From security@wirex.com Fri Oct 19 22:20:51 2001
From: Immunix Security Team
To: security-alerts@linuxsecurity.com, bugtraq@securityfocus.com,
    linux-security-announce@seifried.org, immunix-announce@immunix.org
Date: Fri, 19 Oct 2001 18:32:57 -0700
Subject: Immunix OS update Linux Kernel

-----------------------------------------------------------------------
        Immunix OS Security Advisory

Packages updated:       kernel-2.2.19
Affected products:      Immunix OS 7.0 and 6.2
Bugs fixed:             immunix/1760
Date:                   Fri Oct 19 2001
Advisory ID:            IMNX-2001-70-035-01
Author:                 Seth Arnold
-----------------------------------------------------------------------

Description:
  Rafal Wojtczuk has found two serious flaws in the Linux kernel; both
  versions 2.2.19 and 2.4.11 are affected. The problems include deeply
  nested symlinks spending arbitrary amounts of time in kernel code, and
  yet another ptrace vulnerability.

  This release of kernel 2.2.19-8_imnx comes with two patches to fix the
  problems, supplied in Rafal's bugtraq post. We expect these patches to
  be included in 2.2.20 when it is released, but in the meantime we are
  making updated 2.2.19 packages available for our users.

  Note that kernel installs are different from other .rpms -- usually,
  one would want to use:

    rpm -ivh kernel-2.2.19-8_imnx.i386.rpm

  then check the /boot directory and the /etc/lilo.conf file, and re-run
  lilo to install the new kernel. A reboot is required to complete the
  installation.

  References:
  http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=221337&start=2001-10-15&end=2001-10-21

Package names and locations:
  Precompiled binary packages for Immunix 7.0 are available at:
  http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/kernel-2.2.19-8_imnx.i386.rpm
  http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/kernel-2.2.19-8_imnx.i586.rpm
  http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/kernel-2.2.19-8_imnx.i686.rpm
  http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/kernel-BOOT-2.2.19-8_imnx.i386.rpm
  http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/kernel-doc-2.2.19-8_imnx.i386.rpm
  http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/kernel-pcmcia-cs-2.2.19-8_imnx.i386.rpm
  http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/kernel-smp-2.2.19-8_imnx.i386.rpm
  http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/kernel-smp-2.2.19-8_imnx.i586.rpm
  http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/kernel-smp-2.2.19-8_imnx.i686.rpm
  http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/kernel-source-2.2.19-8_imnx.i386.rpm
  http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/kernel-utils-2.2.19-8_imnx.i386.rpm

  Source package for Immunix 7.0 is available at:
  http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/kernel-2.2.19-8_imnx.src.rpm

Immunix OS 7.0 md5sums:

GPG verification:
  Our public key is available at .
  *** NOTE *** This key is different from the one used in advisories
  IMNX-2001-70-020-01 and earlier.

  Online version of all Immunix 6.2 updates and advisories:
  http://immunix.org/ImmunixOS/6.2/updates/

  Online version of all Immunix 7.0-beta updates and advisories:
  http://immunix.org/ImmunixOS/7.0-beta/updates/

  Online version of all Immunix 7.0 updates and advisories:
  http://immunix.org/ImmunixOS/7.0/updates/

NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

  ImmunixOS 6.2 is no longer officially supported.

Contact information:
  To report vulnerabilities, please contact security@wirex.com. WireX
  attempts to conform to the RFP vulnerability disclosure protocol .
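
An added example, not part of the Immunix advisory: one way to script the "check the /boot directory, /etc/lilo.conf file" step from the Description before re-running lilo and rebooting. The image name vmlinuz-<version>, the function names and the sample lilo.conf are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-reboot check on a LILO system after `rpm -ivh kernel-*.rpm`.
# Assumption: the package installs its image as /boot/vmlinuz-<version>.

# Print the path of every image= entry in a lilo.conf, ignoring comments.
lilo_images() {
    sed -n -e 's/#.*//' -e 's/[[:space:]]*$//' \
        -e 's/^[[:space:]]*image[[:space:]]*=[[:space:]]*//p' "$1"
}

# check_lilo_kernel CONF VERSION [ROOT]
#   0  an image= entry names VERSION and the file exists and is non-empty
#   1  no entry names VERSION (lilo would keep booting the old kernel)
#   2  an entry names VERSION but the file is missing or empty
check_lilo_kernel() {
    conf=$1; version=$2; prefix=${3:-}
    result=1
    for img in $(lilo_images "$conf"); do
        case $img in
            *"$version"*)
                if [ -s "$prefix$img" ]; then return 0; fi
                result=2 ;;
        esac
    done
    return "$result"
}

# Constructed sandbox (not a real system): sample lilo.conf plus a dummy image.
demo() {
    sandbox=$(mktemp -d) || return 3
    mkdir -p "$sandbox/boot" "$sandbox/etc"
    echo dummy > "$sandbox/boot/vmlinuz-2.2.19-8_imnx"
    cat > "$sandbox/etc/lilo.conf" <<'EOF'
boot=/dev/hda
default=linux
image=/boot/vmlinuz-2.2.19-8_imnx
    label=linux
    root=/dev/hda1
image=/boot/vmlinuz-old   # constructed fallback entry
    label=old
EOF
    rc=0
    check_lilo_kernel "$sandbox/etc/lilo.conf" 2.2.19-8_imnx "$sandbox" || rc=$?
    rm -rf "$sandbox"
    return "$rc"
}

# On the real machine: check_lilo_kernel /etc/lilo.conf 2.2.19-8_imnx && /sbin/lilo -v
```

A return of 1 means lilo.conf still points only at the old kernel, so re-running lilo and rebooting would leave the unpatched 2.2.19 image in use.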