Date: Wed, 30 May 2001 16:38:18 -0700
From: Immunix Security Team <[email protected]>
To: [email protected]Subject: Immunix OS Security update for man
--UoPmpPX/dBe4BELn
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
-----------------------------------------------------------------------
Immunix OS Security Advisory
Packages updated: man, mktemp (Immunix OS 6.2 only)
Affected products: Immunix OS 6.2, 7.0-beta, and 7.0
Bugs fixed: immunix/1609, immunix/1610
Date: May 30, 2001
Advisory ID: IMNX-2001-70-021-01
Author: Steve Beattie <[email protected]>
-----------------------------------------------------------------------
Description:=20
Tim Robbins and zenith parsec found a buffer overflow in
the version of man included in all versions of Immunix OS. See
http://marc.theaimsgroup.com/?l=3Dlinux-security-audit&m=3D971352915224=
62&w=3D2
and http://www.securityfocus.com/archive/1/184534. Because this
buffer overflow does not occur on the stack, StackGuard does not
prevent this from being exploited.
Immunix OS 6.2 users should note that they need to apply the mktemp
update as well. The updated mktemp package provides the "-d"
parameter to safely create temporary directories.
Package names and locations:
Precompiled binary packages for Immunix 6.2 are available at:
http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/man-1.5i-0.6x.1_=
StackGuard.i386.rpm
http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/mktemp-1.5-2.1.6=
x_StackGuard.i386.rpm
Source packages for Immunix 6.2 are available at:
http://download.immunix.org/ImmunixOS/6.2/updates/SRPMS/man-1.5i-0.6x.1=
_StackGuard.src.rpm
http://download.immunix.org/ImmunixOS/6.2/updates/SRPMS/mktemp-1.5-2.1.=
6x_StackGuard.src.rpm
Precompiled binary package for Immunix 7.0-beta and 7.0 is available at:
http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/man-1.5i-4_imnx.=
i386.rpm
Source package for Immunix 7.0-beta and 7.0 is available at:
http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/man-1.5i-4_imnx=
.src.rpm
md5sums of the packages:
b2ed443a2dab767c66e3b0d94a767fad RPMS/man-1.5i-0.6x.1_StackGuard.i386.rpm
6503f8ae90b9a83755706da5234673d5 RPMS/mktemp-1.5-2.1.6x_StackGuard.i386.=
rpm
64dfb48daae15d5143b1c24f076cdddd SRPMS/man-1.5i-0.6x.1_StackGuard.src.rpm
3e5ee1a9a956a1c9e012c7220d1f2cea SRPMS/mktemp-1.5-2.1.6x_StackGuard.src.=
rpm
a7d9953587bfefbddb712adb4d209d0c RPMS/man-1.5i-4_imnx.i386.rpm
204ad8f23b33c4adf744aa1afa90c5bd SRPMS/man-1.5i-4_imnx.src.rpm
GPG verification:
Our public key is available at <http://wirex.com/security/GPG_KEY>;.
*** NOTE *** This key is different from the one used in advisories
IMNX-2001-70-020-01 and earlier.
Online version of all Immunix 6.2 updates and advisories:
http://immunix.org/ImmunixOS/6.2/updates/
Online version of all Immunix 7.0-beta updates and advisories:
http://immunix.org/ImmunixOS/7.0-beta/updates/
Online version of all Immunix 7.0 updates and advisories:
http://immunix.org/ImmunixOS/7.0/updates/
NOTE:
Ibiblio is graciously mirroring our updates, so if the links above are
slow, please try:
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
or one of the many mirrors available at:
http://www.ibiblio.org/pub/Linux/MIRRORS.html
Contact information:=20
To report vulnerabilities, please contact [email protected]. WireX
attempts to conform to the RFP vulnerabilty disclosure protocol
<http://www.wiretrip.net/rfp/policy.html>;.
--UoPmpPX/dBe4BELn
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAjsVhGgACgkQVQcWL60UVMuY+ACgjDx0FzhOwA4yTqpDJ1HLhODy
zIoAn1AKY/6Ro/pI3PH9Qi1un7YF7VaA
=aJfx
-----END PGP SIGNATURE-----
--UoPmpPX/dBe4BELn--
