Message-ID: <20040930085254.GA7841@tsunami.trustix.net>
Date: Thu, 30 Sep 2004 10:52:54 +0200
From: Trustix Security Advisor <tsl@...stix.org>
To: bugtraq@...urityfocus.com
Subject: TSL-2004-0050 - multi


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Bugfix Advisory #2004-0050

Package name:      gettext, ghostscript, glibc, groff, gzip, kerberos5,
                   lvm, mysql, netatalk, openssl, perl, postgresql
Summary:           Insecure tempfile handling
Date:              2004-09-30
Affected versions: Trustix Secure Linux 1.5
                   Trustix Secure Linux 2.0
                   Trustix Secure Linux 2.1
                   Trustix Operating System - Enterprise Server 2

- --------------------------------------------------------------------------
Package description:
  gettext:
  The GNU gettext package provides a set of tools and documentation for
  producing multi-lingual messages in programs.

  ghostscript:
  ESP Ghostscript is an enhanced version of GNU Ghostscript that includes
  new printer drivers and support for the Common UNIX Printing System.

  glibc:
  The glibc package contains standard libraries which are used by
  multiple programs on the system.

  groff:
  Groff is a document formatting system.  Groff takes standard text and
  formatting commands as input and produces formatted output.

  gzip:
  The gzip package contains the popular GNU gzip data compression
  program.  Gzipped files have a .gz extension.

  kerberos5:
  (MIT) Kerberos is a network authentication protocol. It is designed to
  provide strong authentication for client/server applications by using
  secret-key cryptography.

  lvm:
  Utilities for Logical Volume Management.

  mysql:
  MySQL is a true multi-user, multi-threaded SQL (Structured Query
  Language) database server.

  netatalk:
  netatalk is an implementation of the AppleTalk Protocol Suite for Unix/Linux
  systems.

  openssl:
  A C library that provides various cryptographic algorithms and protocols,
  including DES, RC4, RSA, and SSL.

  perl:
  Perl is a high-level programming language with roots in C, sed, awk
  and shell scripting.

  postgresql:
  (DBMS) that supports almost all SQL constructs (including
  transactions, subselects and user-defined types and functions).

Problem description:

  Trustix Security Engineers identified that all these packages had one or
  more script(s) that handled temporary files in an insecure manner.  While
  it is not believed that any of these holes could lead to privilege
  escalation, it would be possible to trick the scripts into overwriting
  data writable by the user that invokes the script.

  These problems can only be exploited by local users, and they would have to
  wait for someone else, preferably root, to run the vulnerable scripts.

Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All Trustix Secure Linux updates are available from
  <URI:http://http.trustix.org/pub/trustix/updates/>
  <URI:ftp://ftp.trustix.org/pub/trustix/updates/>


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.


Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.org/support/>


Verification:
  This advisory, along with all Trustix packages, is signed with the
  TSL sign key.
  This key is available from:
  <URI:http://www.trustix.org/TSL-SIGN-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.org/errata/trustix-1.5/>,
  <URI:http://www.trustix.org/errata/trustix-2.0/> and
  <URI:http://www.trustix.org/errata/trustix-2.1/>
  or directly at
  <URI:http://www.trustix.org/errata/2004/0050/>


MD5sums of the packages:
- --------------------------------------------------------------------------


Trustix Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFBW8Goi8CEzsK9IksRAqamAKCNmTzaQ/1vI3BZpGPjU2nvmqxzKQCdE3Eh
aAYCN6k/irfZJ1l9KJ1VdcY=
=zsdN
-----END PGP SIGNATURE-----
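
Added example, not part of the Trustix advisory or of the fixed packages: a small audit helper that flags literal temporary-file paths in a shell script, together with the mktemp-based replacement. The advisory does not name the affected scripts or the exact flaw, so this assumes the common form of the problem, a predictable file name in a world-writable directory; the sample script and all function names are constructed.

```sh
#!/bin/sh
# Added example; the sample script and all names here are constructed.

# scan_tmp_use FILE: print "line:text" for each non-comment line that names a
# literal path under /tmp or $TMPDIR without going through mktemp.
scan_tmp_use() {
    grep -nE '(/tmp|\$\{?TMPDIR\}?)/[A-Za-z0-9._$-]+' "$1" \
        | grep -vE '^[0-9]+:[[:space:]]*#' \
        | grep -v 'mktemp' || true
}

count_tmp_findings() {
    scan_tmp_use "$1" | wc -l | tr -d ' '
}

# make_private_tmp PREFIX: mktemp chooses an unpredictable name and creates the
# file exclusively with mode 0600, so a file or symlink planted beforehand
# under a guessed name is never opened.
make_private_tmp() {
    mktemp "${TMPDIR:-/tmp}/${1:-work}.XXXXXXXXXX"
}

# write_sample FILE: a constructed maintenance script with two weak patterns
# (PID-based name, fixed name) and one line that already uses mktemp.
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
# scratch files used to live in /tmp/report
out=/tmp/report.$$
sort "$1" > $out
grep -v '^#' $out > /tmp/report.sorted
safe=$(mktemp /tmp/report.XXXXXX)
rm -f $out
EOF
}

demo() {
    sample=$(make_private_tmp sample) || return 1
    trap 'rm -f "$sample"' EXIT      # clean up even if the scan is interrupted
    write_sample "$sample"
    scan_tmp_use "$sample"           # reports lines 3 and 5 of the sample
    rm -f "$sample"
    trap - EXIT
}

demo
```

The scan is a text match, so it reports where a guessable path is named, not every later use through a variable; each hit still needs a manual look at how the file is opened.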

