Re: [SECURITY] [DSA 1587-1] New mtr packages fix execution of arbitrary code
On Mon, 26 May 2008 13:37:48 +0100
Steve Kemp <skx@debian.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - ------------------------------------------------------------------------
> Debian Security Advisory DSA-1587-1                  security@debian.org
> http://www.debian.org/security/                               Steve Kemp
> May 26, 2008                          http://www.debian.org/security/faq
> - ------------------------------------------------------------------------
>
> Package : mtr
> Vulnerability : buffer overflow
> Problem type : remote
> Debian-specific: no
> CVE Id(s) : CVE-2008-2357
>
> Adam Zabrocki discovered that under certain circumstances mtr, a full
> screen ncurses and X11 traceroute tool, could be tricked into
> executing arbitrary code via overly long reverse DNS records.
>
> For the stable distribution (etch), this problem has been fixed in
> version 0.71-2etch1.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 0.73-1.
>
> We recommend that you upgrade your mtr package.
mtr-tiny in Etch is still vulnerable? (0.71-2)
--
Pozdrawiam, Tomek
- www
http://www.urug.net
http://urug.gnu.pl
- GnuPG
KeyID: 0x70F9CEDD @ pgp.mit.edu
Fingerprint: 7CD2 C47F CBD7 D15D 2D91 0E89 ADD7 CD4F 70F9 CEDD