Date: Fri, 21 Jul 2006 15:17:38 +0200
From: Trustix Security Advisor <tsl@trustix.org.>
To: [email protected]Subject: TSLSA-2006-0042 - multi
Message-ID: <20060721131738.GA8458@tsunami.trustix.net.>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.1i
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2006-0042
Package names: gnupg, kernel, samba
Summary: Multiple vulnerabilities
Date: 2006-07-21
Affected versions: Trustix Secure Linux 2.2
Trustix Secure Linux 3.0
Trustix Operating System - Enterprise Server 2
- --------------------------------------------------------------------------
Package description:
gnupg
GnuPG is a complete and free replacement for PGP. Because it does not
use IDEA it can be used without any restrictions. GnuPG is in compliance
with the OpenPGP specification (RFC2440).
kernel
The kernel package contains the Linux kernel (vmlinuz), the core of your
Trustix Secure Linux operating system. The kernel handles the basic
functions of the operating system: memory allocation, process
allocation, device input and output, etc.
samba
Samba provides an SMB server which can be used to provide network
services to SMB (sometimes called "Lan Manager") clients, including
various versions of MS Windows, OS/2, and other Linux machines. Samba
uses NetBIOS over TCP/IP (NetBT) protocols and does NOT need NetBEUI
(Microsoft Raw NetBIOS frame) protocol.
Problem description:
gnupg < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- SECURITY Fix: A vulnerability has been reported in GnuPG, cause due
to an input validation error within "parse-packet.c" when handling
the length of a message packet. This can be exploited to cause gpg
to consume large amount of memory or crash via an overly large packet
length in a message packet. This can be further exploited to cause an
integer overflow which leads to a possible memory corruption that
crashes gpg.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2006-3082 to this issue.
kernel < TSL 3.0 >
- New upstream.
- Upgraded 3ware 9xxx RAID driver, Bug #1823.
- SECURITY FIX: A vulnerability has been reported in the Linux kernel,
which can be exploited by malicious, local users to gain escalated
privileges. The vulnerability is caused due to a race condition in
"/proc" when changing file status. Successful exploitation allows
execution of arbitrary code with root privileges.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2006-3626 to this issue.
samba < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- SECURITY Fix: A vulnerability has been reported in Samba, caused due
to an error when handling a lot of share connection requests. This
can be exploited to cause smbd to exhaust memory resources via a
large number of share connections.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2006-3403 to this issue.
Action:
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.
Location:
All Trustix Secure Linux updates are available from
<URI:http://http.trustix.org/pub/trustix/updates/>
<URI:ftp://ftp.trustix.org/pub/trustix/updates/>
About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers. With focus
on security and stability, the system is painlessly kept safe and up to
date from day one using swup, the automated software updater.
Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.
Questions?
Check out our mailing lists:
<URI:http://www.trustix.org/support/>
Verification:
This advisory along with all Trustix packages are signed with the
TSL sign key.
This key is available from:
<URI:http://www.trustix.org/TSL-SIGN-KEY>
The advisory itself is available from the errata pages at
<URI:http://www.trustix.org/errata/trustix-2.2/> and
<URI:http://www.trustix.org/errata/trustix-3.0/>
or directly at
<URI:http://www.trustix.org/errata/2006/0042/>
MD5sums of the packages:
- --------------------------------------------------------------------------
f86810db08844c94b81fd105e664fe01 3.0/rpms/gnupg-1.4.4-1tr.i586.rpm
63bfe9bd1aec22b236da29ccbf8a4655 3.0/rpms/gnupg-utils-1.4.4-1tr.i586.rpm
166a291d8ada662af9ec23e022f10f45 3.0/rpms/kernel-2.6.17.6-1tr.i586.rpm
685242b444e0d1d778ec768a4a96f15f 3.0/rpms/kernel-doc-2.6.17.6-1tr.i586.rpm
d31937a2a5adf40196bc85370d441127 3.0/rpms/kernel-headers-2.6.17.6-1tr.i586.rpm
f07a32eeade28a2d0420df161e95fb58 3.0/rpms/kernel-smp-2.6.17.6-1tr.i586.rpm
a7e3cd4f1c9bcd6d4dca4aeb17ca0738 3.0/rpms/kernel-smp-headers-2.6.17.6-1tr.i586.rpm
66ff5b16345091c8870a202405cbeb3f 3.0/rpms/kernel-source-2.6.17.6-1tr.i586.rpm
5f1b3333e0e4ca35f47f753471da4602 3.0/rpms/kernel-utils-2.6.17.6-1tr.i586.rpm
d84b4f9c672459d3d8aa8d31ccb41831 3.0/rpms/samba-3.0.22-2tr.i586.rpm
13f99d5c950dfe7068937b3e9a26d84a 3.0/rpms/samba-client-3.0.22-2tr.i586.rpm
845519745dc778ae2e6420f5b6fbe130 3.0/rpms/samba-common-3.0.22-2tr.i586.rpm
e942e48ac256273d6dccb28b4ed5c3e4 3.0/rpms/samba-devel-3.0.22-2tr.i586.rpm
60c46bad4adc0d51b0c78852e47db908 3.0/rpms/samba-mysql-3.0.22-2tr.i586.rpm
870f8111fbe4cea1623678c977e97514 2.2/rpms/gnupg-1.2.6-3tr.i586.rpm
2276e7687268bf607d378ab05665e2c7 2.2/rpms/gnupg-utils-1.2.6-3tr.i586.rpm
bb3b9c56f4fd44ac10e7dda01a5c69df 2.2/rpms/samba-3.0.22-2tr.i586.rpm
ebf3d7854e10c8bb65b4a307bd9cf5ae 2.2/rpms/samba-client-3.0.22-2tr.i586.rpm
75db20c88bdf7e35077ab70c628a3f6d 2.2/rpms/samba-common-3.0.22-2tr.i586.rpm
f22d5e489fb365fa2d72aac15ab5cb32 2.2/rpms/samba-devel-3.0.22-2tr.i586.rpm
5ba89867dd0ef342d480e61c9a53b124 2.2/rpms/samba-mysql-3.0.22-2tr.i586.rpm
- --------------------------------------------------------------------------
Trustix Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFEwNHmi8CEzsK9IksRAnwVAJ9Z6VoyOrmgzNq9jxXNa4fMBT0M3QCgqbUc
W9m229UX0fkyL4HxqAMjwHA=
=o9l8
-----END PGP SIGNATURE-----