__________________________________________________________

          The U.S. Department of Energy
      Computer Incident Advisory Capability
__________________________________________________________

                INFORMATION BULLETIN

               tcpdump Security Update
              [Red Hat RHSA-2005:505-03]

June 13, 2005 18:00 GMT                                        Number P-219
[REVISED 10 Oct 2005]
______________________________________________________________________________
PROBLEM:       A denial of service bug was found in tcpdump during the
               processing of certain network packets.
PLATFORM:      Red Hat Desktop (v. 4)
               Red Hat Enterprise Linux AS, ES, WS (v. 4)
               Debian GNU/Linux 3.1 alias sarge
DAMAGE:        It is possible for an attacker to inject a carefully crafted
               packet onto the network, crashing a running tcpdump session.
SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. It is possible for an attacker to inject a
ASSESSMENT:    carefully crafted packet onto the network, crashing a running
               tcpdump session.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-219.shtml
 ORIGINAL BULLETIN:  Red Hat RHSA-2005:505-03
                     https://rhn.redhat.com/errata/RHSA-2005-505.html
 ADDITIONAL LINK:    Debian Security Advisory DSA-854-1
                     http://www.debian.org/security/2005/dsa-850
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1267
______________________________________________________________________________
REVISION HISTORY:
10/10/2005 - revised to add a link to Debian Security Advisory DSA-854-1 for
             Debian GNU/Linux 3.1 alias sarge.

[***** Start Red Hat RHSA-2005:505-03 *****]

Low: tcpdump security update

Advisory:          RHSA-2005:505-03
Type:              Security Advisory
Issued on:         2005-06-13
Last updated on:   2005-06-13
Affected Products: Red Hat Desktop (v. 4)
                   Red Hat Enterprise Linux AS (v. 4)
                   Red Hat Enterprise Linux ES (v. 4)
                   Red Hat Enterprise Linux WS (v. 4)
CVEs (cve.mitre.org): CAN-2005-1267

Details

Updated tcpdump packages that fix a security issue are now available.

This update has been rated as having low security impact by the Red Hat
Security Response Team.

Tcpdump is a command line tool for monitoring network traffic.

A denial of service bug was found in tcpdump during the processing of certain
network packets. It is possible for an attacker to inject a carefully crafted
packet onto the network, crashing a running tcpdump session. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2005-1267 to this issue.

Users of tcpdump are advised to upgrade to these erratum packages, which
contain backported security patches and are not vulnerable to these issues.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied. Use Red Hat Network to download
and update your packages. To launch the Red Hat Update Agent, use the
following command:

    up2date

For information on how to install packages manually, refer to the following
Web page for the System Administration or Customization guide specific to
your system:

http://www.redhat.com/docs/manuals/enterprise/

Updated packages

Red Hat Desktop (v. 4)
--------------------------------------------------------------------------------
SRPMS:
    tcpdump-3.8.2-10.RHEL4.src.rpm
IA-32:
    arpwatch-2.1a13-10.RHEL4.i386.rpm
    libpcap-0.8.3-10.RHEL4.i386.rpm
    tcpdump-3.8.2-10.RHEL4.i386.rpm
x86_64:
    arpwatch-2.1a13-10.RHEL4.x86_64.rpm
    libpcap-0.8.3-10.RHEL4.i386.rpm
    libpcap-0.8.3-10.RHEL4.x86_64.rpm
    tcpdump-3.8.2-10.RHEL4.x86_64.rpm

Red Hat Enterprise Linux AS (v. 4)
--------------------------------------------------------------------------------
SRPMS:
    tcpdump-3.8.2-10.RHEL4.src.rpm
IA-32:
    arpwatch-2.1a13-10.RHEL4.i386.rpm
    libpcap-0.8.3-10.RHEL4.i386.rpm
    tcpdump-3.8.2-10.RHEL4.i386.rpm
IA-64:
    arpwatch-2.1a13-10.RHEL4.ia64.rpm
    libpcap-0.8.3-10.RHEL4.i386.rpm
    libpcap-0.8.3-10.RHEL4.ia64.rpm
    tcpdump-3.8.2-10.RHEL4.ia64.rpm
PPC:
    arpwatch-2.1a13-10.RHEL4.ppc.rpm
    libpcap-0.8.3-10.RHEL4.ppc.rpm
    libpcap-0.8.3-10.RHEL4.ppc64.rpm
    tcpdump-3.8.2-10.RHEL4.ppc.rpm
s390:
    arpwatch-2.1a13-10.RHEL4.s390.rpm
    libpcap-0.8.3-10.RHEL4.s390.rpm
    tcpdump-3.8.2-10.RHEL4.s390.rpm
s390x:
    arpwatch-2.1a13-10.RHEL4.s390x.rpm
    libpcap-0.8.3-10.RHEL4.s390.rpm
    libpcap-0.8.3-10.RHEL4.s390x.rpm
    tcpdump-3.8.2-10.RHEL4.s390x.rpm
x86_64:
    arpwatch-2.1a13-10.RHEL4.x86_64.rpm
    libpcap-0.8.3-10.RHEL4.i386.rpm
    libpcap-0.8.3-10.RHEL4.x86_64.rpm
    tcpdump-3.8.2-10.RHEL4.x86_64.rpm

Red Hat Enterprise Linux ES (v. 4)
--------------------------------------------------------------------------------
SRPMS:
    tcpdump-3.8.2-10.RHEL4.src.rpm
IA-32:
    arpwatch-2.1a13-10.RHEL4.i386.rpm
    libpcap-0.8.3-10.RHEL4.i386.rpm
    tcpdump-3.8.2-10.RHEL4.i386.rpm
IA-64:
    arpwatch-2.1a13-10.RHEL4.ia64.rpm
    libpcap-0.8.3-10.RHEL4.i386.rpm
    libpcap-0.8.3-10.RHEL4.ia64.rpm
    tcpdump-3.8.2-10.RHEL4.ia64.rpm
x86_64:
    arpwatch-2.1a13-10.RHEL4.x86_64.rpm
    libpcap-0.8.3-10.RHEL4.i386.rpm
    libpcap-0.8.3-10.RHEL4.x86_64.rpm
    tcpdump-3.8.2-10.RHEL4.x86_64.rpm

Red Hat Enterprise Linux WS (v. 4)
--------------------------------------------------------------------------------
SRPMS:
    tcpdump-3.8.2-10.RHEL4.src.rpm
IA-32:
    arpwatch-2.1a13-10.RHEL4.i386.rpm
    libpcap-0.8.3-10.RHEL4.i386.rpm
    tcpdump-3.8.2-10.RHEL4.i386.rpm
IA-64:
    arpwatch-2.1a13-10.RHEL4.ia64.rpm
    libpcap-0.8.3-10.RHEL4.i386.rpm
    libpcap-0.8.3-10.RHEL4.ia64.rpm
    tcpdump-3.8.2-10.RHEL4.ia64.rpm
x86_64:
    arpwatch-2.1a13-10.RHEL4.x86_64.rpm
    libpcap-0.8.3-10.RHEL4.i386.rpm
    libpcap-0.8.3-10.RHEL4.x86_64.rpm
    tcpdump-3.8.2-10.RHEL4.x86_64.rpm

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

159208 - CAN-2005-1267 tcpdump BGP DoS

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1267
--------------------------------------------------------------------------------
These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA-2005:505-03 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be obtained
via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-209: HP-UX Trusted System Remote Unauthorized Access
P-210: bzip2
P-211: PostgreSQL Security Vulnerabilities
P-212: HP OpenView Radia Notify Daemon Security Vulnerabilities
P-213: GNU “mailutils” Contains Several Vulnerabilities
P-214: rpc.mountd security issues in IRIX 6.5.25-6.5.27
P-215: Apple Security Update 2005-006
P-216: Potential Security Risk with Macromedia eLicensing Client Activation Code
P-217: gzip Security Update
P-218: gEdit Security Update