
Changes in Version 3.08 of SETI@home . . . Precautionary security release 3.08

theNorse

Senior member

April 4, 2003

There is a software update with a precautionary security fix.
To obtain it, go to the download page.

DOWNLOAD Page


Changes in Version 3.08 of SETI@home . . .
[Precautionary security release 3.08 for several platforms is available]

"Version 3.08 is a precautionary security release. There was a potential buffer
overrun in the networking code of the client that is fixed with version 3.08.
Note that to exploit this vulnerability, a potential attacker would have to trick
the client into contacting a fake server rather than the actual SETI@home server.
To our knowledge, no SETI@home client has ever been attacked in this manner.
Thanks go to Berend-Jan Wever for finding this bug and demonstrating the
exploit and to Steffen Zahn for helping to track it down in the code."
[ Berend-Jan Wever ]

SETI@home (INFO - Changes)

Copyright ©2001 SETI@home
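The advisory above names only the bug class: an overrun in the client's networking code, reachable by a server the client has been tricked into contacting. As an added illustration, and not the SETI@home client's code (the affected routine is not shown on this page), the C below parses a made-up `key=value` reply protocol two ways: an unchecked copy into a fixed 32-byte buffer, which is the shape such bugs usually take, and a bounded version that rejects an oversize value rather than silently truncating it. The protocol, the field name, the buffer size and both sample replies are constructed for the example; the "hostile" reply stands for what a fake server would send.

```c
/* Added example: bounded vs. unbounded parsing of an untrusted server reply.
 * Not SETI@home code. The "key=value\n" line protocol is invented here. */
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 32   /* hypothetical fixed buffer size in the client */

/* Constructed replies. A real server answers like the first one; a fake
 * server controlled by an attacker can answer like the second. */
static const char *BENIGN_REPLY = "status=ok\nname=alpha\n";
static const char *HOSTILE_REPLY =
    "status=ok\nname="
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"   /* 64 bytes of value: */
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"   /* twice FIELD_MAX     */
    "\n";

/* VULNERABLE pattern (for contrast, never run on the hostile reply here):
 * the value is copied with an unbounded %s into a fixed-size buffer, so a
 * reply longer than FIELD_MAX-1 bytes writes past the end of out[]. */
void get_field_unsafe(const char *reply, const char *key, char out[FIELD_MAX])
{
    const char *p = strstr(reply, key);
    if (!p) { out[0] = '\0'; return; }
    p += strlen(key);
    sscanf(p, "%s", out);          /* no width limit: overrun on long value */
}

/* Hardened: match the key only at the start of a line, measure the value
 * before copying, and refuse anything that would not fit with its NUL.
 * Returns 0 on success, -1 if the key is absent, -2 if the value is too big. */
int get_field(const char *reply, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *line = reply;

    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);

        if (linelen >= klen && memcmp(line, key, klen) == 0) {
            size_t vlen = linelen - klen;
            if (vlen + 1 > outsz)  /* value plus terminator must fit */
                return -2;
            memcpy(out, line + klen, vlen);
            out[vlen] = '\0';
            return 0;
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return -1;
}

int main(void)
{
    char name[FIELD_MAX];
    int rc;

    rc = get_field(BENIGN_REPLY, "name=", name, sizeof name);
    printf("benign reply:  rc=%d name=%s\n", rc, rc == 0 ? name : "(none)");

    rc = get_field(HOSTILE_REPLY, "name=", name, sizeof name);
    printf("hostile reply: rc=%d (%s)\n", rc,
           rc == -2 ? "oversize value rejected, buffer untouched" : "unexpected");
    return 0;
}
```

The check is on the data, not on where it came from: whatever relays the reply to the parser, the bytes that reach a fixed buffer unchecked are what decide whether it overruns. Rejecting rather than truncating also keeps a shortened value from being mistaken for a valid one later on.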

norse
 
Thanks for info 🙂

However, this is only an update to the GUI client, however most of us are, or should be, using the CLI client, which is still on Version 3.03



Confused
 

😀 yes (we) are using the CLI

- *but* there are some that are using the Screensaver :Q

. . . and PS - you are welcome Sir!
norse
 
. . . actually - i just recently met quite a number of SETI@home crunchers
that didn't even realize that their E-Mail addresses were showing @ SETI
(in their Profile) and *They* are the ones that created said Profile 😀

so how many crunchers @ TeAm AnandTech (are) using the GUI ???

personally i do not know - but i figure they come here to this Forum -
they can find the fix - and as an added Note - most of the crunchers
@ SETI don't even know about the Main Page @ SETI . . . makes me
wonder how they got to be crunchers in the first place . . .
norse
 
Confirmed remote exploitable:
setiathome-3.03.i386-pc-linux-gnu-gnulibc2.1
setiathome-3.03.i686-pc-linux-gnu-gnulibc2.1
setiathome-3.03.i386-pc-linux-gnulibc1-static
setiathome-3.03.i686-pc-linux-gnulibc1-static
setiathome-3.03.i386-winnt-cmdline.exe
i386-unknown-freebsd2.2.8 (Special thanks to Niels Heinen)
SETI@home.exe (v3.07 Screensaver)

The one I've highlighted is the most used client. Should we all change?

Additional Information

I just checked the TS Queue and it appears "all" {edit: most} clients have the following message in YELLOW:

Message from Seti WARNING: Platform i386-winnt-cmdline not found; continuing in test mode.
Message time Sun 2003 Apr 06 6:15:01am (8 hr 16 min ago)


This makes it pretty obvious that they want us to use the "new" CLI CLIENT. That causes me a significant problem. 🙁

BTW, the newest setiathome-3.03.i386-winnt-cmdline.exe is also downloadable from the embedded link in the Join TeAm AnandTech SETI sig-line that many of us carry. S@H warns to NOT download the CLIENTS from unknown sources. I can verify that the above mentioned CLIENT is the authentic version but use at your own risk. 😉
 
Where do you look in your Q to see that message?
I'm running SetiQueue myself and I see no such messages.
 
Under REPORTS open up CLIENTS

Not every CLIENT on the TS QUEUE has the notation but most of them do. :Q
 
eh Smoke -
i'm using CLI under WinME . . . i don't need this upgrade - right ?
😕

Download a command-line version for UNIX, WinNT, OS/2, BeOS, Mac OS X Server, OpenVMS, etc

Command-line Client Software . . .


"Note that to exploit this vulnerability, a potential attacker would have to trick the client into contacting a fake server rather than the actual SETI@home server. To our knowledge, no SETI@home client has ever been attacked in this manner"




norse
 
Out of curiosity, if you use an add-on to cache & send WUs (SETI Q, Driver, etc.) the CLI isn't communicating directly with the S@H server anyway, right? So wouldn't the add-on have to be spoofed into communicating with a fake server?
I wonder if it's just those that use the CLI alone that may be vulnerable? Any thought?
 
I wouldn't recommend upgrading to v3.08 unless we are forced to!

Early results (see v3.08 CLI thread) on my SDR XP1800 @1.88GHz rig shows 0.417 WUs going from about 3hrs 35mins to about 4hrs!:|
There's no extra science so why the longer WU times?😕.

See other thread for latest info & more detail
 