| Description: | Description:
The remote host is missing updates announced in
advisory CLA-2004:835.
Ethereal[1] is a powerful network traffic analyzer with a graphical
user interface (GUI).
This update fixes several vulnerabilities[2] in Ethereal:
CVE-2004-0176: Stefan Esser discovered thirteen buffer overflows in
the dissector of the NetFlow, IGAP, EIGRP, PGM, IrDA, BGP, ISUP, and
TCAP protocol dissectors[3].
CVE-2004-0365: Jonathan Heussser discovered a denial of service
vulnerability in the RADIUS protocol dissector[4].
CVE-2004-0367: A zero-length presentation protocol selector can be
exploited to cause a denial of service[5].
These vulnerabilities can be exploited by a attacker who is able to
insert crafted packets in the wire being monitored by ethereal or
make an user open a trace file with such packets inside. When reading
this data, Ethereal will crash (characterizing a denial of service
condition) or, in the case of the buffer overflow vulnerabilities,
may execute arbitrary code with the privileges of the user running it
(usually root).
Solution:
The apt tool can be used to perform RPM package upgrades
by running 'apt-get update' followed by 'apt-get upgrade'
http://www.ethereal.com/
http://www.ethereal.com/appnotes/enpa-sa-00013.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0176
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0365
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0367
http://www.securityspace.com/smysecure/catid.html?in=CLA-2004:835
http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=002004
Risk factor : Medium
CVSS Score:
5.0
|
