On Fri, 2003-04-25 at 11:19, David Ramsden wrote:
> Noticed on vil.mcafee.com that a proof of concept exploit for Snort to
> exploit the vuln. found in v1.8 through to 1.9.1.

up to 2.0rc1, as reported by CERT

> What's the status of a patch from Debian Security? No DSA yet either.
> I know this has been brought up a few times already but now an exploit
> exists in the wild.

I don't know if the Debian package is affected, however it should be

> As a workaround, I could disable snort (granted) but also, how can I use
> /etc/apt/preferences to update /just/ snort to a non-vuln. version from
> another branch (unstable/testing)? What line do I need in
> /etc/apt/sources.list? And how easy is it to downgrade to the stable
> version if something goes wrong or a patch is released from Debian?

Don't do it... unstable/snort depends on a libc version not available in
stable, and maybe there are some other unresolved dependencies... Instead
get the deb-src and try to recompile... I think it's not so linear, but it
should work...

In the meantime (from the CERT advisory):

> Disable affected preprocessor modules
>
> Sites that are unable to immediately upgrade affected Snort sensors
> may prevent exploitation of this vulnerability by commenting out the
> affected preprocessor modules in the "snort.conf" configuration file.
>
> To prevent exploitation of VU#139129, comment out the following line:
>
> preprocessor stream4_reassemble
>
> To prevent exploitation of VU#916785, comment out the following line:
>
> preprocessor rpc_decode: 111 32771
>
> After commenting out the affected modules, send a SIGHUP signal to the
> affected Snort process to update the configuration. Note that
> disabling these modules may have adverse effects on a sensor's ability
> to correctly process RPC record fragments and TCP packet fragments. In
> particular, disabling the "stream4" preprocessor module will prevent
> the Snort sensor from detecting a variety of IDS evasion attacks.

Regards,
Gian Piero.

PS: about the pinning question, please read the apt-howto
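The CERT workaround quoted in the message above can be scripted so it is applied the same way on every sensor and then checked. The shell script below is an added example and is not code from the thread, from CERT or from the Snort project: it comments out the two affected preprocessor lines in a snort.conf, lists which preprocessors remain enabled, and offers a SIGHUP helper for the running process. The sample snort.conf it writes is constructed for the demonstration, and the default pid-file path used by `reload_snort` is an assumption, not Debian's documented location.

```sh
#!/bin/sh
# Added example (not from the thread): apply the CERT workaround for
# VU#139129 / VU#916785 to a snort.conf and verify the result.

# make_sample_conf PATH
# Writes a small constructed snort.conf (sample data, not a real sensor
# config) so the rest of the script can be exercised offline.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample snort.conf
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor rpc_decode: 111 32771
preprocessor http_decode: 80 unicode iis_alt_unicode
EOF
}

# disable_affected_preprocessors CONF
# Comments out "preprocessor stream4_reassemble" (VU#139129) and
# "preprocessor rpc_decode ..." (VU#916785) in CONF, in place, keeping a
# CONF.bak copy. Only lines whose first token is "preprocessor" are touched,
# so "preprocessor stream4: ..." stays enabled (the advisory only names
# stream4_reassemble) and already-commented lines are left alone, which
# makes the function idempotent.
disable_affected_preprocessors() {
    conf="$1"
    sed -i.bak \
        -e 's/^\([[:space:]]*\)\(preprocessor[[:space:]][[:space:]]*stream4_reassemble\)/\1# \2/' \
        -e 's/^\([[:space:]]*\)\(preprocessor[[:space:]][[:space:]]*rpc_decode\)/\1# \2/' \
        "$conf"
}

# active_preprocessors CONF
# Prints the name of every preprocessor still enabled in CONF, one per line,
# as a post-change check. The trailing ":" stripped here is Snort's
# separator between a preprocessor name and its arguments.
active_preprocessors() {
    grep -E '^[[:space:]]*preprocessor[[:space:]]' "$1" \
        | awk '{ print $2 }' \
        | sed 's/:$//'
}

# reload_snort [PIDFILE]
# Sends SIGHUP so the running sensor re-reads snort.conf, as the advisory
# instructs. The default pid-file path is an assumption; pass your own.
reload_snort() {
    pidfile="${1:-/var/run/snort.pid}"
    if [ -r "$pidfile" ]; then
        kill -HUP "$(cat "$pidfile")"
    else
        echo "pid file $pidfile not found; restart snort by hand" >&2
        return 1
    fi
}

# Stand-alone demonstration on a constructed config in a temporary directory.
demo_dir=$(mktemp -d)
make_sample_conf "$demo_dir/snort.conf"
disable_affected_preprocessors "$demo_dir/snort.conf"
echo "preprocessors still enabled after the workaround:"
active_preprocessors "$demo_dir/snort.conf"
rm -rf "$demo_dir"
```

On a real sensor, run `disable_affected_preprocessors /etc/snort/snort.conf`, inspect `active_preprocessors /etc/snort/snort.conf` to confirm that only `stream4_reassemble` and `rpc_decode` were removed, then call `reload_snort` with the sensor's actual pid file; the `.bak` copy written by sed is what you restore once a fixed package is installed.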

