[18032] in bugtraq
[CLA-2000:357] Conectiva Linux Security Announcement - rp-pppoe
daemon@ATHENA.MIT.EDU (secure@CONECTIVA.COM.BR)
Tue Dec 12 17:26:56 2000
Message-Id: <200012121742.PAA28739@frajuto.distro.conectiva>
Date: Tue, 12 Dec 2000 15:42:31 -0200
Reply-To: secure@CONECTIVA.COM.BR
From: secure@CONECTIVA.COM.BR
X-To: lwn@lwn.net, security-alert@linuxsecurity.com,
linuxlist@securityportal.com
To: BUGTRAQ@SECURITYFOCUS.COM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -----------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- -----------------------------------------------------------------------
PACKAGE : rp-pppoe
SUMMARY : Denial of service
DATE : 2000-12-12 15:41:00
ID : CLA-2000:357
RELEVANT
RELEASES : 6.0
- ----------------------------------------------------------------------
DESCRIPTION
rp-pppoe is an userspace PPPoE client mainly used with ADSL
connections which require PPP.
The version distributed with Conectiva Linux 6.0 has a security
problem which, if exploited, would cause the connection to be
dropped.
If rp-pppoe receives a crafted TCP segment with an option where the
option-length field is zero (illegal), the program would enter an
infinite loop and the connection would time-out and be dropped.
SOLUTION
All rp-pppoe users should upgrade.
We would like to thank David F. Skoll for releasing a new version and
to Robert Schlabbach for reporting the vulnerability to him.
DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/rp-pppoe-2.5-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/rp-pppoe-2.5-1cl.i386.rpm
ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades:
- add the following line to /etc/apt/sources.list if it is not there yet
(you may also use linuxconf to do this):
rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- ----------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key can be
obtained at http://www.conectiva.com.br/contato
- -----------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://www.conectiva.com.br/suporte/atualizacoes
- ----------------------------------------------------------------------
subscribe: atualizacoes-anuncio-subscribe@papaleguas.conectiva.com.br
unsubscribe: atualizacoes-anuncio-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE6NmOG42jd0JmAcZARAlELAJ0YSd1KtIhLK8gERS9L6glt7UC+6wCbB+NQ
rKQNKh3G8D67qIEg8l+6krY=
=dkfl
-----END PGP SIGNATURE-----
