linux, säkerhet

11056376 2003-12-04 13:13 -0700 /45 rader/ Daniel Robbins <drobbins@gentoo.org>
Sänt av: gentoo-announce-return-177-11451=lyskom.lysator.liu.se@gentoo.org
Importerad: 2003-12-04 21:26 av Brevbäraren
Extern mottagare: gentoo-announce@gentoo.org
Extern mottagare: bugtraq@securityfocus.com
Extern mottagare: lwn@lwn.net
Mottagare: Gentoo (-) mailimport <274>
Mottagare: Bugtraq (import) <30186>
    Sänt:     2003-12-04 21:27
Ärende: [gentoo-announce] GLSA: exploitable heap overflow in rsync (200312-03)
------------------------------------------------------------
- ---------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200312-03
- ---------------------------------------------------------------------------

GLSA:        200312-03
summary:     exploitable heap overflow in rsync
severity:    high
date:        2003-12-04
exploit:     remote
affected:    <2.5.6*
fixed:       >=2.5.7

DESCRIPTION:

Rsync version 2.5.6 contains a vulnerability that can be used to run
arbitrary code. The Gentoo infrastructure team has some reasonably
good forensic evidence that this exploit may have been used in
combination with the Linux kernel brk vulnerability (see GLSA
200312-02) to exploit a rsync.gentoo.org rotation server (see
GLSA-200312-01.)

Please see http://lwn.net/Articles/61541/ for the security advisory
released by the rsync development team.

SOLUTION:

To address this vulnerability, all Gentoo users should:

  Read GLSA-200312-02 and ensure that all systems are upgraded to a
  version of the Linux kernel without the brk vulnerability

  Upgrade to version 2.5.7 of rsync. This can be done by typing:
  
  	emerge sync;
  	emerge >=net-misc/rsync-2.5.7

  Review your /etc/rsyncd.conf configuration file; ensure that the
  use chroot="no" command is commented out or removed, or change use
  chroot="no" to use chroot="yes". Then, if necessary, restart rsyncd
  by typing:
  
  	/etc/init.d/rsyncd restart

//end
(11056376) /Daniel Robbins <drobbins@gentoo.org>/(Ombruten)
Se även inlägg 11056413 /Mathias Wittlock (Vill ha mer prylar!)/ [*]
Bilaga (application/pgp-signature) i text 11056377
Kommentar i text 11056395 av Mathias Wittlock (Vill ha mer prylar!)
11056377 2003-12-04 13:13 -0700 /9 rader/ Daniel Robbins <drobbins@gentoo.org>
Bilagans filnamn: "signature.asc"
Importerad: 2003-12-04 21:26 av Brevbäraren
Extern mottagare: gentoo-announce@gentoo.org
Extern mottagare: bugtraq@securityfocus.com
Extern mottagare: lwn@lwn.net
Mottagare: Gentoo (-) mailimport <275>
Bilaga (application/pgp-signature) till text 11056376
Ärende: Bilaga (signature.asc) till: [gentoo-announce] GLSA: exploitable heap overflow in rsync (200312-03)
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQA/z5VbffezrJ9WV/IRAlL+AJ0Yje1U4dZyDSujuGOoyRNbZKoA6gCfTscF
rkZK6+eQLsOGGb9iGWG/s7c=
=tFWF
-----END PGP SIGNATURE-----
(11056377) /Daniel Robbins <drobbins@gentoo.org>/---