User: Password:
|
|
Subscribe / Log in / New account

Immunix alert IMNX-2003-73-001-01 (rsync)

From:  Immunix Security Team <security@immunix.com>
To:  lwn@lwn.net
Subject:  Immunix Secured OS 7.3, 7+ rsync update
Date:  Fri, 5 Dec 2003 16:24:34 -0800

[Outlook and Notes users, please ensure your Out Of Office messages are not sent in response to public mail lists. It is annoying. Thank you.] [Virus Scanner administrators: (a) GPG signatures are not an executable format; (b) as most virii forge From: and From_ headers, it makes no sense to rely on either header for error recovery purposes -- please configure your scanners to discard during the SMTP conversation instead. Thank you.] [TMDA users: Please whitelist public mail lists. Thank you.] ----------------------------------------------------------------------- Immunix Secured OS Security Advisory Packages updated: rsync Affected products: Immunix OS 7.3, 7+ Bugs fixed: CAN-2003-0962 Date: Fri Dec 5 2003 Advisory ID: IMNX-2003-73-001-01 Author: Seth Arnold <sarnold@immunix.com> ----------------------------------------------------------------------- Description: The rsync team has alerted us to a remotely exploitable heap overflow that is being actively exploited. As the overflow is on the heap, StackGuard offers no protection to this vulnerability. There are two methods this vulnerability could be exploited; the first is through a publicly visible rsync server, typically on TCP port 873. The second is through an ssh or rsh connection to the remote host. We would like to thank Timo Sirainen, Mike Warfield, Paul Russell, Andrea Barisani, Andrew Tridgell, and Martin Pool. References: http://samba.anu.edu.au/rsync/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0962 Immunix 7.3 users may use our up2date service to install fixed packages: you may run either "up2date" within X, and follow the directions, or run "up2date -u" to ensure your system is current. Package names and locations: Precompiled binary packages for Immunix 7.3 are available at: http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/rsync-2.5.4-2_imnx_2.i386.rpm Source packages for Immunix 7.3 are available at: http://download.immunix.org/ImmunixOS/7.3/Updates/SRPMS/rsync-2.5.4-2_imnx_2.src.rpm Precompiled binary packages for Immunix 7+ are available at: http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/rsync-2.5.2-2_imnx_1.i386.rpm Source packages for Immunix 7+ are available at: http://download.immunix.org/ImmunixOS/7+/Updates/SRPMS/rsync-2.5.2-2_imnx_1.src.rpm Immunix OS 7+ md5sums: b7d479e4bc02f2791b7346638d1ddff7 7+/Updates/RPMS/rsync-2.5.2-2_imnx_1.i386.rpm 7c2b5b94085aff4e24dbd4ba99e7f459 7+/Updates/SRPMS/rsync-2.5.2-2_imnx_1.src.rpm Immunix OS 7.3 md5sums: d30c6376229aed5adb0db859989bc53d 7.3/Updates/RPMS/rsync-2.5.4-2_imnx_2.i386.rpm a1a1bc710f98efd8a88127fb8904fa98 7.3/Updates/SRPMS/rsync-2.5.4-2_imnx_2.src.rpm GPG verification: Our public keys are available at http://download.immunix.org/GPG_KEY Immunix, Inc., has changed policy with GPG keys. We maintain several keys now: C53B2B53 for Immunix 7+ package signing, D3BA6C17 for Immunix 7.3 package signing, and 1B7456DA for general security issues. NOTE: Ibiblio is graciously mirroring our updates, so if the links above are slow, please try: ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/ or one of the many mirrors available at: http://www.ibiblio.org/pub/Linux/MIRRORS.html ImmunixOS 7+ will not be officially supported after March 1 2004. ImmunixOS 7.0 is no longer officially supported. ImmunixOS 6.2 is no longer officially supported. Contact information: To report vulnerabilities, please contact security@immunix.com. Immunix attempts to conform to the RFP vulnerability disclosure protocol http://www.wiretrip.net/rfp/policy.html.


(Log in to post comments)


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds