lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070119151732.GA31015@tsunami.trustix.net>
Date: Fri, 19 Jan 2007 15:17:32 +0000
From: Trustix Security Advisor <tsl@...stix.org>
To: bugtraq@...urityfocus.com
Subject: TSLSA-2007-0003 - multi

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2007-0003

Package names:	   bzip2, kerberos5, squid, wget, xorg-x11
Summary:           Multiple vulnerabilities
Date:              2007-01-19
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Operating System - Enterprise Server 2

- --------------------------------------------------------------------------
Package description:
  bzip2
  Bzip2 is a freely available, patent-free, high quality data compressor.
  Bzip2 compresses files to within 10 to 15 percent of the capabilities
  of the best techniques available.  However, bzip2 has the added benefit
  of being approximately two times faster at compression and six times
  faster at decompression than those techniques. Bzip2 is not the fastest
  compression utility, but it does strike a balance between speed and
  compression capability.

  kerberos5
  (MIT) Kerberos is a network authentication protocol. It is designed to
  provide strong authentication for client/server applications by using
  secret-key cryptography.  A free implementation of this protocol is
  available from the Massachusetts Institute of Technology. Kerberos is
  available in many commercial products as well.

  squid
  Squid is a high-performance proxy caching server for Web clients,
  supporting FTP, gopher, and HTTP data objects. Unlike traditional
  caching software, Squid handles all requests in a single,non-blocking,
  I/O-driven process. Squid keeps meta data and especially hot objects
  cached in RAM, caches DNS lookups, supports non-blocking DNS lookups,
  and implements negative caching of failed requests.

  wget
  GNU Wget is a file retrieval utility which can use either the HTTP or
  FTP protocols. Wget features include the ability to work in the
  background while you're logged out, recursive retrieval of directories,
  file name wildcard matching, remote file timestamp storage and
  comparison, use of Rest with FTP servers and Range with HTTP servers
  to retrieve files over slow or unstable connections, support for Proxy
  servers, and configurability.

  xorg-x11
  X.org X11 is an open source implementation of the X Window System. It
  provides the basic low level functionality which full fledged graphical
  user interfaces (GUIs) such as GNOME and KDE are designed upon.
 
Problem description:
  bzip2 < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - SECURITY Fix: Fixes a race condition which allows local users to
    modify permissions of arbitrary files via a hard link attack on a
    file while it is being decompressed, whose permissions are changed
    by bzip2 after the decompression is complete.
                                                                                                                           
    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CAN-2005-0953 to this issue.

  kerberos5 < TSL 3.0 >
  - SECURITY Fix: The RPC library used in Kerberos administration daemon
    (kadmind) and other products that use this library, calls an
    uninitialized function pointer in freed memory, which allows remote
    attackers to cause a denial of service (crash) and possibly execute
    arbitrary code via unspecified vectors.
                                                                                                                           
    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2006-6143 to this issue.

  squid < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - SECURITY Fix: An error in handling of certain FTP URL requests can
    be exploited to crash Squid by visiting a specially crafted FTP URL
    via the proxy.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2007-0247 to this issue.

  wget < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - SECURITY Fix: The ftp_syst function in ftp-basic.c allows remote
    attackers to cause a denial of service (application crash) via a
    malicious FTP server with a large number of blank 220 responses
    to the SYST command.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2006-6719 to this issue.

  xorg-x11 < TSL 3.0 >
  - SECURITY Fix: Sean Larsson has reported some vulnerabilities in
    X.Org X11, caused due to input validation errors within the
    "ProcRenderAddGlyphs()" function of the "Renderer" extension and
    the "ProcDbeGetVisualInfo()" and "ProcDbeSwapBuffers()" functions
    of the "DBE" extension. This can be exploited to cause a memory
    corruption by sending specially crafted X requests to the X server.

    The Common Vulnerabilities and Exposures project has assigned the
    names CVE-2006-6101, CVE-2006-6102 and CVE-2006-6103 to these issues.

Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All Trustix Secure Linux updates are available from
  <URI:http://http.trustix.org/pub/trustix/updates/>
  <URI:ftp://ftp.trustix.org/pub/trustix/updates/>


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.


Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.org/support/>


Verification:
  This advisory along with all Trustix packages are signed with the
  TSL sign key.
  This key is available from:
  <URI:http://www.trustix.org/TSL-SIGN-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.org/errata/trustix-2.2/> and
  <URI:http://www.trustix.org/errata/trustix-3.0/>
  or directly at
  <URI:http://www.trustix.org/errata/2007/0003/>


MD5sums of the packages:
- --------------------------------------------------------------------------
fe7ecb95a9a6f6d416dd094392c949a3  3.0/rpms/bzip2-1.0.3-5tr.i586.rpm
4ca273ff50829042fc05af99e77043a4  3.0/rpms/bzip2-devel-1.0.3-5tr.i586.rpm
1120e40b652adcaf0904ba6468135a04  3.0/rpms/bzip2-libs-1.0.3-5tr.i586.rpm
399892b75bdb07266d9875b5732e8b11  3.0/rpms/kerberos5-1.4.1-7tr.i586.rpm
0e71777994740c7442c02b44ebd2f92f  3.0/rpms/kerberos5-devel-1.4.1-7tr.i586.rpm
5908022e3f1af696a9f4dfc8fab96374  3.0/rpms/kerberos5-libs-1.4.1-7tr.i586.rpm
5bafb3a10443f4db613adb6e5a387043  3.0/rpms/squid-2.5.STABLE14-1tr.i586.rpm
ff34dd1e35b711058b1c49a0922159a4  3.0/rpms/wget-1.10.2-3tr.i586.rpm
d9c827e23c22b1959559f03b9bcfa029  3.0/rpms/xorg-x11-6.8.2-13tr.i586.rpm
08501e3d6af75b7f0667f15dd5b91699  3.0/rpms/xorg-x11-devel-6.8.2-13tr.i586.rpm
3b5046737825c5d5bf2040a2d82d342b  3.0/rpms/xorg-x11-doc-6.8.2-13tr.i586.rpm
4f2b3e7920bc8323c626f095a4c83e5d  3.0/rpms/xorg-x11-fonts-100dpi-6.8.2-13tr.i586.rpm
9b4acaf57db6ce286a79b2f7c9a7733c  3.0/rpms/xorg-x11-fonts-6.8.2-13tr.i586.rpm
09436523f4bd9bf89a76cf6d57451d8f  3.0/rpms/xorg-x11-fonts-75dpi-6.8.2-13tr.i586.rpm
fcb9cbb97a1d6c72bc562be5ada529af  3.0/rpms/xorg-x11-fonts-cid-6.8.2-13tr.i586.rpm
14e4cac1b9e73f4f41904aceedd04263  3.0/rpms/xorg-x11-fonts-cyrillic-6.8.2-13tr.i586.rpm
d83fbb25db379888e9d9f5b58a9c31dd  3.0/rpms/xorg-x11-fonts-otf-6.8.2-13tr.i586.rpm
d15b6873d14f3e48dc0c1a78e2132307  3.0/rpms/xorg-x11-fonts-speedo-6.8.2-13tr.i586.rpm
aa9f70e561a0c1526fa5b1e6282f978b  3.0/rpms/xorg-x11-fonts-ttf-6.8.2-13tr.i586.rpm
685eeccb0d6b5d9cad0f8b1b9e1b436b  3.0/rpms/xorg-x11-fonts-type1-6.8.2-13tr.i586.rpm
d3c5bd8804263fa76a56275f806f9d7e  3.0/rpms/xorg-x11-libs-6.8.2-13tr.i586.rpm
912762ff505961c45976bad623bd6533  3.0/rpms/xorg-x11-sdk-6.8.2-13tr.i586.rpm

273b5eeaf4deb1bdd48727e3ba54440b  2.2/rpms/bzip2-1.0.3-4tr.i586.rpm
75b9d8dd81a0f629b0536bb5bd75a707  2.2/rpms/bzip2-devel-1.0.3-4tr.i586.rpm
2c5abc363e957263d3d658f565048d81  2.2/rpms/bzip2-libs-1.0.3-4tr.i586.rpm
8d1e074fe8e3964eb74811304d6e1eb4  2.2/rpms/squid-2.5.STABLE14-2tr.i586.rpm
d8a38ee2fc6ccd5fdeb9d9a19d0fc431  2.2/rpms/wget-1.10.2-2tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFFsNjKi8CEzsK9IksRAlAAAJ4sngnGndQEYE8f//MTwBB8qtDwlwCgte0B
cweWPOKhaJuQld3TPuZXEDs=
=rsgv
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ