6180496 2001-03-06 12:08 -0800 /70 lines/ Greg KH <greg@WIREX.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-03-06 22:28 by Brevbäraren (som är implementerad i) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: greg@WIREX.COM
Recipient: Bugtraq (import) <15780>
Subject: Immunix OS Security update for joe
------------------------------------------------------------
-----------------------------------------------------------------------
        Immunix OS Security Advisory

Packages updated:       joe
Affected products:      Immunix OS 6.2 and 7.0-beta
Bugs Fixed:             immunix/1329
Date:                   March 6, 2001
Advisory ID:            IMNX-2001-70-005-01
Author:                 Greg Kroah-Hartman <greg@wirex.com>
-----------------------------------------------------------------------

Description:
  The version of joe shipped in Immunix OS 6.2 and 7.0-beta looks for a
  configuration file in the current working directory, the user's home
  directory and in /etc/joe. A malicious user could create their own
  .joerc configuration file and try to get other users to use it. If
  this happens, the user could execute malicious commands with their own
  user id and privilege.

  This problem was originally reported by WKIT Security AB and more
  information on it can be found at
    http://www.wkit.com/content/eng/advisories/wsir0202.txt

  Immunix 7.0 does not install the joe package by default but provides
  it in the extras/unsupported directory so it is not vulnerable unless
  the joe package has been installed manually by the system
  administrator.

  Packages have been created and released that fix this problem.

Package names and locations:
  Precompiled binary package for Immunix 6.2 is available at:
    http://immunix.org/ImmunixOS/6.2/updates/RPMS/joe-2.8-43.62_StackGuard.i386.rpm

  Source package for Immunix 6.2 is available at:
    http://immunix.org/ImmunixOS/6.2/updates/SRPMS/joe-2.8-43.62_StackGuard.src.rpm

  Precompiled binary package for Immunix 7.0-beta and 7.0 is available at:
    http://immunix.org/ImmunixOS/7.0/updates/RPMS/joe-2.8-43.7_imnx.i386.rpm

  Source package for Immunix 7.0-beta and 7.0 is available at:
    http://immunix.org/ImmunixOS/7.0/updates/SRPMS/joe-2.8-43.7_imnx.src.rpm

md5sums of the packages:
  af4179632fec1a6bf165f3c36323d1ec  joe-2.8-43.62_StackGuard.i386.rpm
  70a5925864e02b8ac3118d20aec97d7f  joe-2.8-43.62_StackGuard.src.rpm
  ae0d34096476456ac3df90358d9b7723  joe-2.8-43.7_imnx.i386.rpm
  5ca9476b3284b9d559dd786ea0c43dca  joe-2.8-43.7_imnx.src.rpm

Online version of all Immunix 6.2 updates and advisories:
  http://immunix.org/ImmunixOS/6.2/updates/

Online version of all Immunix 7.0-beta updates and advisories:
  http://immunix.org/ImmunixOS/7.0-beta/updates/

Online version of all Immunix 7.0 updates and advisories:
  http://immunix.org/ImmunixOS/7.0/updates/

NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

(6180496) --------------------------------(Reflowed)
Attachment (application/pgp-signature) in text 6180497

6180497 2001-03-06 12:08 -0800 /10 lines/ Greg KH <greg@WIREX.COM>
Imported: 2001-03-06 22:28 by Brevbäraren (som är implementerad i) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: greg@WIREX.COM
Recipient: Bugtraq (import) <15781>
Attachment (text/plain) to text 6180496
Subject: Attachment to: Immunix OS Security update for joe
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6pUPBAl5ylTeuKpURAlneAJ4s/EUf3f6OQCGbz33MKO3Eiz0o2gCgnVLh
H/hgyzKcM2mHHaQJ7jI4Bi8=
=HD8F
-----END PGP SIGNATURE-----
(6180497) ------------------------------------------
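
One defensive pattern for the configuration lookup described in the advisory, given here as an added example: it is not part of the advisory and not the change shipped in the updated joe packages. The function names, the trust policy (file owned by the invoking user or root, no group/other write bit) and the /etc/joe file name are assumptions.

```c
/* Added example, not joe's code. Names, policy and /etc/joe file name assumed. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Policy: regular file, owned by uid or root, no group/other write bit. */
int rc_stat_is_trusted(const struct stat *st, uid_t uid)
{
    if (!S_ISREG(st->st_mode) || (st->st_uid != uid && st->st_uid != 0))
        return 0;
    return (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Open first, then fstat() the descriptor, so the file that was checked
 * is the file that gets parsed. Returns an fd, or -1 if missing/untrusted. */
int open_trusted_rc(const char *path, uid_t uid)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd >= 0 && (fstat(fd, &st) != 0 || !rc_stat_is_trusted(&st, uid))) {
        close(fd);
        fd = -1;
    }
    return fd;
}

/* Try candidates in order; return index of the first trusted one, or -1. */
int first_trusted_rc(const char *const *paths, int n, uid_t uid, int *fd_out)
{
    for (int i = 0; i < n; i++)
        if ((*fd_out = open_trusted_rc(paths[i], uid)) >= 0)
            return i;
    return -1;
}

int main(void)
{
    char home_rc[4096];
    const char *home = getenv("HOME");
    snprintf(home_rc, sizeof home_rc, "%s/.joerc", home ? home : "/nonexistent");
    const char *const paths[] = { "./.joerc", home_rc, "/etc/joe/joerc" };
    int fd = -1, i = first_trusted_rc(paths, 3, getuid(), &fd);
    printf("%s\n", i >= 0 ? paths[i] : "no trusted rc file, using defaults");
    if (fd >= 0) close(fd);
}
```

With this check a .joerc planted by another user in a shared directory is skipped because of its owner, and the lookup falls through to the next candidate.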