[14728] in bugtraq
Re: aaa_base still vulnerable after upgrade
daemon@ATHENA.MIT.EDU (Marc Heuse)
Mon May 1 00:43:07 2000
Message-Id: <20000429170120.70A6F67AD@Galois.suse.de>
Date: Sat, 29 Apr 2000 19:01:20 +0200
Reply-To: Marc Heuse <marc@SUSE.DE>
From: Marc Heuse <marc@SUSE.DE>
X-To: Matthias Andree <matthias.andree@gmx.de>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000429180510.A8715@emma1.emma.line.org> from Matthias Andree
at "Apr 29, 2000 6: 5:10 pm"
> * Marc Heuse (marc@suse.de) [2000-04-29 16:28]:
> > ______________________________________________________________________________
> >
> > SuSE Security Announcement
> >
> > Package: aaabase < 2000.1.3
> > Date: Sat, 29 Apr 2000 14:03:28 GMT
> >
> > Affected SuSE versions: all
> > Vulnerability Type: remove any local file(s)
> > executing attacker supplied commands as non-root
>
> > 350cabc140a177dfa1909d356c982647 ftp://ftp.suse.com/pub/suse/i386/update/6.2/a1/aaa_base-99.9.8-0.i386.rpm
>
> Note that after applying this non-fix, SuSE 6.2 remains vulnerable (as
> it's not an update and the 99.9.8 version _IS_ vulnerable).
>
> Isn't it embarrassing to announce fixes which don't even touch the
> _vulnerable_ packages?

It is true that the rpm does not fix the problem. The reason: the security
update rpm building failed for 6.2 for an unknown reason, which will be fixed.
The updates for 6.3 and 6.4 do work and fix this and another security
problem.
You can see that easily by a look at the filenames:
ftp://ftp.suse.com/pub/suse/axp/update/6.3/a1/aaa_base-2000.1.3-0.alpha.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/a1/aaa_base-99.9.8-0.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/a1/aaa_base-2000.1.3-0.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/a1/aaa_base-2000.4.27-1.i386.rpm
The update for 6.2 is a different - and old - rpm ...
We will provide the correct 6.2 rpm asap.

> It expresses that SuSE still are not familiar with security, and they
> do not regularly audit their programs for security issues.

Thank you very much, but I think it is completely the other way around.

> touch "/tmp/x /etc/rc.config"

Btw, have you ever tried out this command? It won't work. A filename is not
allowed to have a slash in its name ...

Greets,
Marc
--
Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: marc@suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C
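
The filename check described in the message, automated as an added example that is not part of the original post or SuSE's tooling: it parses each update URL listed above and compares the package version with the fixed version from the advisory line "aaabase < 2000.1.3". The function names are assumptions, and the comparison assumes purely numeric dotted versions.

```python
import posixpath
from urllib.parse import urlparse

# Fixed version taken from the advisory line "Package: aaabase < 2000.1.3".
FIXED_VERSION = "2000.1.3"

# The four update URLs listed in the message above.
UPDATE_URLS = [
    "ftp://ftp.suse.com/pub/suse/axp/update/6.3/a1/aaa_base-2000.1.3-0.alpha.rpm",
    "ftp://ftp.suse.com/pub/suse/i386/update/6.2/a1/aaa_base-99.9.8-0.i386.rpm",
    "ftp://ftp.suse.com/pub/suse/i386/update/6.3/a1/aaa_base-2000.1.3-0.i386.rpm",
    "ftp://ftp.suse.com/pub/suse/i386/update/6.4/a1/aaa_base-2000.4.27-1.i386.rpm",
]


def parse_rpm_filename(filename):
    """Split 'name-version-release.arch.rpm' into its four fields."""
    if not filename.endswith(".rpm"):
        raise ValueError("not an rpm filename: %r" % filename)
    stem, arch = filename[: -len(".rpm")].rsplit(".", 1)
    # Split from the right: the package name may itself contain '-'.
    name, version, release = stem.rsplit("-", 2)
    return name, version, release, arch


def version_key(version):
    """Assumption: purely numeric dotted versions, as in these filenames.
    This is a simplification, not rpm's full version comparison."""
    return tuple(int(part) for part in version.split("."))


def audit(urls, fixed=FIXED_VERSION):
    """Return (distro, arch, version, at_or_above_fixed) per update URL."""
    rows = []
    for url in urls:
        path = urlparse(url).path
        distro = path.split("/update/", 1)[1].split("/", 1)[0]
        _, version, _, arch = parse_rpm_filename(posixpath.basename(path))
        rows.append((distro, arch, version,
                     version_key(version) >= version_key(fixed)))
    return rows


if __name__ == "__main__":
    for distro, arch, version, ok in audit(UPDATE_URLS):
        print("%-4s %-6s %-10s %s" % (distro, arch, version,
                                      "fixed" if ok else "STILL VULNERABLE"))
```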