User: Password:
|
|
Subscribe / Log in / New account

Trustix alert TSLSA-2007-0007 (fetchmail, gd, php, postgresql, samba)

From:  Trustix Security Advisor <tsl@trustix.org>
To:  tsl-announce@lists.trustix.org
Subject:  TSLSA-2007-0007 - multi
Date:  Tue, 13 Feb 2007 08:06:30 +0000

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Trustix Secure Linux Security Advisory #2007-0007 Package names: fetchmail, gd, php, postgresql, samba Summary: Multiple vulnerabilities Date: 2007-02-13 Affected versions: Trustix Secure Linux 2.2 Trustix Secure Linux 3.0 Trustix Operating System - Enterprise Server 2 - -------------------------------------------------------------------------- Package description: fetchmail Fetchmail is a remote mail retrieval and forwarding utility intended for use over on-demand TCP/IP links, like SLIP or PPP connections. Fetchmail supports every remote-mail protocol currently in use on the Internet (POP2, POP3, RPOP, APOP, KPOP, all IMAPs, ESMTP ETRN, IPv6,and IPSEC) for retrieval. Then Fetchmail forwards the mail through SMTP so you can read it through your favorite mail client. gd gd is a graphics library. It allows your code to quickly draw images complete with lines, arcs, text, multiple colors, cut and paste from other images, and flood fills, and write out the result as a PNG or JPEG file. This is particularly useful in World Wide Web applications, where PNG and JPEG are two of the formats accepted for inline images by most browsers. php PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled web page with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The mod_php module enables the Apache web server to understand and process the embedded PHP language in web pages. postgresql PostgreSQL is an advanced Object-Relational database management system (DBMS) that supports almost all SQL constructs (including transactions, subselects and user-defined types and functions). The postgresql package includes the client programs and libraries that you'll need to access a PostgreSQL DBMS server. These PostgreSQL client programs are programs that directly manipulate the internal structure of PostgreSQL databases on a PostgreSQL server. These client programs can be located on the same machine with the PostgreSQL server, or may be on a remote machine which accesses a PostgreSQL server over a network connection. This package contains the docs in HTML for the whole package, as well as command-line utilities for managing PostgreSQL databases on a PostgreSQL server. samba Samba provides an SMB server which can be used to provide network services to SMB (sometimes called "Lan Manager") clients, including various versions of MS Windows, OS/2, and other Linux machines. Samba uses NetBIOS over TCP/IP (NetBT) protocols and does NOT need NetBEUI (Microsoft Raw NetBIOS frame) protocol. Problem description: fetchmail < TSL 3.0 > < TSL 2.2 > - SECURITY Fix: Fetchmail does not properly enforce TLS and may transmit cleartext passwords over unsecured links if certain circumstances occur, which allows remote attackers to obtain sensitive information via man-in-the-middle (MITM) attacks. - A vulnerability has been reported in Fetchmail caused due to a NULL pointer dereference error when rejecting a message sent to an MDA, which could be exploited by attackers to cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2006-5867 and CVE-2006-5974 to these issues. gd < TSL 3.0 > < TSL 2.2 > - SECURITY Fix: Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-0455 to this issue. php < TSL 3.0 > < TSL 2.2 > - New Upstream. - Includes fix for php "out of memory" error, Bug #2062. - Multiple Security fixes. postgresql < TSL 3.0 > < TSL 2.2 > < TSEL 2 > - New upstream. - SECURITY Fix: An unspecified error can be used to suppress certain checks, which ensure that SQL functions return the correct data type. This can be exploited to crash the database backend or disclose potentially sensitive information. - An unspecified error when changing the data type of a table column can be exploited to crash the database backend or disclose potentially sensitive information. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-0555 and CVE-2007-0556 to these issues. samba < TSL 3.0 > < TSL 2.2 > < TSEL 2 > - New upstream. - SECURITY Fix: smbd allows remote authenticated users to cause a denial of service (memory and CPU exhaustion) by renaming a file in a way that prevents a request from being removed from the deferred open queue, which triggers an infinite loop. - Buffer overflow in the nss_winbind.so.1 library, as used in the winbindd daemon, allows attackers to execute arbitrary code via the (1) gethostbyname and (2) getipnodebyname functions. - Format string vulnerability in the afsacl.so VFS module allows context-dependent attackers to execute arbitrary code via format string specifiers in a filename on an AFS file system, which is not properly handled during Windows ACL mapping. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-0452, CVE-2007-0453 and CVE-2007-0454 to these issue. Action: We recommend that all systems with this package installed be upgraded. Please note that if you do not need the functionality provided by this package, you may want to remove it from your system. Location: All Trustix Secure Linux updates are available from <URI:http://http.trustix.org/pub/trustix/updates/> <URI:ftp://ftp.trustix.org/pub/trustix/updates/> About Trustix Secure Linux: Trustix Secure Linux is a small Linux distribution for servers. With focus on security and stability, the system is painlessly kept safe and up to date from day one using swup, the automated software updater. Automatic updates: Users of the SWUP tool can enjoy having updates automatically installed using 'swup --upgrade'. Questions? Check out our mailing lists: <URI:http://www.trustix.org/support/> Verification: This advisory along with all Trustix packages are signed with the TSL sign key. This key is available from: <URI:http://www.trustix.org/TSL-SIGN-KEY> The advisory itself is available from the errata pages at <URI:http://www.trustix.org/errata/trustix-2.2/> and <URI:http://www.trustix.org/errata/trustix-3.0/> or directly at <URI:http://www.trustix.org/errata/2007/0007/> MD5sums of the packages: - -------------------------------------------------------------------------- de6b10865bb6ad13a1a5934903d6cece 3.0/rpms/fetchmail-6.3.6-1tr.i586.rpm f04e1c33d8c11352a8115a178bce8806 3.0/rpms/gd-2.0.33-7tr.i586.rpm faff5121268f9cceb37d77e4c1fc2059 3.0/rpms/gd-devel-2.0.33-7tr.i586.rpm d65cb3c4798099bce8756d9d4d9fa7a0 3.0/rpms/gd-utils-2.0.33-7tr.i586.rpm 5bebb862eb223b3a0eedfe16c82b2dc6 3.0/rpms/php-5.2.1-1tr.i586.rpm a67665031b21953bebc51dba1aeba03c 3.0/rpms/php-calendar-5.2.1-1tr.i586.rpm f0fcbc3e69f4e96d646fec7bdbbcf554 3.0/rpms/php-cli-5.2.1-1tr.i586.rpm a939afe84d1671cce2bb7155f7ac0ab0 3.0/rpms/php-curl-5.2.1-1tr.i586.rpm 445da66088168ff3563b49a55397c745 3.0/rpms/php-dba-5.2.1-1tr.i586.rpm 9d5dd6d54688e2549206712d45d04c99 3.0/rpms/php-devel-5.2.1-1tr.i586.rpm b5e735b2210a098d985422eec4899118 3.0/rpms/php-exif-5.2.1-1tr.i586.rpm 8bf72a390e67d8c4d21394ca8d8a3cbd 3.0/rpms/php-fcgi-5.2.1-1tr.i586.rpm 609c6aa553a37f58e61a7c255d0dad23 3.0/rpms/php-gd-5.2.1-1tr.i586.rpm 82e8b36e32d265d28362c0a2235a3a10 3.0/rpms/php-imap-5.2.1-1tr.i586.rpm ec211999cb0359a7f17b82ea1d723777 3.0/rpms/php-ldap-5.2.1-1tr.i586.rpm 00274cb74e84ac30187acc473d64c862 3.0/rpms/php-mcrypt-5.2.1-1tr.i586.rpm 05d63a12841a4446990840d6ea85ab57 3.0/rpms/php-mhash-5.2.1-1tr.i586.rpm af196d861f6b48ba18d8af54178e9cbf 3.0/rpms/php-mssql-5.2.1-1tr.i586.rpm 55cfb9816587f3f4af66649c3d5cf50d 3.0/rpms/php-mysql-5.2.1-1tr.i586.rpm db96d6839bbac310d143240f0e355106 3.0/rpms/php-mysqli-5.2.1-1tr.i586.rpm 7e769d14d711d0da14c407a24030dc6e 3.0/rpms/php-openssl-5.2.1-1tr.i586.rpm a4848dad7454d6731585fc29697ce641 3.0/rpms/php-pdo-mysql-5.2.1-1tr.i586.rpm 044c453773907443c0583e6100280052 3.0/rpms/php-pdo-sqlite-5.2.1-1tr.i586.rpm a50c2f8aa1954845026f693c4f5dddd1 3.0/rpms/php-pgsql-5.2.1-1tr.i586.rpm dc4811e93101cf4f67785aded0604282 3.0/rpms/php-pspell-5.2.1-1tr.i586.rpm 656c60c889a7c24af9aa8279f99683bd 3.0/rpms/php-snmp-5.2.1-1tr.i586.rpm 985487ad22973ee213428eb05a9a4e71 3.0/rpms/php-sqlite-5.2.1-1tr.i586.rpm 974ebe419202aad9e71e0b904ad9a1a7 3.0/rpms/php-xslt-5.2.1-1tr.i586.rpm dccc24c6390eb5f08be54191a8759f90 3.0/rpms/php-zlib-5.2.1-1tr.i586.rpm 90b55a1dde7b503a6347ce898774df1b 3.0/rpms/postgresql-8.0.12-1tr.i586.rpm dc976150bccad1c875003fe92e8df406 3.0/rpms/postgresql-contrib-8.0.12-1tr.i586.rpm 373435a876d99504c422eb22e918110b 3.0/rpms/postgresql-devel-8.0.12-1tr.i586.rpm b28a5463590f707c2f2fbb4ec56c7968 3.0/rpms/postgresql-docs-8.0.12-1tr.i586.rpm 052899e6bf3d4dbf05b919ece3f78cc6 3.0/rpms/postgresql-libs-8.0.12-1tr.i586.rpm b917d3a7500d092b603596b9322e2e50 3.0/rpms/postgresql-plperl-8.0.12-1tr.i586.rpm 7b978664feff21df4de290d04849de25 3.0/rpms/postgresql-python-8.0.12-1tr.i586.rpm 57eba62e91beb1f756604ba0903a798d 3.0/rpms/postgresql-server-8.0.12-1tr.i586.rpm 4a78a579acc27be07c605b53757f409d 3.0/rpms/postgresql-test-8.0.12-1tr.i586.rpm 98cf0c288eb646d46e45ea3786d69460 3.0/rpms/samba-3.0.24-1tr.i586.rpm 3b8d03e1c657944697f27dfd94083b54 3.0/rpms/samba-client-3.0.24-1tr.i586.rpm 58bdd6118bddbbe9962f4eddb28ff7c8 3.0/rpms/samba-common-3.0.24-1tr.i586.rpm 97ba37f6f890e39a44474a575c8009d1 3.0/rpms/samba-devel-3.0.24-1tr.i586.rpm 4871243701dbd75a994eb14eefb88c6b 3.0/rpms/samba-mysql-3.0.24-1tr.i586.rpm 2c2dd71f917ff909e1f562af4984a46e 2.2/rpms/fetchmail-6.2.5.5-2tr.i586.rpm 40add27b80f1d4e97643c33df19b067a 2.2/rpms/gd-2.0.33-5tr.i586.rpm bb0f5436bd572f9526d6ec3461833061 2.2/rpms/gd-devel-2.0.33-5tr.i586.rpm 0411b52fdfb04e6473e093d2d8ba168c 2.2/rpms/gd-utils-2.0.33-5tr.i586.rpm 2922f2962e156ecd9b04ac172b34dfe7 2.2/rpms/php-5.2.1-1tr.i586.rpm e6d7e6e767034dbd849a70790e1f4a67 2.2/rpms/php-cli-5.2.1-1tr.i586.rpm 76bac87481615ac1acf7554f956aeffb 2.2/rpms/php-curl-5.2.1-1tr.i586.rpm 68819d843e5f40b8fb900a8a47904ace 2.2/rpms/php-devel-5.2.1-1tr.i586.rpm af0915f900c472c980704a104285fee3 2.2/rpms/php-exif-5.2.1-1tr.i586.rpm 95b0997487a8befd161061be801d97f4 2.2/rpms/php-fcgi-5.2.1-1tr.i586.rpm efa831f89218ff297b22fcb9c9a82e5d 2.2/rpms/php-gd-5.2.1-1tr.i586.rpm 6d6b91a201b5fe4e7e8df46be3f38afa 2.2/rpms/php-imap-5.2.1-1tr.i586.rpm 596d513c1ca3f35bbed8ca888da95e04 2.2/rpms/php-ldap-5.2.1-1tr.i586.rpm 3edf364b42f6b64fe73bf2713f7010b9 2.2/rpms/php-mcrypt-5.2.1-1tr.i586.rpm 7f5adac66ada60f9c8b5c173f1382be6 2.2/rpms/php-mhash-5.2.1-1tr.i586.rpm d64be30326180ddae851ea51cb09c8cd 2.2/rpms/php-mssql-5.2.1-1tr.i586.rpm e5dd0daf72c394aa999adb3aaf8d70e7 2.2/rpms/php-mysql-5.2.1-1tr.i586.rpm 309a3ddf2736e498a567b33a5b4b3d0c 2.2/rpms/php-mysqli-5.2.1-1tr.i586.rpm 37a8663a1a6e99fe3ad945ed023ba62d 2.2/rpms/php-openssl-5.2.1-1tr.i586.rpm 5d7468c9d48fcd68d2aa0e202f741ce1 2.2/rpms/php-pdo-mysql-5.2.1-1tr.i586.rpm 1e88c42de999f7777a2a6dba4a774396 2.2/rpms/php-pdo-sqlite-5.2.1-1tr.i586.rpm f80833a19188aa5cd3abdb6448478f0b 2.2/rpms/php-pgsql-5.2.1-1tr.i586.rpm dd47890fd035022a41093469ba12ae63 2.2/rpms/php-sqlite-5.2.1-1tr.i586.rpm 002c8c187c729b661bc4fe927aa2b43f 2.2/rpms/php-zlib-5.2.1-1tr.i586.rpm 37bd8755048481460d79cb572d6c94ab 2.2/rpms/postgresql-8.0.12-1tr.i586.rpm 0c540ef41fb8f5000042e24bf37fde0b 2.2/rpms/postgresql-contrib-8.0.12-1tr.i586.rpm b65d317f8b63ef6fc5e2654109f3721e 2.2/rpms/postgresql-devel-8.0.12-1tr.i586.rpm f66b44c1e5e4ca008327f5104d6b3167 2.2/rpms/postgresql-docs-8.0.12-1tr.i586.rpm 884bb462892ef386c5cec5ea8ef71db9 2.2/rpms/postgresql-libs-8.0.12-1tr.i586.rpm 08a2acb9fb41edf92e5c17742be27b41 2.2/rpms/postgresql-plperl-8.0.12-1tr.i586.rpm 7d2d55f87f50c25264c847a2f0f4f3d9 2.2/rpms/postgresql-python-8.0.12-1tr.i586.rpm 39c7d13a5ecd0c75d4cfe32c624393d6 2.2/rpms/postgresql-server-8.0.12-1tr.i586.rpm 78d22a4d806246050d81108a44e159f4 2.2/rpms/postgresql-test-8.0.12-1tr.i586.rpm a4326b1bde0265eb70f1a20d62380a08 2.2/rpms/samba-3.0.24-1tr.i586.rpm 219d539afdc93ae5bdaa2bc68170f91f 2.2/rpms/samba-client-3.0.24-1tr.i586.rpm e041c99a9647c63a83264d5f05d6b105 2.2/rpms/samba-common-3.0.24-1tr.i586.rpm 5f8dc6eb620ebb5000143a32249b9ffe 2.2/rpms/samba-devel-3.0.24-1tr.i586.rpm f318ce88117532b3bcdc4753169b9633 2.2/rpms/samba-mysql-3.0.24-1tr.i586.rpm - -------------------------------------------------------------------------- Trustix Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFF0Wzhi8CEzsK9IksRAiQmAJ99n22X2aRX9gwdAAiHSgyVyj4bYACffkqo HESfz2BXJONO38H5yPhw24U= =Z2/R -----END PGP SIGNATURE----- _______________________________________________ tsl-announce mailing list tsl-announce@lists.trustix.org http://lists.trustix.org/mailman/listinfo/tsl-announce


(Log in to post comments)


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds