GLSA Advocate
Joined: 12 May 2004 Posts: 2663
|
Posted: Thu Apr 27, 2006 6:26 am Post subject: [ GLSA 200604-17 ] Ethereal: Multiple vulnerabilities in pro |
|
|
Gentoo Linux Security Advisory
Title: Ethereal: Multiple vulnerabilities in protocol dissectors (GLSA 200604-17)
Severity: high
Exploitable: remote
Date: April 27, 2006
Bug(s): #130505
ID: 200604-17
Synopsis
Ethereal is vulnerable to numerous vulnerabilities, potentially resulting in the execution of arbitrary code.
Background
Ethereal is a feature-rich network protocol analyzer.
Affected Packages
Package: net-analyzer/ethereal
Vulnerable: < 0.99.0
Unaffected: >= 0.99.0
Architectures: All supported architectures
Description
Coverity discovered numerous vulnerabilities in versions of Ethereal prior to 0.99.0, including: - buffer overflows in the ALCAP (CVE-2006-1934), COPS (CVE-2006-1935) and telnet (CVE-2006-1936) dissectors.
- buffer overflows in the NetXray/Windows Sniffer and Network Instruments file code (CVE-2006-1934).
For further details please consult the references below.
Impact
An attacker might be able to exploit these vulnerabilities to crash Ethereal or execute arbitrary code with the permissions of the user running Ethereal, which could be the root user.
Workaround
There is no known workaround at this time.
Resolution
All Ethereal users should upgrade to the latest version: Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/ethereal-0.99.0" |
References
CVE-2006-1932
CVE-2006-1933
CVE-2006-1934
CVE-2006-1935
CVE-2006-1936
CVE-2006-1937
CVE-2006-1938
CVE-2006-1939
CVE-2006-1940
Ethereal enpa-sa-00023
Last edited by GLSA on Sun May 07, 2006 5:01 pm; edited 1 time in total |
|