Yellow Dog Linux Security Announcement -------------------------------------- Package: xchat Issue Date: June 06, 2002 Priority: medium Advisory ID: YDU-20020606-5 1. Topic: Updated xchat packages are available. 2. Problem: "XChat is a popular cross-platform IRC client. Versions of XChat prior to 1.8.9 do not filter the response from an IRC server when a /dns query is executed. Because XChat resolves hostnames by passing the configured resolver and hostname to a shell, an IRC server may return a maliciously formatted response that executes arbitrary commands with the privileges of the user running XChat. All users of XChat are advised to update to these errata packages containing XChat version 1.8.9 which is not vulnerable to this issue." (from Red Hat Advisory) 3. Solution: a) Updating via apt... We suggest that you use the apt-get program to keep your system up-to-date. The following command(s) will retrieve and install the fixed version of this update onto your system: apt-get update apt-get install xchat b) Updating manually... The update can also be retrieved manually from our ftp site below along with the rpm command that should be used to install the update. (Please use a mirror site) ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/ppc/ rpm -Fvh xchat-1.8.9-2a.ppc.rpm 4. Verification MD5 checksum Package -------------------------------- ---------------------------- d3d8742b3eb43b9a39f0c439b1f7b560 ppc/xchat-1.8.9-2a.ppc.rpm 16470f640f09a40e4e54801fab0702bd SRPMS/xchat-1.8.9-2a.src.rpm If you wish to verify that each package has not been corrupted or tampered with, examine the md5sum with the following command: rpm --checksig --nogpg filename 5. Misc. Terra Soft has setup a moderated mailing list where these security, bugfix, and package enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more information. For information regarding the usage of apt-get, see: http://www.yellowdoglinux.com/support/solutions/ydl_2.2/apt-get.shtml