Date: Fri, 13 Jan 2006 14:57:11 +0100
From: Trustix Security Advisor <tsl@trustix.org.>
To: [email protected]
Subject: TSLSA-2006-0002 - multi
Message-ID: <20060113135711.GA23333@tsunami.trustix.net.>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.1i
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2006-0002
Package names: clamav, cups, fetchmail, mod_auth_pgsql, sudo
Summary: Multiple vulnerabilities
Date: 2006-01-13
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Operating System - Enterprise Server 2
- --------------------------------------------------------------------------
Package description:
clamav
Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose of this
software is the integration with mail servers (attachment scanning).
The package provides a flexible and scalable multi-threaded daemon,
a command line scanner, and a tool for automatic updating via Internet.
The programs are based on a shared library distributed with the package,
which you can use with your own software.
cups
The Common UNIX Printing System provides a portable printing layer for
UNIX(R) operating systems. It has been developed by Easy Software Products
to promote a standard printing solution for all UNIX vendors and users.
CUPS provides the System V and Berkeley command-line interfaces.
fetchmail
Fetchmail is a remote mail retrieval and forwarding utility intended
for use over on-demand TCP/IP links, like SLIP or PPP connections.
Fetchmail supports every remote-mail protocol currently in use on the
Internet (POP2, POP3, RPOP, APOP, KPOP, all IMAPs, ESMTP ETRN, IPv6,
and IPSEC) for retrieval. Then Fetchmail forwards the mail through
SMTP so you can read it through your favorite mail client.
mod_auth_pgsql
The mod_auth_pgsql module consists of an authorization handler that uses
a PostgreSQL server as the basis for authorizations.
sudo
Sudo (superuser do) allows a system administrator to give certain
users (or groups of users) the ability to run some (or all) commands
as root while logging all commands and arguments. Sudo operates on a
per-command basis. It is not a replacement for the shell. Features
include: the ability to restrict what commands a user may run on a
per-host basis, copious logging of each command (providing a clear
audit trail of who did what), a configurable timeout of the sudo
command, and the ability to use the same configuration file (sudoers)
on many different machines.
Problem description:
clamav < TSL 3.0 > < TSL 2.2 >
- New Upstream.
- SECURITY Fix: Fixes a possible heap-based buffer overflow in libclamav/upx.c.
The Common Vulnerabilities and Exposures project has assigned the
name CVE-2006-0162 to this issue.
cups < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- SECURITY Fix: Chris Evans has reported some vulnerabilities in xpdf,
which can be exploited by malicious people to cause a DoS.
- An integer overflow error exists in "Stream.cc:StreamPredictor::StreamPredictor()"
and "Stream.cc::CCITTFaxStream::CCITTFaxStream()" when calculating buffer
sizes for memory allocation. This can potentially be exploited to
overflow the allocated heap memory.
- An infinite loop error exists in "Stream.cc::DCTStream::readMarker()"
when handling certain malformed input files. This can potentially be
exploited to cause a DoS.
- Missing validation of input parameters in
"Stream.cc:DCTStream::readHuffmanTables()" and
"Stream.cc:DCTStream::readScanInfo()" can cause out-of-bounds memory access.
This can potentially be exploited to overwrite certain memory.
- Some potential integer overflow errors exist in "JBIG2Stream.cc".
The Common Vulnerabilities and Exposures project has assigned the
names CVE-2005-3624, CVE-2005-3625, CVE-2005-3626 and CVE-2005-3627
to these issues.
fetchmail < TSL 3.0 > < TSL 2.2 >
- New Upstream.
- SECURITY Fix: A vulnerability has been reported in Fetchmail, caused by
a null pointer dereference when handling a message without
email headers. This can be exploited to crash Fetchmail when the
upstream mail server sends a message without headers.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-4348 to this issue.
mod_auth_pgsql < TSL 3.0 >
- New Upstream.
- SECURITY Fix: iDEFENSE has reported a format string flaw in
mod_auth_pgsql. This could allow a remote unauthenticated attacker to
execute arbitrary code as the httpd process.
The Common Vulnerabilities and Exposures project has assigned the
name CVE-2005-3656 to this issue.
sudo < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- SECURITY Fix: A vulnerability has been reported in Sudo, caused by
an error in the environment cleaning. This can be exploited by a
user with sudo access to a perl script to load and execute arbitrary
library files via the "PERLLIB", "PERL5LIB" and the "PERL5OPT"
environment variables.
The Common Vulnerabilities and Exposures project has assigned the
name CVE-2005-4158 to this issue.
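An added illustration, not part of the advisory and not sudo's own code, of why environment cleaning by denylist lets variables such as the three named above through, compared with cleaning by allowlist. The denylist, allowlist, pinned PATH, value check and sample values are assumptions made for this example.

```python
import os
import subprocess

# Variables named in the advisory as missed by sudo's environment cleaning.
PERL_VARS = ("PERLLIB", "PERL5LIB", "PERL5OPT")
# Assumption: a denylist written without knowledge of the Perl variables.
DENYLIST = {"IFS", "LD_PRELOAD", "LD_LIBRARY_PATH"}
# Assumption: the few variables a non-interactive helper script needs.
ALLOWLIST = {"TERM", "LANG", "LC_ALL"}
SAFE_PATH = "/usr/local/bin:/usr/bin:/bin"

# Constructed sample of a caller-controlled environment.
SAMPLE_ENV = {
    "PATH": "/home/user/bin:/usr/bin",
    "TERM": "xterm",
    "LANG": "../constructed/locale",
    "LD_PRELOAD": "constructed-value",
    "PERL5LIB": "constructed-value",
    "PERL5OPT": "constructed-value",
}


def clean_denylist(env):
    """Remove known-bad names only; any name not on the list passes through."""
    return {k: v for k, v in env.items() if k not in DENYLIST}


def clean_allowlist(env):
    """Keep known-good names whose values hold no '/' or '%', then pin PATH."""
    kept = {k: v for k, v in env.items()
            if k in ALLOWLIST and "/" not in v and "%" not in v}
    kept["PATH"] = SAFE_PATH
    return kept


def perl_vars_in(env):
    """Names from PERL_VARS still present after cleaning."""
    return sorted(k for k in PERL_VARS if k in env)


def run_scrubbed(argv, env=None):
    """Run a helper with the allowlisted environment instead of the caller's."""
    source = os.environ if env is None else env
    return subprocess.run(argv, env=clean_allowlist(dict(source)), check=False)


if __name__ == "__main__":
    print("denylist leaves :", perl_vars_in(clean_denylist(SAMPLE_ENV)))
    print("allowlist leaves:", perl_vars_in(clean_allowlist(SAMPLE_ENV)))
```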
Action:
We recommend that all systems with these packages installed be upgraded.
Please note that if you do not need the functionality provided by a
package, you may want to remove it from your system.
Location:
All Trustix Secure Linux updates are available from
<URI:http://http.trustix.org/pub/trustix/updates/>
<URI:ftp://ftp.trustix.org/pub/trustix/updates/>
About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers. With focus
on security and stability, the system is painlessly kept safe and up to
date from day one using swup, the automated software updater.
Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.
Questions?
Check out our mailing lists:
<URI:http://www.trustix.org/support/>
Verification:
This advisory, along with all Trustix packages, is signed with the
TSL sign key.
This key is available from:
<URI:http://www.trustix.org/TSL-SIGN-KEY>
The advisory itself is available from the errata pages at
<URI:http://www.trustix.org/errata/trustix-2.2/> and
<URI:http://www.trustix.org/errata/trustix-3.0/>
or directly at
<URI:http://www.trustix.org/errata/2006/0002/>
MD5sums of the packages:
- --------------------------------------------------------------------------
c4054d2f4cd71398414e998cc284d59a 3.0/rpms/clamav-0.88-1tr.i586.rpm
8bd316759f4d2bcf7f02416ba6940a9b 3.0/rpms/clamav-devel-0.88-1tr.i586.rpm
5e0710e5ea16f2e1275d44bf457f75dc 3.0/rpms/cups-1.1.23-11tr.i586.rpm
e3620b786bedf32c448e2a39dcb157e6 3.0/rpms/cups-devel-1.1.23-11tr.i586.rpm
b38886f3c90753ac58e0232c9bb58571 3.0/rpms/cups-libs-1.1.23-11tr.i586.rpm
824b16f362cc986645dfd3f5d9ac4550 3.0/rpms/cups-samba-1.1.23-11tr.i586.rpm
7422c1de49b6ccd89d876238d7005317 3.0/rpms/fetchmail-6.2.5.5-1tr.i586.rpm
c5171f6d58768c65a86d7185eb3d9d40 3.0/rpms/mod_auth_pgsql-2.0.3-1tr.i586.rpm
1bf904fee4e276445eb875702189f78a 3.0/rpms/sudo-1.6.8p9-3tr.i586.rpm
5a812456fff8b160a0431cd87be387ab 2.2/rpms/clamav-0.88-1tr.i586.rpm
df00ab8b447b4970cb93c801a35ebcff 2.2/rpms/clamav-devel-0.88-1tr.i586.rpm
52bfa93ec82d8587b8e4bbfac95108a4 2.2/rpms/cups-1.1.23-7tr.i586.rpm
790ea1fb94322873ca5ee91b1e0086bd 2.2/rpms/cups-devel-1.1.23-7tr.i586.rpm
f435ad4abb0c96947925a404d82be8e3 2.2/rpms/cups-libs-1.1.23-7tr.i586.rpm
a91491ec0fc827cb6dd55ad2fd0e943f 2.2/rpms/fetchmail-6.2.5.5-1tr.i586.rpm
03eebacbceda0a9133a30b094327521d 2.2/rpms/sudo-1.6.8p9-3tr.i586.rpm
- --------------------------------------------------------------------------
Trustix Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDx6Ydi8CEzsK9IksRAtY2AKCyEvYST41i469Ok7UFzxg65CmTvwCfd1Xc
p9RvRQo/TJHnRd+w8hqJXx4=
=y2zE
-----END PGP SIGNATURE-----