--------------------------------------------------------------------------
Debian-Edu/Skolelinux Security Advisory DESA 2004-005
http://www.skolelinux.no/security/                   Morten Werner Olsen
May 10th, 2004               debian-edu-security@lists.alioth.debian.org
--------------------------------------------------------------------------

Package              : sane-backends (libsane)
Vulnerability        : several vulnerabilities
Problem-Type         : remote
Need reboot          : no
Debian-Edu-specific  : no
CVE ID               : CAN-2003-0773, CAN-2003-0774, CAN-2003-0775,
                       CAN-2003-0776, CAN-2003-0777, CAN-2003-0778
DSA ID               : 379

Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several
security-related problems in the sane-backends package, which contains
an API library for scanners including a scanning daemon (in the package
libsane) that can be remotely exploited.

These problems allow a remote attacker to cause a segmentation fault
and/or consume arbitrary amounts of memory. The attack succeeds even if
the attacker's computer isn't listed in saned.conf.

You are only vulnerable if you actually run saned, e.g. from xinetd or
inetd. If the entries in the configuration file of xinetd or inetd
respectively are commented out or do not exist, you are safe.

Try "telnet localhost 6566" on the server that may run saned. If you
get "connection refused", saned is not running and you are safe.

We recommend that you upgrade your libsane package.

Upgrade Instructions
--------------------

Make sure 'deb ftp://ftp.skolelinux.no/skolelinux/ woody local' is
present in your /etc/apt/sources.list and run 'apt-get update' to update
your package lists. To upgrade, run this command:

    apt-get install libsane

Upgrade Warning
---------------

This upgrade may cause your scanners to stop working. We have had
reports about a parallel scanner that did not work after the upgrade,
but our recommendation is that you upgrade the package anyway!

If your scanner(s) stop working after the upgrade, please report this as
a bug in our bug-tracking system (http://bugs.skolelinux.no/) or send an
email to the Debian-Edu/Skolelinux Security Team
(debian-edu-security@lists.alioth.debian.org).

--------------------------------------------------------------------------
For apt-get: deb ftp://ftp.skolelinux.no/skolelinux/ woody local
Mailing list: bruker@skolelinux.no, debian-edu@lists.debian.org,
              linuxiskolen@skolelinux.no, user@skolelinux.de
Package info: `apt-cache show <pkg>'
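
The exposure check described in the advisory (inetd/xinetd entries plus the port 6566 probe), written as a script. This is an added example, not part of the original advisory. It assumes the usual /etc/inetd.conf and /etc/xinetd.d/ locations and an `nc` that supports `-z`; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the advisory): is saned enabled via inetd or xinetd,
# and does anything answer on TCP port 6566? Paths below are assumed defaults.

# Succeeds if inetd config file $1 has a saned entry that is not commented out.
inetd_enables_saned() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*[^#[:space:]].*saned' "$1"
}

# Succeeds if any xinetd file given defines a saned service that is neither
# commented out nor marked "disable = yes".
xinetd_enables_saned() {
    [ $# -gt 0 ] || return 1
    awk '
        /^[ \t]*#/ { next }                          # commented-out line
        /^[ \t]*service[ \t]/ { in_svc = 1; hit = 0; off = 0 }
        in_svc && /saned|sane-port/ { hit = 1 }
        in_svc && /^[ \t]*disable[ \t]*=[ \t]*yes/ { off = 1 }
        in_svc && /[}]/ { if (hit && !off) found = 1; in_svc = 0 }
        END { exit !found }
    ' "$@" 2>/dev/null
}

# Scripted form of "telnet localhost 6566": 0 = connection accepted,
# 1 = refused or timed out, 2 = nc not installed (result unknown).
port_open() {
    command -v nc >/dev/null 2>&1 || return 2
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# saned_audit INETD_CONF [XINETD_FILE...]: prints findings, returns 1 if exposed.
saned_audit() {
    conf=$1; shift; exposed=0
    if inetd_enables_saned "$conf"; then
        echo "saned is enabled in $conf"; exposed=1
    fi
    if xinetd_enables_saned "$@"; then
        echo "saned is enabled in an xinetd service file"; exposed=1
    fi
    rc=0; port_open localhost 6566 || rc=$?
    case $rc in
        0) echo "port 6566 accepts connections"; exposed=1 ;;
        2) echo "nc not found, port 6566 was not probed" ;;
    esac
    [ "$exposed" -eq 0 ] && echo "saned does not appear to be running"
    return "$exposed"
}

saned_audit /etc/inetd.conf /etc/xinetd.d/* || echo "saned is reachable: upgrade libsane"
```
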