Debian Linux (others?) running super version 3.9.6 through version 3.11.6


    Internet Security  Systems has  discovered a  vulnerability in the
    system  administration  utility,  "Super".    Super  is  used   by
    administrators to  allow certain  users to  execute commands  with
    root privileges.   The vulnerability  is distributed  with  Debian
    Linux.  It  may allow local  attackers to compromise  root access.
    Super is a GNU copylefted package that is distributed with  recent
    Debian Linux distributions, but it can be installed and configured
    for many  Unix variants.   It is  intended to  be an  alternate to
    setuid scripts, which are inherently dangerous.  A buffer overflow
    exists in Super that may allow attackers to take advantage of  its
    setuid configuration to gain root access.

    According to William  Deich, super v3.9.6  - v3.11.6 contains  two
    known buffer overflow problems.  The specific problem demonstrated
    by ISS to gain local root access was not introduced until  _after_
    3.9.6,  but  all  versions  in  that  range had one problem or the
    other.  (In the usual  manner of buffer overflows, the  exploit is
    almost trivial if you know what to attack).


    Super 3.11.9 is available at:

    The new version of Super will be available soon on the mirror:

    Please refer to  these locations for  fixes which are  included in
    Super version 3.11.7.  In mean time:

	# chmod 755 /usr/bin/super

    Also, for pure Debian users: