109071 2003-08-07 23:21 /60 lines/ Immunix Security Team <security@immunix.com>
Imported: 2003-08-07 23:21 by Brevbäraren
External recipient: security@immunix.com
Recipient: Bugtraq (import) <5921>
Subject: Immunix Secured OS 7+ wu-ftpd update
------------------------------------------------------------
[Please do not set your mail system to send out-of-office autoreplies
on public mail lists. It is inconsiderate. Whichever mail list you
received this mail from should include headers that you can use to
select whether vacation(1) or procmail(1) should respond. procmail
users, please see procmailex(5). Outlook users should contact their
system administrators. Mail administrators, please configure your
virus scanners to not report PGP/MIME attachments as a virus. It
isn't. Thanks.]
-----------------------------------------------------------------------
Immunix Secured OS Security Advisory
Packages updated: wu-ftpd
Affected products: Immunix OS 7+
Bugs fixed: CAN-2003-0466
Date: Wed Aug 6 2003
Advisory ID: IMNX-2003-7+-019-01
Author: Seth Arnold <sarnold@immunix.com>
-----------------------------------------------------------------------
Description:
Janusz Niewiadomski has discovered an off-by-one vulnerability in
wu-ftpd's fb_realpath function; this function is called with arguments
occasionally on the stack and occasionally statically allocated.
Therefore, StackGuard's protection should not be relied upon to
prevent exploitation of this vulnerability, though it may mitigate a
specific exploit, should one appear.
It is believed this flaw is remotely exploitable. It is not known at
this time if the Immunix GLibC system library is vulnerable to a
similar flaw.
Immunix would like to thank Janusz for working with vendors to solve
this issue in a timely manner.
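To illustrate the bug class the advisory describes (a length guard that is one byte short when a path component is appended to a fixed-size buffer, so the terminating NUL lands one byte past the end), here is an added example that is not wu-ftpd's fb_realpath code; the buffer size PATHLEN and the helper names are assumptions chosen for the demonstration.

```c
/* Added illustration of an off-by-one length guard on a path buffer.
 * Not wu-ftpd's code: PATHLEN and the helpers below are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define PATHLEN 16   /* assumed stand-in for MAXPATHLEN, kept small */

/* Bytes the joined path "resolved/component" needs, NUL included. */
size_t joined_size(const char *resolved, const char *component) {
    return strlen(resolved) + 1 + strlen(component) + 1;
}

/* Buggy guard (true = reject): it counts characters but not the NUL,
 * so a join that is exactly PATHLEN characters long is admitted and
 * strcat would write the terminator one byte past the buffer. Whether
 * that byte hits a stack canary or silent static data depends on where
 * the caller placed the buffer, which is why a StackGuard-style check
 * cannot be relied on for this bug. */
bool guard_buggy(const char *resolved, const char *component) {
    return strlen(resolved) + 1 + strlen(component) > PATHLEN;
}

/* Corrected guard (true = reject): account for the NUL terminator. */
bool guard_fixed(const char *resolved, const char *component) {
    return joined_size(resolved, component) > PATHLEN;
}

/* Append "/component" to a PATHLEN-byte buffer only when it fits.
 * Returns false and leaves the buffer untouched otherwise. */
bool append_component(char resolved[PATHLEN], const char *component) {
    if (guard_fixed(resolved, component)) return false;
    strcat(resolved, "/");
    strcat(resolved, component);
    return true;
}

/* True when the buggy guard admits a join that does not fit: the
 * one-byte window the corrected guard closes. Never performs the write. */
bool buggy_guard_admits_overflow(const char *resolved, const char *component) {
    return !guard_buggy(resolved, component) &&
           joined_size(resolved, component) > PATHLEN;
}

int main(void) {
    /* Constructed input: 9 chars + '/' + 6 chars = 16 chars, 17 bytes. */
    char buf[PATHLEN] = "/home/usr";
    return (buggy_guard_admits_overflow(buf, "abcdef") &&
            !append_component(buf, "abcdef")) ? 0 : 1;
}
```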
Package names and locations:
Precompiled binary packages for Immunix 7+ are available at:
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/wu-ftpd-2.6.1-6_imnx_8.i386.rpm
Immunix OS 7+ md5sums:
d1811ef4c936fa80f59cd0ce916acfa8 wu-ftpd-2.6.1-6_imnx_8.i386.rpm
GPG verification:
Our public key is available at http://download.immunix.org/GPG_KEY
NOTE:
Ibiblio is graciously mirroring our updates, so if the links above are
slow, please try:
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
or one of the many mirrors available at:
http://www.ibiblio.org/pub/Linux/MIRRORS.html
ImmunixOS 6.2 is no longer officially supported.
ImmunixOS 7.0 is no longer officially supported.
Contact information:
To report vulnerabilities, please contact security@immunix.com.
Immunix attempts to conform to the RFP vulnerability disclosure protocol
http://www.wiretrip.net/rfp/policy.html.
(109071) /Immunix Security Team <security@immunix.com>/(Reformatted)
Attachment (application/pgp-signature) in text 109072
109072 2003-08-07 23:21 /9 lines/ Immunix Security Team <security@immunix.com>
Imported: 2003-08-07 23:21 by Brevbäraren
External recipient: security@immunix.com
Recipient: Bugtraq (import) <5922>
Attachment (text/plain) to text 109071
Subject: Attachment to: Immunix Secured OS 7+ wu-ftpd update
------------------------------------------------------------
(109072) /Immunix Security Team <security@immunix.com>/