View Issue Details

ID: 0000038
Project: administration
Category: security
View Status: public
Last Update: 2005-02-23 16:14
Reporter: herrold
Priority: low
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: Other
OS: other
OS Version:
Product Version: unspecified
Target Version:
Fixed in Version:
Summary: 0000038: Gentoo exploit vector

Description:

Vendor-sec confidential

The Gentoo exploit vector appears to have been a crafted rsync exploit
using do_brk() hole in userspace client.

Please [Greg, Lance] confirm that each caosity host you admin has been patched
with the revised 2.4.24 kernel. Obviously all clients which you access caosity
from by SSH (directly or in a chain of connections) also need to be so updated.

I also need to invalidate the installer choice if it is not updated yet.

Finally a lookup from package to package maintainer, so I can find the rsync
maintainer interface is needed. I will RFE separately.

-- Russ
Tags: No tags attached.

Activities

herrold   2003-12-04 11:01   reporter   ~0000143

Add Greg CC

herrold   2003-12-04 11:02   reporter   ~0000144

Add Lance to cc

lance@uklinux.net   2003-12-04 11:32   reporter   ~0000145

mirror.caosity.org: I have installed updated kernel - needs reboot to load.
caosity.org, caosforge.net, temple.caosity.org are vservers that use weird kernel;
will need to raise ticket for support.

Do I understand that you need local access for that exploit, or is remote anon
rsync vulnerable?

lance@uklinux.net   2003-12-04 12:02   reporter   ~0000146

mirror.caosity.org now rebooted and running 2.4.20-24.7

expect lots of stuff from tripwire ...

lance@uklinux.net   2003-12-04 12:11   reporter   ~0000147

To avoid the possibility of ssh exploits being exploitable etc, I intend to
firewall ssh on mirror (and other caos servers) to only be available from
listed static IPs.

Please advise static IP to be listed.

Initially restricted to ld,gmk,orc

herrold   2003-12-04 12:15   reporter   ~0000148

Yes: remote anon rsync IS (appears to be) vulnerable in the 12/2003 Gentoo case

herrold   2003-12-04 12:17   reporter   ~0000149

As to IP list, I will advise -- I am going to set up a VPN endpoint which will
appear to be static.

-- Russ Herrold

herrold   2005-02-23 16:14   reporter   ~0000150

long since overtaken by events - closing

Issue History

Date Modified      Username   Field        Change
2003-12-04 11:01   herrold    CC           => greg@caosity.org
2003-12-04 11:02   herrold    CC           => lance@uklinux.net
2003-12-04 12:17   herrold    Status       NEW => ASSIGNED
2005-02-23 16:14   herrold    Status       ASSIGNED => RESOLVED
2005-02-23 16:14   herrold    Resolution   => FIXED