|
 |
Conectiva LinuxCONECTIVA LINUX SECURITY ANNOUNCEMENT
PACKAGE : clamav
DESCRIPTION This announcement updates clamav so it is able to update its database from the server without any problems related to its format and also because it fixes a security issue which could lead to a denial of service[2] situation.
SOLUTION
REFERENCES
UPDATED PACKAGES
ADDITIONAL INSTRUCTIONS
Detailed instructions regarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en Copyright (c) 2004 Conectiva Inc. http://www.conectiva.com Fedora CoreFedora Update Notification FEDORA-2005-188 2005-03-03
Product : Fedora Core 3
Description : Update Information:
Updated HelixPlayer packages that fixes two buffer overflow issues are
now This update has been rated as having critical security impact by the Red Hat Security Response Team. A stack based buffer overflow bug was found in HelixPlayer's Synchronized Multimedia Integration Language (SMIL) file processor. An attacker could create a specially crafted SMIL file which would execute arbitrary code when opened by a user. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2005-0455 to this issue. A buffer overflow bug was found in the way HelixPlayer decodes WAV files. An attacker could create a specially crafted WAV file which could execute arbitrary code when opened by a user. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2005-0611 to this issue. All users of HelixPlayer are advised to upgrade to this updated package, which contains HelixPlayer 1.0.3 which is not vulnerable to these issues.
This update can be downloaded from: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
6b65dacea8b1502caa8c98d0076f1d6e SRPMS/HelixPlayer-1.0.3-3.fc3.src.rpm This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command. Gentoo LinuxGentoo Linux Security Advisory GLSA 200503-05
Severity: Normal Synopsisxli and xloadimage are vulnerable to multiple issues, potentially leading to the execution of arbitrary code. Backgroundxli and xloadimage are X11 utilities for displaying and manipulating a wide range of image formats. Affected packages
DescriptionTavis Ormandy of the Gentoo Linux Security Audit Team has reported that xli and xloadimage contain a flaw in the handling of compressed images, where shell meta-characters are not adequately escaped. Rob Holland of the Gentoo Linux Security Audit Team has reported that an xloadimage vulnerability in the handling of Faces Project images discovered by zen-parse in 2001 remained unpatched in xli. Additionally, it has been reported that insufficient validation of image properties in xli could potentially result in buffer management errors. ImpactSuccessful exploitation would permit a remote attacker to execute arbitrary shell commands, or arbitrary code with the privileges of the xloadimage or xli user. WorkaroundThere is no known workaround at this time. ResolutionAll xli users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-gfx/xli-1.17.0-r1"
All xloadimage users should also upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-gfx/xloadimage-4.1-r2"
References[ 1 ] CAN-2001-0775 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0775 AvailabilityThis GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200503-05.xml Concerns?Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. LicenseCopyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.0 Gentoo Linux Security Advisory GLSA 200503-06
Severity: Normal SynopsisBidWatcher is vulnerable to a format string vulnerability, potentially allowing arbitrary code execution. BackgroundBidWatcher is a free auction tool for eBay users to keep track of their auctions. Affected packages
DescriptionUlf Harnhammar discovered a format string vulnerability in "netstuff.cpp". ImpactRemote attackers can potentially exploit this vulnerability by sending specially crafted responses via an eBay HTTP server or a man-in-the-middle attack to execute arbitrary malicious code. WorkaroundThere is no known workaround at this time. ResolutionAll BidWatcher users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/bidwatcher-1.13.17"
References[ 1 ] CAN-2005-0158 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0158 AvailabilityThis GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200503-06.xml Concerns?Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. LicenseCopyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.0 Gentoo Linux Security Advisory GLSA 200503-07
Severity: Normal
SynopsisphpMyAdmin contains multiple vulnerabilities that could lead to command execution, XSS issues and bypass of security restrictions. BackgroundphpMyAdmin is a tool written in PHP intended to handle the administration of MySQL databases from a web-browser. Affected packages
DescriptionphpMyAdmin contains several security issues:
ImpactBy sending a specially-crafted request, an attacker can include and execute arbitrary PHP code or cause path information disclosure. furthermore the XSS issue allows an attacker to inject malicious script code, potentially compromising the victim's browser. Lastly the improper escaping of special characters results in unintended privilege settings for MySQL. WorkaroundThere is no known workaround at this time. ResolutionAll phpMyAdmin users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=3Ddev-db/phpmyadmin-2.6.1_p2-r1"
References[ 1 ] PMASA-2005-1
http://www.phpmyadmin.net/home_page/security.php?issue=3DPMASA-20051 [ 2 ] PMASA-2005-2
http://www.phpmyadmin.net/home_page/security.php?issue=3DPMASA-20052 [ 3 ] phpMyAdmin bug 1113788 http://sourceforge.net/tracker/index.php?func=3Ddetail&aid=3D1113788&group_id=3D23067&atid=3D377408 AvailabilityThis GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200503-07.xml Concerns?Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. LicenseCopyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.0 Ubuntu LinuxUbuntu Security Notice USN-90-1 March 03, 2005 imagemagick vulnerability CAN-2005-0397 A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) The following packages are affected:
imagemagick The problem can be corrected by upgrading the affected package to version 5:6.0.2.5-1ubuntu1.4. In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Tavis Ormandy discovered a format string vulnerability in ImageMagick's file name handling. Specially crafted file names could cause a program using ImageMagick to crash, or possibly even cause execution of arbitrary code. Since ImageMagick can be used in custom printing systems, this also might lead to privilege escalation (execute code with the printer spooler's privileges). However, Ubuntu's standard printing system does not use ImageMagick, thus there is no risk of privilege escalation in a standard installation. ImageMagick is also commonly used by web frontends; if these accept image uploads with arbitrary file names, this could also lead to remote privilege escalation. Source archives:
http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.0.2.5-1ubuntu1.4.diff.gz amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.0.2.5-1ubuntu1.4_amd64.deb i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.0.2.5-1ubuntu1.4_i386.deb powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.0.2.5-1ubuntu1.4_powerpc.deb  
|
 |
|
|
|
|
| All times are recorded in UTC. Linux is a trademark of Linus Torvalds. Powered by Linux, Apache and PHP |
