Trustix alert TSLSA-2005-0055 (cvs rsync uw-imap)

From:  Trustix Security Advisor <tsl@trustix.org>
To:  tsl-announce@lists.trustix.org
Subject:  TSLSA-2005-0055 - multi
Date:  Mon, 24 Oct 2005 10:01:03 +0200

Trustix Secure Linux Security Advisory #2005-0055

Package names:     cvs, rsync, uw-imap
Summary:           Multiple vulnerabilities
Date:              2005-10-07
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Operating System - Enterprise Server 2

--------------------------------------------------------------------------

Package description:

cvs
  CVS (Concurrent Version System) is a version control system that can
  record the history of your files (usually, but not always, source code).
  CVS only stores the differences between versions, instead of every
  version of every file you have ever created. CVS also keeps a log of who,
  when, and why changes occurred.

rsync
  Rsync uses a quick and reliable algorithm to very quickly bring remote and
  host files into sync. Rsync is fast because it just sends the differences
  in the files over the network (instead of sending the complete files).
  Rsync is often used as a very powerful mirroring process or just as a
  more capable replacement for the rcp command. A technical report which
  describes the rsync algorithm is included in this package.

uw-imap
  The imap package provides server daemons for both the IMAP (Internet
  Message Access Protocol) and POP (Post Office Protocol) mail access
  protocols. The POP protocol uses a "post office" machine to collect mail
  for users and allows users to download their mail to their local machine
  for reading. The IMAP protocol provides the functionality of POP, but
  allows a user to read mail on a remote machine without downloading it to
  their local machine.

Problem description:

cvs < TSL 3.0 > < TSL 2.2 >
- New Upstream
- SECURITY Fix: Two vulnerabilities in CVS, which can potentially be
  exploited by malicious people to cause a DoS (Denial of Service) and
  compromise a vulnerable system, have been fixed. The vulnerabilities are
  caused by the use of a vulnerable version of zlib (CAN-2004-0797 and
  CAN-2005-2096).

rsync < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- New Upstream
- Minor changes in output
- SECURITY Fix: The zlib code was upgraded to version 1.2.3 in order to
  make it more secure. While the widely-publicized security problem in
  zlib 1.2.2 did not affect rsync, another security problem surfaced that
  affects rsync's zlib 1.1.4.

uw-imap < TSL 2.2 > < TSEL 2 >
- SECURITY Fix: A vulnerability in the University of Washington's IMAP
  Server (UW-IMAP) allows attackers to execute arbitrary code. The
  vulnerability specifically exists due to insufficient bounds checking on
  user-supplied values. The Common Vulnerabilities and Exposures project
  (cve.mitre.org) has assigned the name CAN-2005-2933 to this issue.

Action:
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.

Location:
All Trustix Secure Linux updates are available from
<URI:http://http.trustix.org/pub/trustix/updates/>
<URI:ftp://ftp.trustix.org/pub/trustix/updates/>

About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers. With focus
on security and stability, the system is painlessly kept safe and up to
date from day one using swup, the automated software updater.

Automatic updates:
Users of the SWUP tool can enjoy having updates automatically installed
using 'swup --upgrade'.

Questions?
Check out our mailing lists:
<URI:http://www.trustix.org/support/>

Verification:
This advisory along with all Trustix packages are signed with the TSL sign
key. This key is available from:
<URI:http://www.trustix.org/TSL-SIGN-KEY>

The advisory itself is available from the errata pages at
<URI:http://www.trustix.org/errata/trustix-2.2/> and
<URI:http://www.trustix.org/errata/trustix-3.0/>
or directly at
<URI:http://www.trustix.org/errata/2005/0055/>

MD5sums of the packages:
--------------------------------------------------------------------------
(list of package checksums omitted)
--------------------------------------------------------------------------

Trustix Security Team
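The Verification section leaves checking the listed MD5sums to the reader. The following is an added example, not Trustix's own tooling, that parses a block in the advisory's "<md5> <path relative to the update tree>" layout and checks each package under a local mirror directory; the block text and the mirror directory path are assumed inputs.

```python
import hashlib
import os
import re

# One advisory checksum line: 32 hex digits, whitespace, path relative to the
# update tree (e.g. "2.2/rpms/<package>.rpm").
_LINE_RE = re.compile(r"^\s*([0-9a-fA-F]{32})\s+(\S+)\s*$")


def parse_md5_block(text):
    """Return {relative_path: md5hex} from an advisory's MD5sums block.
    Dashed separator lines and blank lines are skipped; any other non-checksum
    line raises, so a mangled block is noticed instead of silently checking
    fewer packages than the advisory lists."""
    expected = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) <= set("- "):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised line in MD5sums block: %r" % line)
        expected[m.group(2)] = m.group(1).lower()
    return expected


def md5_of_file(path):
    """Hex MD5 of a file, read in chunks so large RPMs stay out of memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_packages(block_text, mirror_dir):
    """Check every package named in the block against its copy under
    mirror_dir. Returns {relative_path: "ok" | "mismatch" | "missing"}."""
    results = {}
    for rel, digest in parse_md5_block(block_text).items():
        local = os.path.join(mirror_dir, rel)
        if not os.path.isfile(local):
            results[rel] = "missing"
        elif md5_of_file(local) != digest:
            results[rel] = "mismatch"
        else:
            results[rel] = "ok"
    return results


def all_ok(results):
    """True only when every listed package was present and matched."""
    return bool(results) and all(s == "ok" for s in results.values())
```

A matching MD5 only shows that the download is the file the advisory lists; authenticity still rests on the TSL signature on the advisory and packages (for example `rpm --checksig` against the imported key), which this check does not replace.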

