I am the maintainer of the LPRng package for the Debian GNU/Linux
distribution. I have noticed in your advisory that Debian does not have
an entry in the Vendor Information appendix and would like to correct
that. I apologise for the very late notice.
In our stable distribution, LPRng versions below 3.6.12-7 are
vulnerable and it is highly recommended to upgrade to 3.6.12-8 (3.6.12-7
has a serious non-security related bug). Please note that it is Debian
policy to back-port serious bug fixes to our stable distribution as we
have done in this case.
In the unstable/testing distribution, LPRng versions below 3.6.24-3 are
vulnerable. It is recommended to upgrade to at least 3.6.26-1 or
better. 3.6.24-3 fixes the syslog security bug (as mentioned in this
advisory) while 3.6.26-1 fixes a NLSPATH/gettext security bug.
Both of these versions have been available since mid October.
Finally, I have some comments about other versions.
I am not sure that it is a good idea to recommend 3.6.25 from Patrick;
you may want to check with him, but an odd number implies test code.
My suggestion is 3.6.26.
Also I believe there is no such version 3.6.24 from RedHat. RedHat
uses the same numbering system as Debian. Putting 3.6.24
confuses people as RedHat's 3.6.24-1 IS vulnerable (equivalent to Debian
3.6.24-1 and -2) but RedHat's 3.6.24-2 IS NOT vulnerable (equivalent to Debian
3.6.24-3).
FYI 3.6.24-2 means that Debian/RedHat have made a localised change.
Anything with a -1 version means a largely unchanged version from what
we get from Patrick Powell.
- Craig
Debian LPRng maintainer
--
Craig Small VK2XLZ GnuPG:1C1B D893 1418 2AF4 45EE 95CB C76C E5AC 12CA DFA5
Eye-Net Consulting http://www.eye-net.com.au/ <[EMAIL PROTECTED]>
MIEEE <[EMAIL PROTECTED]> Debian developer <[EMAIL PROTECTED]>