-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ultramagnetic Advisory #001: January 26th, 2004
http://ultramagnetic.sourceforge.net/advisories/001.html

Severity: 9 (High)
Document Revision: 1.0

Overview

Ultramagnetic is a concurrent fork of the Gaim instant messaging
software which adds strong end-to-end encryption and authentication
using GnuPG's libgcrypt and anonymous routing with Hacktivismo's
Six/Four protocol.

Multiple buffer overflow vulnerabilities have been found in the code
forked from Gaim. Full details are available at this URL:

  http://security.e-matters.de/advisories/012004.html

Note that these vulnerabilities DO NOT compromise the integrity of the
encryption or authentication.

Affected Versions

All versions prior to Ultramagnetic v0.81 are affected by
CAN-2004-0006, CAN-2004-0007, CAN-2004-0008:

  v0.01 Preview Alpha 1
  v0.02 Preview Alpha 2
  v0.03 Preview Alpha 3
  v0.10 Beta
  v0.20 Beta
  v0.40 Beta
  v0.50 Beta
  v0.55 Beta
  v0.60 Beta
  v0.65 Beta
  v0.70 Beta
  v0.80 Beta

None of the versions mentioned above are vulnerable to CAN-2004-0005.

Solution

All users are strongly encouraged to upgrade to Ultramagnetic v0.81
(or later):

  Source bz2:
    http://prdownloads.sourceforge.net/ultramagnetic/ultramagnetic-0.81.tar.bz2?download
    http://prdownloads.sourceforge.net/ultramagnetic/ultramagnetic-0.81.tar.bz2.sig?download

  Linux x86 RPM:
    http://prdownloads.sourceforge.net/ultramagnetic/ultramagnetic-0.81-1.i386.rpm?download
    http://prdownloads.sourceforge.net/ultramagnetic/ultramagnetic-0.81-1.i386.rpm.sig?download

References

  * E-matters: 12 x Gaim remote overflows:
    http://security.e-matters.de/advisories/012004.html
  * CVE: CAN-2004-0006
  * CVE: CAN-2004-0007
  * CVE: CAN-2004-0008

- --
low halo
Defender of Truth and Liberty
http://ultramagnetic.sourceforge.net/
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AFB17F6
9AB1 FF04 016F 89A3 5B4E A585 BDBB 5FBE 3AFB 17F6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAFX7Mvbtfvjr7F/YRAnKoAJ43FwGrkJVPnipLlHkrSL+mh1dPUQCfSmNq
GzQkzArZc9N9TJVYspHBvKo=
=ztmn
-----END PGP SIGNATURE-----
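
The .sig files listed under Solution are detached signatures. One way to check a download against the fingerprint printed in the signature footer, as an added example that is not part of the original advisory or the project's code: it assumes the releases were signed with the advisory signer's key (the advisory does not say so), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: accept a release only if gpg reports a valid signature
# made by the key whose fingerprint is printed in the advisory.
# ASSUMPTION: release .sig files were made with the advisory signer's key.
PINNED_FPR="9AB1FF04016F89A35B4EA585BDBB5FBE3AFB17F6"  # advisory value, spaces removed

# Read `gpg --status-fd` output on stdin. Succeed only if a VALIDSIG line
# names the pinned fingerprint (as signing key, field 3, or as primary key,
# last field) and no BADSIG / ERRSIG / REVKEYSIG line appears.
check_status() {
    awk -v want="$PINNED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_release FILE.sig FILE
# The signer's public key must already be in the local keyring. Matching on
# the full fingerprint avoids trusting a key that merely shares the short
# key ID shown in the keyserver URL.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status
}

# Stand-alone use: sh verify.sh ultramagnetic-0.81.tar.bz2.sig ultramagnetic-0.81.tar.bz2
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "OK: signed by pinned key"
    else
        echo "FAIL: no valid signature from pinned key" >&2
        exit 1
    fi
fi
```

A plain `gpg --verify` reports a good signature from any key in the keyring; the fingerprint comparison is what ties the file to the key named here.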