Yellow Dog Linux Security Announcement -------------------------------------- Package: webalizer Issue Date: December 27, 2002 Priority: low Advisory ID: YDU-20021227-11 1. Topic: Updated webalizer packages are available. 2. Problem: "Updated Webalizer packages which fix an obscure buffer overflow bug in the DNS resolver code are available for [Yellow Dog Linux 2.3]. The Webalizer is a Web server log file analysis program which produces detailed usage reports in HTML format. A buffer overflow in Webalizer versions prior to 2.01-10, when configured to use reverse DNS lookups, may allow remote attackers to execute arbitrary code by connecting to the monitored Web server from an IP address that resolves to a long hostname." (from Red Hat advisory) 3. Solution: a) Updating via apt... We suggest that you use the apt-get program to keep your system up-to-date. The following command(s) will retrieve and install the fixed version of this update onto your system: apt-get update apt-get install webalizer b) Updating manually... Download the updates below and then run the following rpm command. (Please use a mirror site) rpm -Fvh [filenames] ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/ ppc/webalizer-2.01_09-1.72.ppc.rpm 4. Verification MD5 checksum Package -------------------------------- ---------------------------- 28d302ccf3c02830e1ebd749843e94d3 ppc/webalizer-2.01_09-1.72.ppc.rpm aea905e81cae9fc69f744abcc6c03a5b SRPMS/webalizer-2.01_09-1.72.src.rpm I wish to verify that each package has not been corrupted or tampered with, examine the md5sum with the following command: rpm --checksig --nogpg filename 5. Misc. Terra Soft has setup a moderated mailing list where these security, bugfix, and package enhancement announcements will be posted. See http://lists.terrasoftsolutions.com/ for more information. For information regarding the usage of apt-get, see: http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml