Date: Mon, 6 Dec 1999 13:10:55 -0500 (EST)
From: Elliot Lee <sopwith@redhat.com>
To: redhat-watch-list@redhat.com, redhat-announce-list@redhat.com
Subject: RHSA-1999:058 - ORBit, esound, gnome-core

---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Synopsis:       new ORBit, esound, and gnome-core packages
Advisory ID:    RHSA-1999:058-01
Issue date:     1999-12-03
---------------------------------------------------------------------

1. Topic:

ORBit and gnome-session each contained a denial-of-service hole.
ORBit and esound each contained a security hole.

2. Relevant releases/architectures:

Red Hat Linux 6.1

3. Problem description:

ORBit and esound used a source of random data that was easily
guessable, possibly allowing an attacker with local access to guess
the authentication keys used to control access to these services.

ORBit and gnome-session contained a bug that allowed attackers to
remotely crash a program under unusual circumstances.

In addition to fixing these problems, TCP Wrappers support has been
added to gnome-session. ORBit already makes use of TCP Wrappers. It is
recommended that this functionality be used when additional access
controls are desired on network access to these services.

4. Solution:

For each RPM for your particular architecture, run:

    rpm -Uvh <filename>

where filename is the name of the RPM.

5. RPMs required:

Intel:
  ftp://updates.redhat.com/6.1/i386/ORBit-0.5.0-2.i386.rpm
  ftp://updates.redhat.com/6.1/i386/ORBit-devel-0.5.0-2.i386.rpm
  ftp://updates.redhat.com/6.1/i386/esound-0.2.17-1.i386.rpm
  ftp://updates.redhat.com/6.1/i386/esound-devel-0.2.17-1.i386.rpm
  ftp://updates.redhat.com/6.1/i386/gnome-core-1.0.54-2.i386.rpm
  ftp://updates.redhat.com/6.1/i386/gnome-core-devel-1.0.54-2.i386.rpm

Sparc:
  ftp://updates.redhat.com/6.1/sparc/ORBit-0.5.0-2.sparc.rpm
  ftp://updates.redhat.com/6.1/sparc/ORBit-devel-0.5.0-2.sparc.rpm
  ftp://updates.redhat.com/6.1/sparc/esound-0.2.17-1.sparc.rpm
  ftp://updates.redhat.com/6.1/sparc/esound-devel-0.2.17-1.sparc.rpm
  ftp://updates.redhat.com/6.1/sparc/gnome-core-1.0.54-2.sparc.rpm
  ftp://updates.redhat.com/6.1/sparc/gnome-core-devel-1.0.54-2.sparc.rpm

Source packages:
  ftp://updates.redhat.com/6.1/SRPMS/ORBit-0.5.0-2.src.rpm
  ftp://updates.redhat.com/6.1/SRPMS/esound-0.2.17-1.src.rpm
  ftp://updates.redhat.com/6.1/SRPMS/gnome-core-1.0.54-2.src.rpm

9. Verification:

These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at:

    http://www.redhat.com/corp/contact.html

You can verify each package with the following command:

    rpm --checksig <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

    rpm --checksig --nogpg <filename>

-- Elliot
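The problem description says the authentication keys came from an easily guessable source of random data. The following is an added example, not code from ORBit, esound or this advisory: it contrasts a weak key generator with one that reads the kernel CSPRNG. The advisory does not name the source that was used, so the time-seeded rand() scheme, the function names and the 16-byte key length are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 16  /* assumed key size, for illustration only */

/* Weak (assumed) scheme: every key byte comes from rand(), seeded with a
 * value a local user can estimate, such as the service start time.
 * The same seed always reproduces the same key. */
void weak_key(unsigned int seed, unsigned char key[KEY_LEN])
{
    srand(seed);
    for (int i = 0; i < KEY_LEN; i++)
        key[i] = (unsigned char)(rand() & 0xff);
}

/* Distinct keys possible when the seed is a start time known to within
 * +/- window_secs: the 2^128 key space collapses to this count. */
unsigned long weak_key_candidates(unsigned long window_secs)
{
    return 2 * window_secs + 1;
}

/* Hardened scheme: take the key bytes from the kernel CSPRNG.
 * Returns 0 on success, -1 if the device cannot be read in full. */
int strong_key(unsigned char key[KEY_LEN])
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(key, 1, KEY_LEN, f);
    fclose(f);
    return got == KEY_LEN ? 0 : -1;
}

int main(void)
{
    unsigned char a[KEY_LEN], b[KEY_LEN], c[KEY_LEN];
    unsigned int start = 944179200u;  /* constructed sample timestamp */

    weak_key(start, a);
    weak_key(start, b);               /* a second process using the same seed */
    printf("weak keys identical: %s\n", memcmp(a, b, KEY_LEN) == 0 ? "yes" : "no");
    printf("candidate keys, +/-1h window: %lu\n", weak_key_candidates(3600));
    if (strong_key(c) != 0) {
        perror("/dev/urandom");
        return 1;
    }
    return 0;
}
```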