Conectiva Not Affected

Notified:  October 31, 2000 Updated: July 03, 2001

Status

Not Affected

Vendor Statement

Our last mandatory update of the dump package (June 29th, 2000)brought it up to version 0.4b18 and had the SUID bits disabled. These packages do not have the vulnerability that could give a local attacker root access.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Debian Not Affected

Notified:  July 16, 2001 Updated: July 23, 2001

Status

Not Affected

Vendor Statement

Both programs are not installed setuid root or setgid root on a Debian GNU/Linux 2.2 (stable) system nor on Debian unstable (upcoming release).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Engarde Not Affected

Notified:  July 16, 2001 Updated: July 23, 2001

Status

Not Affected

Vendor Statement

We are not vulnerable as we do not ship the dump and restore utilities.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hewlett Packard Unknown

Notified:  July 16, 2001 Updated: August 07, 2001

Status

Unknown

Vendor Statement

Vendor could not reproduce this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MandrakeSoft Not Affected

Notified:  October 31, 2000 Updated: July 03, 2001

Status

Not Affected

Vendor Statement

http://www.linux-mandrake.com/en/security/2000/MDKSA-2000-065.php3

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenBSD Not Affected

Notified:  July 16, 2001 Updated: July 16, 2001

Status

Not Affected

Vendor Statement

Our dump & restore have not been setuid or setgid for a very long time. We have also fixed numerous other bugs in them.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

RedHat Affected

Notified:  October 31, 2000 Updated: July 03, 2001

Status

Affected

Vendor Statement

http://www.linuxsecurity.com/advisories/redhat_advisory-849.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SGI Not Affected

Notified:  July 16, 2001 Updated: July 16, 2001

Status

Not Affected

Vendor Statement

None of the EFS and XFS dump/restore tools in IRIX are setuid root per an SGI engineer, so we believe IRIX is not vulnerable unless proven otherwise.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.