11070613 2003-12-05 16:24 -0800 /89 lines/ Immunix Security Team <security@immunix.com>
Imported: 2003-12-08 17:53 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <30224>
Subject: Immunix Secured OS 7.3, 7+ rsync update
------------------------------------------------------------
From: Immunix Security Team <security@immunix.com>
To: bugtraq@securityfocus.com
Message-ID: <20031206002416.GD21486@wirex.com>
[Outlook and Notes users, please ensure your Out Of Office messages
are not sent in response to public mail lists. It is annoying. Thank
you.]
[Virus Scanner administrators: (a) GPG signatures are not an
executable format; (b) as most virii forge From: and From_ headers,
it makes no sense to rely on either header for error recovery
purposes -- please configure your scanners to discard during the SMTP
conversation instead. Thank you.]
[TMDA users: Please whitelist public mail lists. Thank you.]
-----------------------------------------------------------------------
Immunix Secured OS Security Advisory
Packages updated: rsync
Affected products: Immunix OS 7.3, 7+
Bugs fixed: CAN-2003-0962
Date: Fri Dec 5 2003
Advisory ID: IMNX-2003-73-001-01
Author: Seth Arnold <sarnold@immunix.com>
-----------------------------------------------------------------------
Description:
The rsync team has alerted us to a remotely exploitable heap overflow in
rsync that is being actively exploited. Because the overflow is on the
heap rather than the stack, StackGuard's return-address canaries offer no
protection against this vulnerability.
The overflow is in rsync's server mode, so there are two ways to reach
it: the first is a publicly reachable rsync daemon, which typically
listens on TCP port 873; the second is rsync started on the remote host
over an ssh or rsh connection.
We would like to thank Timo Sirainen, Mike Warfield, Paul Russell,
Andrea Barisani, Andrew Tridgell, and Martin Pool.
References: http://samba.anu.edu.au/rsync/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0962
Immunix 7.3 users may use our up2date service to install the fixed
packages: either run "up2date" within X and follow the directions, or
run "up2date -u" to bring the system current.
Package names and locations:
Precompiled binary packages for Immunix 7.3 are available at:
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/rsync-2.5.4-2_imnx_2.i386.rpm
Source packages for Immunix 7.3 are available at:
http://download.immunix.org/ImmunixOS/7.3/Updates/SRPMS/rsync-2.5.4-2_imnx_2.src.rpm
Precompiled binary packages for Immunix 7+ are available at:
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/rsync-2.5.2-2_imnx_1.i386.rpm
Source packages for Immunix 7+ are available at:
http://download.immunix.org/ImmunixOS/7+/Updates/SRPMS/rsync-2.5.2-2_imnx_1.src.rpm
Immunix OS 7+ md5sums:
b7d479e4bc02f2791b7346638d1ddff7 7+/Updates/RPMS/rsync-2.5.2-2_imnx_1.i386.rpm
7c2b5b94085aff4e24dbd4ba99e7f459 7+/Updates/SRPMS/rsync-2.5.2-2_imnx_1.src.rpm
Immunix OS 7.3 md5sums:
d30c6376229aed5adb0db859989bc53d 7.3/Updates/RPMS/rsync-2.5.4-2_imnx_2.i386.rpm
a1a1bc710f98efd8a88127fb8904fa98 7.3/Updates/SRPMS/rsync-2.5.4-2_imnx_2.src.rpm
GPG verification:
Our public keys are available at http://download.immunix.org/GPG_KEY
Immunix, Inc. has changed its GPG key policy. We now maintain several
keys: C53B2B53 for Immunix 7+ package signing, D3BA6C17 for
Immunix 7.3 package signing, and 1B7456DA for general security issues.
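The md5sums and signing-key IDs above are meant to be checked before the
packages go on a box. The script below is an added example and is not code
from the Immunix advisory or the rsync project: it verifies each downloaded
package against a list kept in the advisory's "hash  relative/path" layout
and then asks rpm to check the package signature. The mirror root directory,
the list file, the file name verify-updates.sh and the two helper names are
assumptions for illustration.

```sh
#!/bin/sh
# Added example, not code from the Immunix advisory or the rsync project:
# verify downloaded update packages against a published md5sum list, then
# have rpm check each package's GPG signature before installing.
#
# Assumptions (for illustration, not stated by the advisory):
#   ROOT     - a local directory that mirrors the "7.3/Updates/RPMS/..." and
#              "7+/Updates/SRPMS/..." paths used in the advisory's md5sum lines
#   LISTFILE - a file holding those md5sum lines verbatim, "hash  relative/path",
#              the same layout md5sum -c reads
#   the Immunix keys from http://download.immunix.org/GPG_KEY were already
#   imported into rpm's keyring (rpm --import GPG_KEY)

# verify_md5_list ROOT LISTFILE
# Checks every file named in LISTFILE against its published md5sum and
# reports all problems. Returns 0 only when every file is present and
# matches; a missing or altered package makes it return 1.
verify_md5_list() {
    root=$1
    list=$2
    status=0
    while read -r expected relpath; do
        # Ignore blank lines; refuse anything that is not a 32-hex-digit md5sum.
        case $expected in
            '') continue ;;
            *[!0-9a-f]*) echo "SKIP     not an md5sum: $expected" >&2; continue ;;
        esac
        if [ "${#expected}" -ne 32 ]; then
            echo "SKIP     wrong hash length: $expected" >&2
            continue
        fi
        file="$root/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath" >&2
            status=1
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $relpath"
        else
            echo "MISMATCH $relpath: got $actual, expected $expected" >&2
            status=1
        fi
    done < "$list"
    return "$status"
}

# check_rpm_sig PACKAGE
# Runs rpm --checksig on one package. Returns 2 rather than 1 when rpm is
# not installed, so a caller can tell "skipped" from "signature failed".
check_rpm_sig() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not installed; signature check skipped for $1" >&2
        return 2
    fi
    rpm --checksig "$1"
}

# Command-line use (hypothetical file name): sh verify-updates.sh ROOT LISTFILE
if [ "$#" -eq 2 ]; then
    verify_md5_list "$1" "$2" || exit 1
    # Only packages that passed the checksum test reach the signature check.
    while read -r _hash relpath; do
        if [ -n "$relpath" ]; then
            rc=0
            check_rpm_sig "$1/$relpath" || rc=$?
            if [ "$rc" -eq 1 ]; then exit 1; fi   # 2 means skipped, not failed
        fi
    done < "$2"
fi
```

The checksum loop does what `(cd ROOT && md5sum -c LISTFILE)` does, but it
rejects malformed lines and keeps going after the first failure so every bad
file is reported. The sums catch a corrupt or partial download, and a
tampered mirror, only if the list itself is trustworthy: this advisory
arrives with a detached PGP signature (text 11070614 below) whose signature
packet carries key ID 1B7456DA, the general security key listed above, so
verify the mail first. `rpm --checksig` is the stronger check, since it ties
each package to the C53B2B53 (7+) or D3BA6C17 (7.3) signing key; MD5 is no
longer collision resistant, so treat the sums as a transport check rather
than as authentication.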
NOTE:
Ibiblio is graciously mirroring our updates, so if the links above are
slow, please try:
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
or one of the many mirrors available at:
http://www.ibiblio.org/pub/Linux/MIRRORS.html
ImmunixOS 7+ will not be officially supported after March 1 2004.
ImmunixOS 7.0 is no longer officially supported.
ImmunixOS 6.2 is no longer officially supported.
Contact information:
To report vulnerabilities, please contact security@immunix.com.
Immunix attempts to conform to the RFP vulnerability disclosure protocol
http://www.wiretrip.net/rfp/policy.html.
(11070613) /Immunix Security Team <security@immunix.com>/(Re-wrapped)
Attachment (application/pgp-signature) in text 11070614
11070614 2003-12-05 16:24 -0800 /9 lines/ Immunix Security Team <security@immunix.com>
Imported: 2003-12-08 17:53 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <30225>
Attachment (application/pgp-signature) to text 11070613
Subject: Attachment to: Immunix Secured OS 7.3, 7+ rsync update
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE/0SGwn5I6Lxt0VtoRAvX3AJsFLQEdYA8jgGinZVbgSE+i4hr3ewCeNrDR
em3hnD+Ayk0KaIQ55oIscnQ=
=X7MI
-----END PGP SIGNATURE-----
(11070614) /Immunix Security Team <security@immunix.com>/