User: Password:
|
|
Subscribe / Log in / New account

Trustix alert TSLSA-2007-0005 (bind, ed, elinks)

From:  Trustix Security Advisor <tsl@trustix.org>
To:  tsl-announce@lists.trustix.org
Subject:  TSLSA-2007-0005 - multi
Date:  Mon, 5 Feb 2007 08:21:27 +0000

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Trustix Secure Linux Security Advisory #2007-0005 Package names: bind, ed, elinks Summary: Multiple vulnerabilities Date: 2007-02-05 Affected versions: Trustix Secure Linux 2.2 Trustix Secure Linux 3.0 Trustix Operating System - Enterprise Server 2 - -------------------------------------------------------------------------- Package description: bind BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses, and a resolver library (routines for applications to use when interfacing with DNS). A DNS server allows clients to name resources or objects and share the information with other network machines. The named DNS server can be used on workstations as a caching name server, but is generally only needed on one machine for an entire network. ed Ed is a line-oriented text editor, used to create, display, and modify text files (both interactively and via shell scripts). For most purposes, ed has been replaced in normal usage by full-screen editors (emacs and vi, for example). elinks ELinks is a program for browsing the web in text mode. It provide a feature-rich text mode browser with an open patches/features inclusion policy and active development. One of these features is that ELinks includes Links-Lua which adds scripting capabilities to ELinks. Problem description: bind < TSL 3.0 > < TSL 2.2 > < TSEL 2 > - New Upstream. - SECURITY Fix: Some vulnerabilities have been reported in ISC BIND, which can be exploited by malicious people to cause a DoS. An unspecified error may cause the named daemon to dereference a freed fetch context. - Another vulnerability in ISC BIND allows remote attackers to cause a denial of service (exit) via a type * (ANY) DNS query response that contains multiple RRsets, which triggers an assertion error, aka the "DNSSEC Validation" vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-0493 and CVE-2007-0494 to these issues. ed < TSL 3.0 > < TSL 2.2 > < TSEL 2 > - New upstream. - SECURITY FIX: A vulnerability has been identified in the "open_sbuf()" [buf.c] function that handles temporary files in an insecure manner, which could allow malicious users to conduct symlink attacks and create or overwrite arbitrary files with the privileges of the user invoking the vulnerable application. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2006-6939 to this issue. elinks < TSL 3.0 > - New upstream. - SECURITY Fix: Teemu Salmela has discovered a vulnerability, which is caused due to an error in the validation of "smb://" URLs when Links runs smbclient commands. This can be exploited to download and overwrite local files or upload local files to an SMB share by injecting smbclient commands in the "smb://" URL. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2006-5925 to this issue. Action: We recommend that all systems with this package installed be upgraded. Please note that if you do not need the functionality provided by this package, you may want to remove it from your system. Location: All Trustix Secure Linux updates are available from <URI:http://http.trustix.org/pub/trustix/updates/> <URI:ftp://ftp.trustix.org/pub/trustix/updates/> About Trustix Secure Linux: Trustix Secure Linux is a small Linux distribution for servers. With focus on security and stability, the system is painlessly kept safe and up to date from day one using swup, the automated software updater. Automatic updates: Users of the SWUP tool can enjoy having updates automatically installed using 'swup --upgrade'. Questions? Check out our mailing lists: <URI:http://www.trustix.org/support/> Verification: This advisory along with all Trustix packages are signed with the TSL sign key. This key is available from: <URI:http://www.trustix.org/TSL-SIGN-KEY> The advisory itself is available from the errata pages at <URI:http://www.trustix.org/errata/trustix-2.2/> and <URI:http://www.trustix.org/errata/trustix-3.0/> or directly at <URI:http://www.trustix.org/errata/2007/0005/> MD5sums of the packages: - -------------------------------------------------------------------------- 3112dfc593ecb6394aeb7fb4867e4e30 3.0/rpms/bind-9.3.4-1tr.i586.rpm 8cc8c0d73f9b1457cda994fd82a52b87 3.0/rpms/bind-devel-9.3.4-1tr.i586.rpm 75c261426a6d4e77b45c98eacfacddfb 3.0/rpms/bind-libs-9.3.4-1tr.i586.rpm 87e5993a7e5b045958b9a78e104c736f 3.0/rpms/bind-light-9.3.4-1tr.i586.rpm f0fc46061ecd0740470b4503d0c7a065 3.0/rpms/bind-light-devel-9.3.4-1tr.i586.rpm a61e7ad79cd98d3bb31d91a6d455dff1 3.0/rpms/bind-utils-9.3.4-1tr.i586.rpm d0eafdde540e1328041ac0e89efad7e7 3.0/rpms/ed-0.4-1tr.i586.rpm 8f4d1769a53918324b04534f67e3b5d7 3.0/rpms/elinks-0.11.2-1tr.i586.rpm 0fc22c7b4599c72184e3bd9e0a0aaa8c 2.2/rpms/bind-9.3.4-1tr.i586.rpm cf5e701cffa3feb11f12c0f274d67d6c 2.2/rpms/bind-devel-9.3.4-1tr.i586.rpm 2d6d1c3b345a593a23266effdd613076 2.2/rpms/bind-libs-9.3.4-1tr.i586.rpm 8d549fba3a2aa68d555e45edb7bdf102 2.2/rpms/bind-light-9.3.4-1tr.i586.rpm bbf737edf58f73089f5dc00a37f823f9 2.2/rpms/bind-light-devel-9.3.4-1tr.i586.rpm 89f3cd943fd8f183bcc0adedace27451 2.2/rpms/bind-utils-9.3.4-1tr.i586.rpm 18b1ada8a24e8670cb40ac282e531c4a 2.2/rpms/ed-0.4-1tr.i586.rpm - -------------------------------------------------------------------------- Trustix Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFFxuZni8CEzsK9IksRAu8EAJ4+0Nrd7rnGh5XhMAPrHcEcWuFhAACfeyb/ TaacJQ18NUY1H10niVwO1jw= =F39l -----END PGP SIGNATURE----- _______________________________________________ tsl-announce mailing list tsl-announce@lists.trustix.org http://lists.trustix.org/mailman/listinfo/tsl-announce


(Log in to post comments)


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds