lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20031206002416.GD21486@wirex.com>
Date: Fri, 5 Dec 2003 16:24:16 -0800
From: Immunix Security Team <security@...unix.com>
To: bugtraq@...urityfocus.com
Subject: Immunix Secured OS 7.3, 7+ rsync update

[Outlook and Notes users, please ensure your Out Of Office messages are
not sent in response to public mail lists. It is annoying. Thank you.]

[Virus Scanner administrators: (a) GPG signatures are not an executable
format; (b) as most virii forge From: and From_ headers, it makes no
sense to rely on either header for error recovery purposes -- please
configure your scanners to discard during the SMTP conversation instead.
Thank you.]

[TMDA users: Please whitelist public mail lists. Thank you.]

-----------------------------------------------------------------------
	Immunix Secured OS Security Advisory

Packages updated:	rsync
Affected products:	Immunix OS 7.3, 7+
Bugs fixed:		CAN-2003-0962
Date:			Fri Dec  5 2003
Advisory ID:		IMNX-2003-73-001-01
Author:			Seth Arnold <sarnold@...unix.com>
-----------------------------------------------------------------------

Description:
  The rsync team has alerted us to a remotely exploitable heap overflow
  that is being actively exploited. As the overflow is on the heap,
  StackGuard offers no protection to this vulnerability.

  There are two methods this vulnerability could be exploited; the first
  is through a publicly visible rsync server, typically on TCP port 873.
  The second is through an ssh or rsh connection to the remote host.

  We would like to thank Timo Sirainen, Mike Warfield, Paul Russell,
  Andrea Barisani, Andrew Tridgell, and Martin Pool.

  References: http://samba.anu.edu.au/rsync/
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0962

  Immunix 7.3 users may use our up2date service to install fixed
  packages: you may run either "up2date" within X, and follow the
  directions, or run "up2date -u" to ensure your system is current.

Package names and locations:
  Precompiled binary packages for Immunix 7.3 are available at:
  http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/rsync-2.5.4-2_imnx_2.i386.rpm
  Source packages for Immunix 7.3 are available at:
  http://download.immunix.org/ImmunixOS/7.3/Updates/SRPMS/rsync-2.5.4-2_imnx_2.src.rpm

  Precompiled binary packages for Immunix 7+ are available at:
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/rsync-2.5.2-2_imnx_1.i386.rpm
  Source packages for Immunix 7+ are available at:
  http://download.immunix.org/ImmunixOS/7+/Updates/SRPMS/rsync-2.5.2-2_imnx_1.src.rpm

Immunix OS 7+ md5sums:
  b7d479e4bc02f2791b7346638d1ddff7  7+/Updates/RPMS/rsync-2.5.2-2_imnx_1.i386.rpm
  7c2b5b94085aff4e24dbd4ba99e7f459  7+/Updates/SRPMS/rsync-2.5.2-2_imnx_1.src.rpm

Immunix OS 7.3 md5sums:
  d30c6376229aed5adb0db859989bc53d  7.3/Updates/RPMS/rsync-2.5.4-2_imnx_2.i386.rpm
  a1a1bc710f98efd8a88127fb8904fa98  7.3/Updates/SRPMS/rsync-2.5.4-2_imnx_2.src.rpm


GPG verification:                                                               
  Our public keys are available at http://download.immunix.org/GPG_KEY
  Immunix, Inc., has changed policy with GPG keys. We maintain several
  keys now: C53B2B53 for Immunix 7+ package signing, D3BA6C17 for
  Immunix 7.3 package signing, and 1B7456DA for general security issues.


NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

  ImmunixOS 7+ will not be officially supported after March 1 2004.
  ImmunixOS 7.0 is no longer officially supported.
  ImmunixOS 6.2 is no longer officially supported.

Contact information:
  To report vulnerabilities, please contact security@...unix.com.
  Immunix attempts to conform to the RFP vulnerability disclosure protocol
  http://www.wiretrip.net/rfp/policy.html.

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ