Message-ID: <20070420152003.GA32194@tsunami.trustix.net>
Date: Fri, 20 Apr 2007 16:20:03 +0100
From: Trustix Security Advisor <tsl@...stix.org>
To: bugtraq@...urityfocus.com
Subject: TSLSA-2007-0013 - multi

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2007-0013

Package names:	   clamav, freeradius, freetype
Summary:           Multiple vulnerabilities
Date:              2007-04-20
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Secure Linux 3.0.5

- --------------------------------------------------------------------------
Package description:
  clamav
  Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose
  of this software is the integration with mail servers (attachment
  scanning). The package provides a flexible and scalable multi-threaded
  daemon, a command line scanner, and a tool for automatic updating via
  Internet. The programs are based on a shared library distributed with
  package, which you can use with your own software. Most importantly,
  the virus database is kept up to date.

  freeradius
  The FreeRADIUS Server Project is a high performance and highly
  configurable GPL'd free RADIUS server. The server is similar in some
  respects to Livingston's 2.0 server. While FreeRADIUS started as a
  variant of the Cistron RADIUS server, they no longer have much in
  common. It now has many more features than Cistron or Livingston,
  and is much more configurable.

  freetype
  The FreeType engine is a free and portable TrueType font rendering
  engine, developed to provide TrueType support for a variety of
  platforms and environments. FreeType is a library which can open
  and manage font files as well as efficiently load, hint and render
  individual glyphs. FreeType is not a font server or a complete
  text-rendering library.

Problem description:
  clamav < TSL 3.0.5 > < TSL 3.0 > < TSL 2.2 >
  - New upstream.
  - SECURITY Fix: A file descriptor leak in the
    "chm_decompress_stream()" [libclamav/chmunpack.c] function, which
    could be exploited by attackers to crash an affected system via a
    specially crafted CHM file.
  - A buffer overflow in the "cab_unstore()" [libclamav/cab.c]
    function when processing a negative value read from a CAB file,
    which could be exploited by attackers to crash an affected
    application or compromise a vulnerable system via a specially
    crafted CAB file.

    The Common Vulnerabilities and Exposures project has assigned the
    names CVE-2007-1745 and CVE-2007-1997 to these issues.

  freeradius < TSL 3.0.5 > < TSL 3.0 >
  - New upstream.
  - SECURITY Fix: A security issue has been reported in FreeRADIUS,
    caused by a memory leak in the handling of certain malformed
    Diameter-format attribute values inside an EAP-TTLS tunnel. This
    can be exploited to exhaust all available memory by sending a
    large number of malformed authentication requests to a vulnerable
    server.

    The Common Vulnerabilities and Exposures project has assigned the
    name CVE-2007-2028 to this issue.
  
  freetype < TSL 3.0.5 > < TSL 3.0 > < TSL 2.2 >
  - SECURITY Fix: A vulnerability has been reported in FreeType, caused
    by an integer overflow when parsing BDF fonts. This can be
    exploited to cause a heap-based buffer overflow via a specially
    crafted BDF font.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2007-1351 to this issue.
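  The CAB and BDF issues above share one root cause: a size taken from
  the input file is used before it is validated. The C below is an
  added example written for this page, not ClamAV's or FreeType's code;
  read_le32, copy_block and bitmap_bytes are hypothetical names. It
  shows the two checks a parser needs: rejecting a negative signed
  length before it is cast to size_t, and checking each multiplication
  of an allocation size for wrap-around.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helpers written for this page; not ClamAV's or FreeType's code. */

/* Read a signed 32-bit little-endian field, as a CAB-style header carries it. */
static int32_t read_le32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* Case 1: a block length taken from the file must be checked while it is still
 * signed. A negative int32_t converted to size_t becomes a huge count and walks
 * memcpy off the end of both buffers.
 * Returns the number of bytes copied, or -1 if the header is rejected. */
int64_t copy_block(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    if (in_len < 4)
        return -1;                          /* header truncated */
    int32_t block_len = read_le32(in);
    if (block_len < 0)
        return -1;                          /* negative length: reject, never cast */
    size_t n = (size_t)block_len;
    if (n > out_cap || n > in_len - 4)
        return -1;                          /* exceeds destination or remaining input */
    memcpy(out, in + 4, n);
    return (int64_t)n;
}

/* Case 2: a glyph bitmap allocation derived from font metrics (width * bpp,
 * rounded up to whole bytes, times height) must be checked for wrap-around at
 * each multiplication, otherwise a small heap buffer is allocated for a large
 * glyph. Returns true and stores the byte count, false if any step would wrap. */
bool bitmap_bytes(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0 || bpp > 32)
        return false;
    if ((size_t)width > (SIZE_MAX - 7) / bpp)
        return false;                       /* width * bpp + 7 would wrap */
    size_t row = ((size_t)width * bpp + 7) / 8;
    if (row > SIZE_MAX / height)
        return false;                       /* row * height would wrap */
    *out = row * height;
    return true;
}
```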

Action:
  We recommend that all systems with these packages installed be upgraded.
  Please note that if you do not need the functionality provided by a
  package, you may want to remove it from your system.


Location:
  All Trustix Secure Linux updates are available from
  <URI:http://http.trustix.org/pub/trustix/updates/>
  <URI:ftp://ftp.trustix.org/pub/trustix/updates/>


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.


Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.org/support/>


Verification:
  This advisory, along with all Trustix packages, is signed with the
  TSL sign key.
  This key is available from:
  <URI:http://www.trustix.org/TSL-SIGN-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.org/errata/trustix-2.2/>
  <URI:http://www.trustix.org/errata/trustix-3.0/> and
  <URI:http://www.trustix.org/errata/trustix-3.0.5/>
  or directly at
  <URI:http://www.trustix.org/errata/2007/0013/>


MD5sums of the packages:
- --------------------------------------------------------------------------
- --------------------------------------------------------------------------


Trustix Security Team


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFGKNhZi8CEzsK9IksRAs2DAJ0Q3vTXMGsZsuyEatmaRqv7xugO7QCfb5Tm
FspWkR7B85FuSFKiu3w6lAY=
=SzHz
-----END PGP SIGNATURE-----
