lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070205082257.GA15999@tsunami.trustix.net>
Date: Mon, 5 Feb 2007 08:22:57 +0000
From: Trustix Security Advisor <tsl@...stix.org>
To: bugtraq@...urityfocus.com
Subject: TSLSA-2007-0005 - multi

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2007-0005

Package names:	   bind, ed, elinks
Summary:           Multiple vulnerabilities
Date:              2007-02-05
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Operating System - Enterprise Server 2

- --------------------------------------------------------------------------
Package description:
  bind
  BIND (Berkeley Internet Name Domain) is an implementation of the DNS
  (Domain Name System) protocols. BIND includes a DNS server (named),
  which resolves host names to IP addresses, and a resolver library
  (routines for applications to use when interfacing with DNS).  A DNS
  server allows clients to name resources or objects and share the
  information with other network machines.  The named DNS server can be
  used on workstations as a caching name server, but is generally only
  needed on one machine for an entire network.

  ed
  Ed is a line-oriented text editor, used to create, display, and modify
  text files (both interactively and via shell scripts). For most
  purposes, ed has been replaced in normal usage by full-screen editors
  (emacs and vi, for example).

  elinks
  ELinks is a program for browsing the web in text mode. It provide a
  feature-rich text mode browser with an open patches/features inclusion
  policy and active development. One of these features is that ELinks
  includes Links-Lua which adds scripting capabilities to ELinks.

Problem description:
  bind < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - New Upstream.
  - SECURITY Fix: Some vulnerabilities have been reported in ISC BIND,
    which can be exploited by malicious people to cause a DoS. An
    unspecified error may cause the named daemon to dereference a
    freed fetch context.
  - Another vulnerability in ISC BIND allows remote attackers to cause
    a denial of service (exit) via a type * (ANY) DNS query response
    that contains multiple RRsets, which triggers an assertion error,
    aka the "DNSSEC Validation" vulnerability.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the names CVE-2007-0493 and CVE-2007-0494 to these issues.

  ed < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - New upstream.
  - SECURITY FIX: A vulnerability has been identified in the 
    "open_sbuf()" [buf.c] function that handles temporary files in an
    insecure manner, which could allow malicious users to conduct
    symlink attacks and create or overwrite arbitrary files with the
    privileges of the user invoking the vulnerable application.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2006-6939 to this issue.

  elinks < TSL 3.0 >
  - New upstream.
  - SECURITY Fix: Teemu Salmela has discovered a vulnerability, which
    is caused due to an error in the validation of "smb://" URLs when
    Links runs smbclient commands. This can be exploited to download
    and overwrite local files or upload local files to an SMB share
    by injecting smbclient commands in the "smb://" URL.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2006-5925 to this issue.

Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All Trustix Secure Linux updates are available from
  <URI:http://http.trustix.org/pub/trustix/updates/>
  <URI:ftp://ftp.trustix.org/pub/trustix/updates/>


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.


Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.org/support/>


Verification:
  This advisory along with all Trustix packages are signed with the
  TSL sign key.
  This key is available from:
  <URI:http://www.trustix.org/TSL-SIGN-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.org/errata/trustix-2.2/> and
  <URI:http://www.trustix.org/errata/trustix-3.0/>
  or directly at
  <URI:http://www.trustix.org/errata/2007/0005/>


MD5sums of the packages:
- --------------------------------------------------------------------------
3112dfc593ecb6394aeb7fb4867e4e30  3.0/rpms/bind-9.3.4-1tr.i586.rpm
8cc8c0d73f9b1457cda994fd82a52b87  3.0/rpms/bind-devel-9.3.4-1tr.i586.rpm
75c261426a6d4e77b45c98eacfacddfb  3.0/rpms/bind-libs-9.3.4-1tr.i586.rpm
87e5993a7e5b045958b9a78e104c736f  3.0/rpms/bind-light-9.3.4-1tr.i586.rpm
f0fc46061ecd0740470b4503d0c7a065  3.0/rpms/bind-light-devel-9.3.4-1tr.i586.rpm
a61e7ad79cd98d3bb31d91a6d455dff1  3.0/rpms/bind-utils-9.3.4-1tr.i586.rpm
d0eafdde540e1328041ac0e89efad7e7  3.0/rpms/ed-0.4-1tr.i586.rpm
8f4d1769a53918324b04534f67e3b5d7  3.0/rpms/elinks-0.11.2-1tr.i586.rpm

0fc22c7b4599c72184e3bd9e0a0aaa8c  2.2/rpms/bind-9.3.4-1tr.i586.rpm
cf5e701cffa3feb11f12c0f274d67d6c  2.2/rpms/bind-devel-9.3.4-1tr.i586.rpm
2d6d1c3b345a593a23266effdd613076  2.2/rpms/bind-libs-9.3.4-1tr.i586.rpm
8d549fba3a2aa68d555e45edb7bdf102  2.2/rpms/bind-light-9.3.4-1tr.i586.rpm
bbf737edf58f73089f5dc00a37f823f9  2.2/rpms/bind-light-devel-9.3.4-1tr.i586.rpm
89f3cd943fd8f183bcc0adedace27451  2.2/rpms/bind-utils-9.3.4-1tr.i586.rpm
18b1ada8a24e8670cb40ac282e531c4a  2.2/rpms/ed-0.4-1tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFFxuZni8CEzsK9IksRAu8EAJ4+0Nrd7rnGh5XhMAPrHcEcWuFhAACfeyb/
TaacJQ18NUY1H10niVwO1jw=
=F39l
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ