
[RHSA-2003:315-01] Updated quagga packages fix local security vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated quagga packages fix local security vulnerability
Advisory ID:       RHSA-2003:315-01
Issue date:        2003-11-12
Updated on:        2003-11-12
Product:           Red Hat Enterprise Linux
Keywords:          DoS
Cross references:  
Obsoletes:         
CVE Names:         CAN-2003-0858
- ---------------------------------------------------------------------

1. Topic:

Updated Quagga packages that close a locally-exploitable denial of service
vulnerability are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, ppc64, s390, s390x, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64

3. Problem description:

Quagga is an open source implementation of TCP/IP routing software. 
 
Herbert Xu reported that Quagga can accept spoofed messages sent on the
kernel netlink interface by other users on the local machine.  This could
lead to a local denial of service attack.  The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2003-0858 to
this issue. 
 
Users of Quagga should upgrade to these erratum packages, which contain a
patch that checks that netlink messages actually came from the kernel. 
This erratum also includes quagga-devel and quagga-contrib packages which
were not originally shipped with Red Hat Enterprise Linux 3.
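
The origin check described above can be sketched as follows. This is an added illustration, not code from the Quagga patch or from Red Hat, and the function names are hypothetical. It assumes the usual Linux convention that kernel-originated netlink datagrams carry nl_pid == 0 in the source address returned by recvmsg().

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/netlink.h>

/* Return 1 only if the datagram's source address identifies the kernel.
 * Kernel-originated netlink messages carry nl_pid == 0; a message sent by
 * another local process carries a non-zero netlink port id instead. */
int netlink_sender_is_kernel(const struct msghdr *msg)
{
    const struct sockaddr_nl *snl = msg->msg_name;

    if (snl == NULL || msg->msg_namelen != sizeof(*snl))
        return 0;               /* missing or malformed source address */
    if (snl->nl_family != AF_NETLINK)
        return 0;
    return snl->nl_pid == 0;
}

/* Hypothetical receive wrapper: read one datagram from a netlink socket and
 * discard it unless the kernel sent it. Returns the byte count, 0 if the
 * datagram was dropped (or was empty), or -1 on error with errno set. */
ssize_t recv_kernel_netlink(int fd, void *buf, size_t len)
{
    struct sockaddr_nl snl;
    struct iovec iov = { .iov_base = buf, .iov_len = len };
    struct msghdr msg;
    ssize_t n;

    memset(&snl, 0, sizeof(snl));
    memset(&msg, 0, sizeof(msg));
    msg.msg_name = &snl;        /* ask the kernel for the sender address */
    msg.msg_namelen = sizeof(snl);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;

    do {
        n = recvmsg(fd, &msg, 0);
    } while (n < 0 && errno == EINTR);
    if (n < 0)
        return -1;
    if (msg.msg_flags & MSG_TRUNC) {    /* never parse a partial message */
        errno = EMSGSIZE;
        return -1;
    }
    return netlink_sender_is_kernel(&msg) ? n : 0;
}
```

A daemon that parses routing updates straight from recv() without inspecting the source address has no way to tell the two cases apart, which is the gap this erratum closes.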

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL
Certificate Errors, you need to install a version of the
up2date client with an updated certificate.  The latest version of
up2date is available from the Red Hat FTP site and may also be
downloaded directly from the RHN website:

https://rhn.redhat.com/help/latest-up2date.pxt

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

108575 - CAN-2003-0858  Netlink local DoS: quagga

6. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/quagga-0.96.2-8.3E.src.rpm

i386:
Available from Red Hat Network: quagga-0.96.2-8.3E.i386.rpm
Available from Red Hat Network: quagga-contrib-0.96.2-8.3E.i386.rpm
Available from Red Hat Network: quagga-devel-0.96.2-8.3E.i386.rpm

ia64:
Available from Red Hat Network: quagga-0.96.2-8.3E.ia64.rpm
Available from Red Hat Network: quagga-contrib-0.96.2-8.3E.ia64.rpm
Available from Red Hat Network: quagga-devel-0.96.2-8.3E.ia64.rpm

ppc:
Available from Red Hat Network: quagga-0.96.2-8.3E.ppc.rpm
Available from Red Hat Network: quagga-contrib-0.96.2-8.3E.ppc.rpm
Available from Red Hat Network: quagga-devel-0.96.2-8.3E.ppc.rpm

ppc64:
Available from Red Hat Network: quagga-0.96.2-8.3E.ppc64.rpm
Available from Red Hat Network: quagga-contrib-0.96.2-8.3E.ppc64.rpm
Available from Red Hat Network: quagga-devel-0.96.2-8.3E.ppc64.rpm

s390:
Available from Red Hat Network: quagga-0.96.2-8.3E.s390.rpm
Available from Red Hat Network: quagga-contrib-0.96.2-8.3E.s390.rpm
Available from Red Hat Network: quagga-devel-0.96.2-8.3E.s390.rpm

s390x:
Available from Red Hat Network: quagga-0.96.2-8.3E.s390x.rpm
Available from Red Hat Network: quagga-contrib-0.96.2-8.3E.s390x.rpm
Available from Red Hat Network: quagga-devel-0.96.2-8.3E.s390x.rpm

x86_64:
Available from Red Hat Network: quagga-0.96.2-8.3E.x86_64.rpm
Available from Red Hat Network: quagga-contrib-0.96.2-8.3E.x86_64.rpm
Available from Red Hat Network: quagga-devel-0.96.2-8.3E.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/quagga-0.96.2-8.3E.src.rpm

i386:
Available from Red Hat Network: quagga-0.96.2-8.3E.i386.rpm
Available from Red Hat Network: quagga-contrib-0.96.2-8.3E.i386.rpm
Available from Red Hat Network: quagga-devel-0.96.2-8.3E.i386.rpm

ia64:
Available from Red Hat Network: quagga-0.96.2-8.3E.ia64.rpm
Available from Red Hat Network: quagga-contrib-0.96.2-8.3E.ia64.rpm
Available from Red Hat Network: quagga-devel-0.96.2-8.3E.ia64.rpm

x86_64:
Available from Red Hat Network: quagga-0.96.2-8.3E.x86_64.rpm
Available from Red Hat Network: quagga-contrib-0.96.2-8.3E.x86_64.rpm
Available from Red Hat Network: quagga-devel-0.96.2-8.3E.x86_64.rpm



7. Verification:

These packages are GPG signed by Red Hat for security.  Our key is
available from https://www.redhat.com/security/keys.html

You can verify each package with the following command:
    
    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    
    md5sum <filename>


8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0858

9. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/skNlXlSAg2UNWIIRAu2kAKCrAoJaYoIrIjDQ7AwvPUJWEmuaygCdF6Yt
urE3S+Gl435dfTorcVKuueE=
=3qfv
-----END PGP SIGNATURE-----


