|
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2007-0005
Package names: bind, ed, elinks
Summary: Multiple vulnerabilities
Date: 2007-02-05
Affected versions: Trustix Secure Linux 2.2
Trustix Secure Linux 3.0
Trustix Operating System - Enterprise Server 2
- --------------------------------------------------------------------------
Package description:
bind
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
(Domain Name System) protocols. BIND includes a DNS server (named),
which resolves host names to IP addresses, and a resolver library
(routines for applications to use when interfacing with DNS). A DNS
server allows clients to name resources or objects and share the
information with other network machines. The named DNS server can be
used on workstations as a caching name server, but is generally only
needed on one machine for an entire network.
ed
Ed is a line-oriented text editor, used to create, display, and modify
text files (both interactively and via shell scripts). For most
purposes, ed has been replaced in normal usage by full-screen editors
(emacs and vi, for example).
elinks
ELinks is a program for browsing the web in text mode. It provide a
feature-rich text mode browser with an open patches/features inclusion
policy and active development. One of these features is that ELinks
includes Links-Lua which adds scripting capabilities to ELinks.
Problem description:
bind < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- New Upstream.
- SECURITY Fix: Some vulnerabilities have been reported in ISC BIND,
which can be exploited by malicious people to cause a DoS. An
unspecified error may cause the named daemon to dereference a
freed fetch context.
- Another vulnerability in ISC BIND allows remote attackers to cause
a denial of service (exit) via a type * (ANY) DNS query response
that contains multiple RRsets, which triggers an assertion error,
aka the "DNSSEC Validation" vulnerability.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2007-0493 and CVE-2007-0494 to these issues.
ed < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- New upstream.
- SECURITY FIX: A vulnerability has been identified in the
"open_sbuf()" [buf.c] function that handles temporary files in an
insecure manner, which could allow malicious users to conduct
symlink attacks and create or overwrite arbitrary files with the
privileges of the user invoking the vulnerable application.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2006-6939 to this issue.
elinks < TSL 3.0 >
- New upstream.
- SECURITY Fix: Teemu Salmela has discovered a vulnerability, which
is caused due to an error in the validation of "smb://" URLs when
Links runs smbclient commands. This can be exploited to download
and overwrite local files or upload local files to an SMB share
by injecting smbclient commands in the "smb://" URL.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2006-5925 to this issue.
Action:
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.
Location:
All Trustix Secure Linux updates are available from