Xzabite dyndnsupdate: Multiple vulnerabilities

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference: GLSA 200503-27 / dyndnsupdate
Release Date: March 21, 2005
Latest Revision: May 22, 2006: 02
Impact: normal
Exploitable: remote

Package: net-misc/dyndnsupdate
Vulnerable versions: <= 0.6.15
Unaffected versions: (none listed)
Architecture(s): All supported architectures

Related bugreports: #84659

Synopsis

Xzabite's dyndnsupdate software suffers from multiple vulnerabilities, potentially resulting in the remote execution of arbitrary code.

2.  Impact Information

Background

dyndnsupdate is a dyndns.org data updater written by Fredrik "xzabite" Haglund.

Description

Toby Dickenson discovered that dyndnsupdate suffers from multiple overflows.

Impact

A remote attacker, posing as a dyndns.org server, could execute arbitrary code with the rights of the user running dyndnsupdate.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

Currently, there is no released version of dyndnsupdate that contains a fix for these issues. The original xzabite.org distribution site is dead, the code contains several other problems and more secure alternatives exist, such as the net-dns/ddclient package. Therefore, the dyndnsupdate package has been hard-masked prior to complete removal from Portage, and current users are advised to unmerge the package:

Code Listing 3.1: Resolution

# emerge --unmerge net-misc/dyndnsupdate
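
To confirm whether a host still carries the package, before or after the unmerge, the following added example (not part of the Gentoo advisory) scans Portage's installed-package database. The `/var/db/pkg` directory layout, the function names and the `affected`/`review` labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: report installed net-misc/dyndnsupdate versions covered by
# GLSA 200503-27 (vulnerable: <= 0.6.15, no fixed release).
# Assumption: Portage records installed packages under /var/db/pkg as
# <category>/<name>-<version>/ directories.

GLSA_MAX="0.6.15"   # highest vulnerable version named in the advisory

# version_le A B: succeeds when A <= B in version order (needs sort -V).
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_dyndnsupdate [VDB_ROOT]
# Prints one line per installed version: "affected <ver>" or "review <ver>".
# Returns 1 if any affected version is installed, 0 otherwise.
check_dyndnsupdate() {
    vdb="${1:-/var/db/pkg}"
    found=0
    for dir in "$vdb"/net-misc/dyndnsupdate-[0-9]*; do
        [ -d "$dir" ] || continue          # glob did not match: not installed
        ver="${dir##*/dyndnsupdate-}"
        ver="${ver%-r[0-9]*}"              # drop a Gentoo revision suffix (-rN)
        if version_le "$ver" "$GLSA_MAX"; then
            echo "affected $ver"
            found=1
        else
            # The advisory lists no unaffected version, so flag for a human.
            echo "review $ver"
        fi
    done
    return "$found"
}
```

Source the file and call `check_dyndnsupdate`; a non-zero status means the unmerge command from the advisory still has to be run on that host.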

Page updated March 21, 2005

Summary: This is a Gentoo Linux Security Advisory

Copyright 2001-2014 Gentoo Foundation, Inc.