From security@linux-mandrake.com Mon Jun 7 21:54:08 2004 From: Mandrake Linux Security Team To: full-disclosure@lists.netsys.com Date: 8 Jun 2004 01:15:17 -0000 Subject: [Full-Disclosure] MDKSA-2004:057 - Updated tripwire packages fix format string vulnerability -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandrakelinux Security Update Advisory _______________________________________________________________________ Package name: tripwire Advisory ID: MDKSA-2004:057 Date: June 7th, 2004 Affected versions: 10.0, 9.2, Corporate Server 2.1 ______________________________________________________________________ Problem Description: Paul Herman discovered a format string vulnerability in tripwire that could allow a local user to execute arbitrary code with the rights of the user running tripwire (typically root). This vulnerability only exists when tripwire is generating an email report. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0536 http://www.securityfocus.com/archive/1/365036 ______________________________________________________________________ Updated Packages: Mandrakelinux 10.0: f7218d2fbde501fff2d418e7817679e6 10.0/RPMS/tripwire-2.3.1.2-7.1.100mdk.i586.rpm 4476fcbb452e7af2a7171e303f75f0f4 10.0/SRPMS/tripwire-2.3.1.2-7.1.100mdk.src.rpm Corporate Server 2.1: 69367ac3b8afe929b0542f1921606ea1 corporate/2.1/RPMS/tripwire-2.3.1.2-7.1.C21mdk.i586.rpm 85b56f3e3587ed3ff69ffd98708e9d39 corporate/2.1/SRPMS/tripwire-2.3.1.2-7.1.C21mdk.src.rpm Mandrakelinux 9.2: b8fa611b9f5c5b65bc8bfc30e880e6e5 9.2/RPMS/tripwire-2.3.1.2-7.1.92mdk.i586.rpm ae1cd49c93ad98e770ddd82fb9a55356 9.2/SRPMS/tripwire-2.3.1.2-7.1.92mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandrakelinux at: http://www.mandrakesoft.com/security/advisories If you want to report vulnerabilities, please contact security_linux-mandrake.com Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFAxRMlmqjQ0CJFipgRAjfIAJ4ikNoIKkSdPdwJyt7bJT0Ma3JbYQCdFiU5 O5Z+DqqCC/vE9U15eACPMJ4= =dvYs -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html