From secure@CONECTIVA.COM.BR Wed Dec 13 06:59:51 2000
From: secure@CONECTIVA.COM.BR
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Tue, 12 Dec 2000 15:42:31 -0200
Subject: [BUGTRAQ] [CLA-2000:357] Conectiva Linux Security Announcement - rp-pppoe

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- -----------------------------------------------------------------------

PACKAGE           : rp-pppoe
SUMMARY           : Denial of service
DATE              : 2000-12-12 15:41:00
ID                : CLA-2000:357
RELEVANT RELEASES : 6.0

- ----------------------------------------------------------------------

DESCRIPTION
 rp-pppoe is a userspace PPPoE client mainly used with ADSL
 connections which require PPP.
 The version distributed with Conectiva Linux 6.0 has a security
 problem which, if exploited, would cause the connection to be dropped.
 If rp-pppoe receives a crafted TCP segment containing an option whose
 option-length field is zero (illegal), the program enters an infinite
 loop, and the connection times out and is dropped.

SOLUTION
 All rp-pppoe users should upgrade.

 We would like to thank David F. Skoll for releasing a new version and
 Robert Schlabbach for reporting the vulnerability to him.

DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/rp-pppoe-2.5-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/rp-pppoe-2.5-1cl.i386.rpm

ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform
 upgrades:
 - add the following line to /etc/apt/sources.list if it is not there yet
   (you may also use linuxconf to do this):

   rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- ----------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key can be obtained
at http://www.conectiva.com.br/contato

- -----------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://www.conectiva.com.br/suporte/atualizacoes

- ----------------------------------------------------------------------
subscribe: atualizacoes-anuncio-subscribe@papaleguas.conectiva.com.br
unsubscribe: atualizacoes-anuncio-unsubscribe@papaleguas.conectiva.com.br

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6NmOG42jd0JmAcZARAlELAJ0YSd1KtIhLK8gERS9L6glt7UC+6wCbB+NQ
rKQNKh3G8D67qIEg8l+6krY=
=dkfl
-----END PGP SIGNATURE-----
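
The failure mode in the DESCRIPTION above, shown as a defensive TCP option walker. This is an added example, not code from rp-pppoe or from the advisory. The function name find_mss, the return codes, the choice of the MSS option as the thing being searched for, and the sample byte arrays are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

enum { TCPOPT_EOL = 0, TCPOPT_NOP = 1, TCPOPT_MSS = 2 };
enum { OPT_OK = 0, OPT_NO_MSS = 1, OPT_MALFORMED = -1 };

/* Constructed sample option areas (not captured traffic). */
const uint8_t SAMPLE_OK[]       = { 1, 1, 2, 4, 0x05, 0xb4 }; /* NOP NOP MSS=1460 */
const uint8_t SAMPLE_ZERO_LEN[] = { 8, 0, 2, 4, 0x05, 0xb4 }; /* option length 0 */
const uint8_t SAMPLE_TRUNC[]    = { 2, 4, 0x05 };             /* length past end */

/* Walk the TCP options area (the bytes between the fixed 20-byte header
 * and the payload) looking for the MSS option. A multi-byte option is
 * kind, length, data, and length counts the kind and length bytes too,
 * so any length below 2 is illegal. */
int find_mss(const uint8_t *opt, size_t len, uint16_t *mss)
{
    size_t i = 0;

    while (i < len) {
        uint8_t kind = opt[i];

        if (kind == TCPOPT_EOL)
            return OPT_NO_MSS;        /* end of option list */
        if (kind == TCPOPT_NOP) {
            i++;                      /* single-byte padding option */
            continue;
        }
        if (len - i < 2)
            return OPT_MALFORMED;     /* no room for a length byte */

        uint8_t olen = opt[i + 1];

        /* Without this check, olen == 0 makes "i += olen" a no-op and
         * the loop never terminates, which is the hang described above.
         * The upper bound keeps the walk inside the options area. */
        if (olen < 2 || olen > len - i)
            return OPT_MALFORMED;

        if (kind == TCPOPT_MSS) {
            if (olen != 4)
                return OPT_MALFORMED;
            *mss = (uint16_t)((opt[i + 2] << 8) | opt[i + 3]);
            return OPT_OK;
        }
        i += olen;                    /* always advances by at least 2 */
    }
    return OPT_NO_MSS;
}
```

A caller that gets OPT_MALFORMED should leave the segment unmodified or drop it, rather than continue parsing.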