lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20030807064220.GA1868@wirex.com>
Date: Wed, 6 Aug 2003 23:42:20 -0700
From: Immunix Security Team <security@...unix.com>
To: security@...unix.com
Subject: Immunix Secured OS 7+ wu-ftpd update

[Please do not set your mail system to send out-of-office autoreplies on
public mail lists. It is inconsiderate. Whichever mail list you received
this mail from should include headers that you can use to select whether
vacation(1) or procmail(1) should respond. procmail users, please see
procmailex(5). Outlook users should contact their system administrators.
Mail administrators, please configure your virus scanners to not report
PGP/MIME attachments as a virus. It isn't. Thanks.]

-----------------------------------------------------------------------
	Immunix Secured OS Security Advisory

Packages updated:	wu-ftpd
Affected products:	Immunix OS 7+
Bugs fixed:		CAN-2003-0466
Date:			Wed Aug  6 2003
Advisory ID:		IMNX-2003-7+-019-01
Author:			Seth Arnold <sarnold@...unix.com>
-----------------------------------------------------------------------

Description:
  Janusz Niewiadomski has discovered an off-by-one vulnerability in
  wu-ftpd's fb_realpath function; this function is called with arguments
  occasionally on the stack and occasionally statically allocated.
  Therefore, StackGuard's protection should not be relied upon to
  prevent exploitation of this vulnerability, though it may mitigate a
  specific exploit, should one appear.

  It is beleived this flaw is remotely exploitable. It is not known at
  this time if the Immunix GLibC system library is vulnerable to a
  similar flaw.

  Immunix would like to thank Janusz for working with vendors to solve
  this issue in a timely manner.

Package names and locations:
  Precompiled binary packages for Immunix 7+ are available at:
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/wu-ftpd-2.6.1-6_imnx_8.i386.rpm

Immunix OS 7+ md5sums:
  d1811ef4c936fa80f59cd0ce916acfa8  wu-ftpd-2.6.1-6_imnx_8.i386.rpm


GPG verification:                                                               
  Our public key is available at http://download.immunix.org/GPG_KEY

NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

  ImmunixOS 6.2 is no longer officially supported.
  ImmunixOS 7.0 is no longer officially supported.

Contact information:
  To report vulnerabilities, please contact security@...unix.com.
  Immunix attempts to conform to the RFP vulnerability disclosure protocol
  http://www.wiretrip.net/rfp/policy.html.

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ