lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20061115084854.GA17382@tsunami.trustix.net>
Date: Wed, 15 Nov 2006 08:48:54 +0000
From: Trustix Security Advisor <tsl@...stix.org>
To: bugtraq@...urityfocus.com
Subject: TSLSA-2006-0063 - multi

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2006-0063

Package names:	   bind, openssh, rpm, texinfo
Summary:           Multiple vulnerabilities
Date:              2006-11-15
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Operating System - Enterprise Server 2

- --------------------------------------------------------------------------
Package description:
  bind
  BIND (Berkeley Internet Name Domain) is an implementation of the DNS
  (Domain Name System) protocols. BIND includes a DNS server (named),
  which resolves host names to IP addresses, and a resolver library
  (routines for applications to use when interfacing with DNS). A DNS
  server allows clients to name resources or objects and share the
  information with other network machines. The named DNS server can be
  used on workstations as a caching name server, but is generally only
  needed on one machine for an entire network.

  openssh
  Ssh (Secure Shell) a program for logging into a remote machine and for
  executing commands in a remote machine. It is intended to replace
  rlogin and rsh, and provide secure encrypted communications between
  two untrusted hosts over an insecure network. X11 connections and
  arbitrary TCP/IP ports can also be forwarded over the secure channel.
  OpenSSH is OpenBSD's rework of the last free version of SSH, bringing
  it up to date in terms of security and features, as well as removing
  all patented algorithms to seperate libraries (OpenSSL).

  rpm
  The RPM Package Manager is a powerful command line driven package
  management system capable of installing, uninstalling, verifying,
  querying, and updating software packages. Each software package
  consists of an archive of files along with information about the
  package like its version, a description, etc.

  texinfo
  Texinfo is a documentation system that can produce both online
  information and printed output from a single source file. Normally,
  you'd have to write two separate documents: one for online help or
  other online information and the other for a typeset manual or other
  printed work. Using Texinfo, you only need to write one source
  document. Then when the work needs revision, you only have to revise
  one source document. The GNU Project uses the Texinfo file format
  for most of its documentation.

Problem description:
  bind  < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - New Upstream.
  - SECURITY Fix: Raise the minimum safe OpenSSL versions to OpenSSL
    0.9.7l and OpenSSL 0.9.8d. Versions prior to these have known
    security flaws which are exploitable in named. [RT #16391]
  - Change the default RSA exponent from 3 to 65537.

  openssh < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - New upstream.
  - SECURITY Fix: A weakness has been reported in OpenSSH, which
    can be exploited by malicious people to bypass certain security
    restrictions. The weakness is caused due to an error within the
    privilege separation monitor, which may weaken the authentication
    process (SA22771).
 
  rpm < TSL 3.0 >
  - SECURITY Fix: A vulnerability has been reported in RPM, caused due
    to a boundary error when processing certain RPM packages. This can
    be exploited to cause a heap-based buffer overflow by e.g. tricking
    a user into querying a specially crafted RPM package.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2006-5466 to this issue.

  texinfo < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - SECURITY Fix: Buffer overflow in the texi2dvi and texindex commands
    allows local users to execute arbitrary code via a crafted Texinfo 
    file.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2006-4810 to this issue.

Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All Trustix Secure Linux updates are available from
  <URI:http://http.trustix.org/pub/trustix/updates/>
  <URI:ftp://ftp.trustix.org/pub/trustix/updates/>


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.


Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.org/support/>


Verification:
  This advisory along with all Trustix packages are signed with the
  TSL sign key.
  This key is available from:
  <URI:http://www.trustix.org/TSL-SIGN-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.org/errata/trustix-2.2/> and
  <URI:http://www.trustix.org/errata/trustix-3.0/>
  or directly at
  <URI:http://www.trustix.org/errata/2006/0063/>


MD5sums of the packages:
- --------------------------------------------------------------------------
411d41d5b1aca5e654bcd4f7069641cd  3.0/rpms/bind-9.3.2-5tr.i586.rpm
c953e58b0a7c6069a0042ac147197404  3.0/rpms/bind-devel-9.3.2-5tr.i586.rpm
f2cd09a1b89d0ad77a66433a079e036f  3.0/rpms/bind-libs-9.3.2-5tr.i586.rpm
5ac959e3dc072dde6454fd4468e4aa86  3.0/rpms/bind-light-9.3.2-5tr.i586.rpm
7be40d44718f02d019455030a91b7d94  3.0/rpms/bind-light-devel-9.3.2-5tr.i586.rpm
762277c7685bbcf73a82895d11b0b875  3.0/rpms/bind-utils-9.3.2-5tr.i586.rpm
a31460377f74c37ef59e6866d8ad3965  3.0/rpms/openssh-4.5p1-1tr.i586.rpm
51bdca2164f24ea13dc30fa376f94ded  3.0/rpms/openssh-clients-4.5p1-1tr.i586.rpm
b7e24c9e1563205973dea2e20606be62  3.0/rpms/openssh-server-4.5p1-1tr.i586.rpm
183a62996c6cccac693babea153b9392  3.0/rpms/openssh-server-config-4.5p1-1tr.i586.rpm
41cfd916a66e9a71fc5f8d2bccd1b0b3  3.0/rpms/rpm-4.3.2-17tr.i586.rpm
205fdcdfd07dc3e0216eb2cbd2a66165  3.0/rpms/rpm-build-4.3.2-17tr.i586.rpm
073b02bab62058bbdd9a6ea72f71ab59  3.0/rpms/rpm-devel-4.3.2-17tr.i586.rpm
81cf14d0a7d95f3d1487541f5750a9c9  3.0/rpms/rpm-python-4.3.2-17tr.i586.rpm
0603399ce542603ba7f5a197a763dc3d  3.0/rpms/texinfo-4.8-6tr.i586.rpm

1d4dcde48a5a1fe2ab19495e6e808b5f  2.2/rpms/bind-9.3.2-5tr.i586.rpm
bfffb44bef5aa6c2971095319d3b7a9b  2.2/rpms/bind-devel-9.3.2-5tr.i586.rpm
26374574a61e0d51682e23bf56f9239e  2.2/rpms/bind-libs-9.3.2-5tr.i586.rpm
82dc44bb35d9462ac56c0d921374b0be  2.2/rpms/bind-light-9.3.2-5tr.i586.rpm
d8076c50fda7594808523e417a234544  2.2/rpms/bind-light-devel-9.3.2-5tr.i586.rpm
5001689ab4ed15e5d636a4c1d851792d  2.2/rpms/bind-utils-9.3.2-5tr.i586.rpm
9ca9e32b1a1f51d9656fb9b156ff5085  2.2/rpms/openssh-4.5p1-1tr.i586.rpm
0c8462b001eee4c24c57038f18d04638  2.2/rpms/openssh-clients-4.5p1-1tr.i586.rpm
89ac4db62996c6641dfe27897270d719  2.2/rpms/openssh-server-4.5p1-1tr.i586.rpm
061da2194491d15e15c6c72f035b4800  2.2/rpms/openssh-server-config-4.5p1-1tr.i586.rpm
2d82898ad50f90d26dd2c33460eeb80d  2.2/rpms/texinfo-4.8-1tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFFWtFMi8CEzsK9IksRAvS4AJ0SmA4fyUuojQP1ntmopdW/RDRcyQCgpUhC
HrxeCDQJVs1yGubEz3ZzBmw=
=ssBH
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ