COMMAND

    GNQS

SYSTEMS AFFECTED

    GNQS 3.50.6 and 3.50.7

PROBLEM

    Philippe Andersson posted following.   A large  security hole  was
    uncovered last month in Generic-NQS ver. 3.50.6 and 3.50.7.   This
    hole leads to immediate local root compromise.

    On the  request of  GNQS Maintainer,  Stuart Herbert  Philipe will
    not release  the actual  exploit technique,  since it  would allow
    any 5-year old with an shell account on the affected system(s)  to
    gain root in no time.  Credit for the discovery goes to Gilbert
    Mets.

SOLUTION

    All users of vulnerable versions are requested to upgrade to  ver.
    3.50.8 or later ASAP.  The updated package can be downloaded from:

        http://ftp.gnqs.org/pub/gnqs/latest/production/Generic-NQS-3.50.9.tar.gz

    Users of previous versions are not vulnerable.  The fix introduced
    in  ver.  3.50.8  will  also  log  any  attempt  at exploiting the
    vulnerability.  For FreeBSD:

        1) Upgrade  your  entire  ports  collection  and  rebuild  the
           generic-nqs port.

        2) Reinstall a  new package dated  after the correction  date,
           obtained from:
              ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/generic-nqs-3.50.9.tgz
              ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/generic-nqs-3.50.9.tgz
              ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/generic-nqs-3.50.9.tgz
              ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/generic-nqs-3.50.9.tgz
              ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/generic-nqs-3.50.9.tgz

        3) download a new port skeleton for the generic-nqs port from:
              http://www.freebsd.org/ports/
           and use it to rebuild the port.

        4) Use the portcheckout utility to automate option (3)  above.
           The     portcheckout     port      is     available      in
           /usr/ports/devel/portcheckout  or   the  package   can   be
           obtained from:
              ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz