Apple Computer Inc. Not Affected

Notified:  December 06, 2000 Updated: December 11, 2000

Status

Not Affected

Vendor Statement

Apple has conducted an investigation and determined that Mac OS X Public Beta and Mac OS X Server do not use LPRng and are therefore not vulnerable to this exploitation.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Compaq Computer Corporation Not Affected

Notified:  December 06, 2000 Updated: December 11, 2000

Status

Not Affected

Vendor Statement

Compaq Tru64 UNIX S/W is not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Debian Affected

Notified:  December 06, 2000 Updated: December 07, 2000

Status

Affected

Vendor Statement

None available.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see: http://lists.debian.org/debian-security-0011/msg00212.html

FreeBSD Affected

Notified:  December 06, 2000 Updated: December 11, 2000

Status

Affected

Vendor Statement

FreeBSD does not include LPRng in the base system. Older versions of FreeBSD included a vulnerable version of LPRng in the Ports Collection but this was corrected almost 2 months ago, prior to the release of FreeBSD 4.2. See FreeBSD Security Advisory 00:56 (ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:56.lprng.asc) for more information.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

While the default FreeBSD install is not vulnerable to this issue, users runnning the LPRng included the Ports Collections prior to 4.2 should immediately upgrade to the LPRng-3.6.25 in the latest sysutils package.

Hewlett-Packard Company Not Affected

Notified:  December 06, 2000 Updated: December 11, 2000

Status

Not Affected

Vendor Statement

This does not apply to HP; HP does not ship LPRng on HP-UX.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IBM Not Affected

Notified:  December 06, 2000 Updated: December 11, 2000

Status

Not Affected

Vendor Statement

IBM's AIX operating system is not vulnerable to this security exploit.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Microsoft Corporation Not Affected

Notified:  December 06, 2000 Updated: December 11, 2000

Status

Not Affected

Vendor Statement

Microsoft doesn't use LPRng in any of its products, so no Microsoft products are affected by the vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NetBSD Affected

Notified:  December 06, 2000 Updated: December 11, 2000

Status

Affected

Vendor Statement

NetBSD does not include LPRng in the base system; however we do have a third-party package of LPRng-3.6.8 which is vulnerable. There's work underway to upgrade it to a non-vulnerable version.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenBSD Not Affected

Notified:  December 06, 2000 Updated: December 07, 2000

Status

Not Affected

Vendor Statement

openbsd does not ship lprng.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Patrick Powell Affected

Updated:  December 05, 2000

Status

Affected

Vendor Statement

Patrick Powell is the author responsible for development of this version of LPRng. Extract from CHANGES in LPRng-3.6.25 distribution at: [ftp://ftp.astart.com/pub/LPRng/LPRng/LPRng-3.6.25.tgz] Release LPRng 3.6.25 Tue Oct 3 09:19:11 PDT 2000 syslog Compromise - modified syslog to use 'syslog(xx,"%s", msg). gettext Compromise - added the following to Initialize(): if( getuid() == 0 || geteuid() == 0 ) unsetenv("NLSPATH"); See the various CERT advisories. Sigh...

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Red Hat Inc. Affected

Notified:  September 26, 2000 Updated: January 27, 2003

Status

Affected

Vendor Statement

LPRng Version 3.6.24 and earlier is vulnerable. See RHSA-2000:065 at: http://www.redhat.com/support/errata/RHSA-2000-065.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has recieved reports of this vulnerability being scanned for on systems installed with vulnerable versions of LPRng.

SGI Not Affected

Notified:  December 06, 2000 Updated: December 12, 2000

Status

Not Affected

Vendor Statement

IRIX does not contain LPRng support.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SuSE Inc. Not Affected

Updated:  December 05, 2000

Status

Not Affected

Vendor Statement

SuSE is not vulnerable. Please see additional comments at: http://lists.suse.com/archives/suse-security/2000-Sep/0259.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

The SCO Group (SCO Linux) Affected

Updated:  December 05, 2000

Status

Affected

Vendor Statement

See CSSA-2000-033.0 "format bug in LPRng" at : [http://www.calderasystems.com/support/security/advisories/CSSA-2000-033.0.txt ]

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Trustix Affected

Updated:  December 04, 2000

Status

Affected

Vendor Statement

See Trustix Secure Linux updates at: [http://www.trustix.net/download/Trustix/updates/1.1/RPMS/LPRng-3.6.24-1tr.i586.rpm]

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

View all 15 vendors View less vendors