The pam_smb packages is not in the upgarde directory ftp://updates.redhat.com/9/en/os/i386/ bugzillaat_private wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > - --------------------------------------------------------------------- > Red Hat Security Advisory > > Synopsis: Updated pam_smb packages fix remote buffer overflow. > Advisory ID: RHSA-2003:261-01 > Issue date: 2003-08-26 > Updated on: 2003-08-26 > Product: Red Hat Linux > Keywords: > Cross references: > Obsoletes: > CVE Names: CAN-2003-0686 > - --------------------------------------------------------------------- > > 1. Topic: > > Updated pam_smb packages are now available which fix a security > vulnerability (buffer overflow). > > 2. Relevant releases/architectures: > > Red Hat Linux 7.2 - i386, ia64 > Red Hat Linux 7.3 - i386 > Red Hat Linux 8.0 - i386 > Red Hat Linux 9 - i386 > > 3. Problem description: > > The pam_smb module is a pluggable authentication module (PAM) used to > authenticate users using an external Server Message Block (SMB) server. > > A buffer overflow vulnerability has been found that affects unpatched > versions of pam_smb up to and including 1.1.6. > > On systems that use pam_smb and are configured to authenticate a > remotely accessible service, an attacker can exploit this bug and > remotely execute arbitrary code. The Common Vulnerabilities and Exposures > project (cve.mitre.org) has assigned the name CAN-2003-0686 to this issue. > > Red Hat Linux versions 7.2, 7.3, 8.0, and 9 ship with versions of pam_smb > that are vulnerable to this issue, however pam_smb is not enabled by default. > > Users of pam_smb are advised to upgrade to these erratum packages, which > contain a patch to version 1.1.6 to correct this issue. > > Red Hat would like to thank Dave Airlie of the Samba team for notifying us > of this issue. > > 4. Solution: > > Before applying this update, make sure all previously released errata > relevant to your system have been applied. > > To update all RPMs for your particular architecture, run: > > rpm -Fvh [filenames] > > where [filenames] is a list of the RPMs you wish to upgrade. Only those > RPMs which are currently installed will be updated. Those RPMs which are > not installed but included in the list will not be updated. Note that you > can also use wildcards (*.rpm) if your current directory *only* contains the > desired RPMs. > > Please note that this update is also available via Red Hat Network. Many > people find this an easier way to apply updates. To use Red Hat Network, > launch the Red Hat Update Agent with the following command: > > up2date > > This will start an interactive process that will result in the appropriate > RPMs being upgraded on your system. > > 5. RPMs required: > > Red Hat Linux 7.2: > > SRPMS: > ftp://updates.redhat.com/7.2/en/os/SRPMS/pam_smb-1.1.6-9.7.src.rpm > > i386: > ftp://updates.redhat.com/7.2/en/os/i386/pam_smb-1.1.6-9.7.i386.rpm > > ia64: > ftp://updates.redhat.com/7.2/en/os/ia64/pam_smb-1.1.6-9.7.ia64.rpm > > Red Hat Linux 7.3: > > SRPMS: > ftp://updates.redhat.com/7.3/en/os/SRPMS/pam_smb-1.1.6-9.7.src.rpm > > i386: > ftp://updates.redhat.com/7.3/en/os/i386/pam_smb-1.1.6-9.7.i386.rpm > > Red Hat Linux 8.0: > > SRPMS: > ftp://updates.redhat.com/8.0/en/os/SRPMS/pam_smb-1.1.6-9.8.src.rpm > > i386: > ftp://updates.redhat.com/8.0/en/os/i386/pam_smb-1.1.6-9.8.i386.rpm > > Red Hat Linux 9: > > SRPMS: > ftp://updates.redhat.com/9/en/os/SRPMS/pam_smb-1.1.6-9.9.src.rpm > > i386: > ftp://updates.redhat.com/9/en/os/i386/pam_smb-1.1.6-9.9.i386.rpm > > 6. Verification: > > MD5 sum Package Name > - -------------------------------------------------------------------------- > fd60d4b954d24b50901f5d8034246619 7.2/en/os/SRPMS/pam_smb-1.1.6-9.7.src.rpm > 98f57da32415dec75f43bbe57165cc62 7.2/en/os/i386/pam_smb-1.1.6-9.7.i386.rpm > 5e0ecb7ec7e24de6efc32ad8f439d0ff 7.2/en/os/ia64/pam_smb-1.1.6-9.7.ia64.rpm > fd60d4b954d24b50901f5d8034246619 7.3/en/os/SRPMS/pam_smb-1.1.6-9.7.src.rpm > 98f57da32415dec75f43bbe57165cc62 7.3/en/os/i386/pam_smb-1.1.6-9.7.i386.rpm > 2e399b4016dac855bc3e01056c23a244 8.0/en/os/SRPMS/pam_smb-1.1.6-9.8.src.rpm > 8cb3feb19dd74abfb582546235ee9718 8.0/en/os/i386/pam_smb-1.1.6-9.8.i386.rpm > 5e31c7774d44716e4bc14f5d11eb54db 9/en/os/SRPMS/pam_smb-1.1.6-9.9.src.rpm > 11b99a275c316e57a3fdb68ab63c90f4 9/en/os/i386/pam_smb-1.1.6-9.9.i386.rpm > > These packages are GPG signed by Red Hat for security. Our key is > available from https://www.redhat.com/security/keys.html > > You can verify each package with the following command: > > rpm --checksig -v <filename> > > If you only wish to verify that each package has not been corrupted or > tampered with, examine only the md5sum with the following command: > > md5sum <filename> > > 7. References: > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0686 > > 8. Contact: > > The Red Hat security contact is <secalertat_private>. More contact > details at https://www.redhat.com/solutions/security/news/contact.html > > Copyright 2003 Red Hat, Inc. > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.7 (GNU/Linux) > > iD8DBQE/S1GlXlSAg2UNWIIRAhA1AKCwFpItixgKVX6IaAcv0lf1d7HOrwCfUfX6 > +jzALWi6v6ykRHXavDVx4JI= > =VaAR > -----END PGP SIGNATURE----- > > _______________________________________________ > Redhat-watch-list mailing list > To unsubscribe, visit: https://www.redhat.com/mailman/listinfo/redhat-watch-list -- -----------------------------------------------------------------+ Michael R. Berganski Science Systems Applications, Inc (SSAI) NASA's Goddard Space Flight Center Code 902/Distributed Active Archive Center PHONE: (301) 614-5281 Bldg32, Rm.N126-A FAX: (301) 614-5304 Greenbelt, MD 20771-0001 Email: berganskat_private -----------------------------------------------------------------+ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Tue Aug 26 2003 - 06:55:51 PDT