Subject: Caldera Security Advisory SA-1997.20: Vulnerability in traceroute

Caldera Security Advisory SA-1997.20

Original report date: 20-Aug-1997
RPM build date:       03-Sep-1997
Advisory issue date:  22-Sep-1997

Topic: Vulnerability in traceroute package

I. Problem Description

   The traceroute command had a buffer overflow that opened up various
   security-related exploit possibilities. Details and specifics of the
   exploit possibilities have not been disclosed publicly.

II. Impact

   Versions of the traceroute package prior to release 1.4a5-3, as
   distributed on the following OpenLinux releases, are vulnerable:

       CND 1.0
       Base 1.0
       Lite 1.1
       Base 1.1
       Standard 1.1

   The new traceroute package has been found to function properly on all
   of the distributions shown above.

III. Solution

   Install the new traceroute-1.4a5-3 package, as described below.

   Both source and binary packages are located on Caldera's FTP server
   (ftp.caldera.com).

   Binary files can be obtained at:

       ftp://ftp.caldera.com/pub/openlinux/updates/1.1/current/RPMS

   Source files can be obtained at:

       ftp://ftp.caldera.com/pub/openlinux/updates/1.1/current/SRPMS

   To install the update on COL Base 1.0 or any OpenLinux 1.1 release,
   use the following commands:

       rpm -e traceroute
       rpm -i RPMS/traceroute-1.4a5-3.i386.rpm

   The CND version of this RPM can be obtained at:

       ftp://ftp.caldera.com/pub/cnd-1.0/updates

   To install the update on CND 1.0, use the following command:

       rpm --force -i RPMS/cnd10_traceroute-1.4a5-3.i386.rpm

   The source for the CND 1.0 version is the same as for the other
   releases.

   Note: If you are running CND 1.0, you must first obtain and properly
   install rpm-upgrade-0.9-1.i386.rpm. This will allow you to use RPMs
   built for the OpenLinux releases. This rpm upgrade can be found at
   ftp.caldera.com under "/pub/cnd-1.0/updates".

IV. References / Credits

   This update fixes Caldera's internal problem report #886.

   This and other Caldera security resources are located at:

       http://www.caldera.com/tech-ref/security/

V. PGP Signature

   This message was signed with the PGP key for . This key can be
   obtained from:

       ftp://ftp.caldera.com/pub/pgp-keys/

   Or on an OpenLinux CDROM under:

       /OpenLinux/pgp-keys/

$Id: SA-1997.20,v 1.1 1997/09/22 22:39:30 ron Exp $
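
Added example (not part of Caldera's advisory): a check of an installed traceroute version-release string against the fixed 1.4a5-3 named in sections II and III. It uses a simplified RPM-style segment comparison, because a plain string compare misorders versions such as 1.4a12. The function names and the package name passed to rpm -q are assumptions; epochs and special characters such as ~ are not handled.

```python
import re
import subprocess

FIXED = ("1.4a5", "3")  # fixed version and release from the advisory

def _segments(s):
    # Split into runs of digits or ASCII letters; separators are dropped.
    return re.findall(r"[0-9]+|[A-Za-z]+", s)

def vercmp(a, b):
    """Simplified RPM-style compare: -1, 0 or 1 (no epoch or ~ handling)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)             # compare numbers numerically
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_vulnerable(version_release):
    """True if VERSION-RELEASE is older than the fixed 1.4a5-3."""
    version, sep, release = version_release.rpartition("-")
    if not sep or not version or not release:
        raise ValueError("expected VERSION-RELEASE, got %r" % version_release)
    return (vercmp(version, FIXED[0]) or vercmp(release, FIXED[1])) < 0

def installed_traceroute(package="traceroute"):
    """Query the RPM database; None if rpm is absent or the package is not installed.
    The package name is an assumption (the CND build may be registered differently)."""
    try:
        out = subprocess.run(
            ["rpm", "-q", "--queryformat", "%{VERSION}-%{RELEASE}", package],
            capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()

if __name__ == "__main__":
    found = installed_traceroute()
    if found is None:
        print("traceroute package not found in the RPM database")
    else:
        print(found, "VULNERABLE" if is_vulnerable(found) else "ok")
```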