On Mon, 2004-10-11 at 21:13 +0200, Nils Rennebarth wrote:
> Martin Schulze wrote:
> > Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
> > driver from Roaring Penguin. When the program is running setuid root
> > (which is not the case in a default Debian installation), an attacker
> > could overwrite any file on the file system.
> >
> > For the stable distribution (woody) this problem has been fixed in
> > version 3.3-1.2.
> >
> > For the unstable distribution (sid) this problem has been fixed in
> > version 3.5-4.
> Is there an estimation when the 3.5-4 Version for unstable will hit the
> archive?

Okay, don't run it as setuid root.

Nothing I can find on bugs.d.o or packages.d.o or alioth even begins to
show 3.5-4 as existing yet.

But, unless you run rp-pppoe/pppoe as setuid root... you should be fine.
Minimizing the damage has already been done in the way it is set up by
default in Debian.

--
greg, greg@gregfolkert.net

The technology that is
Stronger, better, faster: Linux