|
|
| Top White Papers
Current Newswire:
Advisories: February 24, 2005Feb 25, 2005, 04:45 (0 Talkback[s])Fedora LegacyFedora Legacy Update Advisory Synopsis: Updated gdk-pixbuf packages fix security flaws 1. Topic: Updated gdk-pixbuf packages that fix several security flaws are now available. The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 3. Problem description: Thomas Kristensen discovered a bitmap file that would cause the Evolution mail reader to crash. This issue was caused by a flaw that affects versions of the gdk-pixbuf package prior to 0.20. To exploit this flaw, a remote attacker could send (via email) a carefully-crafted BMP file, which would cause Evolution to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-0111 to this issue. During testing of a previously fixed flaw in Qt (CAN-2004-0691), a flaw was discovered in the BMP image processor of gdk-pixbuf. An attacker could create a carefully crafted BMP file which would cause an application to enter an infinite loop and not respond to user input when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-0753 to this issue. During a security audit, Chris Evans discovered a stack and a heap overflow in the XPM image decoder. An attacker could create a carefully crafted XPM file which could cause an application linked with gtk2 to crash or possibly execute arbitrary code when the file was opened by a victim. (CAN-2004-0782, CAN-2004-0783) Chris Evans also discovered an integer overflow in the ICO image decoder. An attacker could create a carefully crafted ICO file which could cause an application linked with gtk2 to crash when the file is opened by a victim. (CAN-2004-0788) Users of gdk-pixbuf are advised to upgrade to these packages, which contain backported patches and are not vulnerable to these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: http://bugzilla.fedora.us - bug #2005 - gdk-pixbuf bmp image loader DOS 6. RPMs required: Red Hat Linux 7.3: SRPM: i386: Red Hat Linux 9: SRPM: i386: 7. Verification: SHA1 sum Package Name a29384912cdf63b635694050c1ecf2f8f56f2e3c
redhat/7.3/updates/i386/gdk-pixbuf-0.22.0-7.73.2.legacy.i386.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy org/about/security.php You can verify each package with the following command: rpm --checksig -v <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum <filename> 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0111 9. Contact: The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org Fedora Legacy Update Advisory Synopsis: Updated zlib package fixes security issues 1. Topic: An updated zlib package that fixes a security flaw is now available. Zlib is a general-purpose, patent-free, lossless data compression library which is used by many different programs. 2. Relevant releases/architectures: Fedora Core 1 - i386 3. Problem description: Johan Thelmen reported that a specially crafted file can cause a segmentation fault in zlib as the inflate() and inflateBack() functions do not properly handle errors. An attacker could construct a carefully crafted file that could cause a crash or possibly execute arbitrary code when opened. The specific impact depends on the application using zlib. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-0797 to this issue. Users of zlib are advised to upgrade to this errata package, which contains a backported patch correcting this issue. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: http://bugzilla.fedora.us - bug #2043 - Zlib Compression Library Denial Of Service Vulnerability 6. RPMs required: Fedora Core 1: SRPM: i386: 7. Verification: SHA1 sum Package Name 815ce5cc7d77184e8075d7b81f16ae94f620ffea
fedora/1/updates/i386/zlib-1.2.0.7-2.1.legacy.i386.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy org/about/security.php You can verify each package with the following command: rpm --checksig -v <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum <filename> 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0797 9. Contact: The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org Fedora Legacy Update Advisory Synopsis: Updated vim packages fix security issues 1. Topic: Updated vim packages that fix multiple vulnerabilities are now available. VIM (Vi IMproved) is an updated and improved version of the vi screenbased editor. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 3. Problem description: Ciaran McCreesh discovered a modeline vulnerability in VIM. It is possible that a malicious user could create a file containing a specially crafted modeline which could cause arbitrary command execution when viewed by a victim. Please note that this issue only affects users who have modelines and filetype plugins enabled, which is not the default. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-1138 to this issue. The Debian Security Audit Project discovered an insecure temporary file usage in VIM. A local user could overwrite or create files as a different user who happens to run one of the the vulnerable utilities. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2005-0069 to this issue. All users of VIM are advised to upgrade to these erratum packages, which contain backported patches for these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: http://bugzilla.fedora.us - bug #2343 - multiple vim vulns 6. RPMs required: Red Hat Linux 7.3: SRPM: i386: Red Hat Linux 9: SRPM: i386: Fedora Core 1: SRPM: i386: 7. Verification: SHA1 sum Package Name 06e66495cc5204b04791af26d8f907a04230f23e
redhat/7.3/updates/i386/vim-common-6.1-18.7x.2.3.legacy.i386.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy org/about/security.php You can verify each package with the following command: rpm --checksig -v <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum <filename> 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1138 9. Contact: The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org MandrakelinuxMandrakelinux Security Update Advisory Package name: squid Problem Description: The squid developers discovered that a remote attacker could cause squid to crash via certain DNS responses. The updated packages are patched to fix the problem. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0446 Updated Packages: Mandrakelinux 10.0: Mandrakelinux 10.0/AMD64: Mandrakelinux 10.1: Mandrakelinux 10.1/X86_64: Corporate Server 2.1: Corporate Server 2.1/X86_64: Corporate 3.0: Corporate 3.0/X86_64: Mandrakelinux 9.2: Mandrakelinux 9.2/AMD64: To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandrakelinux at: http://www.mandrakesoft.com/security/advisories If you want to report vulnerabilities, please contact security_linux-mandrake.com Type Bits/KeyID Date User ID Mandrakelinux Security Update Advisory Package name: uim Problem Description: Takumi ASAKI discovered that uim always trusts environment variables which can allow a local attacker to obtain elevated privileges when libuim is linked against an suid/sgid application. This problem is only exploitable in 'immodule for Qt' enabled Qt applications. The updated packages are patched to fix the problem. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0503 Updated Packages: Mandrakelinux 10.1: Mandrakelinux 10.1/X86_64: To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandrakelinux at: http://www.mandrakesoft.com/security/advisories If you want to report vulnerabilities, please contact security_linux-mandrake.com Type Bits/KeyID Date User ID
0 Talkback[s]
(click to add your comment)
|
