RHEL 2.1 : mgetty (RHSA-2003:008)

This script is Copyright (C) 2004-2014 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

Updated Mgetty packages are now available to fix a possible buffer
overflow and a permissions problem.

Mgetty is a getty replacement for use with data and fax modems.

Mgetty can be configured to run an external program to decide whether
or not to answer an incoming call based on Caller ID information.
Versions of Mgetty prior to 1.1.29 would overflow an internal buffer
if the caller name reported by the modem was too long.

Additionally, the faxspool script supplied with versions of Mgetty
prior to 1.1.29 used a simple permissions scheme to allow or deny fax
transmission privileges. This scheme was easily circumvented because
the spooling directory used for outgoing faxes was world-writable.

All users of Mgetty should upgrade to these errata packages, which
contain Mgetty 1.1.30 and are not vulnerable to these issues.

See also :

https://www.redhat.com/security/data/cve/CVE-2002-1391.html
https://www.redhat.com/security/data/cve/CVE-2002-1392.html
http://search.alphanet.ch/cgi-bin/search.cgi?msgid=
http://rhn.redhat.com/errata/RHSA-2003-008.html

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Family: Red Hat Local Security Checks

Nessus Plugin ID: 12349

CVE ID: CVE-2002-1391, CVE-2002-1392