73276 2002-08-14 22:41 /51 rader/ Daniel Ahlberg <aliz@gentoo.org> Importerad: 2002-08-14 22:41 av Brevbäraren Extern mottagare: gentoo-security@gentoo.org Mottagare: Bugtraq (import) <1098> Ärende: GLSA: xinetd ------------------------------------------------------------ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - -------------------------------------------------------------------- GENTOO LINUX SECURITY ANNOUNCEMENT - - -------------------------------------------------------------------- PACKAGE :xinetd SUMMARY :pipe exposure DATE :2002-08-14 08:40 UTC - - -------------------------------------------------------------------- OVERVIEW File descriptors introduced in 2.3.4 can be used to crash xinetd resulting in a denial of service. DETAIL Solar Designer found a vulnerability in xinetd, a replacement for the BSD derived inetd. File descriptors for the signal pipe introduced in version 2.3.4 are leaked into services started from xinetd. The descriptors could be used to talk to xinetd resulting in crashing it entirely. This is usually called a denial of service. SOLUTION It is recommended that all Gentoo Linux users who are running sys-apps/xinetd-2.3.5 and earlier update their systems as follows. emerge rsync emerge xinetd emerge clean xinetd-2.3.7 is currently only available for x86. Sparc and ppc will be available when it's been tested on these archs. - - -------------------------------------------------------------------- Daniel Ahlberg aliz@gentoo.org - - -------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE9Wh+4fT7nyhUpoZMRAmdAAJ0a+G6wsTrpxl/KLH8A03XXDfQgHACggUqw 1xtIcSrLOLwAyv9aain+tDk= =GYvc -----END PGP SIGNATURE----- (73276) /Daniel Ahlberg <aliz@gentoo.org>/----------