TITLE:
OpenBSD XFree86 xdm Unintended Query Listening Security Issue
SECUNIA ADVISORY ID:
SA11723
VERIFY ADVISORY:
http://secunia.com/advisories/11723/
CRITICAL:
Less critical
IMPACT:
Security Bypass
WHERE:
From local network
OPERATING SYSTEM:
OpenBSD 3.x
DESCRIPTION:
OpenBSD has issued an update for xdm. This fixes a security issue,
which potentially may allow malicious users to gain unintended access
to a system.
A CVS version of XFree86 xdm, which is included in some versions of
OpenBSD, has an error that causes it to listen for queries on a
random TCP socket, even though requestPort is set to "0" in the
configuration file.
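A defender-side check for the symptom described above, added here and not part of the advisory or of xdm itself: it cross-checks the requestPort setting in xdm-config against the sockets xdm actually holds open, so a TCP listener that exists despite requestPort 0 is flagged. It assumes the OpenBSD fstat(1) column layout and a typical xdm-config path; both excerpts below are constructed.

```shell
#!/bin/sh
# Added example, not from the advisory or from xdm: compare the requestPort
# setting in xdm-config with the sockets xdm actually holds, so a TCP
# listener that exists despite requestPort 0 shows up in an audit.
# Assumes OpenBSD fstat(1) column order; the two excerpts below are constructed.

XDM_CONFIG='DisplayManager.requestPort: 0
DisplayManager.errorLogFile: /var/log/xdm.log'

# USER CMD PID FD DOMAIN TYPE PROTO ADDR NAME: xdm holds an unexpected
# wildcard TCP listener (random port) besides its expected UNIX socket.
FSTAT_OUT='root     xdm       123   3* internet stream tcp 0x0 *:36621
root     xdm       123   4* unix stream 0x0 /tmp/.X11-unix/X0
root     sshd      456   3* internet stream tcp 0x0 *:22'

configured_request_port() {
    # Print the requestPort value from xdm-config text; empty when unset.
    printf '%s\n' "$1" | awk '$1 == "DisplayManager.requestPort:" { print $2 }'
}

xdm_tcp_listeners() {
    # Print the port of every wildcard-bound TCP socket held by a process
    # whose command name is xdm (other daemons are ignored).
    printf '%s\n' "$1" | awk '$2 == "xdm" && $5 == "internet" && $7 == "tcp" {
        n = split($NF, a, ":")          # last field is "addr:port"
        if (a[1] == "*") print a[n]
    }'
}

check_xdm() {
    # Return 1 and report the ports when requestPort is 0 but xdm still
    # listens on TCP; return 0 when configuration and sockets agree.
    port=$(configured_request_port "$1")
    listeners=$(xdm_tcp_listeners "$2")
    if [ "$port" != "0" ] || [ -z "$listeners" ]; then
        return 0
    fi
    printf 'requestPort is 0 but xdm listens on TCP port(s): %s\n' "$listeners"
    return 1
}

# On a live host: check_xdm "$(cat /etc/X11/xdm/xdm-config)" "$(fstat)"
# (config path is an assumption; adjust to the local installation).
if check_xdm "$XDM_CONFIG" "$FSTAT_OUT"; then
    echo "xdm sockets match xdm-config"
fi
```

Run against the constructed data it reports port 36621; with live fstat output it is a quick way to confirm whether the patched xdm still opens a listener.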
SOLUTION:
A patch is available for OpenBSD 3.5:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/008_xdm.patch
A fix ("/cvs/xc/programs/xdm/socket.c") has reportedly been committed
to the XFree86 CVS repository.
PROVIDED AND/OR DISCOVERED BY:
Steve Rumble
ORIGINAL ADVISORY:
http://bugs.xfree86.org/show_bug.cgi?id=1376
----------------------------------------------------------------------
About:
This advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------