From security@linux-mandrake.com Mon Dec 8 20:38:14 2003 From: Mandrake Linux Security Team To: full-disclosure@lists.netsys.com Date: 9 Dec 2003 00:58:32 -0000 Subject: [Full-Disclosure] MDKSA-2003:113 - Updated screen packages fix buffer overflow vulnerability -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandrake Linux Security Update Advisory _______________________________________________________________________ Package name: screen Advisory ID: MDKSA-2003:113 Date: December 8th, 2003 Affected versions: 9.0, 9.1, 9.2, Corporate Server 2.1, Multi Network Firewall 8.2 ______________________________________________________________________ Problem Description: A vulnerability was discovered and fixed in screen by Timo Sirainen who found an exploitable buffer overflow that allowed privilege escalation. This vulnerability also has the potential to allow attackers to gain control of another user's screen session. The ability to exploit is not trivial and requires approximately 2GB of data to be transferred in order to do so. Updated packages are available that fix the vulnerability. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0972 http://marc.theaimsgroup.com/?l=bugtraq&m=106995837813873&w=2 ______________________________________________________________________ Updated Packages: Corporate Server 2.1: 757d420f6d823e26a487eff794490bbe corporate/2.1/RPMS/screen-3.9.11-4.1.C21mdk.i586.rpm 54336329e042b03ebca3c00ca0a1f0c3 corporate/2.1/SRPMS/screen-3.9.11-4.1.C21mdk.src.rpm Corporate Server 2.1/x86_64: bf60dabe82228d7f879c1fa232df2e20 x86_64/corporate/2.1/RPMS/screen-3.9.11-4.1.C21mdk.x86_64.rpm 54336329e042b03ebca3c00ca0a1f0c3 x86_64/corporate/2.1/SRPMS/screen-3.9.11-4.1.C21mdk.src.rpm Mandrake Linux 9.0: 2ed29228596116d87146cb2f1eb75ad3 9.0/RPMS/screen-3.9.11-4.1.90mdk.i586.rpm db59e945ca7dabc7d81df3388566feb9 9.0/SRPMS/screen-3.9.11-4.1.90mdk.src.rpm Mandrake Linux 9.1: 4d1ce0bb5f0b8335b9f3da4520280fdb 9.1/RPMS/screen-3.9.13-2.1.91mdk.i586.rpm 025da8fcc964f065afb0c51d2716d472 9.1/SRPMS/screen-3.9.13-2.1.91mdk.src.rpm Mandrake Linux 9.1/PPC: b8570b8b63461c8f444dcdbe2c4f6e99 ppc/9.1/RPMS/screen-3.9.13-2.1.91mdk.ppc.rpm 025da8fcc964f065afb0c51d2716d472 ppc/9.1/SRPMS/screen-3.9.13-2.1.91mdk.src.rpm Mandrake Linux 9.2: 656ca2f3bf4796052972997c214d7909 9.2/RPMS/screen-3.9.15-2.1.92mdk.i586.rpm 4d078d5d3b28c417a51e3a8bfe622f45 9.2/SRPMS/screen-3.9.15-2.1.92mdk.src.rpm Multi Network Firewall 8.2: c4b0b5a690692dac14eaeb8590fe2d8f mnf8.2/RPMS/screen-3.9.11-4.1.M82mdk.i586.rpm 9a363746316958e58a843f4d838b0cf0 mnf8.2/SRPMS/screen-3.9.11-4.1.M82mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. A list of FTP mirrors can be obtained from: http://www.mandrakesecure.net/en/ftp.php All packages are signed by MandrakeSoft for security. You can obtain the GPG public key of the Mandrake Linux Security Team by executing: gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98 Please be aware that sometimes it takes the mirrors a few hours to update. You can view other update advisories for Mandrake Linux at: http://www.mandrakesecure.net/en/advisories/ MandrakeSoft has several security-related mailing list services that anyone can subscribe to. Information on these lists can be obtained by visiting: http://www.mandrakesecure.net/en/mlist.php If you want to report vulnerabilities, please contact security_linux-mandrake.com Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE/1R44mqjQ0CJFipgRArMXAJ9ezfOdZLFEUT8XN/oY/gDi89a6SwCcD4Ob Q6zeST1HguxS9C4EqkTo7Bc= =dXIE -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html