Date: Fri, 24 Feb 2006 14:58:54 +0100
From: Trustix Security Advisor <tsl@trustix.org>
To: [email protected]
Subject: TSLSA-2006-0008 - multi
Message-ID: <20060224135854.GA892@tsunami.trustix.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.1i
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2006-0008
Package names: gnupg, gnutls, libtasn1, postgresql
Summary: Multiple vulnerabilities
Date: 2006-02-17
Affected versions: Trustix Secure Linux 2.2
Trustix Secure Linux 3.0
Trustix Operating System - Enterprise Server 2
- --------------------------------------------------------------------------
Package description:
gnupg
GnuPG is a complete and free replacement for PGP. Because it does not
use IDEA it can be used without any restrictions. GnuPG is in compliance
with the OpenPGP specification (RFC2440).
gnutls
GnuTLS is a project that aims to develop a library which provides a secure
layer, over a reliable transport layer. Currently the GnuTLS library
implements the proposed standards by the IETF's TLS working group.
libtasn1
This is the ASN.1 library used in GNUTLS.
postgresql
PostgreSQL is an advanced Object-Relational database management system
(DBMS) that supports almost all SQL constructs (including
transactions, subselects and user-defined types and functions). The
postgresql package includes the client programs and libraries that
you'll need to access a PostgreSQL DBMS server. These PostgreSQL
client programs are programs that directly manipulate the internal
structure of PostgreSQL databases on a PostgreSQL server. These client
programs can be located on the same machine with the PostgreSQL
server, or may be on a remote machine which accesses a PostgreSQL
server over a network connection. This package contains the docs
in HTML for the whole package, as well as command-line utilities for
managing PostgreSQL databases on a PostgreSQL server.
Problem description:
gnupg < TSL 3.0 >
- New Upstream.
- SECURITY Fix: Tavis Ormandy (taviso) has reported a verification weakness
in gpgv: for certain input, gpgv exited with status 0 even though the
detached signature file did not carry any signature at all. Any script
that decides "verified" from the exit status alone would therefore accept
unsigned data as signed. Callers that instead require a VALIDSIG line on
the --status-fd output, which gpgv only emits after it has actually
checked a signature, do not make that mistake.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2006-0455 to this issue.
gnutls < TSL 3.0 >
- SECURITY Fix: Evgeny Legerov has reported several vulnerabilities in the
libtasn1 DER decoder used by GnuTLS, which can be exploited by malicious
people to cause a DoS. The vulnerabilities are caused by errors within the
DER decoder: specially crafted DER input crashes the application that
uses the library. Because X.509 certificates are DER-encoded, a remote
peer can deliver such input to any GnuTLS-based server or client during
the TLS handshake. This is the same issue as the libtasn1 update below.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2006-0645 to this issue.
libtasn1 < TSL 3.0 >
- SECURITY Fix: Evgeny Legerov has reported several vulnerabilities in
libtasn1, which can be exploited by malicious people to cause a DoS. The
vulnerabilities are caused by errors within the DER decoder: specially
crafted DER input crashes the application that uses the library. Any
program that decodes untrusted DER (certificates, CRLs, PKCS structures)
through libtasn1 is exposed. This is the same issue as the gnutls update
above, which carries its own copy of the decoder.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2006-0645 to this issue.
postgresql < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- New Upstream.
- SECURITY Fix: Akio Ishida has reported an error in the "SET SESSION
AUTHORIZATION" command which any connected database client can exploit
to crash the server process, but only if the server was compiled with
assertions enabled (--enable-cassert). Servers built without assertions
do not crash from this input.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2006-0678 to this issue.
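The gpgv weakness above (CVE-2006-0455) is the case where a verifier that trusts the exit status alone accepts a file that was never signed. The following is an added example, not part of the Trustix advisory and not GnuPG project code: it takes the accept/reject decision from gpgv's machine-readable --status-fd output instead, accepting only when a VALIDSIG line names the expected signing key and no failure status line appears. The keyring path, fingerprint and status lines shown are constructed placeholders, not values from this advisory.

```sh
#!/bin/sh
# Added example: verify a detached signature without trusting gpgv's exit
# status alone. The decision is taken from the --status-fd protocol lines.

# gpg_status_ok EXPECTED_FPR
# Reads gpg/gpgv status lines on stdin. Succeeds only if a VALIDSIG line
# for EXPECTED_FPR was seen and no failure status was seen. An empty
# status stream (nothing was verified at all) is a failure, which is
# exactly the case a bare exit-status check got wrong.
gpg_status_ok() {
    expected="$1"
    valid=0
    bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG $expected "*) valid=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NODATA "*|\
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*) bad=1 ;;
        esac
    done
    [ "$valid" -eq 1 ] && [ "$bad" -eq 0 ]
}

# verify_detached KEYRING EXPECTED_FPR SIGFILE DATAFILE
# Runs gpgv against a dedicated keyring (not the user's default keyring)
# with status output on stdout and applies gpg_status_ok. The pipeline's
# exit status is that of gpg_status_ok, not of gpgv.
verify_detached() {
    keyring="$1"; expected="$2"; sig="$3"; data="$4"
    gpgv --keyring "$keyring" --status-fd 1 "$sig" "$data" 2>/dev/null \
        | gpg_status_ok "$expected"
}

# Usage (keyring path and fingerprint are placeholders):
#   verify_detached /etc/trustix/tsl-sign-key.gpg \
#       0123456789ABCDEF0123456789ABCDEF01234567 \
#       package.rpm.asc package.rpm && echo verified
```

The fingerprint is pinned on purpose: a GOODSIG from any key that happens to be in the keyring is not the same as a signature from the TSL sign key, and VALIDSIG is the only status line that carries the full fingerprint.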
Action:
We recommend that all systems with these packages installed be upgraded.
Please note that if you do not need the functionality provided by a
package, you may want to remove it from your system.
Location:
All Trustix Secure Linux updates are available from
<URI:http://http.trustix.org/pub/trustix/updates/>
<URI:ftp://ftp.trustix.org/pub/trustix/updates/>
About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers. With focus
on security and stability, the system is painlessly kept safe and up to
date from day one using swup, the automated software updater.
Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.
Questions?
Check out our mailing lists:
<URI:http://www.trustix.org/support/>
Verification:
This advisory along with all Trustix packages are signed with the
TSL sign key.
This key is available from:
<URI:http://www.trustix.org/TSL-SIGN-KEY>
Import the key into the RPM database (rpm --import) and check each
downloaded package with rpm --checksig before installing it; the MD5
sums listed below detect download corruption but do not by themselves
prove that a package came from Trustix.
The advisory itself is available from the errata pages at
<URI:http://www.trustix.org/errata/trustix-2.2/> and
<URI:http://www.trustix.org/errata/trustix-3.0/>
or directly at
<URI:http://www.trustix.org/errata/2006/0008/>
MD5sums of the packages:
- --------------------------------------------------------------------------
c2544a9acc143e0333f1b3bdb5a76ce4 3.0/rpms/gnupg-1.4.2.1-1tr.i586.rpm
d243248ff7d5e96240a6e1000154e83e 3.0/rpms/gnupg-utils-1.4.2.1-1tr.i586.rpm
1aa00bf1bae6186f8364ab7d1285dcaf 3.0/rpms/gnutls-1.2.4-3tr.i586.rpm
fe8caa913f619f9a2e86fbf54b561841 3.0/rpms/gnutls-devel-1.2.4-3tr.i586.rpm
d23ea95c83f3222e29186394beb8ed83 3.0/rpms/libtasn1-0.2.13-5tr.i586.rpm
d8eaf0821570da1102419f4bb8cba82f 3.0/rpms/libtasn1-devel-0.2.13-5tr.i586.rpm
9d4571ffc0f2b5970e56ec7523d6a13f 3.0/rpms/postgresql-8.0.7-1tr.i586.rpm
a7258c3db7f510c7b0fd15aed483fcd7 3.0/rpms/postgresql-contrib-8.0.7-1tr.i586.rpm
fc66f2ba43c175b60d2fbd59051a4150 3.0/rpms/postgresql-devel-8.0.7-1tr.i586.rpm
23e7845018a5ff32c125e87d1429e1c5 3.0/rpms/postgresql-docs-8.0.7-1tr.i586.rpm
14d22a419e0342edf5d5222e6a78d582 3.0/rpms/postgresql-libs-8.0.7-1tr.i586.rpm
17140854e4db6467c8bc1f4d39e675ca 3.0/rpms/postgresql-plperl-8.0.7-1tr.i586.rpm
6085d12cdfc3fba877c5cf2b84d71350 3.0/rpms/postgresql-python-8.0.7-1tr.i586.rpm
231340c0e67bb18ef0888293f4bce31c 3.0/rpms/postgresql-server-8.0.7-1tr.i586.rpm
d2e15d6c13a8c98e31763122bfcdb408 3.0/rpms/postgresql-test-8.0.7-1tr.i586.rpm
e35b5e75c4de1b7bf92d599084d3c27e 2.2/rpms/postgresql-8.0.7-1tr.i586.rpm
e5c4eb03a4ca62b94b398afbbc8dc8a1 2.2/rpms/postgresql-contrib-8.0.7-1tr.i586.rpm
39322b731069634b7fbfc6276f48e149 2.2/rpms/postgresql-devel-8.0.7-1tr.i586.rpm
de0cc43f820b5cc1f0a1a8bb1209af37 2.2/rpms/postgresql-docs-8.0.7-1tr.i586.rpm
695d42913801c7bbeb1e2e36dc500921 2.2/rpms/postgresql-libs-8.0.7-1tr.i586.rpm
eb85225b176e9fdbb125bead116d9e4a 2.2/rpms/postgresql-plperl-8.0.7-1tr.i586.rpm
bedb35855a8a4d8fca66600d569829d1 2.2/rpms/postgresql-python-8.0.7-1tr.i586.rpm
609d4b7fba380f2d6eaed566144ea315 2.2/rpms/postgresql-server-8.0.7-1tr.i586.rpm
16d5848a36b5b6c9a97fafca4749084f 2.2/rpms/postgresql-test-8.0.7-1tr.i586.rpm
- --------------------------------------------------------------------------
Trustix Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (GNU/Linux)
iD8DBQFD/wXLi8CEzsK9IksRAsHqAJ96jzuJyZbWAsCdAuykdKAe5V58RQCfWthE
/8FQp2zDKMclU4u50oQ22v0=
=bpro
-----END PGP SIGNATURE-----