[PLDSA 55-1] New snort packages fix remote root exploits
Krzysiek Taraszka
dzimi at pld.org.pl
Sat May 3 15:46:50 CEST 2003
--------------------------------------------------------------------------
PLD Security Advisory PLDSA 55-1            security at pld.org.pl
http://www.pld.org.pl/security/             PLD Security Team
16 April 2003                               http://www.pld.org.pl/security/faq
--------------------------------------------------------------------------
Package : prior to snort-1.9.0-2
Vulnerability : multiple vulnerabilities
Problem-Type : remote
PLD-specific : no
CVE references : CAN-2003-0029, CAN-2003-0033
CERT advisory : VU#139129, VU#916785
Upstream URLs : www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10
                www.snort.org/advisories/snort-2003-04-16-1.txt
                www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951
There are two vulnerabilities in the Snort Intrusion Detection System,
each in a separate preprocessor module. Both vulnerabilities allow
remote attackers to execute arbitrary code with the privileges of the
user running Snort, typically root:
CAN-2003-0029
Researchers at CORE Security Technologies have discovered a remotely
exploitable heap overflow in the Snort "stream4" preprocessor module.
This module allows Snort to reassemble TCP packet fragments for
further analysis.
CAN-2003-0033
Researchers at Internet Security Systems (ISS) have discovered a
remotely exploitable buffer overflow in the Snort RPC preprocessor
module.
When the RPC decoder normalizes fragmented RPC records, it incorrectly
checks the lengths of what is being normalized against the current packet
size, leading to an overflow condition. The RPC preprocessor is enabled
by default.
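The class of check described for the RPC decoder, shown as an added example that is not part of the advisory and is not Snort's code: a bounds-checked merge of RPC record-marking fragments. The function name, buffers and sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples. ok: fragments "AB" + "CDE" (last bit set on the second).
 * bad: header claims 6 payload bytes but only 4 follow in the 8-byte packet. */
static const uint8_t sample_ok[]  = {0x00,0,0,2,'A','B', 0x80,0,0,3,'C','D','E'};
static const uint8_t sample_bad[] = {0x80,0,0,6,'A','B','C','D'};
static uint8_t demo_out[16];

/* Illustrative sketch, not Snort's code: merge RPC record-marking fragments
 * (4-byte big-endian header, top bit = last fragment, low 31 bits = length)
 * into out. Returns merged length, or -1 if the record must be rejected. */
long rpc_merge_fragments(const uint8_t *pkt, size_t pkt_len,
                         uint8_t *out, size_t out_cap)
{
    size_t in_off = 0, out_len = 0;

    for (;;) {
        if (pkt_len - in_off < 4)          /* header must be inside the packet */
            return -1;
        uint32_t hdr = ((uint32_t)pkt[in_off] << 24) |
                       ((uint32_t)pkt[in_off + 1] << 16) |
                       ((uint32_t)pkt[in_off + 2] << 8) | pkt[in_off + 3];
        size_t frag_len = hdr & 0x7fffffffu;
        in_off += 4;

        /* Compare the claimed length with the bytes remaining after this
         * header, not with the size of the whole packet. */
        if (frag_len > pkt_len - in_off)
            return -1;
        /* Compare it with the space left in the destination as well. */
        if (frag_len > out_cap - out_len)
            return -1;

        memcpy(out + out_len, pkt + in_off, frag_len);
        out_len += frag_len;
        in_off += frag_len;
        if (hdr & 0x80000000u)             /* last-fragment bit */
            return (long)out_len;
    }
}

int main(void)
{
    printf("%ld\n", rpc_merge_fragments(sample_ok, sizeof sample_ok, demo_out, sizeof demo_out));
    printf("%ld\n", rpc_merge_fragments(sample_bad, sizeof sample_bad, demo_out, sizeof demo_out));
    return 0;
}
```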
The above problems have been fixed in version 2.0.0-2 for the
current stable distribution (ra).
We recommend that you upgrade your snort packages.
wget -c url
will fetch the file for you
rpm -Uhv file(s)*.rpm
will upgrade the referenced file.
If you are using the "poldek" package manager, use the lines given below
to upgrade the packages
poldek --update
will update the internal database
poldek --upgrade 'snort*'
will install corrected packages
If you are using the "apt" package manager, use the lines given below
to upgrade the packages
apt-get update
will update the internal database
apt-get upgrade 'snort*'
will install corrected packages
PLD Linux 1.0 alias ra
--------------------
Source archives:
ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/snort-2.0.0-2.src.rpm
MD5 checksum: cc29d9fa5e8bd64f962a8dd9d6c9c4e6
I386 Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/snort-2.0.0-2.i386.rpm
MD5 checksum: 9c2ff5e448a55998a66238522450ed15
I586 Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/snort-2.0.0-2.i586.rpm
MD5 checksum: 1a02bf6c19619fc1a922923c1703724a
I686 Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/snort-2.0.0-2.i686.rpm
MD5 checksum: eaef2d205ca6c2f4ae96ef174fc83f23
PowerPC Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/snort-2.0.0-2.ppc.rpm
MD5 checksum: aa64f305bc351b483e519d1300db2464
--------------------------------------------------------------------------
If you are using poldek add this line to poldek.conf.
If you are using apt-get add this line to sources.list.
For i386 architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security
For i586 architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security
For i686 architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security
For ppc architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security