Fedora Legacy Test Update Notification: ncpfs

Marc Deslauriers marcdeslauriers at videotron.ca
Wed Mar 29 00:38:10 UTC 2006


---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-152904
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152904
2006-03-28
---------------------------------------------------------------------

Name        : ncpfs
Versions    : rh73: ncpfs-2.2.0.18-6.1.legacy
Versions    : rh9: ncpfs-2.2.1-1.1.legacy
Versions    : fc1: ncpfs-2.2.3-1.1.legacy
Versions    : fc2: ncpfs-2.2.4-1.1.legacy
Versions    : fc3: ncpfs-2.2.4-5.FC3.1.legacy
Summary     : Utilities for the ncpfs filesystem, a NetWare client.
Description :
Ncpfs is a filesystem which understands the Novell NetWare(TM) NCP
protocol.  Functionally, NCP is used for NetWare the way NFS is used
in the TCP/IP world.  For a Linux system to mount a NetWare
filesystem, it needs a special mount program.  The ncpfs package
contains such a mount program plus other tools for configuring and
using the ncpfs filesystem.

---------------------------------------------------------------------
Update Information:

An updated ncpfs package is now available.

Ncpfs is a file system that understands the Novell NetWare(TM) NCP
protocol.

Buffer overflows were found in the nwclient program. An attacker, using
a long -T option, could possibly execute arbitrary code and gain
privileges. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2004-1079 to this issue.

A bug was found in the way ncpfs handled file permissions. ncpfs did not
sufficiently check if the file owner matched the user attempting to
access the file, potentially violating the file permissions. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2005-0013 to this issue.

A buffer overflow was found in the ncplogin program. A remote malicious
NetWare server could execute arbitrary code on a victim's machine. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-0014 to this issue.

All users of ncpfs are advised to upgrade to this updated package, which
contains backported fixes for these issues.

---------------------------------------------------------------------
Changelogs

rh73:
* Fri Mar 10 2006 Marc Deslauriers <marcdeslauriers at videotron.ca>
2.2.0.18-6.1.legacy
- fixed getuid security bug CVE-2005-0013

rh9:
* Fri Mar 10 2006 Marc Deslauriers <marcdeslauriers at videotron.ca>
2.2.1-1.1.legacy
- Added patches for CVE-2004-1079, CVE-2005-0013 and CVE-2005-0014

fc1:
* Sat Mar 11 2006 Marc Deslauriers <marcdeslauriers at videotron.ca>
2.2.3-1.1.legacy
- Added patches for CVE-2004-1079, CVE-2005-0013 and CVE-2005-0014

fc2:
* Sat Mar 11 2006 Marc Deslauriers <marcdeslauriers at videotron.ca>
2.2.4-1.1.legacy
- Added patches for CVE-2004-1079, CVE-2005-0013 and CVE-2005-0014

fc3:
* Sat Mar 11 2006 Marc Deslauriers <marcdeslauriers at videotron.ca>
2.2.4-5.FC3.1.legacy
- Added missing part of CVE-2005-0013 fix

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

rh73:
16740d3fa5e17a46429ad3586e4adf9a14a64f8d
redhat/7.3/updates-testing/i386/ncpfs-2.2.0.18-6.1.legacy.i386.rpm
21f8520c8a2a3d60e55041c0db028e03549f8544
redhat/7.3/updates-testing/i386/ipxutils-2.2.0.18-6.1.legacy.i386.rpm
6704d55f1f43360b6ad4211e2ca0f92e9f2174c8
redhat/7.3/updates-testing/SRPMS/ncpfs-2.2.0.18-6.1.legacy.src.rpm

rh9:
6acd3b7b7d09cb0e47769b43a888adf72a6278ac
redhat/9/updates-testing/i386/ncpfs-2.2.1-1.1.legacy.i386.rpm
c49d83f88b229ce57c689d313eccb4df7b89f36b
redhat/9/updates-testing/i386/ipxutils-2.2.1-1.1.legacy.i386.rpm
ac833c51fcf831bca3edef5d0275ccd1ae0a530f
redhat/9/updates-testing/SRPMS/ncpfs-2.2.1-1.1.legacy.src.rpm

fc1:
8379face8f68fe556d40bf32f72a5ab368e8eb6d
fedora/1/updates-testing/i386/ncpfs-2.2.3-1.1.legacy.i386.rpm
eefaa839a26179ca5d41897eacf7bbf3c49661e1
fedora/1/updates-testing/i386/ipxutils-2.2.3-1.1.legacy.i386.rpm
ede00a8544200515b5e09a7a40836d8f558cac9d
fedora/1/updates-testing/SRPMS/ncpfs-2.2.3-1.1.legacy.src.rpm

fc2:
1d32d2f0c39475f98206d78f87c587d4f96ddb70
fedora/2/updates-testing/i386/ncpfs-2.2.4-1.1.legacy.i386.rpm
c095ce2d66184b605516231609cddc30520c3eb5
fedora/2/updates-testing/i386/ipxutils-2.2.4-1.1.legacy.i386.rpm
874f8a48f85fef80615b5892a70d214f0935ed7a
fedora/2/updates-testing/SRPMS/ncpfs-2.2.4-1.1.legacy.src.rpm

fc3:
dc329c8b3558f67350486358b01b6a62f6f467af
fedora/3/updates-testing/i386/ncpfs-2.2.4-5.FC3.1.legacy.i386.rpm
1ddd6caafe4a693d4a69d341be69600df446de3b
fedora/3/updates-testing/i386/ipxutils-2.2.4-5.FC3.1.legacy.i386.rpm
db8660759a23570a6d06bda37c619e0931425ef8
fedora/3/updates-testing/x86_64/ncpfs-2.2.4-5.FC3.1.legacy.x86_64.rpm
1e8bc7d10995fde90688b424f5001c14f7d3e3bc
fedora/3/updates-testing/x86_64/ipxutils-2.2.4-5.FC3.1.legacy.x86_64.rpm
7f29dd88dcf31f19970e22c8c3af7267c62a5508
fedora/3/updates-testing/SRPMS/ncpfs-2.2.4-5.FC3.1.legacy.src.rpm

---------------------------------------------------------------------

Please test and comment in bugzilla.
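
The sha1sums listing above puts each SHA-1 digest and its mirror-relative path on separate lines, so `sha1sum -c` cannot read it directly. The following is an added example, not part of the original notification or of Fedora Legacy's tooling: it parses that layout and checks downloaded files under a local directory. The function names, `SAMPLE`, its `demo` release tag and the placeholder path are all constructed for illustration.

```python
import hashlib
import re
from pathlib import Path

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
SECTION_RE = re.compile(r"^(\w+):$")

# Constructed sample in the notification's layout (digest of an empty file).
SAMPLE = """\
demo:
da39a3ee5e6b4b0d3255bfef95601890afd80709
demo/updates-testing/i386/placeholder.rpm
"""

def parse_manifest(text):
    """Return [(release, sha1, relative_path)] from the wrapped listing."""
    entries, release, pending = [], None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if pending is not None:  # the line after a digest is its path
            if SHA1_RE.match(line) or SECTION_RE.match(line):
                raise ValueError(f"digest {pending} has no path")
            entries.append((release, pending, line))
            pending = None
        elif SHA1_RE.match(line):
            pending = line
        elif m := SECTION_RE.match(line):
            release = m.group(1)
    if pending is not None:
        raise ValueError(f"digest {pending} has no path")
    return entries

def sha1_file(path, chunk=1 << 20):
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            h.update(block)
    return h.hexdigest()

def verify(text, root):
    """Map each listed path to 'ok', 'mismatch' or 'missing' under root."""
    results = {}
    for _release, digest, rel in parse_manifest(text):
        target = Path(root) / rel
        if not target.is_file():
            results[rel] = "missing"
        else:
            results[rel] = "ok" if sha1_file(target) == digest else "mismatch"
    return results
```

A matching digest shows only that the download is intact; the authenticity of the listing itself rests on the notification's OpenPGP signature.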
