Message-ID: <20060623121438.GA24662@tsunami.trustix.net>
Date: Fri, 23 Jun 2006 14:14:38 +0200
From: Trustix Security Advisor <tsl@...stix.org>
To: bugtraq@...urityfocus.com
Subject: TSLSA-2006-0037 - multi


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2006-0037

Package names:     kernel, netpbm
Summary:           Multiple vulnerabilities
Date:              2006-06-23
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0

- --------------------------------------------------------------------------
Package description:
  kernel
  The kernel package contains the Linux kernel (vmlinuz), the core of your
  Trustix Secure Linux operating system.  The kernel handles the basic
  functions of the operating system:  memory allocation, process 
  allocation, device input and output, etc.

  netpbm
  The netpbm package contains a library of functions which support
  programs for handling various graphics file formats, including .pbm
  (portable bitmaps), .pgm (portable graymaps), .pnm (portable anymaps),
  .ppm (portable pixmaps) and others.

Problem description:
  kernel < TSL 3.0 > 
  - New upstream.
  - Module qlogicfc successfully replaced with qla2xxx.
  - Added scsi_transport_spi to initrd module list.
  - SECURITY FIX: A race condition in "posix-cpu-timers.c", which does
    not prevent another CPU from attaching the timer to an exiting
    process, could be exploited by attackers to cause a denial of
    service.
  - Flaw due to errors in "powerpc/kernel/signal_32.c" and
    "powerpc/kernel/signal_32.c", which could allow userspace to
    provoke a machine check on 32-bit kernels.
  - An infinite loop in "netfilter/xt_sctp.c", which could be exploited
    by attackers to exhaust all available memory resources, creating
    a denial of service condition.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2006-2445, CVE-2006-2448 and
    CVE-2006-3085 to these issues.

  netpbm < TSL 3.0 > < TSL 2.2 >
  - SECURITY FIX: A vulnerability has been reported in NetPBM, caused by
    an off-by-one boundary error within "pamtofits". This can be
    exploited to cause a single-byte buffer overflow when processing
    a specially crafted input file.

Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All Trustix Secure Linux updates are available from
  <URI:http://http.trustix.org/pub/trustix/updates/>
  <URI:ftp://ftp.trustix.org/pub/trustix/updates/>


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.


Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.org/support/>


Verification:
  This advisory, along with all Trustix packages, is signed with the
  TSL sign key.
  This key is available from:
  <URI:http://www.trustix.org/TSL-SIGN-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.org/errata/trustix-2.2/> and
  <URI:http://www.trustix.org/errata/trustix-3.0/>
  or directly at
  <URI:http://www.trustix.org/errata/2006/0037/>


MD5sums of the packages:
- --------------------------------------------------------------------------
ae7e3694eba27ec7af20bfadc1638315  3.0/rpms/kernel-2.6.17.1-1tr.i586.rpm
cfbc555e5e86ba415ab094e974f2b6f2  3.0/rpms/kernel-doc-2.6.17.1-1tr.i586.rpm
c1423efc2597311d2b3b1a8ee38ab290  3.0/rpms/kernel-headers-2.6.17.1-1tr.i586.rpm
6ec505e5241a5eb46ff8b543a414c581  3.0/rpms/kernel-smp-2.6.17.1-1tr.i586.rpm
d49930ce1311746c267597ac746307d8  3.0/rpms/kernel-smp-headers-2.6.17.1-1tr.i586.rpm
02e00fa5331718396926d0a3731dfe38  3.0/rpms/kernel-source-2.6.17.1-1tr.i586.rpm
f41bb3d37a2c4aa544f1f6e4febaccbe  3.0/rpms/kernel-utils-2.6.17.1-1tr.i586.rpm
50b0ae6413722d2a1bdae33351681f91  3.0/rpms/netpbm-10.30-2tr.i586.rpm
3920883cc71f6cb001fc6af104ccc683  3.0/rpms/netpbm-devel-10.30-2tr.i586.rpm
4a18575d3cec2782273cdfd273d83cc7  3.0/rpms/netpbm-progs-10.30-2tr.i586.rpm

005b2a0731b52605636428d177347f89  2.2/rpms/netpbm-10.30-2tr.i586.rpm
f8f08954e91ea373d461baf65b0a85d1  2.2/rpms/netpbm-devel-10.30-2tr.i586.rpm
ac86b308ccf229ee6715619b38b07fac  2.2/rpms/netpbm-progs-10.30-2tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEm9gei8CEzsK9IksRAgXJAKCVD4qbnQLqeHaWorWTfbxcYB2OOgCghASq
1Ke12Cjkrp5R5OeqqkS/W9M=
=e1Sg
-----END PGP SIGNATURE-----

