[874] in linux-security and linux-alert archive


Re: [linux-security] BoS: CERT Advisory CA-96.12 - Vulnerability in suidperl (fwd)

daemon@ATHENA.MIT.EDU (Darren/Torin/Who Ever...)
Wed Jul 3 16:15:47 1996

To: buhr@stat.wisc.edu
Cc: jlewis@inorganic5.fdt.net, linux-security@tarsier.cv.nrao.edu
From: "Darren/Torin/Who Ever..." <torin@daft.com>
In-Reply-To: Kevin Buhr's message of Thu, 27 Jun 96 10:34 CDT
Date: 03 Jul 1996 11:34:12 -0700

-----BEGIN PGP SIGNED MESSAGE-----

Kevin Buhr, in an immanent manifestation of deity, wrote:
>(someone else said):
>| Has anyone verified yet whether this is a problem on Linux boxes across 
>| the world?

This is a problem with all linux boxes running any version of Perl
before 5.003 and running any version of linux in the 1.1.x series or
after.

>I've verified the Perl saved setuid bug (CERT Advisory CA-96.12) on a
>Debian Linux 1.2.8 box running Perl 5.001.  Most other configurations

Your best bet is to upgrade to Perl 5.003 as was stated in the CERT
Advisory.  It's been available on most CPAN mirrors since 25 Jun at
{CPAN}/src/5.03/perl5.003.tar.gz.  (CPAN is the Comprehensive Perl
Archive Network, examples are ftp.funet.fi:/pub/languages/perl/CPAN and
ftp.cis.ufl.edu:/pub/perl/CPAN.  See
ftp://ftp.uoknor.edu/mirrors/CPAN/CPAN.html for more.)

Perl 5.003 has also been available for Debian since 25 Jul as
perl_5.003-1.deb and perl-suid_5.003-1.deb.  perl*_5.003-2.deb is now
available as of Tuesday.  This is available at
ftp://ftp.daft.com/pub/debian/ as well as in buzz-fixes on the debian
mirrors.

Darren, debian perl maintainer
- -- 
<torin@daft.com> <http://www.daft.com/~torin> <torin@debian.org> <torin@io.com>
Darren Stalder/2608 Second Ave, @282/Seattle, WA 98121-1212/USA/+1-800-921-4996
@ Do you have your clothes on? I probably don't. Take yours off. Feel better. @
@ Sysadmin, webweaver, postmaster for hire.  C/Perl/CGI programmer and tutor. @

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

-----END PGP SIGNATURE-----
