Date: Wed, 15 Nov 2006 08:48:54 +0000
From: Trustix Security Advisor <tsl@trustix.org.>
To: bugtraq@securityfocus.com
Subject: TSLSA-2006-0063 - multi
Message-ID: <20061115084854.GA17382@tsunami.trustix.net.>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.1i
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2006-0063
Package names: bind, openssh, rpm, texinfo
Summary: Multiple vulnerabilities
Date: 2006-11-15
Affected versions: Trustix Secure Linux 2.2
Trustix Secure Linux 3.0
Trustix Operating System - Enterprise Server 2
- --------------------------------------------------------------------------
Package description:
bind
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
(Domain Name System) protocols. BIND includes a DNS server (named),
which resolves host names to IP addresses, and a resolver library
(routines for applications to use when interfacing with DNS). A DNS
server allows clients to name resources or objects and share the
information with other network machines. The named DNS server can be
used on workstations as a caching name server, but is generally only
needed on one machine for an entire network.
openssh
Ssh (Secure Shell) a program for logging into a remote machine and for
executing commands in a remote machine. It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.
OpenSSH is OpenBSD's rework of the last free version of SSH, bringing
it up to date in terms of security and features, as well as removing
all patented algorithms to seperate libraries (OpenSSL).
rpm
The RPM Package Manager is a powerful command line driven package
management system capable of installing, uninstalling, verifying,
querying, and updating software packages. Each software package
consists of an archive of files along with information about the
package like its version, a description, etc.
texinfo
Texinfo is a documentation system that can produce both online
information and printed output from a single source file. Normally,
you'd have to write two separate documents: one for online help or
other online information and the other for a typeset manual or other
printed work. Using Texinfo, you only need to write one source
document. Then when the work needs revision, you only have to revise
one source document. The GNU Project uses the Texinfo file format
for most of its documentation.
Problem description:
bind < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- New Upstream.
- SECURITY Fix: Raise the minimum safe OpenSSL versions to OpenSSL
0.9.7l and OpenSSL 0.9.8d. Versions prior to these have known
security flaws which are exploitable in named. [RT #16391]
- Change the default RSA exponent from 3 to 65537.
openssh < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- New upstream.
- SECURITY Fix: A weakness has been reported in OpenSSH, which
can be exploited by malicious people to bypass certain security
restrictions. The weakness is caused due to an error within the
privilege separation monitor, which may weaken the authentication
process (SA22771).
rpm < TSL 3.0 >
- SECURITY Fix: A vulnerability has been reported in RPM, caused due
to a boundary error when processing certain RPM packages. This can
be exploited to cause a heap-based buffer overflow by e.g. tricking
a user into querying a specially crafted RPM package.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2006-5466 to this issue.
texinfo < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- SECURITY Fix: Buffer overflow in the texi2dvi and texindex commands
allows local users to execute arbitrary code via a crafted Texinfo
file.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2006-4810 to this issue.
Action:
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.
Location:
All Trustix Secure Linux updates are available from
<URI:http://http.trustix.org/pub/trustix/updates/>;
<URI:ftp://ftp.trustix.org/pub/trustix/updates/>;
About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers. With focus
on security and stability, the system is painlessly kept safe and up to
date from day one using swup, the automated software updater.
Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.
Questions?
Check out our mailing lists:
<URI:http://www.trustix.org/support/>;
Verification:
This advisory along with all Trustix packages are signed with the
TSL sign key.
This key is available from:
<URI:http://www.trustix.org/TSL-SIGN-KEY>;
The advisory itself is available from the errata pages at
<URI:http://www.trustix.org/errata/trustix-2.2/>; and
<URI:http://www.trustix.org/errata/trustix-3.0/>;
or directly at
<URI:http://www.trustix.org/errata/2006/0063/>;
MD5sums of the packages:
- --------------------------------------------------------------------------
411d41d5b1aca5e654bcd4f7069641cd 3.0/rpms/bind-9.3.2-5tr.i586.rpm
c953e58b0a7c6069a0042ac147197404 3.0/rpms/bind-devel-9.3.2-5tr.i586.rpm
f2cd09a1b89d0ad77a66433a079e036f 3.0/rpms/bind-libs-9.3.2-5tr.i586.rpm
5ac959e3dc072dde6454fd4468e4aa86 3.0/rpms/bind-light-9.3.2-5tr.i586.rpm
7be40d44718f02d019455030a91b7d94 3.0/rpms/bind-light-devel-9.3.2-5tr.i586.rpm
762277c7685bbcf73a82895d11b0b875 3.0/rpms/bind-utils-9.3.2-5tr.i586.rpm
a31460377f74c37ef59e6866d8ad3965 3.0/rpms/openssh-4.5p1-1tr.i586.rpm
51bdca2164f24ea13dc30fa376f94ded 3.0/rpms/openssh-clients-4.5p1-1tr.i586.rpm
b7e24c9e1563205973dea2e20606be62 3.0/rpms/openssh-server-4.5p1-1tr.i586.rpm
183a62996c6cccac693babea153b9392 3.0/rpms/openssh-server-config-4.5p1-1tr.i586.rpm
41cfd916a66e9a71fc5f8d2bccd1b0b3 3.0/rpms/rpm-4.3.2-17tr.i586.rpm
205fdcdfd07dc3e0216eb2cbd2a66165 3.0/rpms/rpm-build-4.3.2-17tr.i586.rpm
073b02bab62058bbdd9a6ea72f71ab59 3.0/rpms/rpm-devel-4.3.2-17tr.i586.rpm
81cf14d0a7d95f3d1487541f5750a9c9 3.0/rpms/rpm-python-4.3.2-17tr.i586.rpm
0603399ce542603ba7f5a197a763dc3d 3.0/rpms/texinfo-4.8-6tr.i586.rpm
1d4dcde48a5a1fe2ab19495e6e808b5f 2.2/rpms/bind-9.3.2-5tr.i586.rpm
bfffb44bef5aa6c2971095319d3b7a9b 2.2/rpms/bind-devel-9.3.2-5tr.i586.rpm
26374574a61e0d51682e23bf56f9239e 2.2/rpms/bind-libs-9.3.2-5tr.i586.rpm
82dc44bb35d9462ac56c0d921374b0be 2.2/rpms/bind-light-9.3.2-5tr.i586.rpm
d8076c50fda7594808523e417a234544 2.2/rpms/bind-light-devel-9.3.2-5tr.i586.rpm
5001689ab4ed15e5d636a4c1d851792d 2.2/rpms/bind-utils-9.3.2-5tr.i586.rpm
9ca9e32b1a1f51d9656fb9b156ff5085 2.2/rpms/openssh-4.5p1-1tr.i586.rpm
0c8462b001eee4c24c57038f18d04638 2.2/rpms/openssh-clients-4.5p1-1tr.i586.rpm
89ac4db62996c6641dfe27897270d719 2.2/rpms/openssh-server-4.5p1-1tr.i586.rpm
061da2194491d15e15c6c72f035b4800 2.2/rpms/openssh-server-config-4.5p1-1tr.i586.rpm
2d82898ad50f90d26dd2c33460eeb80d 2.2/rpms/texinfo-4.8-1tr.i586.rpm
- --------------------------------------------------------------------------
Trustix Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
iD8DBQFFWtFMi8CEzsK9IksRAvS4AJ0SmA4fyUuojQP1ntmopdW/RDRcyQCgpUhC
HrxeCDQJVs1yGubEz3ZzBmw=
=ssBH
-----END PGP SIGNATURE-----
