Fw: [RHSA-2000:002] New lpr packages available
-----Original Message-----
From: Bill Nottingham <notting@redhat.com>
To: redhat-watch-list@redhat.com <redhat-watch-list@redhat.com>
Cc: linux-security@redhat.com <linux-security@redhat.com>;
bugtraq@securityfocus.com <bugtraq@securityfocus.com>
Date: Friday, January 07, 2000 11:55 PM
Subject: [RHSA-2000:002] New lpr packages available
>---------------------------------------------------------------------
> Red Hat, Inc. Security Advisory
>
>Synopsis: New lpr packages available
>Advisory ID: RHSA-2000:002-01
>Issue date: 2000-01-07
>Updated on: 2000-01-07
>Keywords: lpr lpd DNS sendmail
>Cross references:
>---------------------------------------------------------------------
>
>1. Topic:
>
>New lpr packages are available to fix two security problems
>in lpd.
>
>2. Relevant releases/architectures:
>
>Red Hat Linux 4.x, all architectures
>Red Hat Linux 5.x, all architectures
>Red Hat Linux 6.x, all architectures
>
>3. Problem description:
>
>Two security vulnerabilities exist in the lpd
>(line printer daemon) shipped with the lpr package.
>
>First, authentication was not thorough enough. If a remote user
>was able to control their own DNS so that their IP address resolved
>to the hostname of the print server, access would be granted,
>when it should not be.
>
>Secondly, it was possible in the control file of a print job
>to specify arguments to sendmail. By careful manipulation of
>control and data files, this could cause sendmail to be executed
>with a user-specified configuration file. This could lead
>very easily to a root compromise.
>
>It is recommended that all users of Red Hat Linux using the
>lpr package (which is required to print) upgrade to the
>fixed packages.
>
>Thanks go to DilDog (dildog@l0pht.com) for noting the vulnerability.
>
>4. Solution:
>
>For each RPM for your particular architecture, run:
> rpm -Fvh <filename>
>where filename is the name of the RPM.
>
>5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla/ for more info):
>
>6. Obsoleted by:
>
>7. Conflicts with:
>
>8. RPMs required:
>
>Red Hat Linux 6.x:
>
>Intel:
> ftp://updates.redhat.com/6.1/i386/lpr-0.48-1.i386.rpm
>
>Alpha:
> ftp://updates.redhat.com/6.1/alpha/lpr-0.48-1.alpha.rpm
>
>Sparc:
> ftp://updates.redhat.com/6.1/sparc/lpr-0.48-1.sparc.rpm
>
>Source packages:
> ftp://updates.redhat.com/6.1/SRPMS/lpr-0.48-1.src.rpm
>
>
>Red Hat Linux 5.x:
>
>Intel:
> ftp://updates.redhat.com/5.2/i386/lpr-0.48-0.5.2.i386.rpm
>
>Alpha:
> ftp://updates.redhat.com/5.2/alpha/lpr-0.48-0.5.2.alpha.rpm
>
>Sparc:
> ftp://updates.redhat.com/5.2/sparc/lpr-0.48-0.5.2.sparc.rpm
>
>Source packages:
> ftp://updates.redhat.com/5.2/SRPMS/lpr-0.48-0.5.2.src.rpm
>
>
>Red Hat Linux 4.x:
>
>Intel:
> ftp://updates.redhat.com/4.2/i386/lpr-0.48-0.4.2.i386.rpm
>
>Alpha:
> ftp://updates.redhat.com/4.2/alpha/lpr-0.48-0.4.2.alpha.rpm
>
>Sparc:
> ftp://updates.redhat.com/4.2/sparc/lpr-0.48-0.4.2.sparc.rpm
>
>Source packages:
> ftp://updates.redhat.com/4.2/SRPMS/lpr-0.48-0.4.2.src.rpm
>
>
>9. Verification:
>
>MD5 sum Package Name
>--------------------------------------------------------------------------
>78f2220331189e723eab944b53d0710e i386/lpr-0.48-1.i386.rpm
>3fcb89eb1a76741a505d3eeeddfa3674 alpha/lpr-0.48-1.alpha.rpm
>441cfee04428ca215d98d9ce3d20bc4d sparc/lpr-0.48-1.sparc.rpm
>55c6a740b03569919ec08992257cad96 SRPMS/lpr-0.48-1.src.rpm
>
>25ba4d2b49ff42403062d44f52f59947 i386/lpr-0.48-0.5.2.i386.rpm
>aa13284c581601705fef727565ed407e alpha/lpr-0.48-0.5.2.alpha.rpm
>8d158ba104fadbfc84b5122f9564b2ed sparc/lpr-0.48-0.5.2.sparc.rpm
>3d7a10a086f5bd5aea739ec41d761881 SRPMS/lpr-0.48-0.5.2.src.rpm
>
>a215955554df002e91e336abd310e3f1 i386/lpr-0.48-0.4.2.i386.rpm
>a96363769e3815a5a5bb40084d8fac61 alpha/lpr-0.48-0.4.2.alpha.rpm
>f56271b462851990238a24a5357c454f sparc/lpr-0.48-0.4.2.sparc.rpm
>48453e0c888e3d124a6b50fbb9a89be9 SRPMS/lpr-0.48-0.4.2.src.rpm
>
>These packages are GPG signed by Red Hat, Inc. for security. Our key
>is available at:
> http://www.redhat.com/corp/contact.html
>
>You can verify each package with the following command:
> rpm --checksig <filename>
>
>If you only wish to verify that each package has not been corrupted or
>tampered with, examine only the md5sum with the following command:
> rpm --checksig --nogpg <filename>
>
>10. References:
>
>
>
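
The first problem in section 3 of the advisory, shown as an added example (not code from the lpr package or from Red Hat): a check that trusts the reverse (PTR) lookup alone, next to one that also requires the name to resolve forward to the connecting address. The addresses, the hostname and the table-based resolver are constructed so the block runs offline, and the forward confirmation is a common hardening assumed here, not a description of the actual patch.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed DNS data (documentation address ranges). A PTR record is set by
   whoever controls the reverse zone for an address; an A record is set by
   whoever controls the hostname's zone. */
struct rec { const char *key, *val; };
static const struct rec PTR[] = {                 /* address -> name */
    {"192.0.2.10",   "printhost.example.com"},    /* the real print server */
    {"203.0.113.66", "printhost.example.com"},    /* remote user's own reverse zone */
};
static const struct rec A[] = {                   /* name -> address */
    {"printhost.example.com", "192.0.2.10"},
};

static const char *ptr_lookup(const char *ip)
{
    for (size_t i = 0; i < sizeof PTR / sizeof PTR[0]; i++)
        if (strcmp(PTR[i].key, ip) == 0)
            return PTR[i].val;
    return NULL;
}

/* Weak: believes whatever name the reverse lookup returns. */
int allowed_reverse_only(const char *peer_ip, const char *trusted)
{
    const char *name = ptr_lookup(peer_ip);
    return name != NULL && strcasecmp(name, trusted) == 0;
}

/* Hardened: the name must also resolve forward to the connecting address. */
int allowed_forward_confirmed(const char *peer_ip, const char *trusted)
{
    if (!allowed_reverse_only(peer_ip, trusted))
        return 0;
    for (size_t i = 0; i < sizeof A / sizeof A[0]; i++)
        if (strcasecmp(A[i].key, trusted) == 0 && strcmp(A[i].val, peer_ip) == 0)
            return 1;
    return 0;
}

int main(void)
{
    const char *peers[] = {"192.0.2.10", "203.0.113.66"};
    for (size_t i = 0; i < 2; i++)
        printf("%-13s reverse-only=%d forward-confirmed=%d\n", peers[i],
               allowed_reverse_only(peers[i], "printhost.example.com"),
               allowed_forward_confirmed(peers[i], "printhost.example.com"));
    return 0;
}
```

A production check would make the same comparison on the binary addresses returned by `getnameinfo()` and `getaddrinfo()` rather than on strings.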