Yellow Dog Linux Security Advisory: YDU-20020606-5

Dan Burcaw yellowdog-updates@lists.terrasoftsolutions.com
Thu, 6 Jun 2002 20:00:39 -0600 (MDT)


Yellow Dog Linux Security Announcement
--------------------------------------

Package:	xchat		
Issue Date: 	June 06, 2002	
Priority:	medium
Advisory ID: 	YDU-20020606-5


1. 	Topic:

	Updated xchat packages are available.


2. 	Problem:

	"XChat is a popular cross-platform IRC client. 

	Versions of XChat prior to 1.8.9 do not filter the response from an IRC
	server when a /dns query is executed. Because XChat resolves hostnames by
	passing the configured resolver and hostname to a shell, an IRC server may
	return a maliciously formatted response that executes arbitrary commands
	with the privileges of the user running XChat.

	All users of XChat are advised to update to these errata packages
	containing XChat version 1.8.9 which is not vulnerable to this issue."
	(from Red Hat Advisory)
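
The flaw class described above (a server-supplied hostname placed in a shell command line), shown from the defensive side as an added example; this is not XChat's code or the actual 1.8.9 change. The function names `hostname_is_safe` and `resolve_no_shell` are hypothetical; the sketch validates the hostname against an allow-list and then runs the resolver through `execvp` so that no shell ever parses the value.

```c
#include <ctype.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only hostname/IP-literal characters; reject anything a shell or an
 * option parser could interpret (metacharacters, spaces, leading '-'). */
int hostname_is_safe(const char *s)
{
    size_t len = strlen(s), label = 0;
    if (len == 0 || len > 253)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0)
                return 0;               /* empty label: ".." or leading dot */
            label = 0;
            continue;
        }
        if (!isalnum(c) && c != '-' && c != ':')
            return 0;                   /* ';', '|', '`', '$', space, ... */
        if (label == 0 && c == '-')
            return 0;                   /* label would look like an option */
        if (++label > 63)
            return 0;
    }
    return 1;
}

/* Hardened form: no "sh -c" and no formatted command string. The hostname is
 * one argv element, so the resolver receives it as data only.
 * Returns -1 if rejected or on fork/wait failure, else the exit status. */
int resolve_no_shell(const char *resolver, const char *host)
{
    int status;
    pid_t pid;
    if (!hostname_is_safe(host) || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)resolver, (char *)host, NULL };
        execvp(resolver, argv);
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Either measure alone closes the shell-parsing path; using both keeps the check effective if the resolver program itself treats unusual arguments specially.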


3. 	Solution:

   	a) Updating via apt...
   	We suggest that you use the apt-get program to keep your
   	system up-to-date. The following command(s) will retrieve
   	and install the fixed version of this update onto your system:

		apt-get update
		apt-get install xchat

   	b) Updating manually...
   	The update can also be retrieved manually from our ftp site
   	below along with the rpm command that should be used to install
   	the update.  (Please use a mirror site)

   		ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/ppc/
		rpm -Fvh xchat-1.8.9-2a.ppc.rpm


4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
d3d8742b3eb43b9a39f0c439b1f7b560  ppc/xchat-1.8.9-2a.ppc.rpm
16470f640f09a40e4e54801fab0702bd  SRPMS/xchat-1.8.9-2a.src.rpm

If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename


5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.

For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_2.2/apt-get.shtml