-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2006-0070

Package names:	   gnupg, proftpd
Summary:           Multiple vulnerabilities
Date:              2006-12-08
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Operating System - Enterprise Server 2

- --------------------------------------------------------------------------
Package description:
  gnupg
  GnuPG is a complete and free replacement for PGP. Because it does not
  use IDEA it can be used without any restrictions. GnuPG is in
  compliance with the OpenPGP specification (RFC2440).

  proftpd
  ProFTPd is an enhanced FTP server with a focus toward simplicity,
  security, and ease of configuration. It features a very Apache-like
  configuration syntax, and a highly customizable server infrastructure,
  including support for multiple 'virtual' FTP servers, anonymous FTP,
  and permission-based directory visibility.

Problem description:
  gnupg  < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - New Upstream.
  - SECURITY Fix: Tavis Ormandy has reported a vulnerability in GnuPG,
    caused due to an error within the decryption of malformed OpenPGP
    messages. This can be exploited to corrupt memory when decrypting
    a specially crafted OpenPGP message.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2006-6235 to this issue.

  proftpd < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - New upstream.
  - SECURITY Fix: Stack-based buffer overflow in the sreplace function
    allows remote attackers to cause a denial of service, as
    demonstrated by vd_proftpd.pm, a "ProFTPD remote exploit."

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2006-5815 to this issue.
  - NOTE: In November 2006, the role of CommandBufferSize was originally
    associated with CVE-2006-5815, but this was an error stemming from
    an initial vague disclosure. Correct CVE: CVE-2006-6171.

Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All Trustix Secure Linux updates are available from
 
 


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.


Questions?
  Check out our mailing lists:
 


Verification:
  This advisory along with all Trustix packages are signed with the
  TSL sign key.
  This key is available from:
 

  The advisory itself is available from the errata pages at
 and 
 
  or directly at
 


MD5sums of the packages:
- --------------------------------------------------------------------------
ee2eef6713179355672262613d3403da  3.0/rpms/gnupg-1.4.6-1tr.i586.rpm
23d7fab414ea6fa3845a64769d4d2a32  3.0/rpms/gnupg-utils-1.4.6-1tr.i586.rpm
9df93256a549caaea20d633f94e58b7a  3.0/rpms/proftpd-1.3.0a-1tr.i586.rpm

502a38c702fc23c6276881cc94e58c25  2.2/rpms/gnupg-1.2.6-6tr.i586.rpm
889af38ab3db8e0108c7182741dad2ef  2.2/rpms/gnupg-utils-1.2.6-6tr.i586.rpm
05d9558463b738c5afb827d33e349b22  2.2/rpms/proftpd-1.2.10-12tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFFeXq1i8CEzsK9IksRAlNhAJ9+j0vDrpnku25AS/i6rCLZBUskLACePw1w
2eUgqths9PwMtBbNzcFYrpo=lhTY
-----END PGP SIGNATURE-----