Posted: Tue Jan 11, 2005 5:48 pm Post subject: [ GLSA 200501-21 ] HylaFAX: hfaxd unauthorized login vulnera
Gentoo Linux Security Advisory
Title: HylaFAX: hfaxd unauthorized login vulnerability (GLSA 200501-21)
Date: January 11, 2005
HylaFAX is subject to a vulnerability in its username matching code, potentially allowing remote users to bypass access control lists.
HylaFAX is a software package for sending and receiving facsimile messages.
Vulnerable: < 4.2.0-r2
Unaffected: >= 4.2.0-r2
Architectures: All supported architectures
The code used by hfaxd to match a given username and hostname with an entry in the hosts.hfaxd file is insufficiently protected against malicious entries.
If the HylaFAX installation uses a weak hosts.hfaxd file, a remote attacker could authenticate using a malicious username or hostname and bypass the intended access restrictions.
As a workaround, administrators may consider adding passwords to all entries in the hosts.hfaxd file.
All HylaFAX users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/hylafax-4.2.0-r2"
Note: Due to heightened security, weak entries in the hosts.hfaxd file may no longer work. Please see the HylaFAX documentation for details of accepted syntax in the hosts.hfaxd file.
Last edited by GLSA on Sun May 07, 2006 4:54 pm; edited 1 time in total
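A check for the workaround described above, as an added example that is not part of the advisory or of HylaFAX: a shell function that lists hosts.hfaxd entries granting access without a password. It assumes the `client:uid:passwd:adminwd` entry layout and the `!` deny prefix from the HylaFAX hosts.hfaxd documentation; the function names and sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a hosts.hfaxd file for entries with no password.
# Assumed entry layout: client:uid:passwd:adminwd
# Lines whose client field starts with "!" are deny rules and need no password.

# Constructed sample entries (not from a real system).
sample_hosts_hfaxd() {
    cat <<'EOF'
# constructed sample
^fax@192\.0\.2\.10$:100:aaConstructedHash:
192.0.2.
^ops@.*\.example\.org$::
!^.*@198\.51\.100\..*$
EOF
}

# audit_hosts_hfaxd FILE
# Prints "lineno: entry" for every allow entry lacking a password field.
# Returns 1 if any such entry was found, 0 otherwise.
audit_hosts_hfaxd() {
    awk '
        {
            line = $0
            sub(/#.*/, "", line)                  # strip comments
            gsub(/^[ \t]+|[ \t]+$/, "", line)     # trim whitespace
            if (line == "") next                  # blank or comment-only
            if (substr(line, 1, 1) == "!") next   # deny rule
            n = split(line, f, ":")
            # f[1]=client  f[2]=uid  f[3]=passwd  f[4]=adminwd
            if (n < 3 || f[3] == "") {
                printf "%d: %s\n", NR, line
                bad++
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Usage: audit_hosts_hfaxd /path/to/hosts.hfaxd
```

The split on `:` assumes the client pattern itself contains no colon; review any flagged or unusual entry by hand against the hosts.hfaxd documentation for the installed version.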