LWN: More unsubstantiated criticism regarding security updates
http://lwn.net/2002/0509/security.php3
> Multiple vulnerabilities in tcpdump. Version 3.5.2 fixed a buffer overflow
> vulnerability in all prior versions. However, newer versions, including
> 3.6.2, are vulnerable to another buffer overflow in the AFS RPC functions
> that was reported by Nick Cleaton.
>
> This Conectiva announcement addresses both vulnerabilities. The February
> 12th Red Hat security advisory does not address the AFS RPC buffer
> overflow vulnerability.
>
> Both problems appear to have been reported and fixed in FreeBSD some
> months ago. The CIAC report on the vulnerability in versions prior to
> 3.5.2 is dated October 31, 2000. Nick Cleaton's FreeBSD security advisory
> on the AFS RPC bug, and reference to a fix for FreeBSD, is dated July, 17,
> 2001. Tcpdump 3.7 was released on January 21, 2002. So the Linux
> distributors are running a little slow on this one. (Thanks to Michael
> Richardson).
The vulnerabilities in <3.5.2 were fixed in Debian stable (potato) in
November 20, 2000 with the following advisory:
http://www.debian.org/security/2000/20001120a
Version 3.4a6, in Debian stable (potato), is not vulnerable to the AFS RPC
issue; this version does not decode such packets. No advisory was released.
The AFS RPC issue did affect Debian unstable, and was fixed on July 19,
2001:
tcpdump (3.6.2-2) unstable; urgency=HIGH
* print-rx.c: Take the version from current CVS fixing the remote
buffer overflow reported in FreeBSD Security Advisory SA-01:48
yesterday. Thanks to Matt Zimmerman for forwarding the report,
I might have missed it.
* debian/control: Clean the Build-Depends from build-essential
packages.
-- Torsten Landschoff <torsten@debian.org> Thu, 19 Jul 2001 15:03:48 +0200
--
- mdz
--
To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: