Confirmed and patch blessed in http://www.securityfocus.com/archive/1/365100/2004-06-01/2004-06-07/0

This applies at least to Red Hat Linux 9.

------- Additional Comments From marcdeslauriers 2004-06-04 13:57:43 ----

Here are packages for 7.3 and 9:

Changelog:
* Fri Jun 04 2004 Marc Deslauriers <marcdeslauriers> 2.3.1-19.legacy
- Added patch for format string vulnerability (FL #1719)

7.3:
c46da2908063ec8bd88ab4cb52b7d3bf91b514d0  tripwire-2.3.1-18.legacy.i386.rpm
47958d4e6ee33b738145ffdd12649e72eecb2e5c  tripwire-2.3.1-18.legacy.src.rpm

9:
aff57cf7b697be76e28564f7d4de947b3c91c790  tripwire-2.3.1-19.legacy.i386.rpm
3b1025a1fb78d59621298f1cad0a7c377b29e6c4  tripwire-2.3.1-19.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/tripwire-2.3.1-18.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/tripwire-2.3.1-18.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/tripwire-2.3.1-19.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/tripwire-2.3.1-19.legacy.src.rpm

------- Additional Comments From jonny.strom 2004-06-05 22:54:02 ----

I did a QA on the RH9 packages. SHA1 is ok. Installs ok. I did a very basic functionality test and it seems to be ok. The patch and the spec file look ok. I vote for publish.

------- Additional Comments From hbo 2004-06-07 14:58:15 ----

Change URL to Security Focus approved form. The followup should be accessed at http://www.securityfocus.com/archive/1/365100, too.
------- Additional Comments From bugs.michael 2004-06-15 08:46:37 ----

fedora.us will bump tripwire version from tripwire-2.3.1-18.fdr.3 to tripwire-2.3.1-20.fdr.1 for FC1/FC2, so these two legacy updates won't be newer.

------- Additional Comments From marcdeslauriers 2004-06-15 14:31:01 ----

Oops! Sorry for breaking that... I never thought to look for tripwire in the fedora.us packages...

------- Additional Comments From jkeating 2004-06-16 17:53:24 ----

Pushed to updates-testing: http://download.fedoralegacy.org/redhat/

b266219a8b7d05e35e2dba5c7a33bb15d518f7ad  7.3/updates-testing/SRPMS/tripwire-2.3.1-20.legacy.7x.src.rpm
e7649912f208a73276c16cffcb4dfb19e23bad9c  7.3/updates-testing/i386/tripwire-2.3.1-20.legacy.7x.i386.rpm
c65f628b723c3280d2cce0484ba5e8163081e1e8  9/updates-testing/SRPMS/tripwire-2.3.1-20.legacy.9.src.rpm
321d6537458ef99779be8f5377ea94695c6e1b5f  9/updates-testing/i386/tripwire-2.3.1-20.legacy.9.i386.rpm

------- Additional Comments From bugs.michael 2004-06-17 05:25:49 ----

Thanks for ignoring/overlooking comment 4. :-/

Please keep release version lower than FC1/FC2. Prior to the vulnerability rh73 contained:

tripwire-2.3.1-10.i386.rpm

rh9 contained:

tripwire-2.3.1-17.i386.rpm

fc1 contained:

tripwire-2.3.1-18.fdr.3.1.i386.rpm

So there is no need to bump the version to 20.legacy.X

------- Additional Comments From tripwire-devel.co.uk 2004-06-17 18:18:59 ----

For those not CC:'d to bug 1308, please read this:
https://bugzilla.fedora.us/show_bug.cgi?id=1308#c45

It would be great if we could sync our methods, and start using policy diffs for each release. The diffs are primarily aimed at *new* critical files unique to each release, but could also strip redundant entries. Actually I'd prefer both:

twpol-<distro>.txt
twpol-<distro>-added.diff
twpol-<distro>-removed.diff

That way it is always crystal clear what part of the filesystem has changed, and how.
To establish a baseline, I'll be using the policy from tripwire-2.3.1-17.src.rpm and running it against a policy validator for FC1 and FC2 systems. I'm starting work on some more scripts, including a policy diffs creator, so I'll let you know when that's done. Meanwhile I'd appreciate some feedback on this idea, and input on new critical files on RH Legacy systems (compared to the original policy).

I've made a basic policy validator, along with some other Tripwire scripts, available here:
http://www.genesis-x.nildram.co.uk/filez/tripwire-scripts-2.3.1-18.fdr.8.sea.bin.tar.bz2

Thanks.
K.

------- Additional Comments From marcdeslauriers 2004-09-08 11:12:57 ----

In response to comment 8:

Unfortunately, I don't think Fedora Legacy has any volunteers to make policy diffs right now. If someone steps up to do this, great. But in the meantime, Fedora Legacy packages will only have security patches.

------- Additional Comments From marcdeslauriers 2004-09-08 11:14:45 ----

These packages need to be pushed back to updates-testing with decreased release tags so as not to conflict with the FC packages from fedora.us. The version numbers that should be used are:

7.3:
tripwire-2.3.1-18.legacy.i386.rpm
tripwire-2.3.1-18.legacy.src.rpm

9:
tripwire-2.3.1-19.legacy.i386.rpm
tripwire-2.3.1-19.legacy.src.rpm

------- Additional Comments From mule 2004-09-09 07:49:59 ----

321d6537458ef99779be8f5377ea94695c6e1b5f  tripwire-2.3.1-20.legacy.9.i386.rpm
c65f628b723c3280d2cce0484ba5e8163081e1e8  tripwire-2.3.1-20.legacy.9.src.rpm

For Red Hat 9:
* builds from source
* installs

I have been using this package on a production server since August 25, 2004 with no problems...

I would agree with all of comment #10...
------- Additional Comments From mule 2004-09-14 04:11:13 ----

I would like to give folks a gentle nudge to resolve any versioning issues with the current tripwire packages in updates-testing. Please use comment #7 as a reference.

Would it be possible to redo the versions in updates-testing from

tripwire-2.3.1-20.legacy.7x
tripwire-2.3.1-20.legacy.9

to

tripwire-2.3.1-10.1.legacy.7x
tripwire-2.3.1-17.1.legacy.9

or such to keep the version lower than tripwire-2.3.1-18.fdr.3.1 in FC1?

------- Additional Comments From bugs.michael 2004-09-14 04:35:39 ----

Fedora Core 1, fedora.us testing repository:

tripwire-2.3.1-18.fdr.3.1.i386.rpm  30-Nov-2003
tripwire-2.3.1-20.fdr.1.1.i386.rpm  15-Jun-2004

20.legacy would be higher than 20.fdr

------- Additional Comments From marcdeslauriers 2004-10-03 12:37:06 ----

Built new packages and pushed to updates-testing.

------- Additional Comments From bugs.michael 2004-10-03 13:04:18 ----

Please don't ignore the comments in this ticket. Your tripwire-2.3.1-20.legacy.9.i386.rpm breaks the upgrade path to Fedora Core 1 and 2.

------- Additional Comments From bugs.michael 2004-10-03 13:09:49 ----

Um, Marc, there are no new packages in updates-testing yet.

------- Additional Comments From marcdeslauriers 2004-10-03 14:35:02 ----

Michael, I didn't ignore the comments, they are the reason I built new packages. Here are the version numbers I used:

tripwire-2.3.1-10.1.legacy.7x
tripwire-2.3.1-17.1.legacy.9

They will appear in updates-testing in tonight's sync, and I will release the notification tomorrow morning.
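The release-tag ordering the comments above argue about (20.legacy sorting above 20.fdr, 17.1.legacy.9 sorting below 18.fdr.3.1) follows from how rpm compares a label segment by segment. The following is an added example, not code from this ticket or from rpm itself: a Python reimplementation of the rpmvercmp label rules, checked against the release tags from this thread; it assumes plain labels and does not model the tilde/caret rules of newer rpm releases.

```python
def _take_segment(s, k):
    """Return the run of digits (or of letters) starting at s[k], plus the index after it."""
    start = k
    want_digits = s[k].isdigit()
    while k < len(s) and (s[k].isdigit() if want_digits else s[k].isalpha()):
        k += 1
    return s[start:k], k

def rpmvercmp(a, b):
    """Reimplementation of rpm's label compare: 1 if a is newer, -1 if b is newer, 0 if equal.
    Assumption: plain labels; the tilde/caret rules of newer rpm releases are not modelled."""
    i = j = 0
    while i < len(a) and j < len(b):
        while i < len(a) and not a[i].isalnum():   # separators ('.', '-', ...) are skipped
            i += 1
        while j < len(b) and not b[j].isalnum():
            j += 1
        if i >= len(a) or j >= len(b):
            break
        seg_a, i = _take_segment(a, i)
        seg_b, j = _take_segment(b, j)
        num_a, num_b = seg_a.isdigit(), seg_b.isdigit()
        if num_a != num_b:
            return 1 if num_a else -1          # a numeric segment beats an alphabetic one
        if num_a:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):       # the longer number is the bigger one
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1  # plain string order: "legacy" > "fdr"
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1            # leftover segments make a label newer

def upgrade_path_ok(legacy_release, fedora_release):
    """True when the Fedora Core build of the same version still sorts above the Legacy build."""
    return rpmvercmp(legacy_release, fedora_release) < 0

if __name__ == "__main__":
    # release tags from this ticket; the version part (2.3.1) is the same for all of them
    for legacy, fedora in [("20.legacy.9", "20.fdr.1.1"), ("17.1.legacy.9", "18.fdr.3.1")]:
        print(f"{legacy:>14} sorts below {fedora}: {upgrade_path_ok(legacy, fedora)}")
```

Because the version part is identical for every package in this thread, the release tag alone decides whether the FC1/FC2 package is seen as an upgrade over the Legacy one.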
------- Additional Comments From mule 2004-10-08 05:24:20 ----

In doing the QA for the Red Hat 9 packages I came across an issue with the tripwire.spec file. The file contains the duplicate line:

Patch4: tripwire-mkstemp.patch

Also, please post the sha1sums for the new packages.

------- Additional Comments From marcdeslauriers 2004-10-09 10:06:29 ----

In response to comment 18:

New packages were pushed to updates-testing to fix the duplicate patch entry. Here are the sha1sums:

1b2a8875e86492065f53db69d04de4a452fb1c5f  7.3/updates-testing/i386/tripwire-2.3.1-10.1.legacy.7x.i386.rpm
3d1d0f2a2b4b27c1e5d3b05dbea78d95c70ddcc2  7.3/updates-testing/SRPMS/tripwire-2.3.1-10.1.legacy.7x.src.rpm
cdc032af7c3fa3cfbe153c85a0044bdbbb6326b5  9/updates-testing/i386/tripwire-2.3.1-17.2.legacy.9.i386.rpm
263704b1799204e8ee98b4329cddf7b492d8fff2  9/updates-testing/SRPMS/tripwire-2.3.1-17.2.legacy.9.src.rpm

------- Additional Comments From mule 2004-10-09 16:07:50 ----

cdc032af7c3fa3cfbe153c85a0044bdbbb6326b5  tripwire-2.3.1-17.2.legacy.9.i386.rpm
263704b1799204e8ee98b4329cddf7b492d8fff2  tripwire-2.3.1-17.2.legacy.9.src.rpm

For Red Hat 9:
* Checked spec file - OK
* Checked tripwire-2.3.1-2-formatstring.patch - OK
* Builds from source - OK
* Installs - OK
* Ran tripwire check and update - OK

VERIFY++

------- Additional Comments From ckelley 2004-10-20 05:48:05 ----

1b2a8875e86492065f53db69d04de4a452fb1c5f  tripwire-2.3.1-10.1.legacy.7x.i386.rpm
3d1d0f2a2b4b27c1e5d3b05dbea78d95c70ddcc2  tripwire-2.3.1-10.1.legacy.7x.src.rpm

- libraries match with tripwire-2.3.1-10 (rh)
- package installs/upgrades fine
- source-built package looks good
- tripwire initializes and runs fine after upgrade

++VERIFY

------- Additional Comments From marcdeslauriers 2004-10-24 03:42:54 ----

Packages were pushed to official updates.

------- Additional Comments From jimpop 2005-01-05 09:49:57 ----

+VERIFIED 73

Tested and verified on RH73. Full functionality (--init, --interactive, --update, etc) tested extensively over a 3 month period on a server experiencing daily (hourly?) changes to monitored config files, etc.

1b2a8875e86492065f53db69d04de4a452fb1c5f  tripwire-2.3.1-10.1.legacy.7x.i386.rpm

-Jim P.

------- Bug moved to this database by dkl 2005-03-30 18:25 -------

This bug previously known as bug 1719 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1719
Originally filed under the Fedora Legacy product and Package request component.

Bug depends on bug(s) 1308.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
This bug either had no qa contact or an invalid one.