-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                ESB-2004.0423 -- Debian Security Advisory DSA 522-1
              New super packages fix format string vulnerability
                               21 June 2004

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                super
Publisher:              Debian
Operating System:       Debian GNU/Linux 3.0
                        Linux variants
Impact:                 Root Compromise
Access Required:        Existing Account
CVE Names:              CAN-2004-0579

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 522-1                     security@debian.org
http://www.debian.org/security/                             Matt Zimmerman
June 19th, 2004                         http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : super
Vulnerability  : format string
Problem-Type   : local
Debian-specific: no
CVE Ids        : CAN-2004-0579

Max Vozeler discovered a format string vulnerability in super, a program
to allow specified users to execute commands with root privileges.  This
vulnerability could potentially be exploited by a local user to execute
arbitrary code with root privileges.

For the current stable distribution (woody), this problem has been fixed
in version 3.16.1-1.2.

For the unstable distribution (sid), this problem has been fixed in
version 3.23.0-1.

We recommend that you update your super package.


Upgrade Instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- - --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.2.dsc
      Size/MD5 checksum:      575 cac1a056bb9e19b1338819fc4b88562c
    http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.2.diff.gz
      Size/MD5 checksum:    10032 99656fad8f5c309f26a02e2ef55d7358
    http://security.debian.org/pool/updates/main/s/super/super_3.16.1.orig.tar.gz
      Size/MD5 checksum:   192062 cc868b2fc2b44c47d86da314a11acf0b

  Alpha architecture:

    http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.2_alpha.deb
      Size/MD5 checksum:   126800 06b6c023404345b2cf744dda440ffa05

  ARM architecture:

    http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.2_arm.deb
      Size/MD5 checksum:   115492 89f02438278dfb1c01d93d47be991d7a

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.2_i386.deb
      Size/MD5 checksum:   110300 357228adad26cd42db7f25c1634d8808

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.2_ia64.deb
      Size/MD5 checksum:   144430 2d72df2a9ec7322272e0c5966b0e5b7c

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.2_hppa.deb
      Size/MD5 checksum:   124062 50ed0d3bc17633b2dcf01007ee7e035c

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.2_m68k.deb
      Size/MD5 checksum:   108254 9cedd2b84c59a6666f7b8942ebde0597

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.2_mips.deb
      Size/MD5 checksum:   120728 a7ccfd46184977221d8fd0b1ec0ef7e5

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.2_mipsel.deb
      Size/MD5 checksum:   121174 77a234a605b57758fdbded86a533ce7f

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.2_powerpc.deb
      Size/MD5 checksum:   116772 c190e00530ae034c0036a28b70cec5bd

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.2_s390.deb
      Size/MD5 checksum:   114678 04d5d44dc5298d141851bb3ca939c5ea

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.2_sparc.deb
      Size/MD5 checksum:   117518 5f5437d7e2879a1ead1916ee7d9453db

  These files will probably be moved into the stable distribution on
  its next revision.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFA0/vbArxCt0PiXR4RAsS3AJ0V1lW0QYN9YBE8xuG/y2hgwQgnWACgwP8r
uDdnL36hNIK+eZKBK0M8xRU=
=y9ry
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQNZEiCh9+71yA2DNAQJ9ewQAiD58+1YEXTzvLk6Qz3Ym/WzfSTD3aw9f
8DIOUMSlRmoh+0zKqou8vaUdBFQ1i7z2Ahl3nTt1T2amzCmYmIdiJvmuQg0mn786
kGJYofiwTDzuLX/cX4o2xblqMRMJWy0l8a0ia+tZ8EHvi2RlumT9BLZZyFVfLZ+Q
+gKq735qVNU=
=9vbG
-----END PGP SIGNATURE-----
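The bulletin names the bug class (a format string vulnerability in a setuid-root helper) but, as advisories of this kind do, says nothing about what the pattern looks like or why it yields root. The C program below is an added illustration and is not code from super, from Debian or from AusCERT; the function names, the "denied command" logging scenario and the attacker-chosen input are all made up for the example. It places the vulnerable idiom (user-controlled text passed as the printf-family format argument) beside the one-line fix (a literal "%s" format with the text as data). To prove that the directives really are interpreted without invoking undefined behaviour, the demonstration input uses only "%%", the one directive that consumes no argument; in a real attack the same position in the string would carry "%x" or "%s" to read the stack and "%n" to write to memory, which in a setuid binary is the step from disclosure to arbitrary code as root.

```c
/*
 * Format-string bug of the kind DSA 522-1 describes, in miniature.
 * Added example, not code from super: a privileged program that passes
 * attacker-controlled text to a printf-family function as the FORMAT
 * argument lets the attacker supply conversion directives. %x and %s
 * read from the stack, %n writes to memory; in a setuid-root binary
 * that is enough to redirect control flow and run code as root.
 *
 * Only "%%" is used in the constructed input here: it needs no argument,
 * so the call stays well-defined, yet it is consumed only when the
 * string is treated as a format. That difference is what the test sees.
 */
#include <stdio.h>
#include <string.h>

#define LOGLEN 256

/* The compiler flags the vulnerable pattern (-Wformat-security); it is
 * silenced here only so the bad idiom can be shown. Real builds should
 * keep the warning on and treat it as an error. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

/* VULNERABLE (hypothetical): the text a user supplied (e.g. a command
 * name that was refused) is itself the format string. */
int log_denied_vuln(char *out, size_t outlen, const char *user_input)
{
    return snprintf(out, outlen, user_input);
}
#pragma GCC diagnostic pop

/* FIXED: literal format, user text passed as an ordinary argument. */
int log_denied_fixed(char *out, size_t outlen, const char *user_input)
{
    return snprintf(out, outlen, "%s", user_input);
}

/* Audit helper: number of conversion directives in a string. Useful when
 * grepping a privileged program's inputs or logs for the attacker's
 * smuggled '%'. "%%" counts as one directive, since printf consumes it. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s == '%') {
            n++;
            if (s[1] == '%')
                s++;            /* step over the second '%' of "%%" */
        }
    }
    return n;
}

int main(void)
{
    /* Constructed attacker input; "%%" stands in for %x/%s/%n. */
    const char *attacker = "cmd-100%%-%%x";
    char vuln[LOGLEN], fixed[LOGLEN];

    log_denied_vuln(vuln, sizeof vuln, attacker);
    log_denied_fixed(fixed, sizeof fixed, attacker);

    printf("input : %s\n", attacker);
    printf("vuln  : %s   <- directives interpreted, text was the format\n", vuln);
    printf("fixed : %s   <- copied verbatim, text was an argument\n", fixed);
    printf("directives in input: %d\n", count_format_directives(attacker));
    return 0;
}
```

Compile with -Wall -Wformat=2 -Werror to see why the pragma was needed: the vulnerable function is rejected outright, which is the cheapest way to keep this class out of a setuid code base. The fix is always the literal format; rejecting '%' in input is not a substitute, because the same text may reach a format string through syslog(), err() or a wrapper the caller never sees.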