lists.openwall.net - Open Source and information security mailing list archives
Date: Mon, 5 Jun 2006 08:21:50 +0200
From: Trustix Security Advisor <tsl@...stix.org>
To: bugtraq@...urityfocus.com
Subject: TSLSA-2006-0032 - multi


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2006-0032

Package names:	   kernel, postgresql
Summary:           Multiple vulnerabilities
Date:              2006-06-05
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Operating System - Enterprise Server 2

- --------------------------------------------------------------------------
Package description:
  kernel
  The kernel package contains the Linux kernel (vmlinuz), the core of your
  Trustix Secure Linux operating system.  The kernel handles the basic
  functions of the operating system: memory allocation, process allocation,
  device input and output, etc.

  postgresql 
  PostgreSQL is an advanced Object-Relational database management system
  (DBMS) that supports almost all SQL constructs (including transactions,
  subselects and user-defined types and functions). The postgresql package
  includes the client programs and libraries that you'll need to access a
  PostgreSQL DBMS server. These PostgreSQL client programs are programs
  that directly manipulate the internal structure of PostgreSQL databases
  on a PostgreSQL server. These client programs can be located on the same
  machine with the PostgreSQL server, or may be on a remote machine which
  accesses a PostgreSQL server over a network connection. This package 
  contains the docs in HTML for the whole package, as well as command-line
  utilities for managing PostgreSQL databases on a PostgreSQL server.

Problem description:
  kernel < TSL 3.0 >
  - New Upstream.
  - SECURITY Fix: Pavel Kankovsky discovered that the getsockopt()
    function, when called with an SO_ORIGINAL_DST argument, does not
    properly clear the returned structure, so that a random piece of
    kernel memory is exposed to the user. This could potentially
    reveal sensitive data like passwords or encryption keys.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2006-1343 to this issue.

  postgresql < TSL 3.0 > < TSL 2.2 > < TSEL 2 > 
  - New Upstream.
  - SECURITY Fix: Akio Ishida and Yasuo Ohgaki have reported vulnerabilities
    in PostgreSQL, which potentially can be exploited by malicious people
    to conduct SQL injection attacks.
  - The first issue is due to an input validation error when handling a
    parameter containing invalidly-encoded multibyte characters, which
    could be exploited by malicious people to bypass standard string-escaping
    methods and conduct SQL injection attacks via a supposedly secure script.
  - The second issue is due to an error when escaping ASCII single quote "'"
    characters (by turning them into "\'") and operating in multibyte
    encodings that allow using the "0x5c" ASCII code (backslash) as the
    trailing byte of a multibyte character, which could be exploited by
    attackers to inject arbitrary SQL queries.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the names CVE-2006-2313 and CVE-2006-2314 to these issues. 
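    The escaping failure the two PostgreSQL items above describe, shown
    as an added example (not Trustix's or PostgreSQL's code). It uses
    Shift_JIS, an encoding whose two-byte characters may end in 0x5c, a
    simplified model of a pre-fix server's string scanner, and two
    constructed inputs; the weak escaper is assumed to escape backslashes
    as well as quotes, as encoding-unaware routines of that kind do.

```python
# Added example (not Trustix or PostgreSQL code). It models the two PostgreSQL
# issues above with Shift_JIS, an encoding whose two-byte characters may end in
# 0x5c (backslash): "表" is 0x95 0x5c. The server-side scanner is a simplified
# model of a pre-fix server: it takes the character length from the lead byte
# alone and does not reject invalid input.

SJIS_LEAD_RANGES = (range(0x81, 0xA0), range(0xE0, 0xFD))


def is_sjis_lead(b: int) -> bool:
    """True if byte b starts a two-byte Shift_JIS character."""
    return any(b in r for r in SJIS_LEAD_RANGES)


def literal_end(sql: bytes, start: int) -> int:
    """Index of the quote closing the single-quoted literal that opens at
    sql[start]. A lead byte swallows the next byte, a backslash swallows the
    next byte, and a doubled quote ('') stays inside the literal."""
    if sql[start] != 0x27:
        raise ValueError("no literal at start")
    i = start + 1
    while i < len(sql):
        b = sql[i]
        if is_sjis_lead(b) or b == 0x5C:
            i += 2          # two-byte character, or backslash escape
        elif b == 0x27 and i + 1 < len(sql) and sql[i + 1] == 0x27:
            i += 2          # '' inside the literal
        elif b == 0x27:
            return i        # closing quote
        else:
            i += 1
    raise ValueError("unterminated literal")


def bytes_outside_literal(quoted: bytes) -> bytes:
    """Everything after the closing quote of a literal that starts at byte 0.
    Non-empty output means the untrusted value broke out of the literal."""
    return quoted[literal_end(quoted, 0) + 1:]


def escape_backslash(value: bytes) -> bytes:
    """Weak form from the advisory: ' becomes \\'. Encoding-unaware routines of
    this kind also escape the backslash itself (assumed here, as in addslashes)."""
    return value.replace(b"\\", b"\\\\").replace(b"'", b"\\'")


def escape_doubled(value: bytes) -> bytes:
    """SQL-standard form: ' becomes ''. Inserts no byte that can act as the
    trailing byte of a multibyte character."""
    return value.replace(b"'", b"''")


def is_valid_sjis(value: bytes) -> bool:
    """Strict encoding check: the first fix, rejecting invalid multibyte input."""
    try:
        value.decode("shift_jis")
        return True
    except UnicodeDecodeError:
        return False


def quote_literal_safe(value: bytes) -> bytes:
    """Both fixes together: validate the encoding, then escape with ''."""
    if not is_valid_sjis(value):
        raise ValueError("not valid Shift_JIS; refusing to build the literal")
    return b"'" + escape_doubled(value) + b"'"


# Constructed inputs. VALID_INPUT is well-formed Shift_JIS and contains a
# character whose trailing byte is 0x5c; INVALID_INPUT is a lone lead byte
# followed directly by a quote, which no strict decoder accepts.
VALID_INPUT = "表' tail".encode("shift_jis")      # 95 5c 27 20 74 61 69 6c
INVALID_INPUT = b"\x95' tail"                      # 95 27 20 74 61 69 6c


def demo() -> dict:
    out = {}
    # \'-escaping doubles the 0x5c trailing byte, so the scanner sees
    # "表", an escaped backslash, and then a bare quote that ends the literal.
    out["weak_valid_leaks"] = bytes_outside_literal(
        b"'" + escape_backslash(VALID_INPUT) + b"'")
    # ''-escaping keeps valid input inside the literal.
    out["doubled_valid_leaks"] = bytes_outside_literal(
        b"'" + escape_doubled(VALID_INPUT) + b"'")
    # ''-escaping alone is still beaten by invalid input on a tolerant scanner:
    # the lone lead byte swallows the first quote of the pair.
    out["doubled_invalid_leaks"] = bytes_outside_literal(
        b"'" + escape_doubled(INVALID_INPUT) + b"'")
    # Hence the first fix: invalid input must be rejected before escaping.
    try:
        quote_literal_safe(INVALID_INPUT)
        out["safe_rejects_invalid"] = False
    except ValueError:
        out["safe_rejects_invalid"] = True
    out["safe_valid_leaks"] = bytes_outside_literal(quote_literal_safe(VALID_INPUT))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

    The point of the two results is that neither fix suffices alone:
    doubling the quote closes the hole for well-formed input, and strict
    rejection of invalidly encoded input is needed for a truncated
    multibyte character, which is why the upstream fix does both.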

Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All Trustix Secure Linux updates are available from
  <URI:http://http.trustix.org/pub/trustix/updates/>
  <URI:ftp://ftp.trustix.org/pub/trustix/updates/>


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.


Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.org/support/>


Verification:
  This advisory along with all Trustix packages are signed with the
  TSL sign key.
  This key is available from:
  <URI:http://www.trustix.org/TSL-SIGN-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.org/errata/trustix-2.2/> and
  <URI:http://www.trustix.org/errata/trustix-3.0/>
  or directly at
  <URI:http://www.trustix.org/errata/2006/0032/>


MD5sums of the packages:
- --------------------------------------------------------------------------
121d183196f68f2cf0103f3633bb20c6  3.0/rpms/kernel-2.6.16.19-1tr.i586.rpm
9ed54909e98391d7b186a82faf51bd60  3.0/rpms/kernel-doc-2.6.16.19-1tr.i586.rpm
9d4639a8e76244bbe32418e09a714173  3.0/rpms/kernel-headers-2.6.16.19-1tr.i586.rpm
fc5fbb21717f9aae313837d25f30a1e2  3.0/rpms/kernel-smp-2.6.16.19-1tr.i586.rpm
7b05468af17a0f85c0f00491acba4b29  3.0/rpms/kernel-smp-headers-2.6.16.19-1tr.i586.rpm
91ee589decd8b3a59ed3d2bcdb92679e  3.0/rpms/kernel-source-2.6.16.19-1tr.i586.rpm
c4cb02088d94c56a1b651f35a282af38  3.0/rpms/kernel-utils-2.6.16.19-1tr.i586.rpm
e17cebe683877da8bf30eb623dc253b9  3.0/rpms/postgresql-8.0.8-1tr.i586.rpm
950f2cb976a8ff0dd2c6d70256133d9c  3.0/rpms/postgresql-contrib-8.0.8-1tr.i586.rpm
a50d9d2df08b4e7ac72c6478a2a43618  3.0/rpms/postgresql-devel-8.0.8-1tr.i586.rpm
7d2cc5c1426db73d740e87dd93b4e760  3.0/rpms/postgresql-docs-8.0.8-1tr.i586.rpm
227dade49aeb6e0abe404ef576a4f583  3.0/rpms/postgresql-libs-8.0.8-1tr.i586.rpm
b4036f0a5450324187ed2f60523a40ee  3.0/rpms/postgresql-plperl-8.0.8-1tr.i586.rpm
dba05d0337f9e58669fd32fbf649cc0d  3.0/rpms/postgresql-python-8.0.8-1tr.i586.rpm
137ddd05f7dab3132621a8692dc7972d  3.0/rpms/postgresql-server-8.0.8-1tr.i586.rpm
b26364b4ce735d71a8270546abe120f3  3.0/rpms/postgresql-test-8.0.8-1tr.i586.rpm

0b1e0479135bed99d63897eacd2a78f0  2.2/rpms/postgresql-8.0.8-1tr.i586.rpm
843397887082044cde3a5854a65f392e  2.2/rpms/postgresql-contrib-8.0.8-1tr.i586.rpm
74e6e516a27734fa9547abe30d78b26c  2.2/rpms/postgresql-devel-8.0.8-1tr.i586.rpm
6b63e60bdc3617150a3f579dd660d20e  2.2/rpms/postgresql-docs-8.0.8-1tr.i586.rpm
2abc3b93aea9a0f83484e44b5cb0b50e  2.2/rpms/postgresql-libs-8.0.8-1tr.i586.rpm
49d10191fca0468cf1c05125e5b9b9fb  2.2/rpms/postgresql-plperl-8.0.8-1tr.i586.rpm
efe2ca04380d377e4c5a5b76e6e469ad  2.2/rpms/postgresql-python-8.0.8-1tr.i586.rpm
a9a537c752b145d160859ba950666562  2.2/rpms/postgresql-server-8.0.8-1tr.i586.rpm
7a434f65a08759a9d834cd28e86e14ca  2.2/rpms/postgresql-test-8.0.8-1tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEg8QEi8CEzsK9IksRAl/rAKCRzNCw8qN8d68AtCoME7IZvyL5XwCfci9t
npimE11TaUGrBkojgxjSv0Y=
=GZFm
-----END PGP SIGNATURE-----

