[PLDSA 2-1] New ypserv packages fix information leak
Krzysiek Taraszka
dzimi at pld.org.pl
Tue Dec 3 20:35:05 CET 2002
--------------------------------------------------------------------------
PLD Security Advisory PLDSA 2-1                     security at pld.org.pl
http://www.pld.org.pl/security/                          PLD Security Team
03 December 2002                       http://www.pld.org.pl/security/faq
--------------------------------------------------------------------------
Package : ypserv prior to 1.3.12-5
Vulnerability : information leak
Problem-Type : remote
PLD-specific : no

Thorsten Kukuck discovered a problem in the ypserv program, which is
part of the Network Information Services (NIS). A memory leak in all
versions of ypserv prior to 2.5 is remotely exploitable. When a
malicious user requests a non-existent map, the server leaks
parts of an old domain name and map name.

The above problems have been fixed in version 1.3.12-6 for the
current stable distribution (ra).

We recommend that you upgrade your ypserv packages.

    wget -c url
will fetch the file for you.

    rpm -Uhv file(s)*.rpm
will upgrade the referenced file.

If you are using the "poldek" package manager, use the lines given below
to upgrade the packages:

    poldek --update
will update the internal database.

    poldek --upgrade 'ypserv*'
will install the corrected packages.

If you are using the "apt" package manager, use the lines given below
to upgrade the packages:

    apt-get update
will update the internal database.

    apt-get upgrade 'ypserv*'
will install the corrected packages.

PLD Linux 1.0 alias ra
----------------------
Source archives:
ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/ypserv-1.3.12-6.src.rpm
MD5 checksum: f229a1d410d189ddf4f70a9abb7b9022
I386 Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/ypserv-1.3.12-6.i386.rpm
MD5 checksum: b0d2163c8c3fc3948a73fb06368299d8
I586 Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/ypserv-1.3.12-6.i586.rpm
MD5 checksum: 949328a0e745383825cbd0c7f5ad2868
I686 Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/ypserv-1.3.12-6.i686.rpm
MD5 checksum: 3808f12efbd88dac42c6dae63346133f
PowerPC Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/ypserv-1.3.12-6.ppc.rpm
MD5 checksum: 6c2c4c5e5f1aea47f6e2a908e9cb06e8
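
The advisory publishes an MD5 checksum for each package, but the wget/rpm steps above do not include a check. The shell functions below are an added example, not part of the original advisory, that compare a downloaded file against the listed value before it is installed; the function names are hypothetical and md5sum (GNU coreutils) is assumed to be available.

```shell
#!/bin/sh
# Added example (not from the advisory): check a downloaded ypserv package
# against the MD5 value the advisory publishes before running rpm -Uhv.
# MD5 detects a corrupted or mismatched download; it is not collision-resistant.
# Assumes md5sum (GNU coreutils). Function names are hypothetical.

# Checksums and file names copied from the advisory's package list.
ADVISORY_SUMS='f229a1d410d189ddf4f70a9abb7b9022  ypserv-1.3.12-6.src.rpm
b0d2163c8c3fc3948a73fb06368299d8  ypserv-1.3.12-6.i386.rpm
949328a0e745383825cbd0c7f5ad2868  ypserv-1.3.12-6.i586.rpm
3808f12efbd88dac42c6dae63346133f  ypserv-1.3.12-6.i686.rpm
6c2c4c5e5f1aea47f6e2a908e9cb06e8  ypserv-1.3.12-6.ppc.rpm'

# expected_md5 FILE: print the advisory checksum for FILE's base name, if listed.
expected_md5() {
    printf '%s\n' "$ADVISORY_SUMS" |
        awk -v f="$(basename "$1")" '$2 == f { print $1 }'
}

# verify_md5 FILE EXPECTED: 0 = match, 1 = mismatch, 2 = file not readable.
verify_md5() {
    [ -r "$1" ] || return 2
    actual=$(md5sum < "$1" | cut -d' ' -f1)
    [ "$actual" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# verify_pkg FILE: 0 only if FILE is listed in the advisory and its MD5 matches;
# 3 = not a file named in the advisory, 1 = mismatch or unreadable.
verify_pkg() {
    want=$(expected_md5 "$1")
    if [ -z "$want" ]; then
        echo "$1: not listed in the advisory" >&2
        return 3
    fi
    if ! verify_md5 "$1" "$want"; then
        echo "$1: MD5 mismatch or unreadable, do not install" >&2
        return 1
    fi
    echo "$1: OK"
}

# Typical use after fetching the package for your architecture:
#   verify_pkg ypserv-1.3.12-6.i686.rpm && rpm -Uhv ypserv-1.3.12-6.i686.rpm
```
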
--------------------------------------------------------------------------------
If you are using poldek, add this line to poldek.conf.
If you are using apt-get, add this line to sources.list.
For i386 architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security
For i586 architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security
For i686 architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security
For ppc architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security