|
|
| Top White Papers
Current Newswire:
Advisories: March 28, 2005Mar 29, 2005, 04:45 (0 Talkback[s])Conectiva LinuxCONECTIVA LINUX SECURITY ANNOUNCEMENT PACKAGE : ethereal DESCRIPTION This update fixes several vulnerabilities[2,3] in ethereal: CAN-2005-0006[4]: The COPS dissector could go into an infinite loop. CAN-2005-0007[5]: The DLSw dissector could cause an assertion, making Ethereal exit prematurely. CAN-2005-0008[6]: The DNP dissector could cause memory corruption. CAN-2005-0009[7]: The Gnutella dissector could cause an assertion, making Ethereal exit prematurely. CAN-2005-0010[8]: The MMSE dissector could free static memory. CAN-2005-0084[9]: The X11 protocol dissector is vulnerable to a string buffer overflow. CAN-2005-0699[10]: Diego Giago discovered a buffer overflow in the 3GPP2 A11 dissector. CAN-2005-0704[11]: Matevz Pustisek discovered a buffer overflow in the Etheric dissector. CAN-2005-0705[12]: The GPRS-LLC dissector could crash if the "ignore cipher bit" option was enabled. CAN-2005-0739[13]: Leon Juranic discovered a buffer overflow in the IAPP dissector. Also, it fixes other two issues: a bug in the JXTA and sFlow dissectors that could make Ethereal crash. SOLUTION REFERENCES UPDATED PACKAGES ADDITIONAL INSTRUCTIONS
Detailed instructions regarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en Copyright (c) 2004 Conectiva Inc. http://www.conectiva.com Fedora CoreFedora Update Notification FEDORA-2005-259 2005-03-28 Product : Fedora Core 2 Description : Update Information: Multiple issues in squirrelmail (CAN-2005-0104) Upgrade to 1.4.4
This update can be downloaded from: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ a238db60bcad582241e36e125eb2888a
SRPMS/squirrelmail-1.4.4-1.FC2.src.rpm This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command. Fedora Update Notification FEDORA-2005-260 2005-03-28 Product : Fedora Core 3 Description : Update Information: Multiple issues in squirrelmail (CAN-2005-0104) Upgrade to 1.4.4
This update can be downloaded from: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ b62f0fe0b26a125239e4897a1aef60d8
SRPMS/squirrelmail-1.4.4-1.FC3.src.rpm This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command. Fedora Security Update Notification FEDORA-2005-262 2005-03-28 Product : Fedora Core 2 Description :
This update can be downloaded from: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ 279048bd2e34f477912badf1bb73d798
SRPMS/kernel-2.6.10-1.771_FC2.src.rpm This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command. Gentoo LinuxGentoo Linux Security Advisory GLSA 200503-34 Severity: Normal SynopsisA flaw in the processing of ID3 tags in mpg321 could potentially lead to the execution of arbitrary code. Backgroundmpg321 is a GPL replacement for mpg123, a command line audio player with support for ID3. ID3 is a tagging system that allows metadata to be embedded within media files. Affected packages
Package / Vulnerable / Unaffected
1 media-sound/mpg321 < 0.2.10-r2 >= 0.2.10-r2 DescriptionA routine security audit of the mpg321 package revealed a known security issue remained unpatched. The vulnerability is a result of mpg321 printing embedded ID3 data to the console in an unsafe manner. ImpactSuccessful exploitation would require a victim to play a specially crafted audio file using mpg321, potentially resulting in the execution of arbitrary code. WorkaroundThere is no known workaround at this time. ResolutionAll mpg321 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-sound/mpg321-0.2.10-r2"
References[ 1 ] CVE-2003-0969 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0969 AvailabilityThis GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200503-34.xml Concerns?Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. LicenseCopyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.0 Ubuntu LinuxUbuntu Security Notice USN-101-1 March 28, 2005 netkit-telnet vulnerabilities CAN-2004-0911, CAN-2005-0469 A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) The following packages are affected: telnet The problem can be corrected by upgrading the affected package to version 0.17-24ubuntu0.1. In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: A buffer overflow was discovered in the telnet client's handling of the LINEMODE suboptions. By sending a specially constructed reply containing a large number of SLC (Set Local Character) commands, a remote attacker (i. e. a malicious telnet server) could execute arbitrary commands with the privileges of the user running the telnet client. (CAN-2005-0469) Michal Zalewski discovered a Denial of Service vulnerability in the telnet server (telnetd). A remote attacker could cause the telnetd process to free an invalid pointer, which caused the server process to crash, leading to a denial of service (inetd will disable the service if telnetd crashed repeatedly), or possibly the execution of arbitrary code with the privileges of the telnetd process (by default, the 'telnetd' user). Please note that the telnet server is not officially supported by Ubuntu, it is in the "universe" component. (CAN-2004-0911) Source archives:
http://security.ubuntu.com/ubuntu/pool/main/n/netkit-telnet/netkit-telnet_0.17-24ubuntu0.1.diff.gz amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/n/netkit-telnet/telnet_0.17-24ubuntu0.1_amd64.deb i386 architecture (x86 compatible Intel/AMD) Severity: Normal Title: mpg321: Format string vulnerability Date: March 28, 2005 Bugs: #86033 ID: 200503-34 SynopsisA flaw in the processing of ID3 tags in mpg321 could potentially lead to the execution of arbitrary code. Backgroundmpg321 is a GPL replacement for mpg123, a command line audio player with support for ID3. ID3 is a tagging system that allows metadata to be embedded within media files. Affected packagesPackage / Vulnerable / Unaffected 1 media-sound/mpg321 < 0.2.10-r2 >= 0.2.10-r2 DescriptionA routine security audit of the mpg321 package revealed a known security issue remained unpatched. The vulnerability is a result of mpg321 printing embedded ID3 data to the console in an unsafe manner. ImpactSuccessful exploitation would require a victim to play a specially crafted audio file using mpg321, potentially resulting in the execution of arbitrary code. WorkaroundThere is no known workaround at this time. ResolutionAll mpg321 users should upgrade to the latest version: # emerge --sync References[ 1 ] CVE-2003-0969 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0969 AvailabilityThis GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200503-34.xml Concerns?Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. LicenseCopyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.0 6.deb">http://security.ubuntu.com/ubuntu/pool/main/n/netkit-telnet/telnet_0.17-24ubuntu0.1_i386.debSize/MD5: 62892 37527def740efa14d836b69dc27f1b53 http://security.ubuntu.com/ubuntu/pool/universe/n/netkit-telnet/telnetd_0.17-24ubuntu0.1_i386.deb Size/MD5: 40264 782d910cecdb2e54c70428ce1ab95c51 powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/n/netkit-telnet/telnet_0.17-24ubuntu0.1_powerpc.deb
0 Talkback[s]
(click to add your comment)
|
