Bugtraq mailing list archives
Security Update: Denial of Service against irc-BX
From: support () PHOENIX CALDERASYSTEMS COM (Technical Support)
Date: Fri, 7 Jul 2000 16:43:47 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ Caldera Systems, Inc. Security Advisory Subject: Denial of Service against irc-BX Advisory number: CSSA-2000-022.0 Issue date: 2000 July, 6 Cross reference: ______________________________________________________________________________ 1. Problem Description The IRC client irc-BX (otherwise known as B*tchX) will accept bogus data from other IRC users that causes it to crash, and possibly even to execute malicious code. An exploit has been published that will result in a crash of the IRC client. 2. Vulnerable Versions System Package ----------------------------------------------------------- OpenLinux Desktop 2.3 All packages previous to irc-BX-75p3-5 OpenLinux eServer 2.3 All packages previous to and OpenLinux eBuilder irc-BX-75p3-5 OpenLinux eDesktop 2.4 All packages previous to irc-BX-1.0-3 3. Solution Workaround: none known The proper solution is to upgrade to the fixed packages. 4. OpenLinux Desktop 2.3 4.1 Location of Fixed Packages The upgrade packages can be found on Caldera's FTP site at: ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/ The corresponding source code package can be found at: ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS 4.2 Verification 1cdc1f1b8cd3ddb8f9547bd3b983d931 RPMS/irc-BX-75p3-5.i386.rpm 8a3affcbb25d22bf909845b0a3d93794 SRPMS/irc-BX-75p3-5.src.rpm 4.3 Installing Fixed Packages Upgrade the affected packages with the following commands: rpm -F irc-BX-75p3-5.i386.rpm 5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0 5.1 Location of Fixed Packages The upgrade packages can be found on Caldera's FTP site at: ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/ The corresponding source code package can be found at: ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS 5.2 Verification 8d006667e597c6e89cdec61fb85ab878 RPMS/irc-BX-75p3-5.i386.rpm 8a3affcbb25d22bf909845b0a3d93794 SRPMS/irc-BX-75p3-5.src.rpm 5.3 Installing Fixed Packages Upgrade the affected packages with the following commands: rpm -F irc-BX-75p3-5.i386.rpm 6. OpenLinux eDesktop 2.4 6.1 Location of Fixed Packages The upgrade packages can be found on Caldera's FTP site at: ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/ The corresponding source code package can be found at: ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS 6.2 Verification f13cf49d7e8eea02c2194865a37755db RPMS/irc-BX-1.0c16-3.i386.rpm 53423f8eb8efc5cd23f11d861218a45a SRPMS/irc-BX-1.0c16-3.src.rpm 6.3 Installing Fixed Packages Upgrade the affected packages with the following commands: rpm -F irc-BX-1.0c16-3.i386.rpm Please ignore any messages about being unable to remove directories during the upgrade. 7. References This and other Caldera security resources are located at: http://www.calderasystems.com/support/security/index.html This security fix closes Caldera's internal Problem Report 7137. 8. Disclaimer Caldera Systems, Inc. is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of Caldera OpenLinux. ______________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.0 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE5ZZQa18sy83A/qfwRAsvVAKClrU2t9+O3e9p6oWCHY8PRq8YPLgCfXkP9 lvnDqoc5itTANKDm1h++Svo= =0ot7 -----END PGP SIGNATURE-----
Current thread:
- ftpd and setproctitle() Theo de Raadt (Jul 06)
- Re: ftpd and setproctitle() Kris Kennaway (Jul 06)
- More Detailed Info on the BitchX Format Bugs RoboHak (Jul 07)
- Re: More Detailed Info on the BitchX Format Bugs Ryan Russell (Jul 07)
- Re: More Detailed Info on the BitchX Format Bugs RoboHak (Jul 09)
- opieftpd setproctitle() patches Kris Kennaway (Jul 10)
- Remote DoS Attack in WircSrv Irc Server v5.07s Vulnerability Ussr Labs (Jul 10)
- Security Update: Denial of Service against irc-BX Technical Support (Jul 07)
- Out of order SMTP DATA commands incorrectly allow pass-through mode in some firewall smtp filters/proxies Lincoln Yeoh (Jul 08)
- Re: More Detailed Info on the BitchX Format Bugs Ryan Russell (Jul 07)
- Re: ftpd and setproctitle() D. J. Bernstein (Jul 07)
- Re: ftpd and setproctitle() Bernd Luevelsmeyer (Jul 07)
- Re: ftpd and setproctitle() Firstname Lastname (Jul 10)
- BitchX update Vincent Danen (Jul 07)
- Re: ftpd and setproctitle() Pavel Kankovsky (Jul 08)
- Re: ftpd and setproctitle() Bernd Luevelsmeyer (Jul 07)
- ANNOUNCE: PScan, a simple security scanner. Alan DeKok (Jul 07)
- <Possible follow-ups>
- Re: ftpd and setproctitle() Roger Espel Llima (Jul 07)
- Re: ftpd and setproctitle() Adam McKenna (Jul 07)
- Security Update: symlink attack on makewhatis script possible Technical Support (Jul 07)
(Thread continues...)