Date: Fri, 4 Aug 2006 15:08:18 +0100
From: Trustix Security Advisor <tsl@trustix.org.>
To: [email protected]Subject: TSLSA-2006-0044 - multi
Message-ID: <20060804140818.GA12118@tsunami.trustix.net.>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.1i
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2006-0044
Package names: apache, gnupg, libtiff
Summary: Multiple vulnerabilities
Date: 2006-08-04
Affected versions: Trustix Secure Linux 2.2
Trustix Secure Linux 3.0
Trustix Operating System - Enterprise Server 2
- --------------------------------------------------------------------------
Package description:
apache
Apache is a full featured web server that is freely available, and also
happens to be the most widely used. Built with loadable modules
(all standard modules enabled). This verion is intended as a
replacement for a standard apache, the configuration files provided
with apache and apache-ssl are unchanged.
gnupg
GnuPG is a complete and free replacement for PGP. Because it does not
use IDEA it can be used without any restrictions. GnuPG is in compliance
with the OpenPGP specification (RFC2440).
libtiff
The libtiff package contains a library of functions for manipulating
TIFF (Tagged Image File Format) image format files. TIFF is a widely
used file format for bitmapped images. TIFF files usually end in the
.tif extension and they are often quite large.
Problem description:
apache < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- SECURITY Fix: A vulnerability has been reported in Apache HTTP Server,
which potentially can be exploited by malicious people to compromise
a vulnerable system. The vulnerability is caused by a off-by-one error
in mod_rewrite within the ldap scheme handling and can be exploited
to cause a one-byte buffer overflow.
The Common Vulnerabilities and Exposures project has assigned the
name CVE-2006-3747 to this issue.
gnupg < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- SECURITY Fix: Evgeny Legerov has reported a vulnerability in GnuPG,
caused due to an input validation error in parse_packet.c when
handling certain message packets. This can be exploited to cause
GnuPG to consume large amounts of memory or crash via an overly
long comment length in a message packet. This can further be
exploited to cause an integer overflow, which leads to possible
memory corruption and crashes GnuPG.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2006-3746 to this issue.
libtiff < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- SECURITY Fix: Tavis Ormandy, Google Security Team has reported some
vulnerabilities in libTIFF, which can be exploited by malicious people
to cause a DoS or potentially compromise a vulnerable system. The
vulnerabilities are caused due to various heap and integer overflows
when processing TIFF images and can be exploited via a specially
crafted TIFF image.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2006-3459, CVE-2006-3460, CVE-2006-3461,
CVE-2006-3462, CVE-2006-3463, CVE-2006-3464 and CVE-2006-3465
these issues.
Action:
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.
Location:
All Trustix Secure Linux updates are available from
<URI:http://http.trustix.org/pub/trustix/updates/>
<URI:ftp://ftp.trustix.org/pub/trustix/updates/>
About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers. With focus
on security and stability, the system is painlessly kept safe and up to
date from day one using swup, the automated software updater.
Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.
Questions?
Check out our mailing lists:
<URI:http://www.trustix.org/support/>
Verification:
This advisory along with all Trustix packages are signed with the
TSL sign key.
This key is available from:
<URI:http://www.trustix.org/TSL-SIGN-KEY>
The advisory itself is available from the errata pages at
<URI:http://www.trustix.org/errata/trustix-2.2/> and
<URI:http://www.trustix.org/errata/trustix-3.0/>
or directly at
<URI:http://www.trustix.org/errata/2006/0044/>
MD5sums of the packages:
- --------------------------------------------------------------------------
58e10eb0a911f601bccce37461b78a26 3.0/rpms/apache-2.0.55-6tr.i586.rpm
4b6d1ea23783ad3451e3c5b47d37596c 3.0/rpms/apache-dbm-2.0.55-6tr.i586.rpm
56aa4269f86037d48004985b43c75f38 3.0/rpms/apache-devel-2.0.55-6tr.i586.rpm
ac6d0f00e57cbc8a8cf9f5ab4f22dc3d 3.0/rpms/apache-html-2.0.55-6tr.i586.rpm
74b83eb0f04125065de9aef381d779b5 3.0/rpms/apache-manual-2.0.55-6tr.i586.rpm
58976e6d0a3294c599ce4207645b7063 3.0/rpms/apache-suexec-2.0.55-6tr.i586.rpm
60e3feed5588956b6addd456ebb46084 3.0/rpms/gnupg-1.4.5-1tr.i586.rpm
617c538b41eb29a1e7c4d9c4dd3a7eff 3.0/rpms/gnupg-utils-1.4.5-1tr.i586.rpm
593e0428f5e19b7aa5b066435458a995 3.0/rpms/libtiff-3.7.3-4tr.i586.rpm
f64821e5b0e83b07edde3d69ffba6fa5 3.0/rpms/libtiff-devel-3.7.3-4tr.i586.rpm
e3cc03fe87aefbb911f1d7aa341d12f8 3.0/rpms/libtiff-docs-3.7.3-4tr.i586.rpm
c25e4d8ff23456ee2107506b1d317bc6 2.2/rpms/apache-2.0.55-5tr.i586.rpm
dbeb192f9dd39888b82d1988bf90b4ce 2.2/rpms/apache-dbm-2.0.55-5tr.i586.rpm
dd9935efecc4d307397e602b56a84464 2.2/rpms/apache-devel-2.0.55-5tr.i586.rpm
c97b60eab43dc496ad8a07a3f704f06a 2.2/rpms/apache-html-2.0.55-5tr.i586.rpm
41ac31626a1d3c1119abf9235d0cfbce 2.2/rpms/apache-manual-2.0.55-5tr.i586.rpm
78bff5e45937c5681d41f9db5dd36aa6 2.2/rpms/apache-suexec-2.0.55-5tr.i586.rpm
9f4b7cda6d7b07fac29d08d6e78297ec 2.2/rpms/gnupg-1.2.6-4tr.i586.rpm
317c80f0edc6f851916cc0ab6f95cf4f 2.2/rpms/gnupg-utils-1.2.6-4tr.i586.rpm
69645d7b4ef2406eca3c01247ef3aa19 2.2/rpms/libtiff-3.7.3-4tr.i586.rpm
ecd83df2149e912bf906dee0fb10eb0c 2.2/rpms/libtiff-devel-3.7.3-4tr.i586.rpm
- --------------------------------------------------------------------------
Trustix Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
iD8DBQFE004fi8CEzsK9IksRAjQxAKCKKmqGCgUvxEmjWKaRFX7pvaXzzgCeMm5+
pyqriuorNv9SE8gRbx1ZnX0=
=3Eol
-----END PGP SIGNATURE-----