 183 Build Date: Tue Jul 9 15:24:18 2002 Install date: Thu Jul 11 09:09:08 2002 Markus -- __________________ /"\ Markus Gaugusch \ / ASCII Ribbon Campaign markus@gaugusch.at X Against HTML Mail / \
Markus Gaugusch
No package description file for bindutil has been posted to the patches/ directory for 7.1, so YOU and fou4s will not pick this package up. Don't think so ... my server (fou4s) notified me this night and bindutil update was available:
Yes, there is something wierd here. I think that the package description file is named "bind", even though it is for package "bindutil". I was also updated. -- Alan Hadsell If brute force doesn't work, you aren't using enough.
On Jul 11, Alan Hadsell
Yes, there is something wierd here. I think that the package description file is named "bind", even though it is for package "bindutil". I was also updated. This is normal. The name of the package description does not have anything in common with the packages inside. For example, KDE update is in the package description file KDE_2.2.2-1, which contains many kde packages with different names.
regards, Markus Gaugusch -- __________________ /"\ Markus Gaugusch \ / ASCII Ribbon Campaign markus@gaugusch.at X Against HTML Mail / \
Markus Gaugusch
No package description file for bindutil has been posted to the patches/ directory for 7.1, so YOU and fou4s will not pick this package up. Don't think so ... my server (fou4s) notified me this night and bindutil update was available:
How can you get notified automatically of new updates being available? Self-crafted script or a utility from SuSE? Best regards from Bremen, Mit freundlichen Grüßen aus Bremen, Matthias Riese
Matthias Riese
Markus Gaugusch
writes: No package description file for bindutil has been posted to the patches/ directory for 7.1, so YOU and fou4s will not pick this package up. Don't think so ... my server (fou4s) notified me this night and bindutil update was available:
How can you get notified automatically of new updates being available? Self-crafted script or a utility from SuSE?
Ok, just found the FAQ. I thought fou4s was the hostname of your server.
Q14: What is the Fast OnlineUpdate and where do I get it? A14: The Fast OnlineUpdate (or Fou4s for short) is a project started by Markus Gaugusch, a frequent contributer to suse-security. Its goal is to provide an alternative to our YaST Online Update (YOU for short) system; Fou4s is both lighter in weight and more powerful than YOU. The homepage is here: http://www.gaugusch.at/fou4s/
Thanks to Markus and the contributers for all of their work.
Best regards from Bremen, Mit freundlichen Grüßen aus Bremen, Matthias Riese
i have just received what seems to be a script kiddie attempt to exploit a php vulnereability. ___ + Checking for vulnerable PHP version... + passed: server says PHP/4.0.6 + exploiting the bug now... [++++++++++] trying: bfffdf08 + done ... + you should be connected to a dup-shell now + if not simply try again command> ___ I am running php version 4.0.6 indeed, but completely up to date on every security update. Is it still possible for someone to exploit this? What should I do? Get the new version in php.net? TIA, __________________________ /"\ Francisco 'Paladino' Costa \ / ASCII Ribbon Campaign fgcosta@ccj.ufsc.br X Against HTML Mail / \
Does the interim fix apply to BIND 8 as well, or to
BIND 4 only..?..
AKNIT
--- Alan Hadsell
posted to the patches/ directory for 7.1, so YOU and fou4s will not pick this package up. -- Alan Hadsell If brute force doesn't work, you aren't using enough.
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
__________________________________________________ Do You Yahoo!? Everything you'll ever need on one web page from News and Sport to Email and Music Charts http://uk.my.yahoo.com
participants (7)
-
Alan Hadsell
-
Francisco Costa
-
Jeff Graham
-
Mark Tinka
-
Markus Gaugusch
-
Matthias Riese
-
Olaf Kirch