-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2007-0013
Package names: clamav, freeradius, freetype
Summary: Multiple vulnerabilities
Date: 2007-04-20
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Secure Linux 3.0.5
- --------------------------------------------------------------------------
Package description:
clamav
Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose
of this software is integration with mail servers (attachment
scanning). The package provides a flexible and scalable multi-threaded
daemon, a command line scanner, and a tool for automatic updating via
the Internet. The programs are based on a shared library distributed
with the package, which you can use with your own software. Most
importantly, the virus database is kept up to date.
freeradius
The FreeRADIUS Server Project is a high-performance and highly
configurable GPL'd free RADIUS server. The server is similar in some
respects to Livingston's 2.0 server. While FreeRADIUS started as a
variant of the Cistron RADIUS server, the two no longer have much in
common. It now has many more features than Cistron or Livingston,
and is much more configurable.
freetype
The FreeType engine is a free and portable TrueType font rendering
engine, developed to provide TrueType support for a variety of
platforms and environments. FreeType is a library which can open
and manage font files as well as efficiently load, hint and render
individual glyphs. FreeType is not a font server or a complete
text-rendering library.
Problem description:
clamav < TSL 3.0.5 > < TSL 3.0 > < TSL 2.2 >
- New Upstream.
- SECURITY Fix: A file descriptor leak in the
"chm_decompress_stream()" [libclamav/chmunpack.c] function, which
could be exploited by attackers to exhaust file descriptors and
deny service on an affected system via a specially crafted CHM file.
- SECURITY Fix: A buffer overflow in the "cab_unstore()"
[libclamav/cab.c] function when processing a negative length value
read from a CAB file, which could be exploited by attackers to crash
an affected application or compromise a vulnerable system via a
specially crafted CAB file.
The Common Vulnerabilities and Exposures project has assigned the
names CVE-2007-1745 and CVE-2007-1997 to these issues.
freeradius < TSL 3.0.5 > < TSL 3.0 >
- New upstream.
- SECURITY Fix: A memory leak in the handling of malformed
Diameter-format attributes inside an EAP-TTLS tunnel. This can be
exploited to exhaust all available memory by sending a large number
of malformed authentication requests to a vulnerable server.
The Common Vulnerabilities and Exposures project has assigned the
name CVE-2007-2028 to this issue.
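The CHM file descriptor leak and the EAP-TTLS memory leak above are the same
bug shape: a handler acquires a resource, then bails out on malformed input
without releasing it, so each malformed request costs the server one more
descriptor or allocation. The following is an added illustration, not code
from ClamAV or FreeRADIUS; the attribute layout (1-byte type, 1-byte declared
length, payload), the handler names and the counters are all invented for the
example. It runs the same malformed attribute through a leaking handler and
through a single-exit handler and reports what each left behind.

```c
/* Added example (not ClamAV or FreeRADIUS code): a leak-on-error-path
 * handler beside the single-exit version that releases on every path. */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Counters standing in for the process's fd table and heap, so a run can
 * report what each handler left behind. */
static int live_fds = 0;
static int live_allocs = 0;

static int scratch_open(void)
{
    int fd = open("/dev/null", O_RDONLY);    /* stand-in for a temp file */
    if (fd >= 0) live_fds++;
    return fd;
}
static void scratch_close(int fd) { if (fd >= 0) { close(fd); live_fds--; } }
static void *tracked_alloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void tracked_free(void *p) { if (p) { free(p); live_allocs--; } }

/* Hypothetical attribute layout: msg[0] = type, msg[1] = declared length
 * including the 2-byte header, then payload. */
#define PAYLOAD_MAX 256

/* Vulnerable: each early return after scratch_open/tracked_alloc leaks. */
int handle_attr_vulnerable(const uint8_t *msg, size_t len)
{
    if (len < 2) return -1;                          /* nothing acquired yet */
    int fd = scratch_open();
    if (fd < 0) return -1;
    uint8_t *copy = tracked_alloc(PAYLOAD_MAX);
    if (!copy) return -1;                            /* leaks fd */
    uint8_t alen = msg[1];
    if (alen < 2 || (size_t)alen > len) return -1;   /* malformed: leaks fd + copy */
    memcpy(copy, msg + 2, alen - 2u);
    tracked_free(copy);
    scratch_close(fd);
    return msg[0];
}

/* Hardened: a single exit releases whatever was acquired, on every path. */
int handle_attr_hardened(const uint8_t *msg, size_t len)
{
    int rc = -1, fd = -1;
    uint8_t *copy = NULL;
    uint8_t alen;

    if (len < 2) goto out;
    fd = scratch_open();
    if (fd < 0) goto out;
    copy = tracked_alloc(PAYLOAD_MAX);
    if (!copy) goto out;
    alen = msg[1];
    if (alen < 2 || (size_t)alen > len) goto out;
    memcpy(copy, msg + 2, alen - 2u);
    rc = msg[0];
out:
    tracked_free(copy);
    scratch_close(fd);
    return rc;
}

struct leak_report { int fds, allocs; };

/* Feed one malformed attribute n times, as a remote client would, and
 * report what the handler failed to release. */
struct leak_report run_malformed(int (*handler)(const uint8_t *, size_t), int n)
{
    /* constructed input: type 1, declared length 0xF0, only 4 bytes sent */
    const uint8_t bad[] = { 0x01, 0xF0, 0xAA, 0xBB };
    struct leak_report r = { live_fds, live_allocs };
    for (int i = 0; i < n; i++)
        handler(bad, sizeof bad);
    r.fds = live_fds - r.fds;
    r.allocs = live_allocs - r.allocs;
    return r;
}

int main(void)
{
    struct leak_report v = run_malformed(handle_attr_vulnerable, 20);
    struct leak_report h = run_malformed(handle_attr_hardened, 20);
    printf("vulnerable: %d fds, %d allocations leaked\n", v.fds, v.allocs);
    printf("hardened:   %d fds, %d allocations leaked\n", h.fds, h.allocs);
    return 0;
}
```

Twenty requests leave the vulnerable handler twenty descriptors and twenty
allocations short; scale that to a daemon's per-process fd limit and the
"large number of malformed authentication requests" in the advisory is
enough. The fix is structural, not a check on any one field: every
acquisition has exactly one matching release, reached from every return.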
freetype < TSL 3.0.5 > < TSL 3.0 > < TSL 2.2 >
- SECURITY Fix: A vulnerability has been reported in FreeType, caused
by an integer overflow when parsing BDF fonts. This can be exploited
to cause a heap-based buffer overflow via a specially crafted BDF
font.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2007-1351 to this issue.
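The CAB "negative value" overflow and the BDF integer overflow above are both
failures to bound an attacker-supplied size before using it. The following is
an added illustration, not libclamav or FreeType code; the record layouts
(a 4-byte little-endian length in front of a payload, a 16-byte per-glyph
record), the buffer sizes and the function names are invented for the example.
It shows a length read into a signed int slipping past an upper-bound test,
a 32-bit count times record size wrapping to a tiny allocation, and the checks
that reject both inputs.

```c
/* Added example (not ClamAV or FreeType code): two untrusted-size mistakes
 * from the advisory, each beside the check that rejects the bad input. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OUT_MAX      64     /* size of the caller's fixed output buffer */
#define RECORD_SIZE  16u    /* hypothetical per-glyph record size */

/* Little-endian 32-bit read, as a file-format parser would do it. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Pattern 1, vulnerable: block = 4-byte length + payload. The length lands
 * in an int, so 0xFFFFFFFF becomes -1, passes the upper-bound test, and
 * memcpy receives (size_t)-1. Never call this with such input. */
int unstore_vulnerable(const uint8_t *blk, size_t blklen, uint8_t out[OUT_MAX])
{
    if (blklen < 4) return -1;
    int len = (int)le32(blk);              /* attacker-controlled, may be < 0 */
    if (len > OUT_MAX) return -1;          /* a negative len passes */
    memcpy(out, blk + 4, (size_t)len);     /* overflows out */
    return len;
}

/* Pattern 1, hardened: keep the length unsigned and bound it by both the
 * output buffer and the bytes actually present in the input. */
int unstore_hardened(const uint8_t *blk, size_t blklen, uint8_t out[OUT_MAX])
{
    if (blklen < 4) return -1;
    uint32_t len = le32(blk);
    if (len > OUT_MAX || len > blklen - 4) return -1;
    memcpy(out, blk + 4, len);
    return (int)len;
}

/* Pattern 2, vulnerable: a 32-bit count * record size wraps, so a huge glyph
 * count yields a tiny allocation that a later per-glyph loop overruns. */
uint32_t glyph_table_bytes_vulnerable(uint32_t count)
{
    return count * RECORD_SIZE;            /* 0x10000001 * 16 wraps to 16 */
}

/* Pattern 2, hardened: refuse a count whose product would not fit, and a
 * count larger than the input can back. Returns the table size in bytes,
 * or 0 on rejection. */
uint32_t glyph_table_bytes_hardened(uint32_t count, size_t avail)
{
    if (count == 0 || count > UINT32_MAX / RECORD_SIZE) return 0;
    if ((size_t)count > avail / RECORD_SIZE) return 0;
    return count * RECORD_SIZE;
}

int main(void)
{
    /* constructed input: length field 0xFFFFFFFF, four payload bytes */
    const uint8_t cab[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0, 0, 0, 0 };
    uint8_t out[OUT_MAX];
    printf("hardened unstore of length 0xFFFFFFFF: %d\n",
           unstore_hardened(cab, sizeof cab, out));
    printf("0x10000001 glyphs * %u bytes in 32-bit: %u bytes\n",
           RECORD_SIZE, glyph_table_bytes_vulnerable(0x10000001u));
    printf("hardened glyph table: %u\n",
           glyph_table_bytes_hardened(0x10000001u, (size_t)1 << 30));
    return 0;
}
```

The two checks that matter are the ones the vulnerable versions lack: the
length never becomes signed, and the multiplication is tested against
UINT32_MAX / RECORD_SIZE before it happens. Bounding by the bytes actually
present in the input is the cheap second line of defence for both.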
Action:
We recommend that all systems with these packages installed be upgraded.
Please note that if you do not need the functionality provided by a
package, you may want to remove it from your system.
Location:
All Trustix Secure Linux updates are available from