![[LWN Logo]](/images/lwn.banner.gif)
Date: Sun, 9 Jan 2000 18:12:42 +0100
From: Wichert Akkerman <wichert@soil.nl>
To: debian-security-announce@lists.debian.org
Subject: [SECURITY] New version of lpr released
-----BEGIN PGP SIGNED MESSAGE-----
- ------------------------------------------------------------------------
Debian Security Advisory security@debian.org
http://www.debian.org/security/ Wichert Akkerman
January 9, 2000
- ------------------------------------------------------------------------
Package: lpr
Vulnerability type: remote exploit
Debian-specific: no
The version of lpr that was distributed with Debian GNU/Linux 2.1
and the updated version released in 2.1r4 have a two security
problems:
* the client hostname wasn't verified properly, so if someone is able to
control the DNS entry for their IP he could fool lpr into granting
access.
* it was possible to specify extra options to sendmail which could be
used to specify another configuration file. This can be used to
gain root access.
Both problems have been fixed in 0.48-0.slink1 . We recommend you upgrade
your lpr package immediately.
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
Debian GNU/Linux 2.1 alias slink
- --------------------------------
This version of Debian was released only for Intel ia32, the Motorola
680x0, the alpha and the Sun sparc architecture.
Source archives:
http://security.debian.org/dists/stable/updates/source/lpr_0.48-0.slink1.diff.gz
MD5 checksum: aca07389fc8f536df0d01d6469058a83
http://security.debian.org/dists/stable/updates/source/lpr_0.48-0.slink1.dsc
MD5 checksum: 8854564310b6eb52cf00d06bfdf298d6
http://security.debian.org/dists/stable/updates/source/lpr_0.48.orig.tar.gz
MD5 checksum: 7b67555568e1c2d03aedbe66098a52a5
Alpha architecture:
http://security.debian.org/dists/stable/updates/binary-alpha/lpr_0.48-0.slink1_alpha.deb
MD5 checksum: 891a7a518265c292e4d6183d27b1d284
Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/binary-i386/lpr_0.48-0.slink1_i386.deb
MD5 checksum: 386d1e35a9cab64cd960385a46dab6a1
Motorola 680x0 architecture:
http://security.debian.org/dists/stable/updates/binary-m68k/lpr_0.48-0.slink1_m68k.deb
MD5 checksum: a6e05782ce4394cff1c48c7ddc50835f
Sun Sparc architecture:
http://security.debian.org/dists/stable/updates/binary-sparc/lpr_0.48-0.slink1_sparc.deb
MD5 checksum: f14d908138bfee39cf7cd665df44e35d
These files will be moved into
ftp://ftp.debian.org/debian/dists/stable/*/binary-$arch/ soon.
For not yet released architectures please refer to the appropriate
directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .
- --
- ----------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable updates
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQB1AwUBOHjBiKjZR/ntlUftAQGfCgL9H3Jom4Ahqy2WlWcJoDwVJ9X2nMSCfepg
rv/JZgsFjgE5xU6jK6dTLhfHE0DBBrYprgv7fftDK7EhgsQ0BxqaWAkOtFu+WniG
sDEgwqqYbG2LR48WoBQHmQn/lsGLthY/
=Ui9f
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to debian-security-announce-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org