Yellow Dog Linux Security Advisory: YDU-20020606-5
Dan Burcaw
yellowdog-updates@lists.terrasoftsolutions.com
Thu, 6 Jun 2002 20:00:39 -0600 (MDT)
Yellow Dog Linux Security Announcement
--------------------------------------
Package: xchat
Issue Date: June 06, 2002
Priority: medium
Advisory ID: YDU-20020606-5
1. Topic:
Updated xchat packages are available.
2. Problem:
"XChat is a popular cross-platform IRC client.
Versions of XChat prior to 1.8.9 do not filter the response from an IRC
server when a /dns query is executed. Because XChat resolves hostnames by
passing the configured resolver and hostname to a shell, an IRC server may
return a maliciously formatted response that executes arbitrary commands
with the privileges of the user running XChat.
All users of XChat are advised to update to these errata packages
containing XChat version 1.8.9 which is not vulnerable to this issue."
(from Red Hat Advisory)
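The root cause quoted above is a server-supplied string reaching a shell.
The following C code is an added illustration of the general mitigation, not
code from XChat, Red Hat or Terra Soft: validate the hostname against a strict
allowlist and start the resolver with an argv array so that no shell parses
the value. The names is_safe_hostname and resolve_host are hypothetical, and
the sample inputs in main() are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: accept only letters, digits, '-' and '.', at most
 * 253 bytes, and no leading '-' or '.', so the value can be neither shell
 * syntax nor a command-line option for the resolver program. */
int is_safe_hostname(const char *h)
{
    size_t n = h ? strlen(h) : 0;
    if (n == 0 || n > 253 || h[0] == '-' || h[0] == '.')
        return 0;
    for (size_t i = 0; i < n; i++) {
        char c = h[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '-' || c == '.';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Hypothetical helper: run "resolver host" through execvp with an argv
 * array; the hostname is passed as one argument and never shell-parsed.
 * Returns the resolver's exit status, or -1 if rejected or on error. */
int resolve_host(const char *resolver, const char *host)
{
    if (!is_safe_hostname(host))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)resolver, (char *)host, NULL };
        execvp(resolver, argv);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed sample inputs, not taken from the advisory. */
    printf("%d %d\n", is_safe_hostname("irc.example.org"),
           is_safe_hostname("example.org;id"));
    return 0;
}
```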
3. Solution:
a) Updating via apt...
We suggest that you use the apt-get program to keep your
system up-to-date. The following command(s) will retrieve
and install the fixed version of this update onto your system:
apt-get update
apt-get install xchat
b) Updating manually...
The update can also be retrieved manually from our ftp site
below along with the rpm command that should be used to install
the update. (Please use a mirror site)
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/ppc/
rpm -Fvh xchat-1.8.9-2a.ppc.rpm
4. Verification
MD5 checksum Package
-------------------------------- ----------------------------
d3d8742b3eb43b9a39f0c439b1f7b560 ppc/xchat-1.8.9-2a.ppc.rpm
16470f640f09a40e4e54801fab0702bd SRPMS/xchat-1.8.9-2a.src.rpm
If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename
5. Misc.
Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.
For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_2.2/apt-get.shtml