SuSE Security Announcement: traceroute (SuSE-SA:2000:041)
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SuSE Security Announcement
Package: traceroute
Announcement-ID: SuSE-SA:2000:041
Date: Monday, October 16th, 2000 16:10 MEST
Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0
Vulnerability Type: local root compromise
Severity (1-10): 6
SuSE default package: yes
Other affected systems: Linux systems using the NANOG traceroute
Content of this advisory:
1) security vulnerability resolved: traceroute
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
The security problem in the traceroute program as shipped with SuSE
Linux distributions is completely different from the one reported on
security mailing lists a few days ago (`traceroute -g 1 -g 1') by
Pekka Savola
Roman,
Is this a mistake or is the 6.4 version already safe? All the other dates are 2000.10.4
On Mon, 16 Oct 2000, Roman Drahtmueller wrote:
SuSE-6.4 ftp://ftp.suse.com/pub/suse/i386/update/6.4/a1/nkitb-2000.7.11-0.i386.rpm 118075b7fc295be86b3659bf9b3fa778
When trying to apply the update I got:
marx:/home/staff/bobv/work # rpm --checksig --nogpg nkitb-2000.7.11-0.i386.rpm
nkitb-2000.7.11-0.i386.rpm: md5 OK
marx:/home/staff/bobv/work # rpm -Fhv nkitb-2000.7.11-0.i386.rpm
no packages require freshening
marx:/home/staff/bobv/work # rpm -q nkitb
nkitb-2000.7.11-0
Thanks,
Bob
==============================================================
Bob Vickers R.Vickers@dcs.rhbnc.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhbnc.ac.uk/home/bobv Phone: +44 1784 443691
Roman,
Is this a mistake or is the 6.4 version already safe? All the other dates are 2000.10.4
You're right. I'll have it changed asap.
Regards,
Roman.
--
- -
| Roman Drahtmüller
Is this a mistake or is the 6.4 version already safe? All the other dates are 2000.10.4
To clear it up:
nkitb-2000.10.4 is the most recent version, nkitb-2000.7.11-0 is the old
version that does not have the fix.
nkitb-2000.7.11-0 has been removed a few hours ago, but the link in the
announcement was still pointing to it.
To fix this, I've made a symlink named as in the announcement that points
to the new package. The advisories are just about to go out right
now already, so I think this makes most sense before all people get
confused... I apologize, mea culpa.
Thank you for the high-speed hint, Bob!
Roman.
--
- -
| Roman Drahtmüller
Roman Drahtmueller wrote:
Is this a mistake or is the 6.4 version already safe? All the other
dates are 2000.10.4
To clear it up:
nkitb-2000.10.4 is the most recent version, nkitb-2000.7.11-0 is the old version that does not have the fix.
nkitb-2000.7.11-0 has been removed a few hours ago, but the link in the announcement was still pointing to it.
And I was just wondering why I get a wrong md5sum. I get 321b78de11928a3361edf0a044721383 for nkitb-2000.10.4-0 downloaded under the name nkitb-2000.7.11-0.i386.rpm (for 6.4). Is this value correct?
Thanks,
Ingo
--
Ingo Klöcker
Lehrstuhl A für Mathematik
RWTH Aachen
52056 Aachen
And I was just wondering why I get a wrong md5sum. I get 321b78de11928a3361edf0a044721383 for nkitb-2000.10.4-0 downloaded under the name nkitb-2000.7.11-0.i386.rpm (for 6.4). Is this value correct?
Thanks, Ingo
321b78de11928a3361edf0a044721383 is correct, yes.
I'll post the corrected advisory again. bugtraq has a correct one.
What a mess just because of an old file... :-/
Roman.
--
- -
| Roman Drahtmüller