From: Crispin Cowan <crispin@wirex.com>
Subject: Immunix OS Security Advisory Procedures
Date: Wed, 30 May 2001 16:51:32 -0700

WireX will shortly be releasing some new security advisories. However,
we are changing our security announcement procedures. Henceforth,
advisories will be sent from "security@wirex.com", and updates will be
signed with WireX's new corporate GPG key:

pub  1024D/AD1454CB 2001-05-24 WireX Communications, Inc. <security@wirex.com>
     Key fingerprint = 8E4B 16B8 6D72 E044 1204 E502 5507 162F AD14 54CB

The full key can be found here http://www.wirex.com/security/GPG_KEY

Crispin

P.S. My apologies for the many copies of the FormatGuard announcement
you may have received. That was an unforeseen consequence of my
cross-posting the announcement to separate moderated mailing lists.
Never do that :-)

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com//Products/Immunix/purchase.html

From: Immunix Security Team <security@wirex.com>
Subject: Immunix OS Security update for man
Date: Wed, 30 May 2001 16:38:18 -0700

-----------------------------------------------------------------------
        Immunix OS Security Advisory

Packages updated:   man, mktemp (Immunix OS 6.2 only)
Affected products:  Immunix OS 6.2, 7.0-beta, and 7.0
Bugs fixed:         immunix/1609, immunix/1610
Date:               May 30, 2001
Advisory ID:        IMNX-2001-70-021-01
Author:             Steve Beattie <steve@wirex.com>
-----------------------------------------------------------------------

Description:
  Tim Robbins and zenith parsec found a buffer overflow in the version
  of man included in all versions of Immunix OS. See
  http://marc.theaimsgroup.com/?l=linux-security-audit&m=97135291522462&w=2
  and http://www.securityfocus.com/archive/1/184534.

  Because this buffer overflow does not occur on the stack, StackGuard
  does not prevent this from being exploited.

  Immunix OS 6.2 users should note that they need to apply the mktemp
  update as well. The updated mktemp package provides the "-d"
  parameter to safely create temporary directories.

Package names and locations:
  Precompiled binary packages for Immunix 6.2 are available at:
    http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/man-1.5i-0.6x.1_StackGuard.i386.rpm
    http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/mktemp-1.5-2.1.6x_StackGuard.i386.rpm

  Source packages for Immunix 6.2 are available at:
    http://download.immunix.org/ImmunixOS/6.2/updates/SRPMS/man-1.5i-0.6x.1_StackGuard.src.rpm
    http://download.immunix.org/ImmunixOS/6.2/updates/SRPMS/mktemp-1.5-2.1.6x_StackGuard.src.rpm

  Precompiled binary package for Immunix 7.0-beta and 7.0 is available at:
    http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/man-1.5i-4_imnx.i386.rpm

  Source package for Immunix 7.0-beta and 7.0 is available at:
    http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/man-1.5i-4_imnx.src.rpm

md5sums of the packages:
  b2ed443a2dab767c66e3b0d94a767fad  RPMS/man-1.5i-0.6x.1_StackGuard.i386.rpm
  6503f8ae90b9a83755706da5234673d5  RPMS/mktemp-1.5-2.1.6x_StackGuard.i386.rpm
  64dfb48daae15d5143b1c24f076cdddd  SRPMS/man-1.5i-0.6x.1_StackGuard.src.rpm
  3e5ee1a9a956a1c9e012c7220d1f2cea  SRPMS/mktemp-1.5-2.1.6x_StackGuard.src.rpm
  a7d9953587bfefbddb712adb4d209d0c  RPMS/man-1.5i-4_imnx.i386.rpm
  204ad8f23b33c4adf744aa1afa90c5bd  SRPMS/man-1.5i-4_imnx.src.rpm

GPG verification:
  Our public key is available at .
  *** NOTE *** This key is different from the one used in advisories
  IMNX-2001-70-020-01 and earlier.

Online version of all Immunix 6.2 updates and advisories:
  http://immunix.org/ImmunixOS/6.2/updates/

Online version of all Immunix 7.0-beta updates and advisories:
  http://immunix.org/ImmunixOS/7.0-beta/updates/

Online version of all Immunix 7.0 updates and advisories:
  http://immunix.org/ImmunixOS/7.0/updates/

NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

Contact information:
  To report vulnerabilities, please contact security@wirex.com. WireX
  attempts to conform to the RFP vulnerability disclosure protocol .

From: Immunix Security Team <security@wirex.com>
Subject: Immunix OS Security update for kerberos
Date: Wed, 30 May 2001 16:44:32 -0700

-----------------------------------------------------------------------
        Immunix OS Security Advisory

Packages updated:   kerberos
Affected products:  Immunix OS 6.2, 7.0-beta, and 7.0
Bugs fixed:         immunix/1608
Date:               May 30, 2001
Advisory ID:        IMNX-2001-70-022-01
Author:             Steve Beattie <steve@wirex.com>
-----------------------------------------------------------------------

Description:
  Mario Lorenz discovered a possible buffer overflow in the kerberos
  gssapi-aware ftpd in the krb5-workstation package that is included in
  all versions of Immunix OS.

  It is believed at this time that StackGuard prevents the exploitation
  of this vulnerability; however, in the absence of an exploit to test
  against, we recommend that all users of the kerberos packages update
  their installation.

Package names and locations:
  Precompiled binary packages for Immunix 6.2 are available at:
    http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/krb5-configs-1.1.1-27_StackGuard.i386.rpm
    http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/krb5-devel-1.1.1-27_StackGuard.i386.rpm
    http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/krb5-libs-1.1.1-27_StackGuard.i386.rpm
    http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/krb5-server-1.1.1-27_StackGuard.i386.rpm
    http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/krb5-workstation-1.1.1-27_StackGuard.i386.rpm

  Source package for Immunix 6.2 is available at:
    http://download.immunix.org/ImmunixOS/6.2/updates/SRPMS/krb5-1.1.1-27_StackGuard.src.rpm

  Precompiled binary packages for Immunix 7.0-beta and 7.0 are available at:
    http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/krb5-devel-1.2.2-5_imnx.i386.rpm
    http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/krb5-libs-1.2.2-5_imnx.i386.rpm
    http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/krb5-server-1.2.2-5_imnx.i386.rpm
    http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/krb5-workstation-1.2.2-5_imnx.i386.rpm

  Source package for Immunix 7.0-beta and 7.0 is available at:
    http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/krb5-1.2.2-5_imnx.src.rpm

md5sums of the packages:
  5a80bb7ae841d639f07d7ecc3c124abe  RPMS/krb5-configs-1.1.1-27_StackGuard.i386.rpm
  7831c1c54c3b85e056630499f9bb2862  RPMS/krb5-devel-1.1.1-27_StackGuard.i386.rpm
  f356fc7d91019677ca8b86d206ed28e7  RPMS/krb5-libs-1.1.1-27_StackGuard.i386.rpm
  28d9a8ba22faca300cdaf19ef3cc3448  RPMS/krb5-server-1.1.1-27_StackGuard.i386.rpm
  a5c4ab4fa7ecc266e8cee8501bc82a98  RPMS/krb5-workstation-1.1.1-27_StackGuard.i386.rpm
  08c2ab7b98b4316024adf7ea1dd646de  SRPMS/krb5-1.1.1-27_StackGuard.src.rpm
  fef3bf7dd342623807c2e9fb97c8ae30  RPMS/krb5-devel-1.2.2-5_imnx.i386.rpm
  0b9e6ee3220f178af40d75035037f936  RPMS/krb5-libs-1.2.2-5_imnx.i386.rpm
  1d389553d0d5228cc9399da39439e36e  RPMS/krb5-server-1.2.2-5_imnx.i386.rpm
  72039c3984c4ecfb2d9d46cfe227703b  RPMS/krb5-workstation-1.2.2-5_imnx.i386.rpm
  76360a0760506443d0ca8689f6246720  SRPMS/krb5-1.2.2-5_imnx.src.rpm

GPG verification:
  Our public key is available at .
  *** NOTE *** This key is different from the one used in advisories
  IMNX-2001-70-020-01 and earlier.

Online version of all Immunix 6.2 updates and advisories:
  http://immunix.org/ImmunixOS/6.2/updates/

Online version of all Immunix 7.0-beta updates and advisories:
  http://immunix.org/ImmunixOS/7.0-beta/updates/

Online version of all Immunix 7.0 updates and advisories:
  http://immunix.org/ImmunixOS/7.0/updates/

NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

Contact information:
  To report vulnerabilities, please contact security@wirex.com. WireX
  attempts to conform to the RFP vulnerability disclosure protocol .

From: Immunix Security Team <security@wirex.com>
Subject: Immunix OS Security update for GnuPG
Date: Wed, 30 May 2001 16:52:59 -0700

-----------------------------------------------------------------------
        Immunix OS Security Advisory

Packages updated:   gnupg
Affected products:  Immunix OS 6.2, 7.0-beta, and 7.0
Bugs fixed:         immunix/1611
Date:               May 30, 2001
Advisory ID:        IMNX-2001-70-023-01
Author:             Steve Beattie <steve@wirex.com>
Obsoletes:          IMNX-2001-70-018-01
-----------------------------------------------------------------------

Description:
  fish stiqz of Synnergy Networks recently discovered a format flaw in
  the version of GnuPG included in all versions of Immunix OS. Please
  see http://www.securityfocus.com/archive/1/187352 for more
  information. Because the flaw occurs in a call to the gnupg internal
  function tty_printf, FormatGuard does not protect against this
  vulnerability.

  A new version of GnuPG, 1.0.6, has been released to fix this problem.
  All Immunix OS users are encouraged to upgrade to this latest version.

Package names and locations:
  Precompiled binary packages for Immunix 6.2 are available at:
    http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/gnupg-1.0.6-2_StackGuard.i386

  Source packages for Immunix 6.2 are available at:
    http://download.immunix.org/ImmunixOS/6.2/updates/SRPMS/gnupg-1.0.6-2_StackGuard.src

  Precompiled binary packages for Immunix 7.0-beta and 7.0 are available at:
    http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/gnupg-1.0.6-2_imnx.i386.rpm

  Source package for Immunix 7.0-beta and 7.0 is available at:
    http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/gnupg-1.0.6-2_imnx.src.rpm

md5sums of the packages:
  9bc5c1cba1400a2e9f613115c0da92f3  RPMS/gnupg-1.0.6-2_StackGuard.i386.rpm
  8fcd9b378857badf918458e244660a2b  SRPMS/gnupg-1.0.6-2_StackGuard.src.rpm
  d4287ebc816e721bf8c31705ba2e8c4b  RPMS/gnupg-1.0.6-2_imnx.i386.rpm
  1649ce1f3e569c4cee66c202d1f359e6  SRPMS/gnupg-1.0.6-2_imnx.src.rpm

GPG verification:
  Our public key is available at .
  *** NOTE *** This key is different from the one used in advisories
  IMNX-2001-70-020-01 and earlier.

Online version of all Immunix 6.2 updates and advisories:
  http://immunix.org/ImmunixOS/6.2/updates/

Online version of all Immunix 7.0-beta updates and advisories:
  http://immunix.org/ImmunixOS/7.0-beta/updates/

Online version of all Immunix 7.0 updates and advisories:
  http://immunix.org/ImmunixOS/7.0/updates/

NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

Contact information:
  To report vulnerabilities, please contact security@wirex.com. WireX
  attempts to conform to the RFP vulnerability disclosure protocol .

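The GnuPG advisory above attributes the flaw to a call through an application-internal printf-style function. The following is an added example, not part of the original messages and not GnuPG's code, showing that bug class in a project's own variadic wrapper next to the corrected call; ui_printf, show_name_unsafe, show_name_safe and count_directives are hypothetical names, and the sample file name is constructed.

```c
#include <stdarg.h>
#include <stdio.h>

/* Hypothetical project-internal printf-style wrapper. The format attribute
 * lets GCC/Clang check callers, so -Wformat-security flags a non-literal fmt. */
__attribute__((format(printf, 3, 4)))
int ui_printf(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);   /* directives in fmt consume ap */
    va_end(ap);
    return r;
}

/* BEFORE: untrusted text is used as the format string. Any '%' directive in
 * it makes vsnprintf read variadic arguments that were never passed. */
int show_name_unsafe(char *out, size_t n, const char *untrusted)
{
    return ui_printf(out, n, untrusted);
}

/* AFTER: constant format; the untrusted text is only ever data. */
int show_name_safe(char *out, size_t n, const char *untrusted)
{
    return ui_printf(out, n, "%s", untrusted);
}

/* Audit helper: number of conversion directives in s ("%%" is a literal). */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') s++; else count++;
    }
    return count;
}

int main(void)
{
    char buf[64];
    const char *name = "report-%d-%s.txt";   /* constructed sample input */
    show_name_safe(buf, sizeof buf, name);
    printf("directives=%d safe=\"%s\"\n", count_directives(name), buf);
    return 0;
}
```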