der Mouse wrote:

> Subject: Re: ISSalert: ISS Security Advisory: Buffer Overflow in "Super"
> ...
> Does anyone (who is willing to talk) know anything more about this?
> One site I work at has a version of super earlier than 3.9.6 installed,
> and the advisory neither states that any versions are *not* vulnerable
> (except, implicitly, 3.11.7) nor describes the vulnerability in enough
> detail for me to test our version.

Generally, super v3.9.6 - v3.11.6 contains two known buffer overflow problems. The specific problem demonstrated by ISS X-Force to gain local root access was not introduced until _after_ 3.9.6, but all versions in that range had one problem or the other. (If you want complete details, please email me. In the usual manner of buffer overflows, the exploit is almost trivial if you know what to attack, so I'm not willing to publish on bugtraq the exact line of the code where the problem occurs.)

Even if you have an older version of super than 3.9.6, I urge you to upgrade, because a quick perusal of the "WhatsNew" file in the package shows that various other bugs -- not generally root-access bugs -- have been fixed over the years. Note that 3.9.6 is already three years old; other released versions go back to 1994 or so.

It turned out that the announcement of the local root exploit caused more people to report more problems, and as a result super has had two quick updates, and the current version of super is 3.11.9. As usual, the home location is:

    ftp.ucolick.org:/pub/users/will/super-3.11.9.tar.gz

Or, if you prefer to patch:

    ftp.ucolick.org:/pub/users/will/super-3.11.6-3.11.9
    ftp.ucolick.org:/pub/users/will/super-3.11.7-3.11.9
    ftp.ucolick.org:/pub/users/will/super-3.11.8-3.11.9

These should shortly appear on the ftp.onshore.com mirror at

    ftp.onshore.com:/pub/mirror/software/super/

Finally, one small correction to the X-Force announcement, which said that super is gnu copyleft'd. Actually, you are permitted to redistribute it and/or modify it under the terms of either the GNU license or Larry Wall's "Artistic License"; take your pick. (I'm agnostic :-)

-Will

--
William Deich
UCO / Lick Observatory     | Internet: willat_private
University of California   | Phone: (831) 459-3913
Santa Cruz, CA 95064       | Fax: (831) 426-3115
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:35:53 PDT