OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Immunix Security Team (securitywirex.com)
Date: Fri Aug 24 2001 - 19:25:34 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----------------------------------------------------------------------
            Immunix OS Security Advisory

    Packages updated: sendmail
    Affected products: Immunix OS 7.0
    Bugs fixed: immunix/1615, immunix/1690
    Date: Thu Aug 23 2001
    Advisory ID: IMNX-2001-70-032-01
    Author: Seth Arnold <sarnoldwirex.com>
    -----------------------------------------------------------------------

    Description:
      This update fixes two problems with sendmail. The first is a fairly
      serious problem handing command line arguments that can lead to root
      privileges, discovered by Cade Cairns. The second is a race condition
      with the signal handling, discovered by Michal Zalewski, with root
      access a possibility.

      StackGuard protection from the first problem is minimal -- while it
      may prevent trivial exploits from running, StackGuard should not be
      counted an effective defense against this problem.

      We recommend users upgrade their sendmail as soon as possible. While
      Immunix OS 6.2 sendmail is not vulnerable to this problem (per Dave
      Ahmed's bugtraq post), we have not researched this issue -- Immunix OS
      6.2 is no longer officially supported.

      References: http://www.securityfocus.com/archive/1/187126
      http://www.securityfocus.com/archive/1/187127
      http://www.securityfocus.com/bid/3163

    Package names and locations:
      Precompiled binary packages for Immunix 7.0 are available at:
      http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/sendmail-8.11.6-1_imnx.i386.rpm
      http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/sendmail-cf-8.11.6-1_imnx.i386.rpm
      http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/sendmail-doc-8.11.6-1_imnx.i386.rpm

      Source package for Immunix 7.0 is available at:
      http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/sendmail-8.11.6-1_imnx.src.rpm

    Immunix OS 7.0 md5sums:
      175d5a88678d02f1f50d788919e1e689 RPMS/sendmail-8.11.6-1_imnx.i386.rpm
      c999d8a7a9d4954085a38208bd7d3585 RPMS/sendmail-cf-8.11.6-1_imnx.i386.rpm
      b1ea88228ebb54e10f4e9c2ea95fb41d RPMS/sendmail-doc-8.11.6-1_imnx.i386.rpm
      27873e65dadafb724d8384140ba9d1f2 SRPMS/sendmail-8.11.6-1_imnx.src.rpm

    GPG verification:
      Our public key is available at <http://wirex.com/security/GPG_KEY>.
      *** NOTE *** This key is different from the one used in advisories
      IMNX-2001-70-020-01 and earlier.

    Online version of all Immunix 6.2 updates and advisories:
      http://immunix.org/ImmunixOS/6.2/updates/

    Online version of all Immunix 7.0-beta updates and advisories:
      http://immunix.org/ImmunixOS/7.0-beta/updates/

    Online version of all Immunix 7.0 updates and advisories:
      http://immunix.org/ImmunixOS/7.0/updates/

    NOTE:
      Ibiblio is graciously mirroring our updates, so if the links above are
      slow, please try:
        ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
      or one of the many mirrors available at:
        http://www.ibiblio.org/pub/Linux/MIRRORS.html

    Contact information:
      To report vulnerabilities, please contact securitywirex.com. WireX
      attempts to conform to the RFP vulnerability disclosure protocol
      <http://www.wiretrip.net/rfp/policy.html>.

    _______________________________________________
    Immunix-announce mailing list
    Immunix-announcewirex.com
    http://mail.wirex.com/mailman/listinfo/immunix-announce

    _______________________________________________
    Immunix-users mailing list
    Immunix-usersmail.wirex.com
    http://mail.wirex.com/mailman/listinfo/immunix-users