To: redhat-watch-list@redhat.com
From: "Michael K. Johnson" <johnsonm@redhat.com>
Subject: [CORRECTION] Bugs fixed in pump (DHCP client)
Date: Sat, 14 Aug 1999 21:07:41 -0400

---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Synopsis:         Bugs fixed in pump (DHCP client) [CORRECTION]
Advisory ID:      RHSA-1999:027-02
Issue date:       1999-08-11
Updated on:       1999-08-14
Keywords:         pump DHCP RoadRunner @Home
Cross references:
---------------------------------------------------------------------

1. Topic:

New version of pump, 0.7.0, fixes several problems, including a
potential security hole.

We strongly recommend that all users using DHCP upgrade to pump 0.7.0,
particularly if you use DHCP on a public network such as a cable modem
or ADSL service.

This is a correction to our previous announcement, which did not
mention the security bug that is fixed in pump 0.7.0.

2. Bug IDs fixed:

3263

3. Relevant releases/architectures:

Red Hat Linux 6.0, all architectures.

4. Obsoleted by:

5. Conflicts with:

6. RPMs required:

Intel:
  ftp://ftp.redhat.com/redhat/updates/6.0/i386/pump-0.7.0-1.i386.rpm

Alpha:
  ftp://ftp.redhat.com/redhat/updates/6.0/alpha/pump-0.7.0-1.alpha.rpm

Sparc:
  ftp://ftp.redhat.com/redhat/updates/6.0/sparc/pump-0.7.0-1.sparc.rpm

Source packages:
  ftp://ftp.redhat.com/redhat/updates/6.0/SRPMS/pump-0.7.0-1.src.rpm

7. Problem description:

 o DHCP did not work with some @Home and RoadRunner (and potentially
   other) servers.
 o Some (broken) servers did not return server address properly; in
   these cases, pump now reuses the broadcast address.
 o There was a security hole with the potential for a remote root
   exploit in certain configurations where DHCP is used on public
   networks.

8. Solution:

For each RPM for your particular architecture, run:

    rpm -Uvh <filename>

where filename is the name of the RPM.

9. Verification:

MD5 sum                           Package Name
--------------------------------------------------------------------------
a93c710c0ce18e79b3dd33d268ae7752  i386/pump-0.7.0-1.i386.rpm
53df0de539645b34ad93272f3b4e6d97  alpha/pump-0.7.0-1.alpha.rpm
d56bac8b659b353894092869782d59cc  sparc/pump-0.7.0-1.sparc.rpm
2f18a5c39cdd327e0406df1ab5308549  SRPMS/pump-0.7.0-1.src.rpm

These packages are PGP signed by Red Hat Inc. for security. Our key
is available at:

    http://www.redhat.com/corp/contact.html

You can verify each package with the following command:

    rpm --checksig <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

    rpm --checksig --nopgp <filename>

10. References:

--
To unsubscribe: mail redhat-watch-list-request@redhat.com with
"unsubscribe" as the Subject.
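
The following script is an added example, not part of the advisory and not Red Hat tooling. It compares downloaded packages against the MD5 table in section 9, assuming md5sum is installed; check_md5_table and ADVISORY_TABLE are hypothetical names.

```shell
#!/bin/sh
# Added example, not Red Hat tooling. check_md5_table and ADVISORY_TABLE
# are hypothetical names; the sums are copied from section 9 above.
ADVISORY_TABLE='a93c710c0ce18e79b3dd33d268ae7752  i386/pump-0.7.0-1.i386.rpm
53df0de539645b34ad93272f3b4e6d97  alpha/pump-0.7.0-1.alpha.rpm
d56bac8b659b353894092869782d59cc  sparc/pump-0.7.0-1.sparc.rpm
2f18a5c39cdd327e0406df1ab5308549  SRPMS/pump-0.7.0-1.src.rpm'

# check_md5_table TABLE DIR
# Compares each listed package found in DIR (matched by file name) with its
# published sum. Packages for other architectures are reported as ABSENT.
# Returns 0 if every file found matches, 1 on any mismatch, and 2 if the
# table is malformed or none of the listed files is present.
check_md5_table() {
    table=$1
    dir=$2
    checked=0
    bad=0
    while read -r want path; do
        [ -n "$want" ] || continue              # skip blank lines
        name=${path##*/}
        case $want in                           # sum must be hex only
            *[!0-9a-fA-F]*) echo "MALFORMED $want"; return 2 ;;
        esac
        [ "${#want}" -eq 32 ] || { echo "MALFORMED $want"; return 2; }
        if [ ! -f "$dir/$name" ]; then
            echo "ABSENT    $name"
            continue
        fi
        got=$(md5sum < "$dir/$name" | cut -d' ' -f1)
        checked=$((checked + 1))
        if [ "$got" = "$(printf '%s' "$want" | tr 'A-F' 'a-f')" ]; then
            echo "OK        $name"
        else
            echo "MISMATCH  $name (computed $got)"
            bad=$((bad + 1))
        fi
    done <<EOF
$table
EOF
    [ "$checked" -gt 0 ] || return 2
    [ "$bad" -eq 0 ]
}

# Usage: sh check.sh /path/to/downloaded/rpms
if [ "$#" -gt 0 ]; then
    check_md5_table "$ADVISORY_TABLE" "$1"
fi
```

A match only shows that a file agrees with this table; rpm --checksig <filename> is the check that ties a package to Red Hat's PGP key.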