User: Password:
|
|
Subscribe / Log in / New account

OpenPKG alert OpenPKG-SA-2006.020 (gzip)

From:  OpenPKG <openpkg@openpkg.org>
To:  openpkg-announce@openpkg.org
Subject:  [OpenPKG-SA-2006.020] OpenPKG Security Advisory (gzip)
Date:  Wed, 20 Sep 2006 13:26:41 +0200

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ________________________________________________________________________ OpenPKG Security Advisory The OpenPKG Project http://www.openpkg.org/security/ http://www.openpkg.org openpkg-security@openpkg.org openpkg@openpkg.org OpenPKG-SA-2006.020 20-Sep-2006 ________________________________________________________________________ Package: gzip Vulnerability: denial of service, arbitrary code execution OpenPKG Specific: no Affected Releases: Affected Packages: Corrected Packages: OpenPKG CURRENT <= gzip-1.3.5-20050724 >= gzip-1.3.5-20060920 OpenPKG 2-STABLE <= gzip-1.3.5-2.20060622 >= gzip-1.3.5-2.20060920 OpenPKG 2.5-RELEASE <= gzip-1.3.5-2.5.0 >= gzip-1.3.5-2.5.1 Description: Tavis Ormandy of the Google Security Team discovered several vulnerabilities in the compression tool GZIP [1]. The problems are a NULL dereference, an out-of-bound (OOB) write, a buffer underflow, a buffer overflow and an infinite loop. The Common Vulnerabilities and Exposures (CVE) project assigned the ids CVE-2006-4334 [2], CVE-2006-4335 [3], CVE-2006-4336 [4], CVE-2006-4337 [5] and CVE-2006-4338 [6] to the problems. ________________________________________________________________________ References: [1] http://www.gzip.org/ [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4334 [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4335 [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4336 [5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4337 [6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4338 ________________________________________________________________________ For security reasons, this advisory was digitally signed with the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the OpenPKG project which you can retrieve from http://pgp.openpkg.org and hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org for details on how to verify the integrity of this advisory. ________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Comment: OpenPKG <openpkg@openpkg.org> iD8DBQFFESVYgHWT4GPEy58RAnL5AJ933TxbcOrNaQO5DF9ONBvvUPqsXgCfeHmz 3SSOO5xLnz8L4LPRcQuK7xo= =4l8w -----END PGP SIGNATURE----- ______________________________________________________________________ The OpenPKG Project www.openpkg.org Project Announcement List openpkg-announce@openpkg.org


(Log in to post comments)


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds