__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN l2tpns Buffer Overflow [DSA-1230-1] December 8, 2006 21:00 GMT Number R-067 ______________________________________________________________________________ PROBLEM: A vulnerability in l2tpns which could be triggered by a remote user to execute arbitary code. PLATFORM: For the stable distribution (sarge) fixed in version 2.0.14-1sarge1 For the unstable distribution (sid) fixed in version 2.1.21-1 DAMAGE: Could allow a remote user to execute arbitrary code. SOLUTION: Apply current patches. ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM. Could allow a remote user to execute ASSESSMENT: arbitrary code. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/r-067.shtml ORIGINAL BULLETIN: http://www.debian.org/security/2006/dsa-1230 CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5873 ______________________________________________________________________________ [***** Start DSA-1230-1 *****] Debian Security Advisory DSA-1230-1 l2tpns -- buffer overflow Date Reported: 08 Dec 2006 Affected Packages: l2tpns (2.0.14-1sarge1) Vulnerable: Yes Security database references: In the Debian bugtracking system: Bug 401742. In Mitre's CVE dictionary: CVE-2006-5873. More information: Rhys Kidd discovered a vulnerability in l2tpns, a layer 2 tunnelling protocol network server, which could be triggered by a remote user to execute arbitary code. For the stable distribution (sarge), this problem has been fixed in version 2.0.14-1sarge1. For the unstable distribution (sid) this problem has been fixed in version 2.1.21-1 We recommend that you upgrade your l2tpns package. Fixed in: Debian GNU/Linux 3.1 (stable) Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/l/l2tpns/l2tpns_2.0.14.orig.tar.gz Size/MD5 checksum: 149672 462bca675b5e27f40f5e5f92918911cb http://security.debian.org/pool/updates/main/l/l2tpns/l2tpns_2.0.14-1sarge1.diff.gz Size/MD5 checksum: 2760 21dd07043e996a6deb282ad9318ff523 http://security.debian.org/pool/updates/main/l/l2tpns/l2tpns_2.0.14-1sarge1.dsc Size/MD5 checksum: 585 16faad913601881770b688f2fc8e8357 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/l/l2tpns/l2tpns_2.0.14-1sarge1_alpha.deb Size/MD5 checksum: 195906 4d8481e9bf411cd71b3439fba8c65f4d amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/l/l2tpns/l2tpns_2.0.14-1sarge1_amd64.deb Size/MD5 checksum: 152440 164d2205b4cd8fc99bc4763fb7ac9b38 arm architecture (ARM) http://security.debian.org/pool/updates/main/l/l2tpns/l2tpns_2.0.14-1sarge1_arm.deb Size/MD5 checksum: 151706 317794e1cbd89bf03a5276a5e0e6e946 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/l/l2tpns/l2tpns_2.0.14-1sarge1_hppa.deb Size/MD5 checksum: 169062 80e4b651500315e6cfeae09cbd990cca i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/l/l2tpns/l2tpns_2.0.14-1sarge1_i386.deb Size/MD5 checksum: 144584 4a447fcc5dae3781f84f21bc8a262937 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/l/l2tpns/l2tpns_2.0.14-1sarge1_ia64.deb Size/MD5 checksum: 227898 e14fc8e036271566d4a9178e10650ad3 m68k architecture (Motorola Mc680x0) http://security.debian.org/pool/updates/main/l/l2tpns/l2tpns_2.0.14-1sarge1_m68k.deb Size/MD5 checksum: 128076 e30c757e00a9914890caeab4da5e364d mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/l/l2tpns/l2tpns_2.0.14-1sarge1_mips.deb Size/MD5 checksum: 165256 c5eadfb746ff587e557241fcea756011 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/l/l2tpns/l2tpns_2.0.14-1sarge1_mipsel.deb Size/MD5 checksum: 168406 b11641d83e799878de35512edb09dbfa powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/l/l2tpns/l2tpns_2.0.14-1sarge1_powerpc.deb Size/MD5 checksum: 168706 9b4038dbfaa5fe14ac7df25857cc0e7f s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/l/l2tpns/l2tpns_2.0.14-1sarge1_s390.deb Size/MD5 checksum: 155020 d4a196ecf8b13ae8d0830e45571cc29d sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/l/l2tpns/l2tpns_2.0.14-1sarge1_sparc.deb Size/MD5 checksum: 160188 ab36083d96a6d5ca028d93032eccdec0 MD5 checksums of the listed files are available in the original advisory. [***** End DSA-1230-1 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Debian for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) R-057: Apple Security Update 2006-007 R-058: Potential vulnerabilities in Adobe Reader and Acrobat R-059: texinfo Buffer Overflow R-060: libgsf Buffer Overflow R-061: HTTP Requests in Sun Java System Server(s) R-062: proftpd Several Vulnerabilities R-063: Vulnerability in Microsoft Word R-064: GnuPG Security Update R-065: Google Mini and Google Search Appliance Vulnerable R-066: Adobe Download Manager Vulnerability