Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections:  Developer -  High Performance -  Infrastructure -  IT Management -  Security -  Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs


More on LinuxToday


Advisories, April 28, 2005

Apr 29, 2005, 04:45 (0 Talkback[s])

Debian GNU/Linux


Debian Security Advisory DSA 718-2 security@debian.org
http://www.debian.org/security/ Martin Schulze
April 28th, 2005 http://www.debian.org/security/faq


Package : ethereal
Vulnerability : buffer overflow
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-0739

[ This version lists the correct packages in the packages section. ]

A buffer overflow has been detected in the IAPP dissector of Ethereal, a commonly used network traffic analyser. A remote attacker may be able to overflow a buffer using a specially crafted packet. More problems have been discovered which don't apply to the version in woody but are fixed in sid as well.

For the stable distribution (woody) this problem has been fixed in version 0.9.4-1woody12.

For the unstable distribution (sid) these problems have been fixed in version 0.10.10-1.

We recommend that you upgrade your ethereal packages.

Upgrade Instructions


wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody


Source archives:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody12.dsc
Size/MD5 checksum: 681 4a66adc24391cf92ae57e072f8cff668
http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody12.diff.gz
Size/MD5 checksum: 42743 78a9c2b0df034ed8cfd821bb1007ee13
http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4.orig.tar.gz
Size/MD5 checksum: 3278908 42e999daa659820ee93aaaa39ea1e9ea

Alpha architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody12_alpha.deb
Size/MD5 checksum: 1940348 f8132086d17c44a77ce56e3514234aff
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody12_alpha.deb
Size/MD5 checksum: 334394 2db8ab849d239dcd08a9f1a693e26be2
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody12_alpha.deb
Size/MD5 checksum: 222588 2b51550545b4b9bc8e8a19af37f4eadf
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody12_alpha.deb
Size/MD5 checksum: 1707602 f05a8025502c0ae0941ee6a4eaff5215

ARM architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody12_arm.deb
Size/MD5 checksum: 1635332 b39c6c07669ee7750cfcf5b41a31bba0
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody12_arm.deb
Size/MD5 checksum: 297832 92c98f82cd31ad7e069140257f8e5b80
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody12_arm.deb
Size/MD5 checksum: 206462 e12807990b0995006ea24ffd27938f2a
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody12_arm.deb
Size/MD5 checksum: 1439522 4b53ec534ecf2148bf32dc52027117e7

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody12_i386.deb
Size/MD5 checksum: 1512990 ce1e6172813918e06a7db629d30c6914
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody12_i386.deb
Size/MD5 checksum: 286808 400d994f31eca783431c35f784caa7fa
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody12_i386.deb
Size/MD5 checksum: 198386 5bb0277bad80dabdb9e684f64833e5a8
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody12_i386.deb
Size/MD5 checksum: 1326498 4ff0a73562de1ed879113da2b15bd972

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody12_ia64.deb
Size/MD5 checksum: 2150020 b11ad9be36cfb9c35f312fc34ec52929
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody12_ia64.deb
Size/MD5 checksum: 373420 191531c4220ba200f1bb646f808d0348
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody12_ia64.deb
Size/MD5 checksum: 234076 06a7e2b1ea8e940d3edb93fdac9bc606
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody12_ia64.deb
Size/MD5 checksum: 1861518 a8f7a3363abfe7be570edbd20f751b44

HP Precision architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody12_hppa.deb
Size/MD5 checksum: 1804650 ba5c084760261b2ff6c6d13e5dfee5d8
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody12_hppa.deb
Size/MD5 checksum: 322746 bd47c147c7ef301fcba04bfbd12f4a0e
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody12_hppa.deb
Size/MD5 checksum: 217164 888088c4b2fed932f890ae8931ed5de4
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody12_hppa.deb
Size/MD5 checksum: 1576110 379f41355e1d9590d5d03b67f64d84aa

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody12_m68k.deb
Size/MD5 checksum: 1424634 c931c1da4a7de71d7980f6b6b9cd4f4a
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody12_m68k.deb
Size/MD5 checksum: 283060 ae509526418709d023a15fcb16db1ee0
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody12_m68k.deb
Size/MD5 checksum: 195450 51bbdb440db2c5ca2c46e3537560b13c
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody12_m68k.deb
Size/MD5 checksum: 1248726 2a0fc0956bb08ba3f1eeb294ccf3d52c

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody12_mips.deb
Size/MD5 checksum: 1617010 9d71224d003f77dc07dfdb44fd2c3a44
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody12_mips.deb
Size/MD5 checksum: 305586 e3d8d59e016942145bd3df4d42750635
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody12_mips.deb
Size/MD5 checksum: 214026 0373d06002c81f18633dcc84d142cb4a
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody12_mips.deb
Size/MD5 checksum: 1421854 f0d382ebf5aafb38c3ecebc925d451b7

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody12_mipsel.deb
Size/MD5 checksum: 1598998 cdc724a4d50486caa3f5a4d64935234e
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody12_mipsel.deb
Size/MD5 checksum: 305088 1b83d697e81df853200e5f01c5dc0988
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody12_mipsel.deb
Size/MD5 checksum: 213740 dadfeb96a4773091fe2650eb7af3257c
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody12_mipsel.deb
Size/MD5 checksum: 1406882 9b80509f83717db2915eb4a1e3c60312

PowerPC architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody12_powerpc.deb
Size/MD5 checksum: 1618560 2d59d0d9637d6b8d4fa0e3a4d6f9db7d
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody12_powerpc.deb
Size/MD5 checksum: 302248 e8e72c62030bc974b31d8af4e0d63852
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody12_powerpc.deb
Size/MD5 checksum: 209252 b3a4d8eb2e92f7a246f05dae2a0fed5f
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody12_powerpc.deb
Size/MD5 checksum: 1419328 622dc47f9c98cad778c8d70902daf923

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody12_s390.deb
Size/MD5 checksum: 1574694 c6294f826dfd8b4f317d280813402c41
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody12_s390.deb
Size/MD5 checksum: 301070 f172764728c5d5dde499eb7a899cd0b0
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody12_s390.deb
Size/MD5 checksum: 204354 425f219731ab8727431ef95d74c8b127
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody12_s390.deb
Size/MD5 checksum: 1387250 b85f112f84d1998f7b3548001be1c3ef

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody12_sparc.deb
Size/MD5 checksum: 1583266 13d30be49f62ee046d2a8053efc32bbf
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody12_sparc.deb
Size/MD5 checksum: 318356 94dd17eb13f1d1111031e75ca1fe089a
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody12_sparc.deb
Size/MD5 checksum: 205120 f414e5cbb6fb969792c0170a4dcaa0a4
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody12_sparc.deb
Size/MD5 checksum: 1389310 193250254cd301644e8ee6b50b260ec4

These files will probably be moved into the stable distribution on its next update.



Debian Security Advisory DSA 719-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
April 28th, 2005 http://www.debian.org/security/faq


Package : prozilla
Vulnerability : format string problems Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-0523
BugTraq ID : 12635

Several format string problems have been discovered in prozilla, a multi-threaded download accelerator, that can be exploited by a malicious server to execute arbitrary code with the rights of the user running prozilla.

For the stable distribution (woody) these problems have been fixed in version 1.3.6-3woody2.

For the unstable distribution (sid) these problems have been fixed in version 1.3.7.4-1.

We recommend that you upgrade your prozilla package.

Upgrade Instructions


wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody


Source archives:

http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody2.dsc
Size/MD5 checksum: 612 b928187dd8f03148a2539d4b3c80b438
http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody2.diff.gz
Size/MD5 checksum: 9649 fe452d3b07b843d9bdb0a62eea08b32e
http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6.orig.tar.gz
Size/MD5 checksum: 152755 65864dfe72f5cb7d7e595ca6f34fc7d7

Alpha architecture:

http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody2_alpha.deb
Size/MD5 checksum: 78456 67eb74ad4ef6f7b11fb6d0c84e97e885

ARM architecture:

http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody2_arm.deb
Size/MD5 checksum: 65416 ee4e2b27282f5d797388cf9db6bb1ae6

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody2_i386.deb
Size/MD5 checksum: 64420 ca9cf2d80468eb3c6f262efd2865f32f

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody2_ia64.deb
Size/MD5 checksum: 93510 41775fe0d297ef48a07decba2df534d0

HP Precision architecture:

http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody2_hppa.deb
Size/MD5 checksum: 74488 8d7ccf055d158ddd57f29ff6a67a54ba

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody2_m68k.deb
Size/MD5 checksum: 61402 087350199da0c600391b0975956d097a

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody2_mips.deb
Size/MD5 checksum: 73084 5a5e06a2436b08c7133ce1a21b97a167

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody2_mipsel.deb
Size/MD5 checksum: 73182 8479c67ce0ccb680821aeddba9fdb2e5

PowerPC architecture:

http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody2_powerpc.deb
Size/MD5 checksum: 68490 7c83bdce09185e681b20c3903fcc18fd

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody2_s390.deb
Size/MD5 checksum: 65476 e25037beaff259f42db818fb8e8a403b

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody2_sparc.deb
Size/MD5 checksum: 68120 a1c98ba0fad335c84930c8894bf57435

These files will probably be moved into the stable distribution on its next update.


For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Fedora Core


Fedora Update Notification
FEDORA-2005-344
2005-04-27

Product : Fedora Core 3
Name : ImageMagick
Version : 6.2.2.0
Release : 1.fc3
Summary : An X application for displaying and manipulating images.

Description :
ImageMagick(TM) is an image display and manipulation tool for the X Window System. ImageMagick can read and write JPEG, TIFF, PNM, GIF, and Photo CD image formats. It can resize, rotate, sharpen, color reduce, or add special effects to an image, and when finished you can either save the completed work in the original format or a different one. ImageMagick also includes command line programs for creating animated or transparent .gifs, creating composite images, creating thumbnail images, and more.

ImageMagick is one of your choices if you need a program to manipulate and dis play images. If you want to develop your own applications which use ImageMagick code or APIs, you need to install ImageMagick-devel as well.


Update Information:

The update fixes a possible heap corruption issue in the pnm decoder. It also includes a number of other bug fixes and improvements.


  • Tue Apr 26 2005 Matthias Clasen <mclasen@redhat.com> - 6.2.2.0-1.fc3
    • Update to 6.2.2 to fix a heap corruption issue in the pnm coder.
  • Mon Apr 25 2005 <mclasen@redhat.com> - 6.2.1.7-2.fc3
    • Update to 6.2.1
    • Include multiple improvements and bugfixes by Rex Dieter et al (111961, 145466, 151196, 149970, 146518, 113951, 145449, 144977, 144570, 139298)
  • Sun Apr 24 2005 <mclasen@redhat.com> - 6.2.0.7-3
    • Make zip compression work for tiff (#154045)

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

7f39cda1085fea8a4e478bd726ba6bca SRPMS/ImageMagick-6.2.2.0-1.fc3.src.rpm
091faa0bf0349d921ed2997e84a75792 x86_64/ImageMagick-6.2.2.0-1.fc3.x86_64.rpm
666a2b8a817beba8c9aa01b17159afa2 x86_64/ImageMagick-devel-6.2.2.0-1.fc3.x86_64.rpm
f52c1afdf5adfe6424067393783747d1 x86_64/ImageMagick-perl-6.2.2.0-1.fc3.x86_64.rpm
fd826d5ee8e25dbe4806257ce624d949 x86_64/ImageMagick-c ++-6.2.2.0-1.fc3.x86_64.rpm
6f2e58f3e4fe891d27a374e7fb291cbf x86_64/ImageMagick-c ++-devel-6.2.2.0-1.fc3.x86_64.rpm
be0adb07ba72b45e315a7a406c0ed97f x86_64/debug/ImageMagick-debuginfo-6.2.2.0-1.fc3.x86_64.rpm
4ac7fe1a4e22b3e7eea9b8102104c73b x86_64/ImageMagick-6.2.2.0-1.fc3.i386.rpm
591932d15e406856088a7023f02b0eaa x86_64/ImageMagick-c ++-6.2.2.0-1.fc3.i386.rpm
4ac7fe1a4e22b3e7eea9b8102104c73b i386/ImageMagick-6.2.2.0-1.fc3.i386.rpm
70796447044d3b0c38be3aec006c66d1 i386/ImageMagick-devel-6.2.2.0-1.fc3.i386.rpm
a7b9b8c68d9c9f63ead862296a89fc09 i386/ImageMagick-perl-6.2.2.0-1.fc3.i386.rpm
591932d15e406856088a7023f02b0eaa i386/ImageMagick-c ++-6.2.2.0-1.fc3.i386.rpm
442158cf21be6ca2eaf94385d3f090b9 i386/ImageMagick-c ++-devel-6.2.2.0-1.fc3.i386.rpm
09aa2af0b08abbb279167deeeca66e26 i386/debug/ImageMagick-debuginfo-6.2.2.0-1.fc3.i386.rpm

This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.



Fedora Update Notification
FEDORA-2005-345
2005-04-28

Product : Fedora Core 3
Name : kdewebdev
Version : 3.3.1
Release : 2.1
Summary : WEB Development package for the K Desktop Environment.

Description :
The kdewebdev package contains Quanta Plus and other applications, which are useful
for web development. They are runtime dependencies of Quanta Plus, and it is highly recommended that you install them.


  • Wed Apr 27 2005 Than Ngo <than@redhat.com> 6:3.3.1-2.1
    • apply patch to fix CAN-2005-0754, Kommander untrusted code execution, thanks to KDE security team
  • Mon Oct 18 2004 Than Ngo <than@redhat.com> 6:3.3.1-2
    • rebuilt

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

4d5d22019cab362058135ec8faa14d25 SRPMS/kdewebdev-3.3.1-2.1.src.rpm
59d982f1666a49d1085946700e52f30d x86_64/kdewebdev-3.3.1-2.1.x86_64.rpm
1535e28501e0d82b95e51aeabc032b44 x86_64/kdewebdev-devel-3.3.1-2.1.x86_64.rpm
26226ae521ad3134352bd9b99fbece49 x86_64/debug/kdewebdev-debuginfo-3.3.1-2.1.x86_64.rpm
a749308d15c2d15e3bd00d859c06ee92 i386/kdewebdev-3.3.1-2.1.i386.rpm
1cb8f8ec42a9810a12a2113c02d09b45 i386/kdewebdev-devel-3.3.1-2.1.i386.rpm
2d7c68a65e20f78fc856c4dc55dbb527 i386/debug/kdewebdev-debuginfo-3.3.1-2.1.i386.rpm

This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.


Gentoo Linux


Gentoo Linux Security Advisory GLSA 200504-28

http://security.gentoo.org/


Severity: Normal
Title: Heimdal: Buffer overflow vulnerabilities
Date: April 28, 2005
Bugs: #89861
ID: 200504-28


Synopsis

Buffer overflow vulnerabilities have been found in the telnet client in Heimdal which could lead to execution of arbitrary code.

Background

Heimdal is a free implementation of Kerberos 5 that includes a telnet client program.

Affected packages


     Package            /  Vulnerable  /                    Unaffected

  1  app-crypt/heimdal       < 0.6.4                          >= 0.6.4

Description

Buffer overflow vulnerabilities in the slc_add_reply() and env_opt_add() functions have been discovered by Gael Delalleau in the telnet client in Heimdal.

Impact

Successful exploitation would require a vulnerable user to connect to an attacker-controlled host using the telnet client, potentially executing arbitrary code with the permissions of the user running the application.

Workaround

There is no known workaround at this time.

Resolution

All Heimdal users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-crypt/heimdal-0.6.4"

References

[ 1 ] CAN-2005-0468

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468

[ 2 ] CAN-2005-0469

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200504-28.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0