Updated: September 26, 2001
Not Affected
Mac OS X is not vulnerable to the UUCP problems described in this advisory.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: September 25, 2001
Affected
http://www.caldera.com/support/security/advisories/CSSA-2001-033.0.txt
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: September 25, 2001
Affected
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000425
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: September 25, 2001
Affected
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1 Debian Security Advisory DSA 079-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
September 24, 2001 Package : uucp
Vulnerability : uucp uid/gid access
Problem-Type : local exploit
Debian-specific: no zen-parse has found a problem with Taylor UUCP as distributed with
many GNU/Linux distributions. It was possible to make `uux' execute
`uucp' with malicious commandline arguments which gives an attacker
access to files owned by uid/gid uucp. This problem has been fixed in version of 1.06.1-11potato1 for Debian
GNU/Linux 2.2 by using a patch that RedHat has provided. We recommend that you upgrade your uucp package immediately. wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file. If you are using the apt-get package manager, use the line for
sources.list as given below: apt-get update
will update the internal database
apt-get upgrade
will install corrected packages You may use an automated update by adding the resources from the
footer to the proper configuration. Debian GNU/Linux 2.2 alias potato Source archives: http://security.debian.org/dists/stable/updates/main/source/uucp_1.06.1-11potato1.diff.gz
MD5 checksum: 4e2f02a4abd2ce86ffb0e154ef5d162b
http://security.debian.org/dists/stable/updates/main/source/uucp_1.06.1-11potato1.dsc
MD5 checksum: fd358e7e14f32ffa16cd3f2e6137b05c
http://security.debian.org/dists/stable/updates/main/source/uucp_1.06.1.orig.tar.gz
MD5 checksum: 390af5277915fcadbeee74d2f3038af9 Alpha architecture: http://security.debian.org/dists/stable/updates/main/binary-alpha/uucp_1.06.1-11potato1_alpha.deb
MD5 checksum: c1ad1038530a5ee1a6fb92fb90be287f ARM architecture: http://security.debian.org/dists/stable/updates/main/binary-arm/uucp_1.06.1-11potato1_arm.deb
MD5 checksum: 5821d1b6b9bccfa7486183216ffc7dfa Intel ia32 architecture: http://security.debian.org/dists/stable/updates/main/binary-i386/uucp_1.06.1-11potato1_i386.deb
MD5 checksum: deb9d76651686c2b0a2d51488e3cf0da Motorola 680x0 architecture: http://security.debian.org/dists/stable/updates/main/binary-m68k/uucp_1.06.1-11potato1_m68k.deb
MD5 checksum: 37f78dceb1e6c3b492246c888a744af7 PowerPC architecture: http://security.debian.org/dists/stable/updates/main/binary-powerpc/uucp_1.06.1-11potato1_powerpc.deb
MD5 checksum: e2a81774e4cd6c1eabbcf1c8fbf2e406 Sun Sparc architecture: http://security.debian.org/dists/stable/updates/main/binary-sparc/uucp_1.06.1-11potato1_sparc.deb
MD5 checksum: 28148692a588b9b0c9b7598d0084fd2a These files will be moved into the stable distribution on its next
revision. For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 24, 2001 Updated: October 09, 2001
Affected
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:62.uucp.asc
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 24, 2001 Updated: February 08, 2002
Affected
HP Support Information Digests o Security Bulletin Digest Split The security bulletins digest has been split into multiple digests
based on the operating system (HP-UX, MPE/iX, and HP Secure OS
Software for Linux). You will continue to receive all security
bulletin digests unless you choose to update your subscriptions. To update your subscriptions, use your browser to access the
IT Resource Center on the World Wide Web at: http://www.itresourcecenter.hp.com/ Under the Maintenance and Support Menu, click on the "more..." link. Then use the 'login' link at the left side of the screen to login
using your IT Resource Center User ID and Password. Under the notifications section (near the bottom of the page), select
Support Information Digests. To subscribe or unsubscribe to a specific security bulletin digest,
select or unselect the checkbox beside it. Then click the
"Update Subscriptions" button at the bottom of the page. o IT Resource Center World Wide Web Service If you subscribed through the IT Resource Center and would
like to be REMOVED from this mailing list, access the
IT Resource Center on the World Wide Web at: http://www.itresourcecenter.hp.com/ Login using your IT Resource Center User ID and Password. Then select Support Information Digests (located under
Maintenance and Support). You may then unsubscribe from the
appropriate digest. Digest Name: daily HP Secure OS Software for Linux security bulletins digest
Created: Wed Jan 23 3:00:08 PST 2002 Table of Contents: Document ID Title HPSBTL0201-018 Updated uucp packages available The documents are listed below. Document ID: HPSBTL0201-018
Date Loaded: 20020122
Title: Updated uucp packages available TEXT HEWLETT-PACKARD COMPANY SECURITY bulletin: #018
Originally issued: 22 January '02 The information in the following Security Bulletin should be acted
upon as soon as possible. Hewlett-Packard Company will not be
liable for any consequences to any customer resulting from the
customer's failure to fully implement instructions in this Security
Bulletin as soon as possible. Because the vulnerability does not require a HP Secure OS
1.0 patch or re-packaging of the RPM affected by the bulletin, the
RPMs have not been produced or tested by Hewlett-Packard Company. PROBLEM: Security flaw in the uuxqt utility of the uucp package. PLATFORM: Any system running HP Secure OS software for Linux Release 1.0 DAMAGE: Local users can gain inappropriate privileges SOLUTION: Apply the appropriate RPMs (see section B below) MANUAL ACTIONS: None AVAILABILITY: The RPMs are available now. A. Background Uuxqt is part of a remote command execution facility within
uucp. A flaw exists that allows local users to gain inappropriate
privileges. The uucp package is not included in the default
installation of HP Secure OS Software for Linux release 1.0. B. Fixing the problem Hewlett-Packard Company recommends that customers download the RPMs
listed in the following Red Hat Security Advisory: 2002-01-15 uucp (RHSA-2001-165) The uuxqt utility can be used to
execute arbitrary commands as uucp.uucp http://www.redhat.com/support/errata/RHSA-2001-165.html To install the security bulletin RPMs, use the following sequence
of commands: 1. If you use the tripwire product, we recommend that you run a
a consistency check and fix any violations before installing
the security bulletin RPM. tripwire --check --interactive 2. Install the bulletin RPM from the root account. rpm -F
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 25, 2001 Updated: January 17, 2002
Not Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: September 25, 2001
Affected
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1 Mandrake Linux Security Update Advisory Package name: uucp
Date: September 21st, 2001
Advisory ID: MDKSA-2001:078 Affected versions: 7.1, 7.2, 8.0, Corporate Server 1.0.1 Problem Description: Zen Parse discovered that an argument handling problem that exists in
the uucp package can allow a local attacker to gain access to the uucp
user or group. References: http://www.securityfocus.com/archive/1/212892 Please verify the update prior to upgrading to ensure the integrity of
the downloaded package. You can do this with the command: rpm --checksig package.rpm
You can get the GPG public key of the Mandrake Linux Security Team at
http://www.linux-mandrake.com/en/security/RPM-GPG-KEYS
If you use MandrakeUpdate, the verification of md5 checksum and GPG
signature is performed automatically for you. Linux-Mandrake 7.1: fa65ca8883349b9be0e6cf7db7dea76b 7.1/RPMS/uucp-1.06.1-14.1mdk.i586.rpm
e28726519e93e1980d40dab2f06483af 7.1/SRPMS/uucp-1.06.1-14.1mdk.src.rpm Linux-Mandrake 7.2: 63dec090a832b711ff3a05577de6e375 7.2/RPMS/uucp-1.06.1-17.1mdk.i586.rpm
5e0b73597aaf0b0c731919e0e2608e2b 7.2/SRPMS/uucp-1.06.1-17.1mdk.src.rpm Mandrake Linux 8.0: 1d285f9a496ae17aac3a43faaf93046a 8.0/RPMS/uucp-1.06.1-18.1mdk.i586.rpm
231f4436c3d4ba45190b6f00430a8b0d 8.0/SRPMS/uucp-1.06.1-18.1mdk.src.rpm Mandrake Linux 8.0 (PPC): 9634b394fe43ab951969ab5088a071f3 ppc/8.0/RPMS/uucp-1.06.1-18.1mdk.ppc.rpm
519859d31a9a04d84d8090a6a4885431 ppc/8.0/SRPMS/uucp-1.06.1-18.1mdk.src.rpm Corporate Server 1.0.1: fa65ca8883349b9be0e6cf7db7dea76b 1.0.1/RPMS/uucp-1.06.1-14.1mdk.i586.rpm
e28726519e93e1980d40dab2f06483af 1.0.1/SRPMS/uucp-1.06.1-14.1mdk.src.rpm Bug IDs fixed (see https://qa.mandrakesoft.com for more information): To upgrade automatically, use MandrakeUpdate. If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm". You can download the updates directly from one of the mirror sites
listed at: http://www.linux-mandrake.com/en/ftp.php3. Updated packages are available in the "updates/[ver]/RPMS/" directory. For example, if you are looking for an updated RPM package for
Mandrake Linux 8.0, look for it in "updates/8.0/RPMS/". Updated source
RPMs are available as well, but you generally do not need to download
them. Please be aware that sometimes it takes the mirrors a few hours to
update. You can view other security advisories for Mandrake Linux at: http://www.linux-mandrake.com/en/security/ If you want to report vulnerabilities, please contact security@linux-mandrake.com Mandrake Linux has two security-related mailing list services that
anyone can subscribe to: security-announce@linux-mandrake.com Mandrake Linux's security announcements mailing list. Only
announcements are sent to this list and it is read-only. security-discuss@linux-mandrake.com Mandrake Linux's security discussion mailing list. This list is open
to anyone to discuss Mandrake Linux security specifically and Linux
security in general. To subscribe to either list, send a message to
sympa@linux-mandrake.com
with "subscribe [listname]" in the body of the message. To remove yourself from either list, send a message to
sympa@linux-mandrake.com
with "unsubscribe [listname]" in the body of the message. To get more information on either list, send a message to
sympa@linux-mandrake.com
with "info [listname]" in the body of the message. Optionally, you can use the web interface to subscribe to or unsubscribe
from either list: http://www.linux-mandrake.com/en/flists.php3#security Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: September 25, 2001
Affected
http://www.openbsd.org/errata.html#uucp
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 25, 2001 Updated: January 18, 2002
Affected
http://www.redhat.com/support/errata/RHSA-2001-165.html
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: January 17, 2002
Affected
http://www.suse.de/de/support/security/2001_038_uucp_txt.txt
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.