[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

LWN: More unsubstantiated criticism regarding security updates


> Multiple vulnerabilities in tcpdump. Version 3.5.2 fixed a buffer overflow
> vulnerability in all prior versions. However, newer versions, including
> 3.6.2, are vulnerable to another buffer overflow in the AFS RPC functions
> that was reported by Nick Cleaton.
> This Conectiva announcement addresses both vulnerabilities. The February
> 12th Red Hat security advisory does not address the AFS RPC buffer
> overflow vulnerability.
> Both problems appear to have been reported and fixed in FreeBSD some
> months ago. The CIAC report on the vulnerability in versions prior to
> 3.5.2 is dated October 31, 2000. Nick Cleaton's FreeBSD security advisory
> on the AFS RPC bug, and reference to a fix for FreeBSD, is dated July, 17,
> 2001.  Tcpdump 3.7 was released on January 21, 2002. So the Linux
> distributors are running a little slow on this one. (Thanks to Michael
> Richardson). 

The vulnerabilities in <3.5.2 were fixed in Debian stable (potato) in
November 20, 2000 with the following advisory:


Version 3.4a6, in Debian stable (potato), is not vulnerable to the AFS RPC
issue; this version does not decode such packets.  No advisory was released.

The AFS RPC issue did affect Debian unstable, and was fixed on July 19,

tcpdump (3.6.2-2) unstable; urgency=HIGH

  * print-rx.c: Take the version from current CVS fixing the remote 
    buffer overflow reported in FreeBSD Security Advisory SA-01:48
    yesterday. Thanks to Matt Zimmerman for forwarding the report, 
    I might have missed it.
  * debian/control: Clean the Build-Depends from build-essential 

 -- Torsten Landschoff <torsten@debian.org>  Thu, 19 Jul 2001 15:03:48 +0200

 - mdz

To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: