Debian: HylaFAX unauthorised access fix

    Date11 Jan 2005
    CategoryDebian
    7270
    Posted ByJoe Shakespeare
    Patrice Fournier discovered a vulnerability in the authorisation subsystem of hylafax, a flexible client/server fax system. A local or remote user guessing the contents of the hosts.hfaxd database could gain unauthorised access to the fax system.
    
    --------------------------------------------------------------------------
    Debian Security Advisory DSA 634-1                     This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                             Martin Schulze
    January 11th, 2005                      http://www.debian.org/security/faq
    --------------------------------------------------------------------------
    
    Package        : hylafax
    Vulnerability  : weak hostname and username validation
    Problem-Type   : local/remote
    Debian-specific: no
    CVE ID         : CAN-2004-1182
    
    Patrice Fournier discovered a vulnerability in the authorisation
    subsystem of hylafax, a flexible client/server fax system.  A local or
    remote user guessing the contents of the hosts.hfaxd database could
    gain unauthorised access to the fax system.
    
    Some installations of hylafax may actually utilise the weak hostname
    and username validation for authorized uses.  For example, hosts.hfaxd
    entries that may be common are
    
      192.168.0
      username:uid:pass:adminpass
      user@host
    
    After updating, these entries will need to be modified in order to
    continue to function.  Respectively, the correct entries should be
    
      192.168.0.[0-9]+
      username@:uid:pass:adminpass
      user@host
    
    Unless such maching of "username" with "otherusername" and "host" with
    "hostname" is desired, the proper form of these entries should include
    the delimiter and markers like this
    
      @192.168.0.[0-9]+$
      ^username@:uid:pass:adminpass
      ^user@host$
    
    For the stable distribution (woody) this problem has been fixed in
    version 4.1.1-3.1.
    
    For the unstable distribution (sid) this problem has been fixed in
    version 4.2.1-1.
    
    We recommend that you upgrade your hylafax packages.
    
    
    Upgrade Instructions
    --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 3.0 alias woody
    --------------------------------
    
      Source archives:
    
        http://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.1.1-3.1.dsc
          Size/MD5 checksum:      739 1f06652425050fe27826e5cc1a6c23ff
        http://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.1.1-3.1.diff.gz
          Size/MD5 checksum:   115695 79a4e2c1a5c4d0fc8920b8c86b67d3ba
        http://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.1.1.orig.tar.gz
          Size/MD5 checksum:  1287689 1ed081750be70a800708699b7568e17e
    
      Architecture independent components:
    
        http://security.debian.org/pool/updates/main/h/hylafax/hylafax-doc_4.1.1-3.1_all.deb
          Size/MD5 checksum:   318204 e8e94228255e35a1b5ccec1605405a53
    
      Alpha architecture:
    
        http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-3.1_alpha.deb
          Size/MD5 checksum:   556274 9e1f383c7d6949a4dd8b36c661ea62fd
        http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-3.1_alpha.deb
          Size/MD5 checksum:  1362416 61b25a20d4627904e2d04355724ec7b5
    
      ARM architecture:
    
        http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-3.1_arm.deb
          Size/MD5 checksum:   445564 53d052214836978819eda025cb0556af
        http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-3.1_arm.deb
          Size/MD5 checksum:  1095574 e109dd83be65856939e4ad9d708e70ff
    
      Intel IA-32 architecture:
    
        http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-3.1_i386.deb
          Size/MD5 checksum:   462598 57fb47be9b22cc74f4d72fd1e8230e29
        http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-3.1_i386.deb
          Size/MD5 checksum:  1132694 9f8aa28b677b3a6c57182e54d6908262
    
      Intel IA-64 architecture:
    
        http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-3.1_ia64.deb
          Size/MD5 checksum:   615696 89157ac78717f6a487a996dccf7e204d
        http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-3.1_ia64.deb
          Size/MD5 checksum:  1491800 95a9c52342251ed55f79ffb5baeda567
    
      HP Precision architecture:
    
        http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-3.1_hppa.deb
          Size/MD5 checksum:   501548 ff673c6c47e8d64ea0ec9e2b02d51cb5
        http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-3.1_hppa.deb
          Size/MD5 checksum:  1231206 aad630516c55efd0ba9843fae532af30
    
      Motorola 680x0 architecture:
    
        http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-3.1_m68k.deb
          Size/MD5 checksum:   451214 ba331696f8fdaf75794aa43bee08363d
        http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-3.1_m68k.deb
          Size/MD5 checksum:  1100004 dbe19e34a750650e659d26424e3b8b66
    
      PowerPC architecture:
    
        http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-3.1_powerpc.deb
          Size/MD5 checksum:   450314 30e9b943f372fa583fa040300e8fab8e
        http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-3.1_powerpc.deb
          Size/MD5 checksum:  1104150 7ac3cb5c8abd26531e733401bff8c585
    
      IBM S/390 architecture:
    
        http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-3.1_s390.deb
          Size/MD5 checksum:   441190 f965904a1dd15e4fd1f6b79be39eedc2
        http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-3.1_s390.deb
          Size/MD5 checksum:  1086806 8c7900e8c59149f95dd6f12bc5f02d9f
    
      Sun Sparc architecture:
    
        http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-3.1_sparc.deb
          Size/MD5 checksum:   433580 b05f2aa9f1a6f3ef907b05a5921ed232
        http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-3.1_sparc.deb
          Size/MD5 checksum:  1082482 e2dce8bb66267336dca745dab65836ac
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and http://packages.debian.org/
    
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"22","type":"x","order":"1","pct":55,"resources":[]},{"id":"88","title":"Should be more technical","votes":"5","type":"x","order":"2","pct":12.5,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"13","type":"x","order":"3","pct":32.5,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.