Immunix Secured OS 7.3, 7+ rsync update

[Immunix Security Team <security () immunix com>]

[Outlook and Notes users, please ensure your Out Of Office messages are
not sent in response to public mail lists. It is annoying. Thank you.]

[Virus Scanner administrators: (a) GPG signatures are not an executable
format; (b) as most virii forge From: and From_ headers, it makes no
sense to rely on either header for error recovery purposes -- please
configure your scanners to discard during the SMTP conversation instead.
Thank you.]

[TMDA users: Please whitelist public mail lists. Thank you.]

-----------------------------------------------------------------------
        Immunix Secured OS Security Advisory

Packages updated:       rsync
Affected products:      Immunix OS 7.3, 7+
Bugs fixed:             CAN-2003-0962
Date:                   Fri Dec  5 2003
Advisory ID:            IMNX-2003-73-001-01
Author:                 Seth Arnold <sarnold () immunix com>
-----------------------------------------------------------------------

Description:
  The rsync team has alerted us to a remotely exploitable heap overflow
  that is being actively exploited. As the overflow is on the heap,
  StackGuard offers no protection to this vulnerability.

  There are two methods this vulnerability could be exploited; the first
  is through a publicly visible rsync server, typically on TCP port 873.
  The second is through an ssh or rsh connection to the remote host.

  We would like to thank Timo Sirainen, Mike Warfield, Paul Russell,
  Andrea Barisani, Andrew Tridgell, and Martin Pool.

  References: http://samba.anu.edu.au/rsync/
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0962

  Immunix 7.3 users may use our up2date service to install fixed
  packages: you may run either "up2date" within X, and follow the
  directions, or run "up2date -u" to ensure your system is current.

Package names and locations:
  Precompiled binary packages for Immunix 7.3 are available at:
  http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/rsync-2.5.4-2_imnx_2.i386.rpm
  Source packages for Immunix 7.3 are available at:
  http://download.immunix.org/ImmunixOS/7.3/Updates/SRPMS/rsync-2.5.4-2_imnx_2.src.rpm

  Precompiled binary packages for Immunix 7+ are available at:
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/rsync-2.5.2-2_imnx_1.i386.rpm
  Source packages for Immunix 7+ are available at:
  http://download.immunix.org/ImmunixOS/7+/Updates/SRPMS/rsync-2.5.2-2_imnx_1.src.rpm

Immunix OS 7+ md5sums:
  b7d479e4bc02f2791b7346638d1ddff7  7+/Updates/RPMS/rsync-2.5.2-2_imnx_1.i386.rpm
  7c2b5b94085aff4e24dbd4ba99e7f459  7+/Updates/SRPMS/rsync-2.5.2-2_imnx_1.src.rpm

Immunix OS 7.3 md5sums:
  d30c6376229aed5adb0db859989bc53d  7.3/Updates/RPMS/rsync-2.5.4-2_imnx_2.i386.rpm
  a1a1bc710f98efd8a88127fb8904fa98  7.3/Updates/SRPMS/rsync-2.5.4-2_imnx_2.src.rpm


GPG verification:                                                               
  Our public keys are available at http://download.immunix.org/GPG_KEY
  Immunix, Inc., has changed policy with GPG keys. We maintain several
  keys now: C53B2B53 for Immunix 7+ package signing, D3BA6C17 for
  Immunix 7.3 package signing, and 1B7456DA for general security issues.


NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

  ImmunixOS 7+ will not be officially supported after March 1 2004.
  ImmunixOS 7.0 is no longer officially supported.
  ImmunixOS 6.2 is no longer officially supported.

Contact information:
  To report vulnerabilities, please contact security () immunix com.
  Immunix attempts to conform to the RFP vulnerability disclosure protocol
  http://www.wiretrip.net/rfp/policy.html.

Attachment: _bin
Description: