7706278 2001-12-19 17:46 -0800  /90 lines/ Immunix Security Team <security@wirex.com>
Sent by: joel@lysator.liu.se
Imported: 2001-12-21  03:06  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: linsec@lists.seifried.org
External recipient: security-alerts@linuxsecurity.com
External recipient: immunix-announce@immunix.org
Recipient: Bugtraq (import) <20242>
Subject: Immunix OS 7.0 glibc update
------------------------------------------------------------
From: Immunix Security Team <security@wirex.com>
To: bugtraq@securityfocus.com, linsec@lists.seifried.org,
 security-alerts@linuxsecurity.com, immunix-announce@immunix.org
Message-ID: <20011219174653.G1091@wirex.com>

-----------------------------------------------------------------------
	Immunix OS Security Advisory

Packages updated:	glibc, nscd
Affected products:	Immunix OS 7.0
Bugs fixed:		immunix/1892, immunix/1893
Date:			Wed Dec 19 2001
Advisory ID:		IMNX-2001-70-037-01
Author:			Seth Arnold <sarnold@wirex.com>
-----------------------------------------------------------------------

Description:
  This update to glibc (and the associated name service cache daemon,
  nscd) fixes two security problems. The first is a race condition in
  the fts(3) routines that traverse directory structures, which allowed
  malicious users to cause other processes to 'break out of' the file
  hierarchy.  The second is in the glob(3) routine: a combination of a
  buffer overflow and an incorrectly free()d buffer.

  The fts(3) problem was discovered by Nick Cleaton. The glob(3)
  problem was discovered simultaneously by several people, including
  script0r, Flávio Veloso, and Jakub Jelinek. Tom Parker also
  discovered that the glob(3) problem is exploitable. Flávio Veloso
  and Jakub Jelinek helped fix the glob(3) problems, and it appears
  that Kris Kennaway, Todd Miller, and Ulrich Drepper are primarily
  responsible for the fts(3) fixes.

  We recommend all Immunix 7.0 users upgrade glibc and nscd with these
  packages.

  References:
  http://sources.redhat.com/ml/bug-glibc/2001-11/msg00109.html
  http://www.securityfocus.com/archive/1/245956
  http://lists.progeny.com/archive/progeny-security-announce/2001/msg00024.html

Package names and locations:
  Precompiled binary packages for Immunix 7.0 are available at:
  http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/glibc-2.2-12_imnx_12.i386.rpm
  http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/glibc-common-2.2-12_imnx_12.i386.rpm
  http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/glibc-devel-2.2-12_imnx_12.i386.rpm
  http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/glibc-profile-2.2-12_imnx_12.i386.rpm
  http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/nscd-2.2-12_imnx_12.i386.rpm

  Source package for Immunix 7.0 is available at:
  http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/glibc-2.2-12_imnx_12.src.rpm

Immunix OS 7.0 md5sums:
  2a05dcc3e3f58f426e628a5fed0fd2ac  RPMS/glibc-2.2-12_imnx_12.i386.rpm
  2d84dd833ceab77f00f452f7543a4b48  RPMS/glibc-common-2.2-12_imnx_12.i386.rpm
  43648b8c310bbb080745a6d8a1b35f7e  RPMS/glibc-devel-2.2-12_imnx_12.i386.rpm
  ee13dd6fc866d841bfa4d2755397e942  RPMS/glibc-profile-2.2-12_imnx_12.i386.rpm
  14822515526ef18387b3e3fdf4b2845a  RPMS/nscd-2.2-12_imnx_12.i386.rpm
  7e378043c28aeee30f8270663f5faf82  SRPMS/glibc-2.2-12_imnx_12.src.rpm


GPG verification:
  Our public key is available at <http://wirex.com/security/GPG_KEY>.
  *** NOTE *** This key is different from the one used in advisories
  IMNX-2001-70-020-01 and earlier.
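One way to check the downloaded packages against the md5sums listed above before installing them. This is an added example, not part of the advisory; the script name verify-imnx-037.sh and the download-directory argument are assumptions.

```sh
#!/bin/sh
# Check downloaded Immunix 7.0 update packages against the md5sums in
# IMNX-2001-70-037-01 before installing.  MANIFEST is copied from the
# advisory; DIR must mirror its RPMS/ and SRPMS/ layout.  The sums are
# only as trustworthy as the advisory's GPG signature: verify that first.

MANIFEST='2a05dcc3e3f58f426e628a5fed0fd2ac  RPMS/glibc-2.2-12_imnx_12.i386.rpm
2d84dd833ceab77f00f452f7543a4b48  RPMS/glibc-common-2.2-12_imnx_12.i386.rpm
43648b8c310bbb080745a6d8a1b35f7e  RPMS/glibc-devel-2.2-12_imnx_12.i386.rpm
ee13dd6fc866d841bfa4d2755397e942  RPMS/glibc-profile-2.2-12_imnx_12.i386.rpm
14822515526ef18387b3e3fdf4b2845a  RPMS/nscd-2.2-12_imnx_12.i386.rpm
7e378043c28aeee30f8270663f5faf82  SRPMS/glibc-2.2-12_imnx_12.src.rpm'

# md5_of FILE: print the hex MD5 digest of FILE (GNU md5sum or BSD md5).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_manifest MANIFEST DIR: compare each "digest  path" line with
# DIR/path; returns 0 only if every file is present and matches (a
# partial download must not pass).  Here-doc, not a pipe, so failed survives.
verify_manifest() {
    manifest=$1; dir=$2; failed=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING  $path"; failed=$((failed + 1)); continue
        fi
        actual=$(md5_of "$dir/$path")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (got $actual, expected $expected)"
            failed=$((failed + 1))
        fi
    done <<EOF
$manifest
EOF
    return "$failed"
}

# Usage: sh verify-imnx-037.sh /path/to/downloads (no args: define only)
if [ "$#" -gt 0 ]; then
    verify_manifest "$MANIFEST" "$1" && echo "all packages verified" || echo "DO NOT INSTALL"
fi
```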

Online version of all Immunix 6.2 updates and advisories:
  http://immunix.org/ImmunixOS/6.2/updates/

Online version of all Immunix 7.0-beta updates and advisories:
  http://immunix.org/ImmunixOS/7.0-beta/updates/

Online version of all Immunix 7.0 updates and advisories:
  http://immunix.org/ImmunixOS/7.0/updates/

NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

  ImmunixOS 6.2 is no longer officially supported.

Contact information:
  To report vulnerabilities, please contact security@wirex.com. WireX
  attempts to conform to the RFP vulnerability disclosure protocol
  <http://www.wiretrip.net/rfp/policy.html>.
(7706278) /Immunix Security Team <security@wirex.com>/(Reflowed)
Attachment (application/pgp-signature) in text 7706279
7706279 2001-12-19 17:46 -0800  /10 lines/ Immunix Security Team <security@wirex.com>
Imported: 2001-12-21  03:06  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: linsec@lists.seifried.org
External recipient: security-alerts@linuxsecurity.com
External recipient: immunix-announce@immunix.org
Recipient: Bugtraq (import) <20243>
Attachment (text/plain) to text 7706278
Subject: Attachment to: Immunix OS 7.0 glibc update
------------------------------------------------------------
(7706279) /Immunix Security Team <security@wirex.com>/