USN-412-1: GeoIP vulnerability
24 January 2007
Details
Dean Gaudet discovered that the GeoIP update tool did not validate the
filename responses from the update server. A malicious server, or
machine-in-the-middle system posing as a server, could write to arbitrary
files with user privileges.
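The kind of check described as missing above, as an added example (not the GeoIP project's code or its actual fix): a client treats the server-supplied filename as untrusted and accepts only a bare file name before joining it to its database directory. The function names, the directory /var/lib/example-db and the sample responses are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not the GeoIP code): accept only a bare file name
 * from a conservative character set, so the value cannot name a path. */
int is_safe_update_filename(const char *name)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
    size_t len;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > 64)
        return 0;
    if (name[0] == '.')               /* rejects ".", ".." and dotfiles */
        return 0;
    if (strspn(name, allowed) != len) /* rejects '/', '\\', spaces, controls */
        return 0;
    return 1;
}

/* Hypothetical helper: build db_dir/name only when name passes the check.
 * Returns 0 on success, -1 if name is rejected or out is too small. */
int build_target_path(const char *db_dir, const char *name,
                      char *out, size_t outlen)
{
    int n;

    if (!is_safe_update_filename(name))
        return -1;
    n = snprintf(out, outlen, "%s/%s", db_dir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample responses, not captured from a real server. */
    const char *samples[] = { "GeoIP.dat.gz", "../../tmp/x", "/tmp/x", "..", "" };
    char path[256];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = build_target_path("/var/lib/example-db", samples[i],
                                   path, sizeof path);
        printf("%-14s -> %s\n", samples[i], rc == 0 ? path : "REJECTED");
    }
    return 0;
}
```

An allowlist of characters is used rather than a search for "../" so that absolute paths, backslashes and dotfiles are rejected by the same rule.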
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 6.10 - geoip-bin - 1.3.17-1ubuntu0.1
Ubuntu 6.06 - geoip-bin - 1.3.14-2ubuntu0.1
Ubuntu 5.10 - geoip-bin - 1.3.10-1ubuntu0.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.