Date: Fri, 9 Jun 2006 15:04:15 +0200
From: Trustix Security Advisor <tsl@trustix.org.>
To: [email protected]Subject: TSLSA-2006-0034 - multi
Message-ID: <20060609130415.GA19873@tsunami.trustix.net.>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.1i
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2006-0034
Package names: binutils, mysql, spamassassin
Summary: Multiple vulnerabilities
Date: 2006-06-09
Affected versions: Trustix Secure Linux 2.2
Trustix Secure Linux 3.0
Trustix Operating System - Enterprise Server 2
- --------------------------------------------------------------------------
Package description:
binutils
Binutils is a collection of utilities necessary for compiling programs.
It includes the assembler and linker, as well as a number of other
miscellaneous programs for dealing with executable formats.
mysql
MySQL is a true multi-user, multi-threaded SQL (Structured Query
Language) database server. MySQL is a client/server implementation
that consists of a server daemon (mysqld) and many different client
programs/libraries.
spamassassin
SpamAssassin provides you with a way to reduce, if not completely
eliminate, Unsolicited Bulk Email (or "spam") from your incoming email.
It can be invoked by a MDA such as sendmail or postfix, or can be called
from a procmail script, .forward file, etc. It uses a
genetic-algorithm-evolved scoring system to identify messages which look
spammy, then adds headers to the message so they can be filtered by the
user's mail reading software. This distribution includes the
spamd/spamc components which considerably speeds processing of mail.
Problem description:
binutils < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- SECURITY Fix: A vulnerability has been identified which could be
exploited by attackers to execute arbitrary code or cause a denial of
service. This flaw is due to a buffer overflow error in the libbfd
library ["bfd/tekhex.c"] when processing a file containing malformed
a Tektronix Hex Format (TekHex) record, which could be exploited by
attackers to crash an affected application or compromise a vulnerable
system via a malicious file.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2006-2362 to this issue.
mysql < TSL 3.0 > < TSL 2.2 >
- SECURITY Fix: A vulnerability has been reported in MySQL caused due to
an error within the server when parsing a query string that is escaped
with the "mysql_real_escape_string()" function. This can potentially be
exploited in an environment that uses multi-byte character encoding to
bypass SQL injection escaping.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2006-2753 to this issue.
spamassassin < TSL 3.0 > < TSL 2.2 >
- SECURITY Fix: A vulnerability has been reported in SpamAssassin, which
can be exploited by malicious people to compromise a vulnerable system.
SpamAssassin when running with vpopmail and the paranoid (-P) switch,
allows remote attackers to execute arbitrary commands via a crafted
message that is not properly handled when invoking spamd with the
virtual pop username.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2006-2447 to this issue.
Action:
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.
Location:
All Trustix Secure Linux updates are available from
<URI:http://http.trustix.org/pub/trustix/updates/>
<URI:ftp://ftp.trustix.org/pub/trustix/updates/>
About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers. With focus
on security and stability, the system is painlessly kept safe and up to
date from day one using swup, the automated software updater.
Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.
Questions?
Check out our mailing lists:
<URI:http://www.trustix.org/support/>
Verification:
This advisory along with all Trustix packages are signed with the
TSL sign key.
This key is available from:
<URI:http://www.trustix.org/TSL-SIGN-KEY>
The advisory itself is available from the errata pages at
<URI:http://www.trustix.org/errata/trustix-2.2/> and
<URI:http://www.trustix.org/errata/trustix-3.0/>
or directly at
<URI:http://www.trustix.org/errata/2006/0034/>
MD5sums of the packages:
- --------------------------------------------------------------------------
e5d36360dfbfa074e1480dc1f20f060a 3.0/rpms/binutils-2.15-9tr.i586.rpm
ae7a7ac7b28361e0b4866fbb14b4fe85 3.0/rpms/mysql-4.1.15-3tr.i586.rpm
d1c5361b148fbc225cdc2fe5083477d8 3.0/rpms/mysql-bench-4.1.15-3tr.i586.rpm
376598136637b4b04efe505366a1c515 3.0/rpms/mysql-client-4.1.15-3tr.i586.rpm
834102be2e1ef0941e553b9627aa6806 3.0/rpms/mysql-devel-4.1.15-3tr.i586.rpm
2202c240e186908fae14fae836bfa60b 3.0/rpms/mysql-libs-4.1.15-3tr.i586.rpm
2f1c1541d60670f804252ced853b80f8 3.0/rpms/mysql-shared-4.1.15-3tr.i586.rpm
e09e7ff8bd1fe45e6d1a3f676873a9b0 3.0/rpms/perl-mail-spamassassin-3.0.4-4tr.i586.rpm
af3f9a1d10e36d28ad0ba368007fb1b7 3.0/rpms/spamassassin-3.0.4-4tr.i586.rpm
b894444c51725cc13ac2a2dd0def953f 3.0/rpms/spamassassin-tools-3.0.4-4tr.i586.rpm
4138d728aef7d2bb5c116bc8a08f7ae7 2.2/rpms/binutils-2.14-5tr.i586.rpm
0faa12b1394f4a1269f0da709a82fad7 2.2/rpms/mysql-4.1.15-3tr.i586.rpm
3d9378b316813244009cc1ac58dcd1dd 2.2/rpms/mysql-bench-4.1.15-3tr.i586.rpm
637fd6a197d6d6eedea6c4fb921bfad2 2.2/rpms/mysql-client-4.1.15-3tr.i586.rpm
5ad3e585a25ee8856edb5cb2afcdbd89 2.2/rpms/mysql-devel-4.1.15-3tr.i586.rpm
65bf216cd847eca7164903b2cb65bc3c 2.2/rpms/mysql-libs-4.1.15-3tr.i586.rpm
02ce609f25f24220156e1ccc0dfa6c93 2.2/rpms/mysql-shared-4.1.15-3tr.i586.rpm
c2306f4beb6eaeee01e30b43cfeec9eb 2.2/rpms/perl-mail-spamassassin-3.0.4-4tr.i586.rpm
c77a38e270702bc7f31f2281c11ff649 2.2/rpms/spamassassin-3.0.4-4tr.i586.rpm
ffe6baa13507c9d93b0f1d14c8d98f18 2.2/rpms/spamassassin-tools-3.0.4-4tr.i586.rpm
- --------------------------------------------------------------------------
Trustix Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEiW5Xi8CEzsK9IksRAiCwAKCWSDDcujnzIT8UTupHxQgbmt4XmwCfaluq
q7FEKnhtyq2QHzhfcCnFaiw=
=nwXF
-----END PGP SIGNATURE-----