-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
--------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2006-0070
Package names:     gnupg, proftpd
Summary:           Multiple vulnerabilities
Date:              2006-12-08
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Operating System - Enterprise Server 2
--------------------------------------------------------------------------
Package description:
  gnupg
    GnuPG is a complete and free replacement for PGP. Because it does not
    use IDEA it can be used without any restrictions. GnuPG is in
    compliance with the OpenPGP specification (RFC2440).

  proftpd
    ProFTPd is an enhanced FTP server with a focus toward simplicity,
    security, and ease of configuration. It features a very Apache-like
    configuration syntax, and a highly customizable server infrastructure,
    including support for multiple 'virtual' FTP servers, anonymous FTP,
    and permission-based directory visibility.
Problem description:
  gnupg < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
    - New upstream.
    - SECURITY Fix: Tavis Ormandy has reported a vulnerability in GnuPG,
      caused by an error in the decryption of malformed OpenPGP
      messages. This can be exploited to corrupt memory when decrypting
      a specially crafted OpenPGP message.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the name CVE-2006-6235 to this issue.

  proftpd < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
    - New upstream.
    - SECURITY Fix: A stack-based buffer overflow in the sreplace function
      allows remote attackers to cause a denial of service, as
      demonstrated by vd_proftpd.pm, a "ProFTPD remote exploit."

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the name CVE-2006-5815 to this issue.

    - NOTE: In November 2006, the CommandBufferSize issue was originally
      associated with CVE-2006-5815, but this was an error stemming from
      an initially vague disclosure. The correct identifier for that issue
      is CVE-2006-6171.
Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.
Location:
  All Trustix Secure Linux updates are available from