Message-ID: <20041122150335.GA12063@tsunami.trustix.net>
Date: Mon, 22 Nov 2004 16:03:35 +0100
From: Trustix Security Advisor <tsl@...stix.org>
To: bugtraq@...urityfocus.com
Subject: TSLSA-2004-0061 - multi


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2004-0061

Package name:      apache, kernel, sudo
Summary:           Multiple vulnerabilities
Date:              2004-11-19
Affected versions: Trustix Secure Linux 1.5
                   Trustix Secure Linux 2.0
                   Trustix Secure Linux 2.1
                   Trustix Secure Linux 2.2
                   Trustix Operating System - Enterprise Server 2

- --------------------------------------------------------------------------
Package description:
  apache:
  Apache is a full featured web server that is freely available, and also
  happens to be the most widely used.

  kernel:
  The kernel package contains the Linux kernel (vmlinuz), the core of your
  Trustix Secure Linux operating system.  The kernel handles the basic
  functions of the operating system:  memory allocation, process allocation,
  device input and output, etc.

  sudo:
  Sudo (superuser do) allows a system administrator to give certain
  users (or groups of users) the ability to run some (or all) commands
  as root while logging all commands and arguments.

Problem description:
  apache:
  An issue was discovered where the field length limit was not enforced
  for certain malicious requests. This could lead to a remote denial of
  service attack.
  
  The Common Vulnerabilities and Exposures project (cve.mitre.org) has
  assigned the name CAN-2004-0942 to this issue.

  kernel:
  This update fixes a number of errors in the binfmt_elf loader and the
  smbfs filesystem.

  sudo:
  Liam Helmer discovered an input validation flaw in sudo. When the
  standard shell "bash" starts up, it searches the environment for
  variables with a value beginning with "()". For each of these
  variables a function with the same name is created, with the function
  body filled in from the environment variable's value.

  A malicious user with sudo access to a shell script that uses bash can
  use this feature to substitute arbitrary commands for any program the
  script calls without a fully qualified path, because bash resolves a
  function of that name before it searches PATH. This flaw can therefore
  lead to privilege escalation.

  Martin Schulze informed us that our previous sudo update did not fix
  this problem.  This update does.
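  The mechanism above, as an added example (this is not Trustix's or the
  sudo project's code): a small bash toolkit that detects environment
  entries bash would turn into functions, runs a command with them stripped
  (the approach the fixed sudo takes), and probes whether the local bash
  still imports either encoding. It assumes bash and a GNU or BSD env; the
  function names (is_func_def, filter_func_env, run_clean, probe_import)
  and the sample entries are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not code from Trustix or from the sudo project.
# Demonstrates the mechanism in the advisory: bash turns environment
# variables whose value begins with "()" into functions, so an unsanitised
# environment lets a caller shadow any command a script invokes without a
# full path. The helper names below are this example's own assumptions.

# is_func_def NAME VALUE: succeed when the entry would become a function.
# Old bash (the 2004 case) imports any value starting with "()"; bash
# patched after Shellshock only imports names of the form BASH_FUNC_x%%.
is_func_def() {
  case $2 in "()"*) return 0 ;; esac
  case $1 in BASH_FUNC_*) return 0 ;; esac
  return 1
}

# filter_func_env: read NUL-separated NAME=VALUE entries (as printed by
# `env -0`) on stdin and emit only those that are not function definitions.
# NUL separation matters: a function body may span several lines, and a
# line-based filter would pass the body lines through as junk entries.
filter_func_env() {
  local entry
  while IFS= read -r -d '' entry; do
    is_func_def "${entry%%=*}" "${entry#*=}" && continue
    printf '%s\0' "$entry"
  done
}

# run_clean CMD...: execute CMD with an environment rebuilt from scratch,
# keeping only exported variables that pass is_func_def. Starting from
# `env -i` also drops BASH_FUNC_* entries, which bash never exposes as
# shell variables (compgen -e does not list them).
run_clean() {
  local name
  local -a keep=()
  for name in $(compgen -e); do
    is_func_def "$name" "${!name}" && continue
    keep+=("$name=${!name}")
  done
  env -i "${keep[@]}" "$@"
}

# probe_import VARNAME: report whether the bash on this system turns a
# function-looking variable of that name into a real function. The child
# runs the command `true`; if bash imported our definition, the shadowing
# function prints IMPORTED instead of the builtin doing nothing.
probe_import() {
  env "$1=() { echo IMPORTED; }" bash -c 'true' 2>/dev/null
}

# Demo when run directly (skipped when sourced for testing).
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  r=$(probe_import true);               echo "legacy form:  ${r:-not imported}"
  r=$(probe_import 'BASH_FUNC_true%%'); echo "modern form:  ${r:-not imported}"
  # The sudo-style fix: the same command under a scrubbed environment.
  export true='() { echo IMPORTED; }'
  echo "run_clean:    $(run_clean bash -c 'true; type -t true')"
fi
```

  Where a script runs under sudo, the complementary fix on the script side
  is to call programs by absolute path or through `command -p`, since a
  function of the same name wins over a PATH lookup. Bash patched after
  2014 no longer imports plain "()"-prefixed values, so on current systems
  the BASH_FUNC_ check is the one that matters.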

Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All Trustix Secure Linux updates are available from
  <URI:http://http.trustix.org/pub/trustix/updates/>
  <URI:ftp://ftp.trustix.org/pub/trustix/updates/>


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.


Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.org/support/>


Verification:
  This advisory, along with all Trustix packages, is signed with the
  TSL sign key.
  This key is available from:
  <URI:http://www.trustix.org/TSL-SIGN-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.org/errata/trustix-1.5/>,
  <URI:http://www.trustix.org/errata/trustix-2.0/>,
  <URI:http://www.trustix.org/errata/trustix-2.1/> and
  <URI:http://www.trustix.org/errata/trustix-2.2/>
  or directly at
  <URI:http://www.trustix.org/errata/2004/0061/>


MD5sums of the packages:
- --------------------------------------------------------------------------
ce524b7e53155bdc7fe3eab03fafefa2  2.2/rpms/apache-2.0.52-6tr.i586.rpm
5eda96825c747f6483acf3c9efd72a2d  2.2/rpms/apache-dbm-2.0.52-6tr.i586.rpm
7a8b867d8d438109d379f51fb3c17e13  2.2/rpms/apache-devel-2.0.52-6tr.i586.rpm
daa504074b2e919c373a3ef244c2f100  2.2/rpms/apache-html-2.0.52-6tr.i586.rpm
305508a8c57f21263faf14ceca39ee74  2.2/rpms/apache-manual-2.0.52-6tr.i586.rpm
d761ff215de2da048e3b3f2045ab071f  2.2/rpms/kernel-2.4.28-3tr.i586.rpm
265b761928d89bbe3ec0aa203e31fd03  2.2/rpms/kernel-BOOT-2.4.28-3tr.i586.rpm
bd8ec5e45d18018ef90e99af722c19c5  2.2/rpms/kernel-doc-2.4.28-3tr.i586.rpm
1c6c9f1fdeb5b9475670a8d5cf908897  2.2/rpms/kernel-smp-2.4.28-3tr.i586.rpm
34fae5ce921173e41557e8d1a823e126  2.2/rpms/kernel-source-2.4.28-3tr.i586.rpm
5197b26068445c8ab700538aa11e4a16  2.2/rpms/kernel-utils-2.4.28-3tr.i586.rpm
521afaf1f5fe44810291dfb978292443  2.2/rpms/sudo-1.6.8p3-1tr.i586.rpm

981e712485fbe0da396a15e8500c7a78  2.1/rpms/apache-2.0.52-0.2tr.i586.rpm
6d3cb2da219496e1ebdf2c2727d668cb  2.1/rpms/apache-dbm-2.0.52-0.2tr.i586.rpm
fa724ae82b3b03d43754b74b7862717f  2.1/rpms/apache-devel-2.0.52-0.2tr.i586.rpm
8071ac288b4822fec7e7f9b65d8590f6  2.1/rpms/apache-manual-2.0.52-0.2tr.i586.rpm
9c369e1f1eaf12d5e3d1633b2acda03b  2.1/rpms/kernel-2.4.28-0.4tr.i586.rpm
4f0893eec835789ba06cab34e1dd1c3a  2.1/rpms/kernel-BOOT-2.4.28-0.4tr.i586.rpm
11d906fcd5222c4d965e295469642ae2  2.1/rpms/kernel-doc-2.4.28-0.4tr.i586.rpm
621bbac2dae545711a649011af98f216  2.1/rpms/kernel-firewall-2.4.28-0.4tr.i586.rpm
67daf2ac4d2558d57fc3fb9cc0475210  2.1/rpms/kernel-firewallsmp-2.4.28-0.4tr.i586.rpm
e0d05c9e5b7d9098b827dbdbc8274b69  2.1/rpms/kernel-smp-2.4.28-0.4tr.i586.rpm
8fc9d50763e5adffaf5b292d032c366d  2.1/rpms/kernel-source-2.4.28-0.4tr.i586.rpm
980daa4d0a570756f9e3513c47fd5a51  2.1/rpms/kernel-utils-2.4.28-0.4tr.i586.rpm
f22e81752cefab42f0d52a4bb161d158  2.1/rpms/sudo-1.6.8p3-0.2tr.i586.rpm

0a6d4a8e8a69918ecac3ddd30a4783a0  2.0/rpms/apache-2.0.52-0.1tr.i586.rpm
1992909bb152af0dbc7bad156eb340f0  2.0/rpms/apache-devel-2.0.52-0.1tr.i586.rpm
66df56ea916c3d79d1abfae70bd98dec  2.0/rpms/apache-manual-2.0.52-0.1tr.i586.rpm
269e733f7f0fffa27abebe16d744fff0  2.0/rpms/kernel-2.4.28-0.3tr.i586.rpm
78be2e5ba65be262cb782373d4b0575c  2.0/rpms/kernel-BOOT-2.4.28-0.3tr.i586.rpm
a92699864657495dbcb1fe2952cebd4a  2.0/rpms/kernel-doc-2.4.28-0.3tr.i586.rpm
1211c08928a8bc34a7e09ba63133076f  2.0/rpms/kernel-firewall-2.4.28-0.3tr.i586.rpm
21c6d693d0d0a9a858112daf8eaddbae  2.0/rpms/kernel-firewallsmp-2.4.28-0.3tr.i586.rpm
db7b41ff14fdba75814dce2647be42e2  2.0/rpms/kernel-smp-2.4.28-0.3tr.i586.rpm
c27d91c3787381c929df2cdcf6b5a9ad  2.0/rpms/kernel-source-2.4.28-0.3tr.i586.rpm
b9ed35a68f5737247aab5daa54762414  2.0/rpms/kernel-utils-2.4.28-0.3tr.i586.rpm
a37e9ffe21d7ac3ce6583f048c06d8c9  2.0/rpms/sudo-1.6.8p3-0.1tr.i586.rpm

e25882790cc1557fa803355a783107cd  1.5/rpms/sudo-1.6.8p3-0.1tr.i586.rpm
- --------------------------------------------------------------------------
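  The check a practitioner runs against the list above, as an added example
  rather than anything Trustix ships: select the lines for the installed
  release, feed them to `md5sum -c` from the mirror directory, and trust the
  result only after the advisory's PGP signature has been verified, since
  MD5 on its own is not collision resistant and the list is only as
  trustworthy as the signed message carrying it. It assumes GNU coreutils
  and gpg; the file names used in the demo are constructed.

```bash
#!/usr/bin/env bash
# Added example, not Trustix tooling: verify mirrored update packages
# against the MD5 list in the signed advisory. Assumes GNU coreutils
# (md5sum -c --status) and gpg; paths are this example's assumptions.

# verify_advisory_signature ADVISORY: the PGP check that must pass before
# the MD5 list is worth anything (import http://www.trustix.org/TSL-SIGN-KEY
# into the keyring first). Not executed in the demo below.
verify_advisory_signature() {
  gpg --verify "$1"
}

# sums_for_version LISTFILE VERSION: the "md5  path" lines for one release
# (e.g. 2.2), already in the two-space format md5sum -c reads.
sums_for_version() {
  grep -E "^[0-9a-f]{32}  $2/rpms/" "$1"
}

# check_advisory_sums LISTFILE VERSION BASEDIR: check every package listed
# for VERSION under BASEDIR, where VERSION/rpms/... was mirrored. Returns
# 0 only when the list has entries for VERSION and every file is present
# and matches; a missing or altered file fails the check.
check_advisory_sums() {
  local list=$1 ver=$2 base=$3 n
  n=$(sums_for_version "$list" "$ver" | wc -l | tr -d ' ')
  if [ "$n" -eq 0 ]; then
    echo "no entries for release $ver in $list" >&2
    return 2
  fi
  sums_for_version "$list" "$ver" | (cd "$base" && md5sum -c --status)
}

# Demo with a constructed package and list (skipped when sourced).
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  tmp=$(mktemp -d)
  mkdir -p "$tmp/2.2/rpms"
  printf 'constructed package body\n' > "$tmp/2.2/rpms/demo-1.0-1tr.i586.rpm"
  (cd "$tmp" && md5sum 2.2/rpms/demo-1.0-1tr.i586.rpm) > "$tmp/list.txt"
  check_advisory_sums "$tmp/list.txt" 2.2 "$tmp" && echo "2.2 packages match"
  printf 'tampered\n' > "$tmp/2.2/rpms/demo-1.0-1tr.i586.rpm"
  check_advisory_sums "$tmp/list.txt" 2.2 "$tmp" || echo "tampering detected"
  rm -rf "$tmp"
fi
```

  In practice the list file is the advisory text itself: md5sum -c ignores
  lines that are not in checksum format, and sums_for_version narrows it to
  the one release you mirrored so that packages for other releases are not
  reported as missing.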


Trustix Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFBoftwi8CEzsK9IksRAsQCAJ9D2IgrebbmKQ22PH3vxoWTK/vjYACdFfxK
BVUeCjtr8DZ3ep1QqoH7mDM=
=1RcX
-----END PGP SIGNATURE-----

