From: "Kurt Seifried" <seifried@securityportal.com>
To: "linsec" <linux-security@lists.securityportal.com>
Subject: [linsec] Immunix OS Security update for kerberos
Date: Wed, 30 May 2001 18:26:28 -0600

Kurt Seifried, seifried@securityportal.com
PGP Key ID: 0xAD56E574
Fingerprint: A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.securityportal.com/

----- Original Message -----
From: "Immunix Security Team" <security@wirex.com>
To: <linuxlist@securityportal.com>
Sent: Wednesday, May 30, 2001 5:44 PM
Subject: Immunix OS Security update for kerberos

-----------------------------------------------------------------------
        Immunix OS Security Advisory

Packages updated:       kerberos
Affected products:      Immunix OS 6.2, 7.0-beta, and 7.0
Bugs fixed:             immunix/1608
Date:                   May 30, 2001
Advisory ID:            IMNX-2001-70-022-01
Author:                 Steve Beattie <steve@wirex.com>
-----------------------------------------------------------------------

Description:
  Mario Lorenz discovered a possible buffer overflow in the kerberos
  gssapi-aware ftpd in the krb5-workstation package that is included in
  all versions of Immunix OS. It is believed at this time that StackGuard
  prevents the exploitation of this vulnerability; however, in the
  absence of an exploit to test against, we recommend that all users of
  the kerberos packages update their installation.

Package names and locations:
  Precompiled binary packages for Immunix 6.2 are available at:
    http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/krb5-configs-1.1.1-27_StackGuard.i386.rpm
    http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/krb5-devel-1.1.1-27_StackGuard.i386.rpm
    http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/krb5-libs-1.1.1-27_StackGuard.i386.rpm
    http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/krb5-server-1.1.1-27_StackGuard.i386.rpm
    http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/krb5-workstation-1.1.1-27_StackGuard.i386.rpm

  Source package for Immunix 6.2 is available at:
    http://download.immunix.org/ImmunixOS/6.2/updates/SRPMS/krb5-1.1.1-27_StackGuard.src.rpm

  Precompiled binary packages for Immunix 7.0-beta and 7.0 are available at:
    http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/krb5-devel-1.2.2-5_imnx.i386.rpm
    http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/krb5-libs-1.2.2-5_imnx.i386.rpm
    http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/krb5-server-1.2.2-5_imnx.i386.rpm
    http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/krb5-workstation-1.2.2-5_imnx.i386.rpm

  Source package for Immunix 7.0-beta and 7.0 is available at:
    http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/krb5-1.2.2-5_imnx.src.rpm

md5sums of the packages:

GPG verification:
  Our public key is available at <http://wirex.com/security/GPG_KEY>.
  *** NOTE *** This key is different from the one used in advisories
  IMNX-2001-70-020-01 and earlier.

Online version of all Immunix 6.2 updates and advisories:
  http://immunix.org/ImmunixOS/6.2/updates/

Online version of all Immunix 7.0-beta updates and advisories:
  http://immunix.org/ImmunixOS/7.0-beta/updates/

Online version of all Immunix 7.0 updates and advisories:
  http://immunix.org/ImmunixOS/7.0/updates/

NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

Contact information:
  To report vulnerabilities, please contact security@wirex.com. WireX
  attempts to conform to the RFP vulnerability disclosure protocol
  <http://www.wiretrip.net/rfp/policy.html>.