Full Disclosure mailing list archives

Security Update: [CSSA-2002-034.0] Linux: buffer overflow in multiple DNS resolver libraries


From: full-disclosure () lists netsys com (full-disclosure () lists netsys com)
Date: Mon, 5 Aug 2002 17:12:27 -0700



To: bugtraq () securityfocus com, announce () lists caldera com, security-alerts () linuxsecurity com, full-disclosure () lists netsys com

______________________________________________________________________________

                Caldera International, Inc.  Security Advisory

Subject:                Linux: buffer overflow in multiple DNS resolver libraries
Advisory number:        CSSA-2002-034.0
Issue date:             2002 August 05
Cross reference:
______________________________________________________________________________


1. Problem Description

        From CERT CA-2002-19: A buffer overflow vulnerability exists in
        multiple implementations of DNS resolver libraries. Operating
        systems and applications that utilize vulnerable DNS resolver
        libraries may be affected. A remote attacker who is able to
        send malicious DNS responses could potentially exploit this
        vulnerability to execute arbitrary code or cause a denial of
        service on a vulnerable system.


2. Vulnerable Supported Versions

        System                          Package
        ----------------------------------------------------------------------

        OpenLinux 3.1.1 Server          prior to bind-8.3.3-1.i386.rpm
                                        prior to bind-doc-8.3.3-1.i386.rpm
                                        prior to bind-utils-8.3.3-1.i386.rpm
                                        prior to glibc-2.2.4-23.i386.rpm
                                        prior to glibc-devel-2.2.4-23.i386.rpm
                                        prior to glibc-devel-static-2.2.4-23.i386.rpm
                                        prior to glibc-localedata-2.2.4-23.i386.rpm
                                        prior to nscd-2.2.4-23.i386.rpm

        OpenLinux 3.1.1 Workstation     prior to bind-8.3.3-1.i386.rpm
                                        prior to bind-doc-8.3.3-1.i386.rpm
                                        prior to bind-utils-8.3.3-1.i386.rpm
                                        prior to glibc-2.2.4-23.i386.rpm
                                        prior to glibc-devel-2.2.4-23.i386.rpm
                                        prior to glibc-devel-static-2.2.4-23.i386.rpm
                                        prior to glibc-localedata-2.2.4-23.i386.rpm
                                        prior to nscd-2.2.4-23.i386.rpm

        OpenLinux 3.1 Server            prior to bind-8.3.3-1.i386.rpm
                                        prior to bind-doc-8.3.3-1.i386.rpm
                                        prior to bind-utils-8.3.3-1.i386.rpm
                                        prior to glibc-2.2.4-23.i386.rpm
                                        prior to glibc-devel-2.2.4-23.i386.rpm
                                        prior to glibc-devel-static-2.2.4-23.i386.rpm
                                        prior to glibc-localedata-2.2.4-23.i386.rpm
                                        prior to nscd-2.2.4-23.i386.rpm

        OpenLinux 3.1 Workstation       prior to bind-8.3.3-1.i386.rpm
                                        prior to bind-doc-8.3.3-1.i386.rpm
                                        prior to bind-utils-8.3.3-1.i386.rpm
                                        prior to glibc-2.2.4-23.i386.rpm
                                        prior to glibc-devel-2.2.4-23.i386.rpm
                                        prior to glibc-devel-static-2.2.4-23.i386.rpm
                                        prior to glibc-localedata-2.2.4-23.i386.rpm
                                        prior to nscd-2.2.4-23.i386.rpm


3. Solution

        The proper solution is to install the latest packages. Many
        customers find it easier to use the Caldera System Updater, called
        cupdate (or kcupdate under the KDE environment), to update these
        packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

        4.1 Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-034.0/RPMS

        4.2 Packages

        c4175dab7596a7e20540b548a9245351        bind-8.3.3-1.i386.rpm
        0492168645952a0c3331a8550a955b98        bind-doc-8.3.3-1.i386.rpm
        bb21f7d71544b7d30a45ad052a16f61b        bind-utils-8.3.3-1.i386.rpm
        3981b760212d84b07f3ada0b6f640ae7        glibc-2.2.4-23.i386.rpm
        34b1f56b27e5e561d378382a3b540092        glibc-devel-2.2.4-23.i386.rpm
        31a1148ed101aa8dcf345e7f68806db2        glibc-devel-static-2.2.4-23.i386.rpm
        999e375c52f236b7ce9a79311228568a        glibc-localedata-2.2.4-23.i386.rpm
        828c32ab1d920faa3cbca27b47a9ce04        nscd-2.2.4-23.i386.rpm

        4.3 Installation

        rpm -Fvh bind-8.3.3-1.i386.rpm
        rpm -Fvh bind-doc-8.3.3-1.i386.rpm
        rpm -Fvh bind-utils-8.3.3-1.i386.rpm
        rpm -Fvh glibc-2.2.4-23.i386.rpm
        rpm -Fvh glibc-devel-2.2.4-23.i386.rpm
        rpm -Fvh glibc-devel-static-2.2.4-23.i386.rpm
        rpm -Fvh glibc-localedata-2.2.4-23.i386.rpm
        rpm -Fvh nscd-2.2.4-23.i386.rpm

        4.4 Source Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-034.0/SRPMS

        4.5 Source Packages

        2c0e5c37e7ce156e2248e9fffaa8406c        bind-8.3.3-1.src.rpm
        d7c443043599d74ab3ea924d0059780f        glibc-2.2.4-23.src.rpm


5. OpenLinux 3.1.1 Workstation

        5.1 Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-034.0/RPMS

        5.2 Packages

        63aa5ba585097c12a57a095aee7c1581        bind-8.3.3-1.i386.rpm
        85f08cbe9ac9b76bca6ca701e57c0a88        bind-doc-8.3.3-1.i386.rpm
        c09ace86a9e096024cb97aad1e253531        bind-utils-8.3.3-1.i386.rpm
        cf8a07b46703849238b53e3af6b5b310        glibc-2.2.4-23.i386.rpm
        0b4bf6623ff5fb5c6ff4bcecb11ede9d        glibc-devel-2.2.4-23.i386.rpm
        d575040e3b46515862cab4650925cebf        glibc-devel-static-2.2.4-23.i386.rpm
        59b8dda119b518e084575228fd24e919        glibc-localedata-2.2.4-23.i386.rpm
        599720843db585f011d586fa5029e7c7        nscd-2.2.4-23.i386.rpm

        5.3 Installation

        rpm -Fvh bind-8.3.3-1.i386.rpm
        rpm -Fvh bind-doc-8.3.3-1.i386.rpm
        rpm -Fvh bind-utils-8.3.3-1.i386.rpm
        rpm -Fvh glibc-2.2.4-23.i386.rpm
        rpm -Fvh glibc-devel-2.2.4-23.i386.rpm
        rpm -Fvh glibc-devel-static-2.2.4-23.i386.rpm
        rpm -Fvh glibc-localedata-2.2.4-23.i386.rpm
        rpm -Fvh nscd-2.2.4-23.i386.rpm

        5.4 Source Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-034.0/SRPMS

        5.5 Source Packages

        c7987406a635360bb39246e9bc850700        bind-8.3.3-1.src.rpm
        c63a0354b4bc9e5c35936f985d8a3371        glibc-2.2.4-23.src.rpm


6. OpenLinux 3.1 Server

        6.1 Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-034.0/RPMS

        6.2 Packages

        97310a145a1fac4fffc960feab323cc4        bind-8.3.3-1.i386.rpm
        8a0d3c316ec29647540aa2a0b6792dfc        bind-doc-8.3.3-1.i386.rpm
        962f50faaa4b324c95c82be85bdf711c        bind-utils-8.3.3-1.i386.rpm
        ae5ac1338fd90a7e65ccd0fa707d55e3        glibc-2.2.4-23.i386.rpm
        2272829001ba8dba6fe5b0d27b323c2e        glibc-devel-2.2.4-23.i386.rpm
        ea1a88d622b7bad0daa6f5840cf1a650        glibc-devel-static-2.2.4-23.i386.rpm
        3a60a419bc4cb8794057c2ae832c1132        glibc-localedata-2.2.4-23.i386.rpm
        497f26a658aa9a23f26bdcacfbf6c311        nscd-2.2.4-23.i386.rpm

        6.3 Installation

        rpm -Fvh bind-8.3.3-1.i386.rpm
        rpm -Fvh bind-doc-8.3.3-1.i386.rpm
        rpm -Fvh bind-utils-8.3.3-1.i386.rpm
        rpm -Fvh glibc-2.2.4-23.i386.rpm
        rpm -Fvh glibc-devel-2.2.4-23.i386.rpm
        rpm -Fvh glibc-devel-static-2.2.4-23.i386.rpm
        rpm -Fvh glibc-localedata-2.2.4-23.i386.rpm
        rpm -Fvh nscd-2.2.4-23.i386.rpm

        6.4 Source Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-034.0/SRPMS

        6.5 Source Packages

        1d49abc211068aedd550d8b82837c6c4        bind-8.3.3-1.src.rpm
        5b62e0ab7c60bb875147c521346fac38        glibc-2.2.4-23.src.rpm


7. OpenLinux 3.1 Workstation

        7.1 Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-034.0/RPMS

        7.2 Packages

        06f426cfbffc0282216aedab4c235abb        bind-8.3.3-1.i386.rpm
        a069730960a6b3bb19aacfaa020f1625        bind-doc-8.3.3-1.i386.rpm
        9a6a47c0040f3fdf89885d4f7b95fd32        bind-utils-8.3.3-1.i386.rpm
        a75a8f74a263b5290f697609439084cf        glibc-2.2.4-23.i386.rpm
        d2d21d81306a12da7cbea0d63fb3768f        glibc-devel-2.2.4-23.i386.rpm
        ea496ffd59c1db465b49231988e74156        glibc-devel-static-2.2.4-23.i386.rpm
        e6b63ab2513a276594769323c3083ca7        glibc-localedata-2.2.4-23.i386.rpm
        d09a9fb83215cd78d055fa09eaac508d        nscd-2.2.4-23.i386.rpm

        7.3 Installation

        rpm -Fvh bind-8.3.3-1.i386.rpm
        rpm -Fvh bind-doc-8.3.3-1.i386.rpm
        rpm -Fvh bind-utils-8.3.3-1.i386.rpm
        rpm -Fvh glibc-2.2.4-23.i386.rpm
        rpm -Fvh glibc-devel-2.2.4-23.i386.rpm
        rpm -Fvh glibc-devel-static-2.2.4-23.i386.rpm
        rpm -Fvh glibc-localedata-2.2.4-23.i386.rpm
        rpm -Fvh nscd-2.2.4-23.i386.rpm

        7.4 Source Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-034.0/SRPMS

        7.5 Source Packages

        96f2c68732c563df08a69f14fbb9ecdb        bind-8.3.3-1.src.rpm
        3f38eb5c48d593509cc9156f61651fba        glibc-2.2.4-23.src.rpm
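Sections 4 through 7 each give the same three-step procedure: fetch the packages from the FTP location, compare them against the listed MD5 sums, then run rpm -Fvh. The script below is an added example, not part of the Caldera advisory, that automates the check-then-install step so that a single corrupted or substituted download aborts the whole run. It assumes md5sum (coreutils) and rpm are on the PATH; the manifest is a text file holding the "<md5>  <filename>" lines copied from the Packages subsection for your product, and the download directory is supplied by the caller.

```shell
#!/bin/sh
# Added example (not Caldera's code): verify advisory MD5 sums, then freshen.
# MANIFEST holds lines copied from the advisory, e.g.
#   c4175dab7596a7e20540b548a9245351        bind-8.3.3-1.i386.rpm
# DIR is the directory the RPMs were downloaded into (caller-supplied).

# verify_manifest MANIFEST DIR
# Returns 0 only if every file named in MANIFEST exists in DIR and its
# MD5 sum equals the advisory's value; reports each missing or
# mismatching file on stderr and keeps going so the whole set is checked.
verify_manifest() {
    manifest="$1"
    dir="$2"
    status=0
    # read splits each line on whitespace: first field hash, second filename
    while read -r expected name; do
        [ -z "$expected" ] && continue        # skip blank lines
        file="$dir/$name"
        if [ ! -f "$file" ]; then
            echo "MISSING  $name" >&2
            status=1
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (expected $expected, got $actual)" >&2
            status=1
        fi
    done < "$manifest"
    return "$status"
}

# install_verified MANIFEST DIR
# Runs the advisory's "rpm -Fvh <package>" step for each listed file, but
# only after the complete set has passed verify_manifest.  -F (freshen)
# upgrades packages that are already installed and skips the rest, which
# is why the advisory lists every RPM rather than a per-host subset.
install_verified() {
    manifest="$1"
    dir="$2"
    if ! verify_manifest "$manifest" "$dir"; then
        echo "checksum verification failed; not installing" >&2
        return 1
    fi
    while read -r expected name; do
        [ -z "$expected" ] && continue
        rpm -Fvh "$dir/$name" || return 1
    done < "$manifest"
}

# Usage: sh verify-cssa.sh MANIFEST DIR
if [ "$#" -eq 2 ]; then
    install_verified "$1" "$2"
fi
```

Because the advisory publishes a separate hash set per product (3.1.1 Server, 3.1.1 Workstation, 3.1 Server, 3.1 Workstation), build the manifest from the subsection that matches the installed product; the same filename carries a different sum in each.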


8. References

        Specific references for this advisory:

                http://www.cert.org/advisories/CA-2002-19.html
                http://www.kb.cert.org/vuls/id/803539
                http://www.kb.cert.org/vuls/id/542971
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0651
                http://www.isc.org/products/BIND/bind-security.html

        Caldera security resources:

                http://www.caldera.com/support/security/index.html

        This security fix closes Caldera incidents sr866552, fz521492,
        erg501623.


9. Disclaimer

        Caldera International, Inc. is not responsible for the misuse
        of any of the information we provide on this website and/or
        through our security advisories. Our advisories are a service
        to our customers intended to promote secure installation and
        use of Caldera products.


10. Acknowledgements

        Caldera wishes to thank the CERT Coordination Center, Joost
        Pol of PINE-CERT, the FreeBSD Project, and the NetBSD Project
        for information used in this document.

______________________________________________________________________________


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj1PFGsACgkQbluZssSXDTEP1gCaA8PmAd+uWeDOU3eMKR33IKqV
jDkAoMcJJvmLJ0ZYNDo3elPejMFUkpkK
=EBnM
-----END PGP SIGNATURE-----
