
Trustix alert TSLSA-2005-0018 (gzip)

From:  Trustix Security Advisor <tsl@trustix.org>
To:  tsl-announce@lists.trustix.org
Subject:  TSLSA-2005-0018 - multi
Date:  Fri, 6 May 2005 18:35:41 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------

Trustix Secure Linux Security Advisory #2005-0018

Package name:      gzip postgresql tcpdump vim
Summary:           Various security issues
Date:              2005-05-06
Affected versions: Trustix Secure Linux 2.1
                   Trustix Secure Linux 2.2
                   Trustix Operating System - Enterprise Server 2

- --------------------------------------------------------------------------

Package description:
  gzip:
  The gzip package contains the popular GNU gzip data compression program.
  Gzipped files have a .gz extension.

  postgresql:
  PostgreSQL is an advanced Object-Relational database management system
  (DBMS) that supports almost all SQL constructs (including transactions,
  subselects and user-defined types and functions). The postgresql package
  includes the client programs and libraries that you'll need to access a
  PostgreSQL DBMS server. These PostgreSQL client programs are programs that
  directly manipulate the internal structure of PostgreSQL databases on a
  PostgreSQL server. These client programs can be located on the same machine
  with the PostgreSQL server, or may be on a remote machine which accesses a
  PostgreSQL server over a network connection. This package contains the docs
  in HTML for the whole package, as well as command-line utilities for
  managing PostgreSQL databases on a PostgreSQL server.

  tcpdump:
  Tcpdump is a command-line tool for monitoring network traffic. Tcpdump can
  capture and display the packet headers on a particular network interface or
  on all interfaces. Tcpdump can display all of the packet headers, or just
  the ones that match particular criteria.

  vim:
  VIM (VIsual editor iMproved) is an updated and improved version of the vi
  editor. Vi was the first real screen-based editor for UNIX, and is still
  very popular. VIM improves on vi by adding new features: multiple windows,
  multi-level undo, block highlighting and more.

Problem description:
  gzip:
  - Ulf Härnhammar <metaur@telia.com> has discovered a vulnerability in
    gunzip that allows a malicious zip file to extract to an arbitrary
    directory of the attacker's choice when gunzip is used with the -N
    option. The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CAN-2005-1228 to this issue.
  - A race condition error in the file permission restore code, which may be
    exploited by a malicious local user, with write permissions, to gain read
    or write access to files of other users. The Common Vulnerabilities and
    Exposures project (cve.mitre.org) has assigned the name CAN-2005-0988 to
    this issue.

  postgresql:
  - Fix Character Conversion Vulnerability: public EXECUTE access is given to
    certain character conversion functions, which allows unprivileged users
    to call those functions with malicious values, with unknown impact. The
    Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
    the name CAN-2005-1409 to this issue.
  - Fix DoS Vulnerability: the (1) dex_init, (2) snb_en_init,
    (3) snb_ru_init, (4) spell_init, and (5) syn_init functions are declared
    as "internal" even when they do not take an internal argument, which
    allows attackers to cause a denial of service (application crash). The
    Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
    the name CAN-2005-1410 to this issue.

  tcpdump:
  - Fixed multiple DoS issues. From The Common Vulnerabilities and Exposures
    project (cve.mitre.org):
    CAN-2005-1278: The isis_print function, as called by isoclns_print, in
    tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of
    service (infinite loop) via a zero length, as demonstrated using a GRE
    packet.
    CAN-2005-1279: tcpdump 3.8.3 and earlier allows remote attackers to cause
    a denial of service (infinite loop) via a crafted (1) BGP packet, which
    is not properly handled by RT_ROUTING_INFO, or (2) LDP packet, which is
    not properly handled by the ldp_print function.
    CAN-2005-1280: The rsvp_print function in tcpdump 3.9.1 and earlier
    allows remote attackers to cause a denial of service (infinite loop) via
    a crafted RSVP packet of length 4.

  vim:
  - Fix tempfile creation bug (CAN-2005-0069). The Common Vulnerabilities and
    Exposures project (cve.mitre.org) has assigned the name CAN-2005-0069 to
    this issue.
  - Fix paths in vim.1 and vimtutor manpage (Bug #586)

Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.

Location:
  All Trustix Secure Linux updates are available from
  <URI:http://http.trustix.org/pub/trustix/updates/>
  <URI:ftp://ftp.trustix.org/pub/trustix/updates/>

About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.

Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically installed
  using 'swup --upgrade'.

Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.org/support/>

Verification:
  This advisory along with all Trustix packages are signed with the TSL sign
  key. This key is available from:
  <URI:http://www.trustix.org/TSL-SIGN-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.org/errata/trustix-2.1/> and
  <URI:http://www.trustix.org/errata/trustix-2.2/>
  or directly at
  <URI:http://www.trustix.org/errata/2005/0018/>

MD5sums of the packages:
- --------------------------------------------------------------------------
762c9b7d53b49efae421125a37712057  2.2/rpms/gzip-1.3.3-7tr.i586.rpm
ff9d2fae613f3561d2522bbae0c3c6d5  2.2/rpms/gzip-doc-1.3.3-7tr.i586.rpm
11ac691a4702b5304c34e53057928cca  2.2/rpms/postgresql-8.0.2-2tr.i586.rpm
d788f424f4d5ef7cd3bce32480a95f94  2.2/rpms/postgresql-contrib-8.0.2-2tr.i586.rpm
77878b8f57d9431a07ce0b42d12a9e64  2.2/rpms/postgresql-devel-8.0.2-2tr.i586.rpm
8be376cd2a87e5d1db64c99492aa0107  2.2/rpms/postgresql-docs-8.0.2-2tr.i586.rpm
c9af6c00f7bc9e8eb945f130c897c920  2.2/rpms/postgresql-libs-8.0.2-2tr.i586.rpm
a904613104d483385762ba0b218b3a9e  2.2/rpms/postgresql-plperl-8.0.2-2tr.i586.rpm
cc66650605e223e4d2afe86217c6405f  2.2/rpms/postgresql-python-8.0.2-2tr.i586.rpm
f8a16af349b3bc48671e007242ac3d80  2.2/rpms/postgresql-server-8.0.2-2tr.i586.rpm
bcebd2b16e88aa8f63d55bb6fb15509f  2.2/rpms/postgresql-test-8.0.2-2tr.i586.rpm
701d65cfe65063dee81e4152a1343e72  2.2/rpms/tcpdump-3.8.3-2tr.i586.rpm
e4e7d13d9922954690d429226188bc2a  2.2/rpms/vim-6.3.045-4tr.i586.rpm
80cedca045cddce512f82ee45beda55e  2.2/rpms/vim-doc-6.3.045-4tr.i586.rpm
2462f1b241ffad987e5afe23bc513ddc  2.2/rpms/vim-syntax-6.3.045-4tr.i586.rpm
d6875a0195817353c297db94031bbb39  2.2/rpms/vim-tools-6.3.045-4tr.i586.rpm

9b2883ead0eeae5e5bee7bc5cf33c554  2.1/rpms/gzip-1.2.4a-31tr.i586.rpm
b0e2e7095f7a22767e9bfe3aad3c43bf  2.1/rpms/gzip-doc-1.2.4a-31tr.i586.rpm
ee2ecfebacc9073a329d55b9a1f602ff  2.1/rpms/postgresql-7.4.7-3tr.i586.rpm
f1808dfd2f2c935a0aa6ba0b6525518c  2.1/rpms/postgresql-contrib-7.4.7-3tr.i586.rpm
d4109460f0e8c7654dea95600df0f216  2.1/rpms/postgresql-devel-7.4.7-3tr.i586.rpm
e2715ad2e7aaee96a9f01ed548748fd9  2.1/rpms/postgresql-docs-7.4.7-3tr.i586.rpm
173ba26305b70132724de5ee736a8019  2.1/rpms/postgresql-libs-7.4.7-3tr.i586.rpm
2f76eb3892d8e0c25af745de7891f816  2.1/rpms/postgresql-plperl-7.4.7-3tr.i586.rpm
91a839de2b811707bb08a6ccd520d206  2.1/rpms/postgresql-python-7.4.7-3tr.i586.rpm
66b49c3ea88bb85e7c6be2b72048ba1c  2.1/rpms/postgresql-server-7.4.7-3tr.i586.rpm
df80901db01f929ae858d0a37331f425  2.1/rpms/postgresql-test-7.4.7-3tr.i586.rpm
226af2d3b51a2de1143139c06bcfa711  2.1/rpms/tcpdump-3.8.2-3tr.i586.rpm
- --------------------------------------------------------------------------

Trustix Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCe5v5i8CEzsK9IksRAqtvAJ9CAEbNoMBSOqkmwRLgJT4TmT0w/wCgsm4a
+RWkFgcl2h40f+y98YOFCwY=
=ZlU9
-----END PGP SIGNATURE-----

_______________________________________________
tsl-announce mailing list
tsl-announce@lists.trustix.org
http://lists.trustix.org/mailman/listinfo/tsl-announce
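The gzip item above (CAN-2005-1228) turns on one detail of the file format: `gunzip -N` restores the original file name recorded in the gzip member header (the RFC 1952 FNAME field), and an extractor that uses that name verbatim as a path will write wherever the name points. The following example is added here and is not Trustix's or GNU gzip's code; it parses the header of a gzip member, pulls out FNAME, and reports whether the stored name is a bare file name that is safe to create in the working directory. The sample members are constructed in memory (the standard library's gzip module only ever writes a basename, so the header is built by hand), and the function names are this example's own.

```python
"""Audit the stored file name (FNAME) of a gzip member.

Added example, not code from the Trustix advisory or from GNU gzip.
An extractor honouring -N must treat FNAME as untrusted input: anything
but a plain file name should be rejected and the archive name used instead.
"""
import gzip
import struct
import zlib

# RFC 1952 FLG bits
FTEXT, FHCRC, FEXTRA, FNAME, FCOMMENT = 0x01, 0x02, 0x04, 0x08, 0x10


def parse_gzip_header(buf: bytes) -> dict:
    """Return the fixed header fields plus FNAME/FCOMMENT when present."""
    if len(buf) < 10 or buf[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip member")
    cm, flg, mtime, xfl, os_ = struct.unpack("<BBIBB", buf[2:10])
    if cm != 8:
        raise ValueError("unsupported compression method %d" % cm)
    pos = 10
    info = {"flags": flg, "mtime": mtime, "fname": None, "comment": None}
    if flg & FEXTRA:                      # skip the optional extra field
        (xlen,) = struct.unpack("<H", buf[pos:pos + 2])
        pos += 2 + xlen
    if flg & FNAME:                       # NUL-terminated original name
        end = buf.index(b"\x00", pos)
        info["fname"] = buf[pos:end].decode("latin-1")
        pos = end + 1
    if flg & FCOMMENT:                    # NUL-terminated comment
        end = buf.index(b"\x00", pos)
        info["comment"] = buf[pos:end].decode("latin-1")
        pos = end + 1
    if flg & FHCRC:                       # 16-bit header CRC
        pos += 2
    info["header_len"] = pos              # offset of the deflate stream
    return info


def check_stored_name(fname):
    """Decide whether FNAME may be used as-is to create a file in the cwd.

    Returns (ok, reason). Directory separators, parent references and
    absolute paths are all rejected; the safe fallback for an extractor is
    the archive's own name with the .gz suffix removed.
    """
    if not fname:
        return False, "no FNAME field"
    if "/" in fname or "\\" in fname:
        return False, "contains a directory separator"
    if fname in (".", ".."):
        return False, "refers to a directory"
    return True, "plain file name"


def audit_member(buf: bytes):
    """Return (stored name, ok, reason) for one gzip member."""
    info = parse_gzip_header(buf)
    ok, reason = check_stored_name(info["fname"])
    return info["fname"], ok, reason


def make_gzip_member(name: str, payload: bytes) -> bytes:
    """Build a gzip member carrying an arbitrary FNAME (constructed test data).

    Fixed header with only the FNAME flag set, mtime 0, xfl 0, OS 3 (Unix),
    then the NUL-terminated name, a raw deflate body, CRC32 and ISIZE.
    """
    header = b"\x1f\x8b\x08" + bytes([FNAME]) + struct.pack("<IBB", 0, 0, 3)
    header += name.encode("latin-1") + b"\x00"
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    body = comp.compress(payload) + comp.flush()
    trailer = struct.pack("<II", zlib.crc32(payload) & 0xFFFFFFFF,
                          len(payload) & 0xFFFFFFFF)
    return header + body + trailer


def payload_of(buf: bytes) -> bytes:
    """Decompress a member with the standard library, proving it is well formed."""
    return gzip.decompress(buf)


if __name__ == "__main__":
    samples = {                           # constructed sample members
        "benign":    make_gzip_member("notes.txt", b"hello\n"),
        "traversal": make_gzip_member("../../some/dir/notes.txt", b"hello\n"),
    }
    for label, member in samples.items():
        print(label, audit_member(member))
```

The same check applies to any extractor that honours a name embedded in the archive rather than the name of the archive on disk: parse the header first, validate the stored name, and only then open an output file.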

