-----BEGIN PGP SIGNED MESSAGE----- - ------------------------------------------------------------------------ Debian Security Advisory security@debian.org http://www.debian.org/security/ Wichert Akkerman January 9, 2000 - ------------------------------------------------------------------------ Package: lpr Vulnerability type: remote exploit Debian-specific: no The version of lpr that was distributed with Debian GNU/Linux 2.1 and the updated version released in 2.1r4 have a two security problems: * the client hostname wasn't verified properly, so if someone is able to control the DNS entry for their IP he could fool lpr into granting access. * it was possible to specify extra options to sendmail which could be used to specify another configuration file. This can be used to gain root access. Both problems have been fixed in 0.48-0.slink1 . We recommend you upgrade your lpr package immediately. wget url will fetch the file for you dpkg -i file.deb will install the referenced file. Debian GNU/Linux 2.1 alias slink - -------------------------------- This version of Debian was released only for Intel ia32, the Motorola 680x0, the alpha and the Sun sparc architecture. Source archives: http://security.debian.org/dists/stable/updates/source/lpr_0.48-0.slink1.diff.gz MD5 checksum: aca07389fc8f536df0d01d6469058a83 http://security.debian.org/dists/stable/updates/source/lpr_0.48-0.slink1.dsc MD5 checksum: 8854564310b6eb52cf00d06bfdf298d6 http://security.debian.org/dists/stable/updates/source/lpr_0.48.orig.tar.gz MD5 checksum: 7b67555568e1c2d03aedbe66098a52a5 Alpha architecture: http://security.debian.org/dists/stable/updates/binary-alpha/lpr_0.48-0.slink1_alpha.deb MD5 checksum: 891a7a518265c292e4d6183d27b1d284 Intel ia32 architecture: http://security.debian.org/dists/stable/updates/binary-i386/lpr_0.48-0.slink1_i386.deb MD5 checksum: 386d1e35a9cab64cd960385a46dab6a1 Motorola 680x0 architecture: http://security.debian.org/dists/stable/updates/binary-m68k/lpr_0.48-0.slink1_m68k.deb MD5 checksum: a6e05782ce4394cff1c48c7ddc50835f Sun Sparc architecture: http://security.debian.org/dists/stable/updates/binary-sparc/lpr_0.48-0.slink1_sparc.deb MD5 checksum: f14d908138bfee39cf7cd665df44e35d These files will be moved into ftp://ftp.debian.org/debian/dists/stable/*/binary-$arch/ soon. For not yet released architectures please refer to the appropriate directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ . - -- - ---------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable updates For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQB1AwUBOHjBiKjZR/ntlUftAQGfCgL9H3Jom4Ahqy2WlWcJoDwVJ9X2nMSCfepg rv/JZgsFjgE5xU6jK6dTLhfHE0DBBrYprgv7fftDK7EhgsQ0BxqaWAkOtFu+WniG sDEgwqqYbG2LR48WoBQHmQn/lsGLthY/ =Ui9f -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to debian-security-announce-request@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org