Hi, referring to the mentioned Advisories I would like to know what the latest stable version of Amanda is, that is not affected. I thought that 2.4.2p2 is the latest, as mentioned a week or so ago on this list. Below, only 2.3.0.4 is mentioned. But this wasn't shipped with FreeBSD 4.5.
Thanks for info,
a confused Tom

http://online.securityfocus.com/archive/1/274215

Package: AMANDA
Version: 2.3.0.4
Date: 26/05/2002
Issue: Local and remote overflows
Risk: Medium since this is an old package
Credits: zillion[at]safemode.org
http://www.safemode.org
http://www.snosoft.com

The Advanced Maryland Automatic Network Disk Archiver (AMANDA) is a backup system which is available for many different Unix-based operating systems. Several setuid and setgid binaries which are installed by this package contain buffer overflow vulnerabilities that can be used to execute shellcode with elevated privileges. Additionally, the amindexd daemon contains a remote overflow bug that can lead to a remote system compromise.

The affected version of AMANDA is an old package but is often used due to compatibility problems with newer versions. For example, this package was until recently shipped with the FreeBSD 4.5 ports collection.
