Date: Fri, 19 Jan 2007 15:17:32 +0000
From: Trustix Security Advisor <tsl@trustix.org.>
To: [email protected]
Subject: TSLSA-2007-0003 - multi
Message-ID: <20070119151732.GA31015@tsunami.trustix.net.>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.1i
X-Virus-Scanned: antivirus-gw at tyumen.ru
--------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2007-0003
Package names: bzip2, kerberos5, squid, wget, xorg-x11
Summary: Multiple vulnerabilities
Date: 2007-01-19
Affected versions: Trustix Secure Linux 2.2
Trustix Secure Linux 3.0
Trustix Operating System - Enterprise Server 2
--------------------------------------------------------------------------
Package description:
bzip2
Bzip2 is a freely available, patent-free, high quality data compressor.
Bzip2 compresses files to within 10 to 15 percent of the capabilities
of the best techniques available. However, bzip2 has the added benefit
of being approximately two times faster at compression and six times
faster at decompression than those techniques. Bzip2 is not the fastest
compression utility, but it does strike a balance between speed and
compression capability.
kerberos5
(MIT) Kerberos is a network authentication protocol. It is designed to
provide strong authentication for client/server applications by using
secret-key cryptography. A free implementation of this protocol is
available from the Massachusetts Institute of Technology. Kerberos is
available in many commercial products as well.
squid
Squid is a high-performance proxy caching server for Web clients,
supporting FTP, gopher, and HTTP data objects. Unlike traditional
caching software, Squid handles all requests in a single, non-blocking,
I/O-driven process. Squid keeps meta data and especially hot objects
cached in RAM, caches DNS lookups, supports non-blocking DNS lookups,
and implements negative caching of failed requests.
wget
GNU Wget is a file retrieval utility which can use either the HTTP or
FTP protocols. Wget features include the ability to work in the
background while you're logged out, recursive retrieval of directories,
file name wildcard matching, remote file timestamp storage and
comparison, use of REST with FTP servers and Range with HTTP servers
to retrieve files over slow or unstable connections, support for Proxy
servers, and configurability.
xorg-x11
X.org X11 is an open source implementation of the X Window System. It
provides the basic low-level functionality on which full-fledged graphical
user interfaces (GUIs) such as GNOME and KDE are built.
Problem description:
bzip2 < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- SECURITY Fix: Fixes a race condition that allows local users to
modify the permissions of arbitrary files. bzip2 changes the
permissions of the output file after decompression completes, so a
hard link attack on that file while it is being decompressed redirects
the permission change to another file.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2005-0953 to this issue.
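As an added illustration (not bzip2's code and not part of this advisory):
the difference between changing the output file's mode by path after the
file is closed and changing it through the still-open descriptor, which
removes the hard link window described above. The function names and the
temp-directory self-check are this example's own assumptions.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (for contrast): close(fd); chmod(out_path, mode);
   Between close() and chmod() a local user can replace out_path with a
   hard link to another file, so the permission change lands there.
   Hardened pattern below: set the mode through the open descriptor,
   which refers to the inode we created regardless of the directory. */
int write_output_with_mode(const char *out_path, const char *data,
                           size_t len, mode_t mode)
{
    int fd = open(out_path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    if (write(fd, data, len) != (ssize_t)len || fchmod(fd, mode) != 0) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Self-check: write a constructed file with mode 0640 into a fresh temp
   directory and return the permission bits actually on disk (-1 on failure). */
int demo(void)
{
    char dir[] = "/tmp/tsl_demo_XXXXXX";
    char path[64];
    const char *payload = "constructed output data\n";
    struct stat st;
    int bits = -1;
    if (!mkdtemp(dir))
        return -1;
    strcpy(path, dir); strcat(path, "/out");
    if (write_output_with_mode(path, payload, strlen(payload), 0640) == 0
        && stat(path, &st) == 0)
        bits = (int)(st.st_mode & 07777);
    unlink(path);
    rmdir(dir);
    return bits;
}
```

fchmod() is not subject to the umask, so the bits read back are exactly the requested 0640.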
kerberos5 < TSL 3.0 >
- SECURITY Fix: The RPC library used by the Kerberos administration
daemon (kadmind), and by other products that use this library, calls
an uninitialized function pointer in freed memory, which allows remote
attackers to cause a denial of service (crash) and possibly execute
arbitrary code via unspecified vectors.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2006-6143 to this issue.
squid < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- SECURITY Fix: An error in handling of certain FTP URL requests can
be exploited to crash Squid by visiting a specially crafted FTP URL
via the proxy.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2007-0247 to this issue.
wget < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- SECURITY Fix: The ftp_syst function in ftp-basic.c allows remote
attackers to cause a denial of service (application crash) via a
malicious FTP server with a large number of blank 220 responses
to the SYST command.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2006-6719 to this issue.
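As an added illustration (not wget's ftp_syst and not part of this
advisory): a SYST reply parser that treats a blank or code-only reply as an
error instead of using a second token that is not there. The function name
and the set of recognised system types are this example's own assumptions;
limiting how many such replies a client will read is outside its scope.

```c
#include <ctype.h>
#include <string.h>
#include <strings.h>

/* System type learned from the SYST reply; SYST_UNKNOWN when a word is
   present but is not one we recognise. */
enum syst_type { SYST_UNKNOWN = 0, SYST_UNIX, SYST_VMS, SYST_OS400 };

/* Parse one FTP reply line such as "215 UNIX Type: L8".  A parser that
   tokenises the line and uses the second token unchecked dereferences
   NULL on a blank or code-only reply; here such a reply returns -1 and
   the caller decides how to proceed.  Returns 0 on success. */
int parse_syst_reply(const char *reply, enum syst_type *type)
{
    const char *p = reply;
    const char *word;
    size_t n;

    *type = SYST_UNKNOWN;
    if (!reply)
        return -1;
    /* Three-digit reply code, then a space or the end of the line. */
    for (int i = 0; i < 3; i++)
        if (!isdigit((unsigned char)p[i]))
            return -1;
    p += 3;
    if (*p != ' ' && *p != '\0')
        return -1;
    while (*p == ' ')
        p++;
    /* Blank reply: there is no system-type word to look at. */
    if (*p == '\0' || *p == '\r' || *p == '\n')
        return -1;
    word = p;
    while (*p && !isspace((unsigned char)*p))
        p++;
    n = (size_t)(p - word);
    if (n == 4 && strncasecmp(word, "UNIX", 4) == 0)
        *type = SYST_UNIX;
    else if (n == 3 && strncasecmp(word, "VMS", 3) == 0)
        *type = SYST_VMS;
    else if (n == 5 && strncasecmp(word, "OS400", 5) == 0)
        *type = SYST_OS400;
    return 0;
}
```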
xorg-x11 < TSL 3.0 >
- SECURITY Fix: Sean Larsson has reported several vulnerabilities in
X.Org X11, caused by input validation errors within the
"ProcRenderAddGlyphs()" function of the "Render" extension and
the "ProcDbeGetVisualInfo()" and "ProcDbeSwapBuffers()" functions
of the "DBE" extension. These can be exploited to cause memory
corruption by sending specially crafted X requests to the X server.
The Common Vulnerabilities and Exposures project has assigned the
names CVE-2006-6101, CVE-2006-6102 and CVE-2006-6103 to these issues.
Action:
We recommend that all systems with these packages installed be upgraded.
Please note that if you do not need the functionality provided by a
package, you may want to remove it from your system.
Location:
All Trustix Secure Linux updates are available from
<URI:http://http.trustix.org/pub/trustix/updates/>
<URI:ftp://ftp.trustix.org/pub/trustix/updates/>
About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers. With focus
on security and stability, the system is painlessly kept safe and up to
date from day one using swup, the automated software updater.
Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.
Questions?
Check out our mailing lists:
<URI:http://www.trustix.org/support/>
Verification:
This advisory, along with all Trustix packages, is signed with the
TSL sign key.
This key is available from:
<URI:http://www.trustix.org/TSL-SIGN-KEY>
The advisory itself is available from the errata pages at
<URI:http://www.trustix.org/errata/trustix-2.2/> and
<URI:http://www.trustix.org/errata/trustix-3.0/>
or directly at
<URI:http://www.trustix.org/errata/2007/0003/>
MD5sums of the packages:
Trustix Security Team