--------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated ncpfs package fixes security issues Advisory ID: FLSA:152904 Issue date: 2006-05-12 Product: Red Hat Linux, Fedora Core Keywords: Bugfix CVE Names: CVE-2004-1079 CVE-2005-0013 CVE-2005-0014 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: An updated ncpfs package is now available. Ncpfs is a file system that understands the Novell NetWare(TM) NCP protocol. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 Fedora Core 1 - i386 Fedora Core 2 - i386 Fedora Core 3 - i386, x86_64 3. Problem description: Buffer overflows were found in the nwclient program. An attacker, using a long -T option, could possibly execute arbitrary code and gain privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1079 to this issue. A bug was found in the way ncpfs handled file permissions. ncpfs did not sufficiently check if the file owner matched the user attempting to access the file, potentially violating the file permissions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0013 to this issue. A buffer overflow was found in the ncplogin program. A remote malicious NetWare server could execute arbitrary code on a victim's machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0014 to this issue. All users of ncpfs are advised to upgrade to this updated package, which contains backported fixes for these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152904 6. RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/ncpfs-2.2.0.18-6.1.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/ncpfs-2.2.0.18-6.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/ipxutils-2.2.0.18-6.1.legacy.i386.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/ncpfs-2.2.1-1.1.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/ncpfs-2.2.1-1.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/ipxutils-2.2.1-1.1.legacy.i386.rpm Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/ncpfs-2.2.3-1.1.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/ncpfs-2.2.3-1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/ipxutils-2.2.3-1.1.legacy.i386.rpm Fedora Core 2: SRPM: http://download.fedoralegacy.org/fedora/2/updates/SRPMS/ncpfs-2.2.4-1.1.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/2/updates/i386/ncpfs-2.2.4-1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/ipxutils-2.2.4-1.1.legacy.i386.rpm Fedora Core 3: SRPM: http://download.fedoralegacy.org/fedora/3/updates/SRPMS/ncpfs-2.2.4-5.FC3.1.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/3/updates/i386/ncpfs-2.2.4-5.FC3.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/ipxutils-2.2.4-5.FC3.1.legacy.i386.rpm x86_64: http://download.fedoralegacy.org/fedora/3/updates/x86_64/ncpfs-2.2.4-5.FC3.1.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/ipxutils-2.2.4-5.FC3.1.legacy.x86_64.rpm 7. Verification: SHA1 sum Package Name --------------------------------------------------------------------- 16740d3fa5e17a46429ad3586e4adf9a14a64f8d redhat/7.3/updates/i386/ncpfs-2.2.0.18-6.1.legacy.i386.rpm 21f8520c8a2a3d60e55041c0db028e03549f8544 redhat/7.3/updates/i386/ipxutils-2.2.0.18-6.1.legacy.i386.rpm 6704d55f1f43360b6ad4211e2ca0f92e9f2174c8 redhat/7.3/updates/SRPMS/ncpfs-2.2.0.18-6.1.legacy.src.rpm 6acd3b7b7d09cb0e47769b43a888adf72a6278ac redhat/9/updates/i386/ncpfs-2.2.1-1.1.legacy.i386.rpm c49d83f88b229ce57c689d313eccb4df7b89f36b redhat/9/updates/i386/ipxutils-2.2.1-1.1.legacy.i386.rpm ac833c51fcf831bca3edef5d0275ccd1ae0a530f redhat/9/updates/SRPMS/ncpfs-2.2.1-1.1.legacy.src.rpm 8379face8f68fe556d40bf32f72a5ab368e8eb6d fedora/1/updates/i386/ncpfs-2.2.3-1.1.legacy.i386.rpm eefaa839a26179ca5d41897eacf7bbf3c49661e1 fedora/1/updates/i386/ipxutils-2.2.3-1.1.legacy.i386.rpm ede00a8544200515b5e09a7a40836d8f558cac9d fedora/1/updates/SRPMS/ncpfs-2.2.3-1.1.legacy.src.rpm 1d32d2f0c39475f98206d78f87c587d4f96ddb70 fedora/2/updates/i386/ncpfs-2.2.4-1.1.legacy.i386.rpm c095ce2d66184b605516231609cddc30520c3eb5 fedora/2/updates/i386/ipxutils-2.2.4-1.1.legacy.i386.rpm 874f8a48f85fef80615b5892a70d214f0935ed7a fedora/2/updates/SRPMS/ncpfs-2.2.4-1.1.legacy.src.rpm dc329c8b3558f67350486358b01b6a62f6f467af fedora/3/updates/i386/ncpfs-2.2.4-5.FC3.1.legacy.i386.rpm 1ddd6caafe4a693d4a69d341be69600df446de3b fedora/3/updates/i386/ipxutils-2.2.4-5.FC3.1.legacy.i386.rpm db8660759a23570a6d06bda37c619e0931425ef8 fedora/3/updates/x86_64/ncpfs-2.2.4-5.FC3.1.legacy.x86_64.rpm 1e8bc7d10995fde90688b424f5001c14f7d3e3bc fedora/3/updates/x86_64/ipxutils-2.2.4-5.FC3.1.legacy.x86_64.rpm 7f29dd88dcf31f19970e22c8c3af7267c62a5508 fedora/3/updates/SRPMS/ncpfs-2.2.4-5.FC3.1.legacy.src.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum <filename> 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1079 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0013 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0014 9. Contact: The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>. More project details at http://www.fedoralegacy.org ---------------------------------------------------------------------
Attachment:
signature.asc
Description: OpenPGP digital signature