73276 2002-08-14  22:41  /51 rader/ Daniel Ahlberg <aliz@gentoo.org>
Importerad: 2002-08-14  22:41  av Brevbäraren
Extern mottagare: gentoo-security@gentoo.org
Mottagare: Bugtraq (import) <1098>
Ärende: GLSA: xinetd
------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
- - --------------------------------------------------------------------

PACKAGE        :xinetd
SUMMARY        :pipe exposure
DATE           :2002-08-14 08:40 UTC

- - --------------------------------------------------------------------

OVERVIEW

File descriptors introduced in 2.3.4 can be used to crash xinetd 
resulting in a denial of service.

DETAIL

Solar Designer found a vulnerability in xinetd, a replacement for the
BSD derived inetd.  File descriptors for the signal pipe introduced in
version 2.3.4 are leaked into services started from xinetd.  The
descriptors could be used to talk to xinetd resulting in crashing it
entirely.  This is usually called a denial of service.

SOLUTION

It is recommended that all Gentoo Linux users who are running
sys-apps/xinetd-2.3.5 and earlier update their systems as follows.

emerge rsync
emerge xinetd
emerge clean

xinetd-2.3.7 is currently only available for x86. Sparc and ppc will
be available when it's been tested on these archs.

- - --------------------------------------------------------------------
Daniel Ahlberg
aliz@gentoo.org
- - --------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9Wh+4fT7nyhUpoZMRAmdAAJ0a+G6wsTrpxl/KLH8A03XXDfQgHACggUqw
1xtIcSrLOLwAyv9aain+tDk=
=GYvc
-----END PGP SIGNATURE-----
(73276) /Daniel Ahlberg <aliz@gentoo.org>/----------