I'm still behind on my email so I don't know if this went out already
today or not.
Carl P.
----- Forwarded message from CERT Advisory <cert-advisory@cert.org> -----
CERT Advisory CA-2001-30 Multiple Vulnerabilities in lpd
Original release date: November 05, 2001
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
* BSDi BSD/OS Version 4.1 and earlier
* Debian GNU/Linux 2.1 and 2.1r4
* FreeBSD All released versions FreeBSD 4.x, 3.x, FreeBSD
4.3-STABLE, 3.5.1-STABLE prior to the correction date
* Hewlett-Packard HP9000 Series 700/800 running HP-UX releases
10.01, 10.10, 10.20, 11.00, and 11.11
* IBM AIX Versions 4.3 and AIX 5.1
* Mandrake Linux Versions 6.0, 6.1, 7.0, 7.1
* NetBSD 1.5.2 and earlier
* OpenBSD Version 2.9 and earlier
* Red Hat Linux 6.0 all architectures
* SCO OpenServer Version 5.0.6a and earlier
* SGI IRIX 6.5-6.5.13
* Sun Solaris 8 and earlier
* SuSE Linux Versions 6.1, 6.2, 6.3, 6.4, 7.0, 7.1, 7.2
Overview
There are multiple vulnerabilities in several implementations of the
line printer daemon (lpd). The line printer daemon enables various
clients to share printers over a network. Review your configuration to
be sure you have applied all relevant patches. We also encourage you
to restrict access to the lpd service to only authorized users.
<snip>
II. Impact
All of these vulnerabilities can be exploited remotely. In most cases,
they allow an intruder to execute arbitrary code with the privileges
of the lpd server. In some cases, an intruder must have access to a
machine listed in /etc/hosts.equiv or /etc/hosts.lpd, and in some
cases, an intruder must be able to control a nameserver.
<snip>
III. Solution
Apply a patch from your vendor
<snip>
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2001-30.html
______________________________________________________________________
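
As an added example (not part of the advisory or of the forwarded message): a shell helper that lists what the trust files named under Impact currently allow, so the "restrict access" advice can be checked on a host. It assumes the conventional rhosts-style syntax (one host per line, a bare `+` as wildcard, `+@netgroup`, a leading `-` to deny); confirm this against your vendor's lpd manual. The function names and sample entries are constructed.

```shell
#!/bin/sh
# Classify every entry of an rhosts-style trust file (syntax is an assumption,
# see the note above). Prints "SEVERITY<TAB>entry<TAB>reason" per entry.
classify_trust_entries() {
    awk '
        { sub(/#.*/, "") }          # drop comments
        NF == 0 { next }            # skip blank lines
        { $1 = $1 }                 # normalise whitespace in the entry
        $1 == "+"   { print "HIGH\t" $0 "\twildcard: every host is trusted"; next }
        $1 ~ /^\+@/ { print "REVIEW\t" $0 "\tnetgroup: membership is defined elsewhere"; next }
        $1 ~ /^-/   { print "INFO\t" $0 "\texplicit deny"; next }
        { print "REVIEW\t" $0 "\ttrusted host: confirm it still needs to print here" }
    ' "$1"
}

# Constructed sample input, not taken from any real system.
sample_trust_file() {
    cat <<'EOF'
# print clients
printhost1.example.com
+
+@printclients
-oldhost.example.com   # retired
EOF
}

# Audit the two files the advisory names, if they exist on this host.
for f in /etc/hosts.equiv /etc/hosts.lpd; do
    if [ -r "$f" ]; then
        echo "== $f"
        classify_trust_entries "$f"
    fi
done
```

Any `HIGH` line means the file places no limit on which hosts are trusted; every `REVIEW` line is a machine (or netgroup) that the Impact section treats as a stepping stone to the lpd server.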