Candidate: CVE-2003-0461
References:
 MISC:http://rsbac.dyndns.org/pipermail/rsbac/2002-May/000162.html
 REDHAT:RHSA-2003:238
 URL:http://www.redhat.com/support/errata/RHSA-2003-238.html
 REDHAT:RHSA-2004:188
 URL:http://www.redhat.com/support/errata/RHSA-2004-188.html
 DEBIAN:DSA-358
 URL:http://www.debian.org/security/2004/dsa-358
 DEBIAN:DSA-423
 URL:http://www.debian.org/security/2004/dsa-423
 OVAL:OVAL304
 URL:http://oval.mitre.org/oval/definitions/data/oval304.html
 OVAL:OVAL997
 URL:http://oval.mitre.org/oval/definitions/data/oval997.html
Description:
 /proc/tty/driver/serial in Linux 2.4.x reveals the exact number of
 characters used in serial links, which could allow local users to obtain
 potentially sensitive information such as the length of passwords.
Notes:
 dannf> Here's the patches I used:
 http://linux.bkbits.net:8080/linux-2.4/cset@41a6020dX1GoVx_Eydy1jUOqc11tpw?nav=index.html|src/|src/fs|src/fs/proc|related/fs/proc/proc_tty.c
 http://linux.bkbits.net:8080/linux-2.4/cset@41aca810DvutJ8aEj43OuUqJ4e1EIw?nav=index.html|src/|src/include|src/include/linux|related/include/linux/proc_fs.h
Bugs:
upstream: released (2.4.29-pre2, 2.6.1)
linux-2.6: N/A
2.6.8-sarge-security: N/A
2.4.27-sarge-security: released (2.4.27-1) [025_proc_tty_security.diff]
2.4.19-woody-security: released (2.4.19-4.woody3)
2.4.18-woody-security: released (2.4.18-10)
2.4.17-woody-security: released (2.4.17-1woody4)
2.4.16-woody-security: released (2.4.16-1woody3)
2.4.17-woody-security-hppa: released (32.5)
2.4.17-woody-security-ia64: released (011226.14.1)
2.4.18-woody-security-hppa: released (62.4)