-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
                   Caldera Systems, Inc.  Security Advisory

Subject:                Denial of Service against irc-BX
Advisory number:        CSSA-2000-022.0
Issue date:             2000 July, 6
Cross reference:
______________________________________________________________________________


1. Problem Description

   The IRC client irc-BX (otherwise known as B*tchX) will accept
   bogus data from other IRC users that causes it to crash, and
   possibly even to execute malicious code.

   An exploit has been published that will result in a crash of
   the IRC client.

2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux Desktop 2.3        All packages previous to
                                irc-BX-75p3-5

   OpenLinux eServer 2.3        All packages previous to
   and OpenLinux eBuilder       irc-BX-75p3-5

   OpenLinux eDesktop 2.4       All packages previous to
                                irc-BX-1.0-3

3. Solution

   Workaround:

   none known

   The proper solution is to upgrade to the fixed packages.

4. OpenLinux Desktop 2.3

   4.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS

   4.2 Verification

       1cdc1f1b8cd3ddb8f9547bd3b983d931  RPMS/irc-BX-75p3-5.i386.rpm
       8a3affcbb25d22bf909845b0a3d93794  SRPMS/irc-BX-75p3-5.src.rpm

   4.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -F irc-BX-75p3-5.i386.rpm

5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0

   5.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS

   5.2 Verification

       8d006667e597c6e89cdec61fb85ab878  RPMS/irc-BX-75p3-5.i386.rpm
       8a3affcbb25d22bf909845b0a3d93794  SRPMS/irc-BX-75p3-5.src.rpm

   5.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -F irc-BX-75p3-5.i386.rpm

6. OpenLinux eDesktop 2.4

   6.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS

   6.2 Verification

       f13cf49d7e8eea02c2194865a37755db  RPMS/irc-BX-1.0c16-3.i386.rpm
       53423f8eb8efc5cd23f11d861218a45a  SRPMS/irc-BX-1.0c16-3.src.rpm

   6.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -F irc-BX-1.0c16-3.i386.rpm

       Please ignore any messages about being unable to remove
       directories during the upgrade.

7. References

   This and other Caldera security resources are located at:

   http://www.calderasystems.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 7137.

8. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of the
   information we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera OpenLinux.
______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5ZZQa18sy83A/qfwRAsvVAKClrU2t9+O3e9p6oWCHY8PRq8YPLgCfXkP9
lvnDqoc5itTANKDm1h++Svo=
=0ot7
-----END PGP SIGNATURE-----
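
As an added example (not part of Caldera's advisory): shell functions that tie the Verification and Installing steps of sections 4 to 6 together, checking a downloaded binary package against the advisory's MD5 value before `rpm -F` is run. The product keys (`desktop-2.3` and so on), the function names and the `product|md5|file` table layout are assumptions of this example. The table is keyed by product because the Desktop 2.3 and eServer 2.3 packages share the file name irc-BX-75p3-5.i386.rpm but are listed with different MD5 values.

```shell
#!/bin/sh
# MD5 values copied from sections 4.2, 5.2 and 6.2 of the advisory.
# Layout (chosen for this example): product|md5|package file name
ADVISORY_SUMS='desktop-2.3|1cdc1f1b8cd3ddb8f9547bd3b983d931|irc-BX-75p3-5.i386.rpm
eserver-2.3|8d006667e597c6e89cdec61fb85ab878|irc-BX-75p3-5.i386.rpm
edesktop-2.4|f13cf49d7e8eea02c2194865a37755db|irc-BX-1.0c16-3.i386.rpm'

# Print the advisory MD5 for <product> <package file name>.
# Exit status 1 if the advisory table has no such entry.
expected_md5() {
    printf '%s\n' "$ADVISORY_SUMS" |
        awk -F'|' -v p="$1" -v f="$2" \
            '$1 == p && $3 == f { print $2; found = 1 } END { exit !found }'
}

# Return 0 only if <file> hashes to the value listed for <product>.
# Return 1 on a mismatch, 2 if there is nothing to compare against.
verify_pkg() {
    product=$1 file=$2
    want=$(expected_md5 "$product" "$(basename "$file")") || {
        echo "no checksum listed for $product / $file" >&2
        return 2
    }
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    got=$(md5sum < "$file" | cut -d' ' -f1)
    if [ "$got" != "$want" ]; then
        echo "MD5 mismatch for $file: got $got, advisory lists $want" >&2
        return 1
    fi
}

# Run the advisory's upgrade command only after the checksum matches.
upgrade_pkg() {
    verify_pkg "$1" "$2" && rpm -F "$2"
}
```

For example, `upgrade_pkg eserver-2.3 ./irc-BX-75p3-5.i386.rpm` on an eServer 2.3 system. The MD5 values are only as trustworthy as the copy of the advisory they were read from, so check the advisory's PGP signature first.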