-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                    Caldera International, Inc.  Security Advisory

Subject:            Linux: REVISED: rsync supplementary groups vulnerability
Advisory number:    CSSA-2002-014.1
Issue date:         2002 April 16
Cross reference:
______________________________________________________________________________


1. Problem Description

    Supplementary groups to which the rsync daemon belonged (such as
    root, when the daemon is started by root) were not dropped from the
    server process before it switched to an unprivileged uid and gid, so
    the daemon kept that group membership while performing work on behalf
    of clients.

    The rsync daemon was also compiled with a vulnerable version of the
    zlib library. Because rsync carries its own copy of zlib, updating
    the system zlib package alone does not fix the daemon; the rsync
    package itself must be rebuilt.

    This package corrects both these issues.

    This revised advisory adds fixes for OpenLinux 3.1.


2. Vulnerable Supported Versions

    System                          Package
    ----------------------------------------------------------------------
    OpenLinux 3.1.1 Server          prior to rsync-2.5.0-5.i386.rpm
                                    prior to rsync-2.5.0-5.src.rpm

    OpenLinux 3.1.1 Workstation     prior to rsync-2.5.0-5.i386.rpm
                                    prior to rsync-2.5.0-5.src.rpm

    OpenLinux 3.1 Server            prior to rsync-2.5.0-5.i386.rpm
                                    prior to rsync-2.5.0-5.src.rpm

    OpenLinux 3.1 Workstation       prior to rsync-2.5.0-5.i386.rpm
                                    prior to rsync-2.5.0-5.src.rpm


3. Solution

    The proper solution is to install the latest packages. Verify the
    md5 checksums listed below against the downloaded files before
    installing. Note that rpm -Fvh upgrades a package only if an earlier
    version is already installed, and that a running rsync daemon keeps
    executing the old binary until it is restarted.


4. OpenLinux 3.1.1 Server

    4.1 Package Location

    ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

    4.2 Packages

    12c9cb2e714e3d790963a7a3e750fe4c    rsync-2.5.0-5.i386.rpm

    4.3 Installation

    rpm -Fvh rsync-2.5.0-5.i386.rpm

    4.4 Source Package Location

    ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

    4.5 Source Packages

    5811917f82ec3295cad61d9d7ccf5c30    rsync-2.5.0-5.src.rpm


5. OpenLinux 3.1.1 Workstation

    5.1 Package Location

    ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

    5.2 Packages

    12c9cb2e714e3d790963a7a3e750fe4c    rsync-2.5.0-5.i386.rpm

    5.3 Installation

    rpm -Fvh rsync-2.5.0-5.i386.rpm

    5.4 Source Package Location

    ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS

    5.5 Source Packages

    5811917f82ec3295cad61d9d7ccf5c30    rsync-2.5.0-5.src.rpm


6. OpenLinux 3.1 Server

    6.1 Package Location

    ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

    6.2 Packages

    04dbd6f53d21ae359c61cc2f04d4c63e    rsync-2.5.0-5.i386.rpm

    6.3 Installation

    rpm -Fvh rsync-2.5.0-5.i386.rpm

    6.4 Source Package Location

    ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

    6.5 Source Packages

    8f911a22a9863382b08f02a49bc591c2    rsync-2.5.0-5.src.rpm


7. OpenLinux 3.1 Workstation

    7.1 Package Location

    ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS

    7.2 Packages

    04dbd6f53d21ae359c61cc2f04d4c63e    rsync-2.5.0-5.i386.rpm

    7.3 Installation

    rpm -Fvh rsync-2.5.0-5.i386.rpm

    7.4 Source Package Location

    ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS

    7.5 Source Packages

    8f911a22a9863382b08f02a49bc591c2    rsync-2.5.0-5.src.rpm


8. References

    Specific references for this advisory:

        none

    Caldera OpenLinux security resources:

        http://www.caldera.com/support/security/index.html

    Caldera UNIX security resources:

        http://stage.caldera.com/support/security/

    This security fix closes Caldera incidents sr862089, fz520415,
    and erg711995.


9. Disclaimer

    Caldera International, Inc. is not responsible for the misuse of
    any of the information we provide on this website and/or through
    our security advisories. Our advisories are a service to our
    customers intended to promote secure installation and use of
    Caldera products.


10. Acknowledgements

    Ethan Benson discovered and researched this vulnerability.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjy8gNUACgkQbluZssSXDTFP3ACdESMP/LE/GROsJch+3yc4XRwA
RGcAoKriVmTbSm9n0IIgqklrBKQk/U64
=euQE
-----END PGP SIGNATURE-----
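The supplementary-groups problem in section 1 is a privilege-drop ordering bug: a daemon that starts as root and changes only its uid and gid keeps the supplementary group list it inherited from root. The C below is an added example written for this page, not rsync's code and not part of the Caldera advisory; it shows the vulnerable drop beside a corrected one that clears the group list with setgroups() while still privileged, and an audit function that reports leaked groups. The account name "nobody" used in main() is an assumption. The privilege-drop demonstration only runs when the program is started as root; the audit and the pure counting function run as any user.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE           /* declares setgroups() in <grp.h> on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Same prototype as glibc/musl; harmless if <grp.h> already declared it. */
int setgroups(size_t n, const gid_t *groups);

/* Count the entries of `groups` that are not `keep_gid`. After a daemon has
 * switched to an unprivileged uid/gid, every such entry is a supplementary
 * group that survived the drop (root's groups, in the advisory's case).
 * Pure function, so it can be checked on constructed group lists. */
int count_leaked_groups(const gid_t *groups, int ngroups, gid_t keep_gid)
{
    int leaked = 0;
    for (int i = 0; i < ngroups; i++)
        if (groups[i] != keep_gid)
            leaked++;
    return leaked;
}

/* Audit the calling process: number of supplementary groups other than its
 * effective gid, or -1 on error. Equivalent to reading the "Groups:" line of
 * /proc/<pid>/status for a running daemon from outside. */
int current_leaked_groups(void)
{
    int n = getgroups(0, NULL);            /* ask for the count first */
    if (n < 0)
        return -1;
    if (n == 0)
        return 0;
    gid_t *groups = malloc((size_t)n * sizeof *groups);
    if (groups == NULL)
        return -1;
    n = getgroups(n, groups);
    int leaked = (n < 0) ? -1 : count_leaked_groups(groups, n, getegid());
    free(groups);
    return leaked;
}

/* The vulnerable pattern from the advisory: uid and gid change, but the
 * supplementary group list inherited from root is left untouched. */
int drop_privs_vulnerable(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return 0;
}

/* Corrected pattern: clear supplementary groups while still root (needs
 * CAP_SETGID), then gid, then uid. Order matters: once setuid() has moved
 * to an unprivileged user, setgroups()/setgid() would fail with EPERM.
 * Afterwards verify the drop took effect and cannot be undone. */
int drop_privs_fixed(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)        /* drop must be irreversible */
        return -1;
    if (current_leaked_groups() != 0)      /* nothing from root left behind */
        return -1;
    return 0;
}

int main(void)
{
    printf("supplementary groups beyond egid in this process: %d\n",
           current_leaked_groups());
    if (geteuid() != 0) {
        puts("not root: skipping the privilege drop demonstration");
        return 0;
    }
    struct passwd *pw = getpwnam("nobody");   /* assumed account name */
    if (pw == NULL) {
        puts("no 'nobody' account found");
        return 1;
    }
    if (drop_privs_fixed(pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("now uid=%u gid=%u, leaked groups=%d\n",
           (unsigned)getuid(), (unsigned)getgid(), current_leaked_groups());
    return 0;
}
```

Compile with cc -Wall and run it once as an ordinary user to see the audit, then as root to see the drop to "nobody" followed by a zero leaked-group count; replacing drop_privs_fixed() with drop_privs_vulnerable() in main() reproduces the advisory's condition, and the audit then reports root's supplementary groups still attached to the unprivileged process.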