Trustix Secure Linux Advisories: tcpdump, wget, kernel, perl, mysql, lynx-ssl

Dec 20, 2002, 18:49

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2002-0084

Package name:      tcpdump
Summary:           Incorrect bounds checking
Date:              2002-12-19
Affected versions: TSL 1.1, 1.2, 1.5

- --------------------------------------------------------------------------
Package description:
  Tcpdump is a command-line tool for monitoring network traffic.
  Tcpdump can capture and display the packet headers on a particular
  network interface or on all interfaces.  Tcpdump can display all of
  the packet headers, or just the ones that match particular criteria.


Problem description:
  Tcpdump tries to decode the packets it sees on the network to provide
  some information to the user.  When decoding BGP packets, it failed
  to do proper bounds checking.  The impact is not known, but it could
  at least be used to crash tcpdump.  This is fixed in the 3.7.1
  release of tcpdump.

  In addition, we have upgraded libpcap and arpwatch to resolve
  dependencies.
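
The bug class above, as an added illustration (not tcpdump's code and not the 3.7.1 fix): a small BGP header and UPDATE-length decoder in Python that checks every declared length against the bytes actually captured, run over constructed sample messages.

```python
import struct

BGP_HEADER_LEN = 19    # 16-byte marker + 2-byte length + 1-byte type
BGP_MAX_LEN = 4096     # largest legal BGP message (RFC 4271)
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}

class TruncatedMessage(ValueError):
    """A length field claims more bytes than the captured buffer holds."""

def parse_bgp_message(buf, offset=0):
    """Decode one BGP header; returns (type_name, declared_length, body).

    Two checks a decoder must make: enough bytes for the fixed header, and
    the declared length fitting inside what was actually captured.
    """
    remaining = len(buf) - offset
    if remaining < BGP_HEADER_LEN:
        raise TruncatedMessage(f"need {BGP_HEADER_LEN} header bytes, have {remaining}")
    if buf[offset:offset + 16] != b"\xff" * 16:
        raise ValueError("bad BGP marker")
    length, msg_type = struct.unpack_from("!HB", buf, offset + 16)
    if not BGP_HEADER_LEN <= length <= BGP_MAX_LEN:
        raise ValueError(f"illegal BGP length {length}")
    if length > remaining:
        raise TruncatedMessage(f"declared {length} bytes, only {remaining} captured")
    body = bytes(buf[offset + BGP_HEADER_LEN:offset + length])
    return BGP_TYPES.get(msg_type, f"TYPE{msg_type}"), length, body

def parse_update_lengths(body):
    """Check an UPDATE body's nested lengths; returns (withdrawn, attrs, nlri) sizes.

    Layout: 2-byte withdrawn-routes length, withdrawn routes, 2-byte path
    attribute length, attributes, then NLRI.  Each inner length must fit.
    """
    if len(body) < 2:
        raise TruncatedMessage("UPDATE body too short for withdrawn length")
    (withdrawn_len,) = struct.unpack_from("!H", body, 0)
    pos = 2 + withdrawn_len
    if pos + 2 > len(body):
        raise TruncatedMessage(f"withdrawn length {withdrawn_len} overruns body")
    (attr_len,) = struct.unpack_from("!H", body, pos)
    pos += 2 + attr_len
    if pos > len(body):
        raise TruncatedMessage(f"attribute length {attr_len} overruns body")
    return withdrawn_len, attr_len, len(body) - pos

def classify(buf):
    """Verdict string for one buffer; a decoder logs this instead of reading past it."""
    try:
        msg_type, _length, body = parse_bgp_message(buf)
        if msg_type == "UPDATE":
            parse_update_lengths(body)
        return f"ok:{msg_type}"
    except TruncatedMessage as exc:
        return f"truncated:{exc}"
    except ValueError as exc:
        return f"malformed:{exc}"

# Constructed sample messages, not taken from a real capture.
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
GOOD_UPDATE = b"\xff" * 16 + struct.pack("!HB", 27, 2) + b"\x00\x00\x00\x00\x18\x0a\x00\x00"
TRUNCATED_UPDATE = b"\xff" * 16 + struct.pack("!HB", 64, 2) + b"\x00" * 4  # claims 64, has 23
BAD_INNER_UPDATE = b"\xff" * 16 + struct.pack("!HB", 25, 2) + b"\x00\x10\x00\x00\x00\x00"  # inner 16 > body 6

if __name__ == "__main__":
    for name, pkt in [("keepalive", KEEPALIVE), ("update", GOOD_UPDATE),
                      ("truncated", TRUNCATED_UPDATE), ("bad-inner", BAD_INNER_UPDATE)]:
        print(f"{name:10s} {classify(pkt)}")
```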


Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All TSL updates are available from
  <URI:http://www.trustix.net/pub/Trustix/updates/>;
  <URI:ftp://ftp.trustix.net/pub/Trustix/updates/>


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.

  Get SWUP from:
  <URI:ftp://ftp.trustix.net/pub/Trustix/software/swup/>


Public testing:
  These packages have been available for public testing for some time.
  If you want to contribute by testing the various packages in the
  testing tree, please feel free to share your findings on the
  tsl-discuss mailing list.
  The testing tree is located at
  <URI:http://www.trustix.net/pub/Trustix/testing/>;
  <URI:ftp://ftp.trustix.net/pub/Trustix/testing/>
  

Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.net/support/>;


Verification:
  This advisory, along with all TSL packages, is signed with the TSL sign key.
  This key is available from:
  <URI:http://www.trustix.net/TSL-GPG-KEY>;

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.net/errata/trustix-1.2/>; and
  <URI:http://www.trustix.net/errata/trustix-1.5/>;
  or directly at
  <URI:http://www.trustix.net/errata/misc/2002/TSL-2002-0084-tcpdump.asc.txt>;


MD5sums of the packages:
- --------------------------------------------------------------------------


Trustix Security Team


- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2002-0089

Package name:      wget
Summary:           directory traversal bug
Date:              2002-12-19
Affected versions: TSL 1.5

- --------------------------------------------------------------------------
Package description:
  GNU Wget is a file retrieval utility which can use either the HTTP or
  FTP protocols.  Wget features include the ability to work in the
  background while you're logged out, recursive retrieval of
  directories, file name wildcard matching, remote file timestamp
  storage and comparison, use of Rest with FTP servers and Range with
  HTTP servers to retrieve files over slow or unstable connections,
  support for Proxy servers, and configurability.


Problem description:
  wget did not check the path sent back by an FTP server, allowing a
  malicious FTP server to make wget create files under paths containing
  elements that lead higher up the directory tree (i.e. "../../").
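
An added example of the missing check, written here in Python rather than taken from wget: server-reported FTP paths are normalised and refused if they would leave the download directory. The download root and the listing are constructed for the demonstration.

```python
import posixpath

class UnsafeRemotePath(ValueError):
    """The server-supplied path would land outside the local download root."""

def local_target(download_root, server_path):
    """Map a path reported by an FTP server onto a local file under download_root.

    The remote side controls server_path, so leading slashes, "." and ".."
    components and doubled separators are normalised first, and anything that
    still escapes the root is refused instead of being handed to open().
    """
    if "\x00" in server_path:
        raise UnsafeRemotePath(server_path)
    # Treat an absolute remote path as relative to the download root.
    rel = posixpath.normpath(server_path.lstrip("/"))
    # normpath folds "a/../b" to "b" but leaves a leading "../" in place;
    # that leftover is exactly the escape that must be rejected.
    if rel in (".", "..") or rel.startswith("../"):
        raise UnsafeRemotePath(server_path)
    root = posixpath.normpath(download_root)
    prefix = root if root.endswith("/") else root + "/"
    target = posixpath.normpath(posixpath.join(root, rel))
    # Final containment check, independent of the component logic above.
    if not target.startswith(prefix):
        raise UnsafeRemotePath(server_path)
    return target

def plan_downloads(download_root, server_paths):
    """Split a listing into (accepted [(remote, local)], rejected [remote])."""
    accepted, rejected = [], []
    for remote in server_paths:
        try:
            accepted.append((remote, local_target(download_root, remote)))
        except UnsafeRemotePath:
            rejected.append(remote)
    return accepted, rejected

# Constructed listing as a hostile server might return it (not a real capture).
SAMPLE_LISTING = [
    "pub/README",
    "pub/./docs//manual.txt",
    "pub/../pub/inside.txt",
    "pub/../../outside.txt",
    "/../escape.txt",
]

if __name__ == "__main__":
    ok, bad = plan_downloads("/home/user/downloads", SAMPLE_LISTING)
    for remote, local in ok:
        print("fetch ", remote, "->", local)
    for remote in bad:
        print("refuse", remote)
```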


Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All TSL updates are available from
  <URI:http://www.trustix.net/pub/Trustix/updates/>;
  <URI:ftp://ftp.trustix.net/pub/Trustix/updates/>



Verification:
  This advisory, along with all TSL packages, is signed with the TSL sign key.
  This key is available from:
  <URI:http://www.trustix.net/TSL-GPG-KEY>;

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.net/errata/trustix-1.5/>;
  or directly at
  <URI:http://www.trustix.net/errata/misc/2002/TSL-2002-0089-wget.asc.txt>;


MD5sums of the packages:
- --------------------------------------------------------------------------
435d1e7e4703328faabed4f8c1d81de9  ./1.5/RPMS/wget-1.8.2-4tr.i586.rpm
9841379e63c8741e0df935a896352f19  ./1.5/SRPMS/wget-1.8.2-4tr.src.rpm
- --------------------------------------------------------------------------


Trustix Security Team

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2002-0083

Package name:      kernel
Summary:           Local DoS
Date:              2002-19-12
Affected versions: TSL 1.01, 1.1, 1.2, 1.5

- --------------------------------------------------------------------------
Package description:
  The kernel package contains the Linux kernel (vmlinuz), the core of your
  Trustix Secure Linux operating system.  The kernel handles the basic
  functions of the operating system:  memory allocation, process allocation,
  device input and output, etc.


Problem description:
  In all Linux 2.2 kernels up to and including 2.2.23, the /proc/<pid>/mem
  interface can be abused to crash the system.  This release is patched
  to disable the use of mmap() on /proc/<pid>/mem.


Action:
  We recommend that all systems with this package installed be upgraded.


Location:
  All TSL updates are available from
  <URI:http://www.trustix.net/pub/Trustix/updates/>;
  <URI:ftp://ftp.trustix.net/pub/Trustix/updates/>



Verification:
  This advisory, along with all TSL packages, is signed with the TSL sign key.
  This key is available from:
  <URI:http://www.trustix.net/TSL-GPG-KEY>;

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.net/errata/trustix-1.2/>; and
  <URI:http://www.trustix.net/errata/trustix-1.5/>;
  or directly at
  <URI:http://www.trustix.net/errata/misc/2002/TSL-2002-0083-kernel.asc.txt>;


MD5sums of the packages:
- --------------------------------------------------------------------------


Trustix Security Team


- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2002-0087

Package name:      perl
Summary:           Safe compartments not being safe
Date:              2002-12-19
Affected versions: TSL 1.01, 1.1, 1.2, 1.5

- --------------------------------------------------------------------------
Package description:
  Perl is a high-level programming language with roots in C, sed, awk
  and shell scripting.  Perl is good at handling processes and files,
  and is especially good at handling text.  Perl's hallmarks are
  practicality and efficiency.  While it is used to do a lot of
  different things, Perl's most common applications (and what it excels
  at) are probably system administration utilities and web programming.
  A large proportion of the CGI scripts on the web are written in Perl.


Problem description:
  Perl allows for so-called "safe compartments" where code can be
  evaluated without access to variables outside this environment.
  There was, however, a bug affecting applications that use a safe
  compartment more than once.


Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All TSL updates are available from
  <URI:http://www.trustix.net/pub/Trustix/updates/>;
  <URI:ftp://ftp.trustix.net/pub/Trustix/updates/>



Verification:
  This advisory, along with all TSL packages, is signed with the TSL sign key.
  This key is available from:
  <URI:http://www.trustix.net/TSL-GPG-KEY>;

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.net/errata/trustix-1.2/>; and
  <URI:http://www.trustix.net/errata/trustix-1.5/>;
  or directly at
  <URI:http://www.trustix.net/errata/misc/2002/TSL-2002-0087-perl.asc.txt>;


MD5sums of the packages:
- --------------------------------------------------------------------------


Trustix Security Team

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2002-0086

Package name:      mysql
Summary:           Multiple issues
Date:              2002-12-19
Affected versions: TSL 1.5

- --------------------------------------------------------------------------
Package description:
  MySQL is a true multi-user, multi-threaded SQL (Structured Query
  Language) database server. MySQL is a client/server implementation
  that consists of a server daemon (mysqld) and many different client
  programs/libraries.


Problem description:
  This release fixes the following issues:
  * Signed integer vulnerability in COM_TABLE_DUMP in the MySQL server
  * Password length vulnerability in COM_CHANGE_USER in the MySQL server
  * read_rows overflow in the MySQL client libraries
  * read_one_row byte overwrites in the MySQL client libraries


Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All TSL updates are available from
  <URI:http://www.trustix.net/pub/Trustix/updates/>;
  <URI:ftp://ftp.trustix.net/pub/Trustix/updates/>



Verification:
  This advisory, along with all TSL packages, is signed with the TSL sign key.
  This key is available from:
  <URI:http://www.trustix.net/TSL-GPG-KEY>;

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.net/errata/trustix-1.5/>;
  or directly at
  <URI:http://www.trustix.net/errata/misc/2002/TSL-2002-0086-mysql.asc.txt>;


MD5sums of the packages:
- --------------------------------------------------------------------------


Trustix Security Team


- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2002-0085

Package name:      lynx-ssl
Summary:           HTTP headers injection
Date:              2002-12-19
Affected versions: TSL 1.1, 1.2, 1.5

- --------------------------------------------------------------------------
Package description:
  Lynx is a text-based Web browser. Lynx does not display any images,
  but it does support frames, tables and most other HTML tags. Lynx's
  advantage over graphical browsers is its speed: Lynx starts and exits
  quickly and swiftly when displaying Web pages.

  This SSL patch package for Lynx provides the ability to make use of SSL
  over HTTP for secure access to web sites (HTTPS) and over NNTP for secure
  access to news servers (SNEWS).  SSL is handled transparently, allowing
  users to continue accessing web sites and news services from within Lynx
  through the same interface for both secure and standard transfers.


Problem description:
  Due to insufficient checking for illegal characters, Lynx-ssl could
  be tricked into sending additional HTTP headers in a request.
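
The failure and its fix side by side, as an added Python illustration that is not Lynx code: an unchecked request builder beside one that percent-encodes the request-target and rejects control characters in header values. The host name and the tampered path are constructed.

```python
import re
from urllib.parse import quote

class IllegalHeaderCharacter(ValueError):
    """A header name or value contains a byte that could end the header line."""

# CR, LF, NUL and the other ASCII control characters; none belong in a header.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def naive_request(host, path):
    """The unchecked pattern: the URL path is pasted straight into the request line."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n"

def safe_request_target(path):
    """Percent-encode anything that may not appear in a request-target, CR and LF included."""
    return quote(path, safe="/?=&%:@~")

def build_request(host, path, extra_headers=None):
    """Assemble a GET request so no caller-supplied value can start a new header line.

    The request-target is percent-encoded; header names and values are rejected
    outright if they carry control characters, since there is no safe encoding
    for them in that position.
    """
    headers = [("Host", host)] + list((extra_headers or {}).items())
    for name, value in headers:
        if _CONTROL.search(name) or _CONTROL.search(value):
            raise IllegalHeaderCharacter(f"control character in header {name!r}")
    lines = [f"GET {safe_request_target(path)} HTTP/1.0"]
    lines += [f"{name}: {value}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"

def header_lines(request):
    """Split a raw request into the lines a server would parse, to compare the builders."""
    head = request.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")

# Constructed input: a URL path carrying a CR/LF pair (not from a real request).
TAMPERED_PATH = "/search?q=lynx\r\nX-Extra: injected"

if __name__ == "__main__":
    print("naive:", header_lines(naive_request("www.example.com", TAMPERED_PATH)))
    print("safe: ", header_lines(build_request("www.example.com", TAMPERED_PATH)))
```

The naive builder yields three header lines from one path; the hardened one yields the expected two, with the CR/LF visible as `%0D%0A` inside the request-target.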


Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All TSL updates are available from
  <URI:http://www.trustix.net/pub/Trustix/updates/>;
  <URI:ftp://ftp.trustix.net/pub/Trustix/updates/>



Verification:
  This advisory, along with all TSL packages, is signed with the TSL sign key.
  This key is available from:
  <URI:http://www.trustix.net/TSL-GPG-KEY>;

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.net/errata/trustix-1.2/>; and
  <URI:http://www.trustix.net/errata/trustix-1.5/>;
  or directly at
  <URI:http://www.trustix.net/errata/misc/2002/TSL-2002-0085-lynx-ssl.asc.txt>;


MD5sums of the packages:
- --------------------------------------------------------------------------


Trustix Security Team