-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2007-0003
Package names: bzip2, kerberos5, squid, wget, xorg-x11
Summary: Multiple vulnerabilities
Date: 2007-01-19
Affected versions: Trustix Secure Linux 2.2
Trustix Secure Linux 3.0
Trustix Operating System - Enterprise Server 2
- --------------------------------------------------------------------------
Package description:
bzip2
Bzip2 is a freely available, patent-free, high quality data compressor.
Bzip2 compresses files to within 10 to 15 percent of the capabilities
of the best techniques available. However, bzip2 has the added benefit
of being approximately two times faster at compression and six times
faster at decompression than those techniques. Bzip2 is not the fastest
compression utility, but it does strike a balance between speed and
compression capability.
kerberos5
(MIT) Kerberos is a network authentication protocol. It is designed to
provide strong authentication for client/server applications by using
secret-key cryptography. A free implementation of this protocol is
available from the Massachusetts Institute of Technology. Kerberos is
available in many commercial products as well.
squid
Squid is a high-performance proxy caching server for Web clients,
supporting FTP, gopher, and HTTP data objects. Unlike traditional
caching software, Squid handles all requests in a single, non-blocking,
I/O-driven process. Squid keeps meta data and especially hot objects
cached in RAM, caches DNS lookups, supports non-blocking DNS lookups,
and implements negative caching of failed requests.
wget
GNU Wget is a file retrieval utility which can use either the HTTP or
FTP protocols. Wget features include the ability to work in the
background while you're logged out, recursive retrieval of directories,
file name wildcard matching, remote file timestamp storage and
comparison, use of REST with FTP servers and Range with HTTP servers
to retrieve files over slow or unstable connections, support for proxy
servers, and configurability.
xorg-x11
X.org X11 is an open source implementation of the X Window System. It
provides the basic low level functionality which full fledged graphical
user interfaces (GUIs) such as GNOME and KDE are designed upon.
Problem description:
bzip2 < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- SECURITY Fix: Fixes a race condition in the handling of output file
permissions. bzip2 writes the decompressed output and then, once
decompression is complete, sets the permissions of the output file
by path. A local user who replaces the output file with a hard link
to an arbitrary file during that window can cause bzip2 to change
the permissions of that arbitrary file.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2005-0953 (now CVE-2005-0953) to this issue.
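The following is an added illustration of the race described above; it is example code written for this page, not bzip2's own source. It simulates the decompressor's sequence (create output, write, apply the saved mode) and, in the window before the mode is applied, swaps the output path for a hard link to a victim file. Applying the mode with chmod() on the path follows the link and alters the victim; applying it with fchmod() on the descriptor that was written only touches the inode the decompressor actually created. The setup runs as a single user in a fresh directory under /tmp (a constructed setup; the real attack spans two users).

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Returns the victim file's final permission bits after the simulated
 * decompression, or -1 on a setup failure.
 *   use_fd == 0 : apply the mode with chmod(path)  (vulnerable pattern)
 *   use_fd != 0 : apply the mode with fchmod(fd)   (the fix)
 */
static int simulate_race(int use_fd)
{
    char dir[] = "/tmp/bz2race-XXXXXX";
    char victim[64], out[64];
    static const char data[] = "decompressed data\n";
    struct stat st;
    int vfd, ofd, rc, mode;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(out, sizeof out, "%s/out", dir);

    /* Victim: a file whose 0600 permissions the attacker must not change. */
    vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0)
        return -1;
    if (write(vfd, "secret\n", 7) != 7)
        return -1;
    close(vfd);
    if (chmod(victim, 0600) != 0)   /* make the mode independent of umask */
        return -1;

    /* Decompressor: create the output with a private mode and write it. */
    ofd = open(out, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (ofd < 0)
        return -1;
    if (write(ofd, data, sizeof data - 1) != (ssize_t)(sizeof data - 1))
        return -1;

    /* Attacker's window: the output path now names the victim's inode. */
    unlink(out);
    if (link(victim, out) != 0)
        return -1;

    /* Decompressor finishes: apply the mode recorded for the original. */
    rc = use_fd ? fchmod(ofd, 0644) : chmod(out, 0644);
    close(ofd);
    if (rc != 0)
        return -1;

    if (stat(victim, &st) != 0)
        return -1;
    mode = (int)(st.st_mode & 07777);

    unlink(out);
    unlink(victim);
    rmdir(dir);
    return mode;
}

int main(void)
{
    printf("chmod(path): victim mode %04o\n", simulate_race(0));
    printf("fchmod(fd):  victim mode %04o\n", simulate_race(1));
    return 0;
}
```

With the path-based call the victim ends up 0644; with the descriptor-based call it stays 0600. The same reasoning applies to chown() versus fchown(). A hardened tool can additionally fstat() the descriptor before applying attributes and refuse to continue if the file is not a regular file or its link count is not 1.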
kerberos5 < TSL 3.0 >
- SECURITY Fix: The RPC library used in the Kerberos administration
daemon (kadmind) and in other products that use this library calls
an uninitialized function pointer in freed memory, which allows
remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code via unspecified vectors.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2006-6143 to this issue.
squid < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- SECURITY Fix: An error in the handling of certain FTP URL requests
can be exploited to crash Squid by requesting a specially crafted
FTP URL through the proxy.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2007-0247 to this issue.
wget < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- SECURITY Fix: The ftp_syst function in ftp-basic.c allows remote
attackers to cause a denial of service (application crash) via a
malicious FTP server that returns a large number of blank 220
responses to the SYST command.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2006-6719 to this issue.
xorg-x11 < TSL 3.0 >
- SECURITY Fix: Sean Larsson has reported some vulnerabilities in
X.Org X11, caused by input validation errors within the
"ProcRenderAddGlyphs()" function of the "Render" extension and
the "ProcDbeGetVisualInfo()" and "ProcDbeSwapBuffers()" functions
of the "DBE" extension. These can be exploited to cause memory
corruption by sending specially crafted X requests to the X server.
The Common Vulnerabilities and Exposures project has assigned the
names CVE-2006-6101, CVE-2006-6102 and CVE-2006-6103 to these issues.
Action:
We recommend that all systems with any of these packages installed be
upgraded. Please note that if you do not need the functionality
provided by a package, you may want to remove it from your system.
Location:
All Trustix Secure Linux updates are available from