The version of lpr that was distributed with Debian GNU/Linux 2.1 and the updated version released in 2.1r4 have a two security problems - Local users can obtain root access and remote users can access the print server. Debian security homepage here.
4598f33acb97daed298ecb9e2d609df5The version of htdig that was shipped in Debian GNU/Linux 2.1 has a problem with calling external programs to handle non-HTML documents: it calls the external program with the document as a parameter, but does not check for shell escapes. This can be exploited by creating files with filenames that include shell escapes to run arbitraty commands on the machine that runs htdig. Debian security homepage here.
a8fd02d13b305694bfbadced3f58307dThe version of sendmail and sendmail-wide that was distributed with Debian GNU/Linux 2.1 has a slight problem in the code to regenerate the aliases database. Sendmail allowed any user to run sendmail with the -bi option to (re)initialize the aliases database. The user could then interrupt sendmail and leave the system with a broken aliases database. This has been fixed in version 8.9.3-3slink1 by only allowing root and trusted users to regenerate the aliases database. Debian security homepage here.
d724290163864d34d014fa8e4be217fcThe version of dump that was distributed with Debian GNU/Linux 2.1 suffers from a problem with restoring symbolic links. The new version uses lchown instead of chown, fixing a possible security problem when restoring symlinks (a malicious user could use this to deliberately corrupt the ownership of important system files). Debian security website here.
4edf808c4cd9c533f103be8ae03b2899The version bind that was distributed in Debian GNU/Linux 2.1 has a vulnerability in the processing of NXT records that can be used by an attacked in a Debian of Service attack or exploited to gain root access to the server. This has been fixed in version 8.2.5p5-0slink1, and we recommend that you upgrade your bind package immediately. Debian security homepage here.
c54927e4c04dc6d6857c80bbf06fbc95Debian Security Advisory: New version of nfs-server fixes remote exploit. Debian security homepage here.
49b2e2eefb687de5bc34a50f4aebd09dThe version of lpr that was distributed with Debian GNU/Linux 2.1 suffers from a couple of problems. There was a race in lpr that could be exploited by users to print files they can not normally read, and lpd did not check permissions of queue-files. As a result by using the -s flag it could be tricked into printing files a user can otherwise not read. This has been fixed in version 0.46-1-0slink1. We recommend you upgrade your lpr package immediately. Debian security homepage here.
09c3264dfd9b00e60efe0be857e15228
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed