Debian fixes multiple flaws


Bill Brenner, News Writer

Denial-of-service, buffer overflow and format string vulnerabilities in Debian GNU/Linux that an attacker could use to remotely execute malicious code or crash machines have been fixed. The flaws and fixes are outlined in three advisories Debian released over the weekend.

The first fix is for a format string vulnerability in netkit-telnet-ssl, which could allow a remote attacker to execute arbitrary code with the privileges of the telnet daemon (the 'telnetd' user by default). For the stable system, called Woody, the problem has been fixed in version 0.17.17+0.1-2woody1. For the unstable system, called Sid, the problem has been fixed in version 0.17.24+0.1-2.

Copenhagen, Denmark-based IT security firm Secunia calls this flaw "highly critical."

The second fix is for a buffer overflow in l2tpd, an implementation of the layer 2 tunneling protocol. An attacker could use this to execute arbitrary code by transmitting a specially crafted packet. For Woody, Debian said the problem has been fixed in version 0.67-1.2. For Sid, the problem has been fixed in version 0.70-pre20031121-2.

Secunia calls this flaw "moderately critical."

The third fix is for several denial-of-service vulnerabilities in Ethereal, a network traffic analyzer. A malicious person could exploit them to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire or by convincing someone to read a malformed packet trace file. The problem was first reported July 6 and affects versions 0.8.15 up to and including 0.10.4.

Secunia calls the Ethereal flaw "less critical."
