Advisories, December 20, 2005
Dec 21, 2005, 04:45
Gentoo Linux
Gentoo Linux Security Advisory GLSA 200512-11
http://security.gentoo.org/
Severity: Normal
Title: CenterICQ: Multiple vulnerabilities
Date: December 20, 2005
Bugs: #100519, #114038
ID: 200512-11
CenterICQ is vulnerable to a Denial of Service issue, and also
potentially to the execution of arbitrary code through an included
vulnerable ktools library.
CenterICQ is a text-based instant messaging interface that
supports multiple protocols. It includes the ktools library, which
provides text-mode user interface controls.
Package             Vulnerable      Unaffected
net-im/centericq    < 4.21.0-r2     >= 4.21.0-r2
Gentoo developer Wernfried Haas discovered that when the "Enable
peer-to-peer communications" option is enabled, CenterICQ opens a
port that insufficiently validates whatever is sent to it.
Furthermore, Zone-H Research reported a buffer overflow in the
ktools library.
A remote attacker could cause a crash of CenterICQ by sending
packets to the peer-to-peer communications port, and potentially
cause the execution of arbitrary code by enticing a CenterICQ user
to edit overly long contact details.
There is no known workaround at this time.
All CenterICQ users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-im/centericq-4.21.0-r2"
[ 1 ] CVE-2005-3694
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3694
[ 2 ] CVE-2005-3863
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3863
[ 3 ] Zone-H Research ZRCSA 200503
http://www.zone-h.org/en/advisories/read/id=8480/
This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200512-11.xml
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.
Copyright 2005 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).
The contents of this document are licensed under the Creative
Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
Mandriva Linux
Mandriva Linux Security Advisory MDKSA-2005:234
http://www.mandriva.com/security/
Package : sudo
Date : December 20, 2005
Affected: 10.1, 10.2, 2006.0, Corporate 2.1, Corporate 3.0, Multi
Network Firewall 2.0
Problem Description:
Charles Morris discovered a vulnerability in sudo versions prior
to 1.6.8p12: sudo did not clear the PERLLIB, PERL5LIB, and PERL5OPT
environment variables, which Perl honours whenever the taint flag is
off. A limited local user allowed to run a Perl script through sudo
could therefore make that script include and execute an arbitrary
library file that has the same name as a library file the script
itself includes.
In addition, the patch removes similar environment variables that
could be used to influence Python and Ruby scripts, among others.
The updated packages have been patched to correct this
problem.
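To make the mechanism concrete, here is an added example written for this page (it is not Mandriva's or sudo's code) of the two ways a privileged wrapper can treat the caller's environment: a deny-list that strips only the variables known to redirect an interpreter, and an allow-list reset that keeps a handful of safe names. The PERLLIB, PERL5LIB and PERL5OPT names come from the advisory; PYTHONPATH, PYTHONHOME, RUBYLIB, RUBYOPT and the LD_ prefix are this example's assumption about what the "similar" Python, Ruby and loader variables are, not a quotation of the Mandriva patch. perl_inc_prefix() follows the rule documented in perlrun (PERL5LIB takes precedence over PERLLIB; both are ignored under taint checks) to show why an attacker-controlled directory is searched before the standard library. The sample environment and the script name in its comment are hypothetical.

```python
# Added example: environment scrubbing for a privileged wrapper.
# Not the Mandriva patch or sudo's code; see the lead-in for assumptions.

# Variables that let the caller choose what code an interpreter loads before
# the script itself runs.  The Perl names are the ones the advisory cites;
# the Python and Ruby names are this example's assumption about the
# "similar" variables, not a quotation of the patch.
INTERPRETER_HIJACK_VARS = {
    "PERLLIB", "PERL5LIB", "PERL5OPT",
    "PYTHONPATH", "PYTHONHOME",
    "RUBYLIB", "RUBYOPT",
}

# Prefixes that are unsafe whatever the suffix: the dynamic loader's
# LD_PRELOAD / LD_LIBRARY_PATH family.
UNSAFE_PREFIXES = ("LD_",)

# The only variables a privileged wrapper should pass through unchanged.
SAFE_ALLOWLIST = {"PATH", "HOME", "USER", "LOGNAME", "TERM", "LANG", "SHELL"}


def is_dangerous(name: str) -> bool:
    """True if the variable can redirect an interpreter or the dynamic loader."""
    return name in INTERPRETER_HIJACK_VARS or name.startswith(UNSAFE_PREFIXES)


def scrub_env(env: dict, reset: bool = True) -> dict:
    """Return a copy of env that is safe to hand to a privileged script.

    reset=True keeps only SAFE_ALLOWLIST (an env_reset-style allow-list).
    reset=False drops only the deny-listed names: the approach that let
    PERL5LIB and friends through until the deny-list was extended.
    """
    if reset:
        return {k: v for k, v in env.items() if k in SAFE_ALLOWLIST}
    return {k: v for k, v in env.items() if not is_dangerous(k)}


def perl_inc_prefix(env: dict) -> list:
    """Directories Perl searches before its standard library, per perlrun:
    PERL5LIB if set, otherwise PERLLIB (both ignored under taint checks)."""
    raw = env.get("PERL5LIB") or env.get("PERLLIB") or ""
    return [d for d in raw.split(":") if d]      # ':' separator on Unix


def hijack_report(env: dict) -> dict:
    """Summarise what an unscrubbed environment would let the caller do."""
    return {
        "module_dirs_first": perl_inc_prefix(env),
        "perl_extra_switches": env.get("PERL5OPT", ""),
        "dangerous_vars": sorted(k for k in env if is_dangerous(k)),
    }


# Constructed sample: the environment a local user could present to
# `sudo /usr/local/sbin/report.pl` (hypothetical script name).
ATTACKER_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/alice",
    "PERL5LIB": "/tmp/evil:/usr/lib/perl5",  # /tmp/evil/Getopt/Long.pm would shadow the real module
    "PERL5OPT": "-MEvil",                     # loads Evil.pm before the script runs
    "LD_PRELOAD": "/tmp/evil/hook.so",
}

if __name__ == "__main__":
    print("before:", hijack_report(ATTACKER_ENV))
    print("after: ", hijack_report(scrub_env(ATTACKER_ENV)))
```

The allow-list form is the one to prefer: a deny-list is only as good as its last update, which is exactly the gap this advisory closes.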
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-4158
http://www.sudo.ws/sudo/alerts/perl_env.html
Updated Packages:
Mandriva Linux 10.1:
2516e27be7da2de14cccef0a77adf35a
10.1/RPMS/sudo-1.6.8p1-1.4.101mdk.i586.rpm
3c6e47db109ab754ecfd50037a163fe4
10.1/SRPMS/sudo-1.6.8p1-1.4.101mdk.src.rpm
Mandriva Linux 10.1/X86_64:
ba79d9f091d06ce3654584e97d6ea695
x86_64/10.1/RPMS/sudo-1.6.8p1-1.4.101mdk.x86_64.rpm
3c6e47db109ab754ecfd50037a163fe4
x86_64/10.1/SRPMS/sudo-1.6.8p1-1.4.101mdk.src.rpm
Mandriva Linux 10.2:
8481507149ed3e20e2cb1ee2ac1aac2d
10.2/RPMS/sudo-1.6.8p1-2.3.102mdk.i586.rpm
34401e963a063bd36d580b188fc7d5f4
10.2/SRPMS/sudo-1.6.8p1-2.3.102mdk.src.rpm
Mandriva Linux 10.2/X86_64:
d105ea0dcf161229cf18bd0b4ad49ae4
x86_64/10.2/RPMS/sudo-1.6.8p1-2.3.102mdk.x86_64.rpm
34401e963a063bd36d580b188fc7d5f4
x86_64/10.2/SRPMS/sudo-1.6.8p1-2.3.102mdk.src.rpm
Mandriva Linux 2006.0:
da9c44f3f29809e72f0b3eac2ad08237
2006.0/RPMS/sudo-1.6.8p8-2.2.20060mdk.i586.rpm
218a529af57212352cb76bb6dddff6f7
2006.0/SRPMS/sudo-1.6.8p8-2.2.20060mdk.src.rpm
Mandriva Linux 2006.0/X86_64:
497b26c02a39f889436af1233a3ccf17
x86_64/2006.0/RPMS/sudo-1.6.8p8-2.2.20060mdk.x86_64.rpm
218a529af57212352cb76bb6dddff6f7
x86_64/2006.0/SRPMS/sudo-1.6.8p8-2.2.20060mdk.src.rpm
Corporate Server 2.1:
a2ff055e40e82badb298e5e43616fa7a
corporate/2.1/RPMS/sudo-1.6.6-2.4.C21mdk.i586.rpm
757021ec14b8d6bbf5092a55717fed8e
corporate/2.1/SRPMS/sudo-1.6.6-2.4.C21mdk.src.rpm
Corporate Server 2.1/X86_64:
d8726687c4576fa798d9689a7ca1783f
x86_64/corporate/2.1/RPMS/sudo-1.6.6-2.4.C21mdk.x86_64.rpm
757021ec14b8d6bbf5092a55717fed8e
x86_64/corporate/2.1/SRPMS/sudo-1.6.6-2.4.C21mdk.src.rpm
Corporate 3.0:
3f8e7d74cf2a9a1df4558aae11596186
corporate/3.0/RPMS/sudo-1.6.7-0.p5.2.4.C30mdk.i586.rpm
9b06900a06ba7f5185c4d975d6cf5600
corporate/3.0/SRPMS/sudo-1.6.7-0.p5.2.4.C30mdk.src.rpm
Corporate 3.0/X86_64:
c5b266372ba22c8899e35051e844ddca
x86_64/corporate/3.0/RPMS/sudo-1.6.7-0.p5.2.4.C30mdk.x86_64.rpm
9b06900a06ba7f5185c4d975d6cf5600
x86_64/corporate/3.0/SRPMS/sudo-1.6.7-0.p5.2.4.C30mdk.src.rpm
Multi Network Firewall 2.0:
13b9e27dd7f1811edce5bba617699ddc
mnf/2.0/RPMS/sudo-1.6.7-0.p5.2.4.M20mdk.i586.rpm
65e7086a169fbf3200220e347d6824aa
mnf/2.0/SRPMS/sudo-1.6.7-0.p5.2.4.M20mdk.src.rpm
To upgrade automatically use MandrivaUpdate or urpmi. The
verification of md5 checksums and GPG signatures is performed
automatically for you.
All packages are signed by Mandriva for security. You can obtain
the GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
Type  Bits/KeyID      Date        User ID
pub   1024D/22458A98  2000-07-10  Mandriva Security Team <security*mandriva.com>
Red Hat Linux
Red Hat Security Advisory
Synopsis: Important: xpdf security update
Advisory ID: RHSA-2005:840-02
Advisory URL: https://rhn.redhat.com/errata/RHSA-2005-840.html
Issue date: 2005-12-06
Updated on: 2005-12-20
Product: Red Hat Enterprise Linux
CVE Names: CVE-2005-3191 CVE-2005-3192 CVE-2005-3193
1. Summary:
An updated xpdf package that fixes several security issues is
now available.
This update has been rated as having important security impact
by the Red Hat Security Response Team.
[Updated 20 Dec 2005]
The initial fix for these issues was incomplete. The packages have
been updated with a more complete fix.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1 -
i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390,
s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390,
s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
3. Problem description:
The xpdf package is an X Window System-based viewer for Portable
Document Format (PDF) files.
Several flaws were discovered in Xpdf. An attacker could
construct a carefully crafted PDF file that could cause Xpdf to
crash or possibly execute arbitrary code when opened. The Common
Vulnerabilities and Exposures project assigned the names
CVE-2005-3191, CVE-2005-3192, and CVE-2005-3193 to these
issues.
Users of Xpdf should upgrade to this updated package, which
contains a backported patch to resolve these issues.
Red Hat would like to thank Derek B. Noonburg for reporting this
issue and providing a patch.
4. Solution:
Before applying this update, make sure that all
previously-released errata relevant to your system have been
applied. Use Red Hat Network to download and update your packages.
To launch the Red Hat Update Agent, use the following command:
up2date
For information on how to install packages manually, refer to
the following Web page for the System Administration or
Customization guide specific to your system:
http://www.redhat.com/docs/manuals/enterprise/
5. Bug IDs fixed (http://bugzilla.redhat.com/):
173888 - CVE-2005-3193 xpdf issues (CVE-2005-3191 CVE-2005-3192)
6. RPMs required:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/xpdf-0.92-17.src.rpm
62488b664f387dbc445f2599cd271fb1 xpdf-0.92-17.src.rpm
i386:
a35ec0b6b7dc5b0e3da4ef9693bb4f10 xpdf-0.92-17.i386.rpm
ia64:
35b35e3afa2988670448cbb11416f295 xpdf-0.92-17.ia64.rpm
Red Hat Linux Advanced Workstation 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/xpdf-0.92-17.src.rpm
62488b664f387dbc445f2599cd271fb1 xpdf-0.92-17.src.rpm
ia64:
35b35e3afa2988670448cbb11416f295 xpdf-0.92-17.ia64.rpm
Red Hat Enterprise Linux ES version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/xpdf-0.92-17.src.rpm
62488b664f387dbc445f2599cd271fb1 xpdf-0.92-17.src.rpm
i386:
a35ec0b6b7dc5b0e3da4ef9693bb4f10 xpdf-0.92-17.i386.rpm
Red Hat Enterprise Linux WS version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/xpdf-0.92-17.src.rpm
62488b664f387dbc445f2599cd271fb1 xpdf-0.92-17.src.rpm
i386:
a35ec0b6b7dc5b0e3da4ef9693bb4f10 xpdf-0.92-17.i386.rpm
Red Hat Enterprise Linux AS version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/xpdf-2.02-9.8.src.rpm
d36145286daa040f00c2c4a8f279aa1e xpdf-2.02-9.8.src.rpm
i386:
5588e8d776743176ee1988803d1d7ad1 xpdf-2.02-9.8.i386.rpm
ia64:
a8a44a7875d791e4a41ebc523b2a4160 xpdf-2.02-9.8.ia64.rpm
ppc:
2f0bb7d6a85d9887b9a6f8baa48c1914 xpdf-2.02-9.8.ppc.rpm
s390:
bbcffd95a3f13dd2b007d4719a7baf10 xpdf-2.02-9.8.s390.rpm
s390x:
ec00da6cceeace46c20c8396564c7bc9 xpdf-2.02-9.8.s390x.rpm
x86_64:
710b1db79adecdee276eae828602ee1e
xpdf-2.02-9.8.x86_64.rpm
Red Hat Desktop version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/xpdf-2.02-9.8.src.rpm
d36145286daa040f00c2c4a8f279aa1e xpdf-2.02-9.8.src.rpm
i386:
5588e8d776743176ee1988803d1d7ad1 xpdf-2.02-9.8.i386.rpm
x86_64:
710b1db79adecdee276eae828602ee1e
xpdf-2.02-9.8.x86_64.rpm
Red Hat Enterprise Linux ES version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/xpdf-2.02-9.8.src.rpm
d36145286daa040f00c2c4a8f279aa1e xpdf-2.02-9.8.src.rpm
i386:
5588e8d776743176ee1988803d1d7ad1 xpdf-2.02-9.8.i386.rpm
ia64:
a8a44a7875d791e4a41ebc523b2a4160 xpdf-2.02-9.8.ia64.rpm
x86_64:
710b1db79adecdee276eae828602ee1e
xpdf-2.02-9.8.x86_64.rpm
Red Hat Enterprise Linux WS version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/xpdf-2.02-9.8.src.rpm
d36145286daa040f00c2c4a8f279aa1e xpdf-2.02-9.8.src.rpm
i386:
5588e8d776743176ee1988803d1d7ad1 xpdf-2.02-9.8.i386.rpm
ia64:
a8a44a7875d791e4a41ebc523b2a4160 xpdf-2.02-9.8.ia64.rpm
x86_64:
710b1db79adecdee276eae828602ee1e
xpdf-2.02-9.8.x86_64.rpm
Red Hat Enterprise Linux AS version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/xpdf-3.00-11.10.src.rpm
d9b785314985cb40a6140d3cb73fd2ab xpdf-3.00-11.10.src.rpm
i386:
79efaf8403963ebb2506c295d6b2f77d
xpdf-3.00-11.10.i386.rpm
ia64:
b058289401c54ace50b57dae59b86fa0
xpdf-3.00-11.10.ia64.rpm
ppc:
128da0cd0f68b2953c131369f2028939 xpdf-3.00-11.10.ppc.rpm
s390:
134f14919b8015aa392a0eab434d4d88
xpdf-3.00-11.10.s390.rpm
s390x:
1647a4a8b76bbe27b2c4dc30d47ee7b8
xpdf-3.00-11.10.s390x.rpm
x86_64:
05f1e4ecdf15bc2509b1807951f59298
xpdf-3.00-11.10.x86_64.rpm
Red Hat Enterprise Linux Desktop version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/xpdf-3.00-11.10.src.rpm
d9b785314985cb40a6140d3cb73fd2ab xpdf-3.00-11.10.src.rpm
i386:
79efaf8403963ebb2506c295d6b2f77d
xpdf-3.00-11.10.i386.rpm
x86_64:
05f1e4ecdf15bc2509b1807951f59298
xpdf-3.00-11.10.x86_64.rpm
Red Hat Enterprise Linux ES version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/xpdf-3.00-11.10.src.rpm
d9b785314985cb40a6140d3cb73fd2ab xpdf-3.00-11.10.src.rpm
i386:
79efaf8403963ebb2506c295d6b2f77d
xpdf-3.00-11.10.i386.rpm
ia64:
b058289401c54ace50b57dae59b86fa0
xpdf-3.00-11.10.ia64.rpm
x86_64:
05f1e4ecdf15bc2509b1807951f59298
xpdf-3.00-11.10.x86_64.rpm
Red Hat Enterprise Linux WS version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/xpdf-3.00-11.10.src.rpm
d9b785314985cb40a6140d3cb73fd2ab xpdf-3.00-11.10.src.rpm
i386:
79efaf8403963ebb2506c295d6b2f77d
xpdf-3.00-11.10.i386.rpm
ia64:
b058289401c54ace50b57dae59b86fa0
xpdf-3.00-11.10.ia64.rpm
x86_64:
05f1e4ecdf15bc2509b1807951f59298
xpdf-3.00-11.10.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key
and details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
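The RPM lists in this and the following Red Hat advisories give an MD5 for every package. Here is an added example, not Red Hat's tooling, that turns such a list into a verification run: it parses the "md5 filename" lines (including the wrapped form on this page where hash and name fall on consecutive lines), checks downloaded files against them, and emits a manifest in the format `md5sum -c` accepts. The sample excerpt is the "Red Hat Enterprise Linux AS version 3" block from the xpdf advisory above; the files demo() checks are constructed stand-ins, not packages. Keep the caveat the advisory itself makes: a matching MD5 only shows the download was not corrupted. Authenticity comes from the GPG signature (`rpm --checksig` on the package), and MD5 is no longer collision-resistant, so treat the hash as an integrity check, not a trust decision.

```python
# Added example: verify advisory-listed MD5s for downloaded packages.
# Not Red Hat's code; sample files in demo() are constructed.
import hashlib
import os
import re
import tempfile

HEX_MD5 = re.compile(r"^[0-9a-f]{32}$")

# Copied from the xpdf advisory's "Red Hat Enterprise Linux AS version 3"
# block above; the x86_64 entry keeps the wrapped hash/name layout of the page.
SAMPLE_ADVISORY_EXCERPT = """\
Red Hat Enterprise Linux AS version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/xpdf-2.02-9.8.src.rpm
d36145286daa040f00c2c4a8f279aa1e xpdf-2.02-9.8.src.rpm
i386:
5588e8d776743176ee1988803d1d7ad1 xpdf-2.02-9.8.i386.rpm
x86_64:
710b1db79adecdee276eae828602ee1e
xpdf-2.02-9.8.x86_64.rpm
"""


def _is_rpm_name(token: str) -> bool:
    """A bare package file name, not the ftp URL that also ends in .rpm."""
    return token.endswith(".rpm") and "://" not in token


def parse_advisory_checksums(text: str) -> dict:
    """Map package file name -> expected MD5 from an advisory's RPM list.

    Accepts 'md5 file.rpm' on one line, or the hash on one line and the
    file name on the next.  Architecture headers and URLs are skipped.
    """
    expected = {}
    pending = None   # a bare hash waiting for the file name on the next line
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and HEX_MD5.match(parts[0]) and _is_rpm_name(parts[1]):
            expected[parts[1]] = parts[0]
            pending = None
        elif len(parts) == 1 and HEX_MD5.match(parts[0]):
            pending = parts[0]
        elif len(parts) == 1 and _is_rpm_name(parts[0]) and pending:
            expected[parts[0]] = pending
            pending = None
        else:
            pending = None
    return expected


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(expected: dict, directory: str) -> dict:
    """Return {file: 'ok' | 'mismatch' | 'missing'} for every listed package."""
    results = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif md5_of_file(path) == digest:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def to_md5sum_manifest(expected: dict) -> str:
    """Lines in the two-space format GNU md5sum writes and `md5sum -c` reads."""
    return "".join(f"{digest}  {name}\n" for name, digest in sorted(expected.items()))


def demo() -> dict:
    """Run the check on constructed files: one intact, one tampered, one absent."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.rpm"), "wb") as f:
            f.write(b"constructed package bytes")
        with open(os.path.join(d, "tampered.rpm"), "wb") as f:
            f.write(b"constructed package bytes, altered")
        expected = {
            "good.rpm": md5_of_bytes(b"constructed package bytes"),
            "tampered.rpm": md5_of_bytes(b"constructed package bytes"),
            "missing.rpm": "0" * 32,
        }
        return verify_downloads(expected, d)


if __name__ == "__main__":
    print(to_md5sum_manifest(parse_advisory_checksums(SAMPLE_ADVISORY_EXCERPT)))
    print(demo())
```

Feed the manifest to `md5sum -c` in the download directory, then run `rpm --checksig` on anything that passed; a "mismatch" means re-download, not install.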
7. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3193
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More
contact details at https://www.redhat.com/security/team/contact/
Copyright 2005 Red Hat, Inc.
Red Hat Security Advisory
Synopsis: Moderate: netpbm security update
Advisory ID: RHSA-2005:843-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2005-843.html
Issue date: 2005-12-20
Updated on: 2005-12-20
Product: Red Hat Enterprise Linux
CVE Names: CVE-2005-3632 CVE-2005-3662
1. Summary:
Updated netpbm packages that fix two security issues are now
available.
This update has been rated as having moderate security impact by
the Red Hat Security Response Team.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1 -
i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390,
s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
3. Problem description:
The netpbm package contains a library of functions that support
programs for handling various graphics file formats.
A stack-based buffer overflow was found in the way netpbm
converts Portable Anymap (PNM) files into Portable Network Graphics
(PNG). A specially crafted PNM file could allow an attacker to
execute arbitrary code when a victim converts it to PNG with
pnmtopng using the '-text' option. The Common Vulnerabilities and
Exposures project has assigned the name CVE-2005-3632 to this
issue.
An off-by-one bug was found in the way netpbm converts Portable
Anymap (PNM) files into Portable Network Graphics (PNG). If a victim
attempts to convert a specially crafted 256-color PNM file to a PNG
file, the pnmtopng utility can crash. The Common Vulnerabilities and
Exposures project has assigned the name CVE-2005-3662 to this
issue.
All users of netpbm should upgrade to these updated packages,
which contain backported patches that resolve these issues.
4. Solution:
Before applying this update, make sure all previously released
errata relevant to your system have been applied.
This update is available via Red Hat Network. To use Red Hat
Network, launch the Red Hat Update Agent with the following
command:
up2date
This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.
5. Bug IDs fixed (http://bugzilla.redhat.com/):
173342 - CVE-2005-3662 netpbm off by one error
173344 - CVE-2005-3632 Netpbm buffer overflow
6. RPMs required:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/netpbm-9.24-9.AS21.6.src.rpm
f9ba7f06f41f2aa95d2d86931f2aa7fd
netpbm-9.24-9.AS21.6.src.rpm
i386:
360ae1d9aaef8544b3a1ca00a2feaa4b
netpbm-9.24-9.AS21.6.i386.rpm
c45c19f689ba6628ef0e609e00854d89
netpbm-devel-9.24-9.AS21.6.i386.rpm
6bc5d1878c9ebf6aaab762ed99bdfcfb
netpbm-progs-9.24-9.AS21.6.i386.rpm
ia64:
c014f290d818568f0d58605aa3b143dd
netpbm-9.24-9.AS21.6.ia64.rpm
ddddb9b88c82496eccab50ffc0173fc4
netpbm-devel-9.24-9.AS21.6.ia64.rpm
b11ae66486d6d362984ba99ab972b4b3
netpbm-progs-9.24-9.AS21.6.ia64.rpm
Red Hat Linux Advanced Workstation 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/netpbm-9.24-9.AS21.6.src.rpm
f9ba7f06f41f2aa95d2d86931f2aa7fd
netpbm-9.24-9.AS21.6.src.rpm
ia64:
c014f290d818568f0d58605aa3b143dd
netpbm-9.24-9.AS21.6.ia64.rpm
ddddb9b88c82496eccab50ffc0173fc4
netpbm-devel-9.24-9.AS21.6.ia64.rpm
b11ae66486d6d362984ba99ab972b4b3
netpbm-progs-9.24-9.AS21.6.ia64.rpm
Red Hat Enterprise Linux ES version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/netpbm-9.24-9.AS21.6.src.rpm
f9ba7f06f41f2aa95d2d86931f2aa7fd
netpbm-9.24-9.AS21.6.src.rpm
i386:
360ae1d9aaef8544b3a1ca00a2feaa4b
netpbm-9.24-9.AS21.6.i386.rpm
c45c19f689ba6628ef0e609e00854d89
netpbm-devel-9.24-9.AS21.6.i386.rpm
6bc5d1878c9ebf6aaab762ed99bdfcfb
netpbm-progs-9.24-9.AS21.6.i386.rpm
Red Hat Enterprise Linux WS version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/netpbm-9.24-9.AS21.6.src.rpm
f9ba7f06f41f2aa95d2d86931f2aa7fd
netpbm-9.24-9.AS21.6.src.rpm
i386:
360ae1d9aaef8544b3a1ca00a2feaa4b
netpbm-9.24-9.AS21.6.i386.rpm
c45c19f689ba6628ef0e609e00854d89
netpbm-devel-9.24-9.AS21.6.i386.rpm
6bc5d1878c9ebf6aaab762ed99bdfcfb
netpbm-progs-9.24-9.AS21.6.i386.rpm
Red Hat Enterprise Linux AS version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/netpbm-9.24-11.30.4.src.rpm
19ad9f0ab04dbd18bb443a2f894c34eb
netpbm-9.24-11.30.4.src.rpm
i386:
36cae065fd4d943f53a4eb76ab1fc6b0
netpbm-9.24-11.30.4.i386.rpm
70469787c6d5c6b30e8a3dfd6398befb
netpbm-devel-9.24-11.30.4.i386.rpm
4f09f963a50fd68ca3945b384d2c6f0c
netpbm-progs-9.24-11.30.4.i386.rpm
ia64:
36cae065fd4d943f53a4eb76ab1fc6b0
netpbm-9.24-11.30.4.i386.rpm
b60f5790cc03bcaf05efa8bcfce97f73
netpbm-9.24-11.30.4.ia64.rpm
d04b6fb6473d8ba03c98d14b78780c52
netpbm-devel-9.24-11.30.4.ia64.rpm
277c76e67e11b69aa4d5c15cfb831715
netpbm-progs-9.24-11.30.4.ia64.rpm
ppc:
b2a3cd86dbd9927b0ba1b6189886bcb5 netpbm-9.24-11.30.4.ppc.rpm
cab079cbf11baf472ce9b7d775dc897c
netpbm-9.24-11.30.4.ppc64.rpm
37a16559b3e387d60c6095812dfa64a6
netpbm-devel-9.24-11.30.4.ppc.rpm
ff27be9c5b2075bf3ca9e27e0fe14383
netpbm-progs-9.24-11.30.4.ppc.rpm
s390:
2beab978ada99868ab0e9cc3180af5e2
netpbm-9.24-11.30.4.s390.rpm
b8de7d98668ff912c0c1f80bcb06de56
netpbm-devel-9.24-11.30.4.s390.rpm
b8907a301fef7ec9b53dc39cce290099
netpbm-progs-9.24-11.30.4.s390.rpm
s390x:
2beab978ada99868ab0e9cc3180af5e2
netpbm-9.24-11.30.4.s390.rpm
1da23fee520b2afe4f598f14afffe7b2
netpbm-9.24-11.30.4.s390x.rpm
dec2d8f223ebd2bf912bc6b3af987e42
netpbm-devel-9.24-11.30.4.s390x.rpm
8edfb12940f8ff15ab8e5043ed41b8bc
netpbm-progs-9.24-11.30.4.s390x.rpm
x86_64:
36cae065fd4d943f53a4eb76ab1fc6b0
netpbm-9.24-11.30.4.i386.rpm
e0ef48b3172d3be3ff41fb0165c92cec
netpbm-9.24-11.30.4.x86_64.rpm
11101f273f9010346e2f66f0320dfeb2
netpbm-devel-9.24-11.30.4.x86_64.rpm
2daa6fadc97f817f4a1aac69d1730e9d
netpbm-progs-9.24-11.30.4.x86_64.rpm
Red Hat Desktop version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/netpbm-9.24-11.30.4.src.rpm
19ad9f0ab04dbd18bb443a2f894c34eb
netpbm-9.24-11.30.4.src.rpm
i386:
36cae065fd4d943f53a4eb76ab1fc6b0
netpbm-9.24-11.30.4.i386.rpm
70469787c6d5c6b30e8a3dfd6398befb
netpbm-devel-9.24-11.30.4.i386.rpm
4f09f963a50fd68ca3945b384d2c6f0c
netpbm-progs-9.24-11.30.4.i386.rpm
x86_64:
36cae065fd4d943f53a4eb76ab1fc6b0
netpbm-9.24-11.30.4.i386.rpm
e0ef48b3172d3be3ff41fb0165c92cec
netpbm-9.24-11.30.4.x86_64.rpm
11101f273f9010346e2f66f0320dfeb2
netpbm-devel-9.24-11.30.4.x86_64.rpm
2daa6fadc97f817f4a1aac69d1730e9d
netpbm-progs-9.24-11.30.4.x86_64.rpm
Red Hat Enterprise Linux ES version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/netpbm-9.24-11.30.4.src.rpm
19ad9f0ab04dbd18bb443a2f894c34eb
netpbm-9.24-11.30.4.src.rpm
i386:
36cae065fd4d943f53a4eb76ab1fc6b0
netpbm-9.24-11.30.4.i386.rpm
70469787c6d5c6b30e8a3dfd6398befb
netpbm-devel-9.24-11.30.4.i386.rpm
4f09f963a50fd68ca3945b384d2c6f0c
netpbm-progs-9.24-11.30.4.i386.rpm
ia64:
36cae065fd4d943f53a4eb76ab1fc6b0
netpbm-9.24-11.30.4.i386.rpm
b60f5790cc03bcaf05efa8bcfce97f73
netpbm-9.24-11.30.4.ia64.rpm
d04b6fb6473d8ba03c98d14b78780c52
netpbm-devel-9.24-11.30.4.ia64.rpm
277c76e67e11b69aa4d5c15cfb831715
netpbm-progs-9.24-11.30.4.ia64.rpm
x86_64:
36cae065fd4d943f53a4eb76ab1fc6b0
netpbm-9.24-11.30.4.i386.rpm
e0ef48b3172d3be3ff41fb0165c92cec
netpbm-9.24-11.30.4.x86_64.rpm
11101f273f9010346e2f66f0320dfeb2
netpbm-devel-9.24-11.30.4.x86_64.rpm
2daa6fadc97f817f4a1aac69d1730e9d
netpbm-progs-9.24-11.30.4.x86_64.rpm
Red Hat Enterprise Linux WS version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/netpbm-9.24-11.30.4.src.rpm
19ad9f0ab04dbd18bb443a2f894c34eb
netpbm-9.24-11.30.4.src.rpm
i386:
36cae065fd4d943f53a4eb76ab1fc6b0
netpbm-9.24-11.30.4.i386.rpm
70469787c6d5c6b30e8a3dfd6398befb
netpbm-devel-9.24-11.30.4.i386.rpm
4f09f963a50fd68ca3945b384d2c6f0c
netpbm-progs-9.24-11.30.4.i386.rpm
ia64:
36cae065fd4d943f53a4eb76ab1fc6b0
netpbm-9.24-11.30.4.i386.rpm
b60f5790cc03bcaf05efa8bcfce97f73
netpbm-9.24-11.30.4.ia64.rpm
d04b6fb6473d8ba03c98d14b78780c52
netpbm-devel-9.24-11.30.4.ia64.rpm
277c76e67e11b69aa4d5c15cfb831715
netpbm-progs-9.24-11.30.4.ia64.rpm
x86_64:
36cae065fd4d943f53a4eb76ab1fc6b0
netpbm-9.24-11.30.4.i386.rpm
e0ef48b3172d3be3ff41fb0165c92cec
netpbm-9.24-11.30.4.x86_64.rpm
11101f273f9010346e2f66f0320dfeb2
netpbm-devel-9.24-11.30.4.x86_64.rpm
2daa6fadc97f817f4a1aac69d1730e9d
netpbm-progs-9.24-11.30.4.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key
and details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
7. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3632
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3662
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More
contact details at https://www.redhat.com/security/team/contact/
Copyright 2005 Red Hat, Inc.
Red Hat Security Advisory
Synopsis: Important: udev security update
Advisory ID: RHSA-2005:864-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2005-864.html
Issue date: 2005-12-20
Updated on: 2005-12-20
Product: Red Hat Enterprise Linux
CVE Names: CVE-2005-3631
1. Summary:
Updated udev packages that fix a security issue are now
available.
This update has been rated as having important security impact
by the Red Hat Security Response Team.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390,
s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
3. Problem description:
The udev package contains an implementation of devfs in
userspace using sysfs and /sbin/hotplug.
Richard Cunningham discovered a flaw in the way udev sets
permissions on various files in /dev/input. It may be possible for
an authenticated attacker to gather sensitive data entered by a
user at the console, such as passwords. The Common Vulnerabilities
and Exposures project has assigned the name CVE-2005-3631 to this
issue.
All users of udev should upgrade to these updated packages,
which contain a backported patch and are not vulnerable to this
issue.
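What the flaw amounts to in practice is a device node that any local user can open. Here is an added example, not Red Hat's or udev's code, in two parts: an audit that lists character devices under /dev/input that "other" can read or write, and a decoder for the fixed-size input_event records such a node yields, to show that what leaks is raw key codes (EV_KEY events with value 1 are key presses), which is the password capture the advisory warns about. The record layout used is the 64-bit little-endian one (two 8-byte timeval fields, then u16 type, u16 code, s32 value); that layout and the small key-code table are this example's assumptions for a deterministic run, not figures from the advisory. The sample event stream is constructed, so the decoder runs without touching a real device.

```python
# Added example: audit /dev/input permissions and decode what an exposed
# node leaks.  Not udev's or Red Hat's code; layout and key table are
# this example's assumptions (see lead-in).
import os
import stat
import struct

INPUT_DIR = "/dev/input"

# struct input_event on a 64-bit little-endian kernel (assumption):
# struct timeval {long sec; long usec}, __u16 type, __u16 code, __s32 value.
INPUT_EVENT_FMT = "<qqHHi"
INPUT_EVENT_SIZE = struct.calcsize(INPUT_EVENT_FMT)   # 24 bytes
EV_KEY = 0x01
KEY_PRESS = 1          # value: 1 = press, 0 = release, 2 = autorepeat

# A few Linux key codes for a US layout, enough to read a typed password.
KEYCODES = {16: "q", 17: "w", 18: "e", 19: "r", 20: "t", 21: "y", 22: "u",
            23: "i", 24: "o", 25: "p", 30: "a", 31: "s", 32: "d", 33: "f",
            34: "g", 35: "h", 36: "j", 37: "k", 38: "l", 44: "z", 45: "x",
            46: "c", 47: "v", 48: "b", 49: "n", 50: "m", 28: "<enter>"}


def exposure(mode: int) -> list:
    """Permission bits that let users outside the owner and group read
    or write a device node."""
    problems = []
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def audit_input_devices(directory: str = INPUT_DIR) -> dict:
    """Return {path: problems} for every character device under directory
    that 'other' can read or write.  An empty dict means nothing is exposed
    (or the directory does not exist on this host)."""
    findings = {}
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        try:
            st = os.lstat(path)
        except OSError:
            continue
        if not stat.S_ISCHR(st.st_mode):
            continue
        problems = exposure(st.st_mode)
        if problems:
            findings[path] = problems
    return findings


def key_presses(raw: bytes) -> list:
    """Key codes of EV_KEY press events in bytes read from an event node."""
    codes = []
    usable = len(raw) - len(raw) % INPUT_EVENT_SIZE     # drop a trailing partial record
    for off in range(0, usable, INPUT_EVENT_SIZE):
        _sec, _usec, ev_type, code, value = struct.unpack_from(INPUT_EVENT_FMT, raw, off)
        if ev_type == EV_KEY and value == KEY_PRESS:
            codes.append(code)
    return codes


def keys_to_text(codes: list) -> str:
    return "".join(KEYCODES.get(c, "?") for c in codes)


def make_event(ev_type: int, code: int, value: int) -> bytes:
    """Build one input_event record; used only to construct sample input."""
    return struct.pack(INPUT_EVENT_FMT, 0, 0, ev_type, code, value)


# Constructed sample stream: the user types "hunter" and presses Enter; each
# press is followed by its release and an EV_SYN (type 0) separator.
SAMPLE_STREAM = b"".join(
    make_event(EV_KEY, code, 1) + make_event(EV_KEY, code, 0) + make_event(0, 0, 0)
    for code in (35, 22, 49, 20, 18, 19, 28)
)

if __name__ == "__main__":
    print("exposed:", audit_input_devices())
    print("leaked :", keys_to_text(key_presses(SAMPLE_STREAM)))
```

On a patched host the audit should return nothing; if it lists an event node, any user who can log in can read keystrokes until the mode is fixed, which is why this update is rated important even though it needs a local account.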
4. Solution:
Before applying this update, make sure all previously released
errata relevant to your system have been applied.
This update is available via Red Hat Network. To use Red Hat
Network, launch the Red Hat Update Agent with the following
command:
up2date
This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.
5. Bug IDs fixed (http://bugzilla.redhat.com/):
174845 - CVE-2005-3631 /dev/input/* incorrect permissions
6. RPMs required:
Red Hat Enterprise Linux AS version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/udev-039-10.10.EL4.3.src.rpm
479e8b3ac5f9ca72193827d40e0fdd13
udev-039-10.10.EL4.3.src.rpm
i386:
0f694e4ae57487ce5e2c23627f8076ce
udev-039-10.10.EL4.3.i386.rpm
ia64:
117b4faf0ff4c5204b27f84da509e5eb
udev-039-10.10.EL4.3.ia64.rpm
ppc:
e80ead84ea6e72323006f5f1cdcde4f1
udev-039-10.10.EL4.3.ppc.rpm
s390:
bf2a4abfe19dd9d37296e002d8308f74
udev-039-10.10.EL4.3.s390.rpm
s390x:
60b1c19d6b0c198054032c943368e633
udev-039-10.10.EL4.3.s390x.rpm
x86_64:
2dd7e790e730dc1e5b64048e02e90225
udev-039-10.10.EL4.3.x86_64.rpm
Red Hat Enterprise Linux Desktop version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/udev-039-10.10.EL4.3.src.rpm
479e8b3ac5f9ca72193827d40e0fdd13
udev-039-10.10.EL4.3.src.rpm
i386:
0f694e4ae57487ce5e2c23627f8076ce
udev-039-10.10.EL4.3.i386.rpm
x86_64:
2dd7e790e730dc1e5b64048e02e90225
udev-039-10.10.EL4.3.x86_64.rpm
Red Hat Enterprise Linux ES version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/udev-039-10.10.EL4.3.src.rpm
479e8b3ac5f9ca72193827d40e0fdd13
udev-039-10.10.EL4.3.src.rpm
i386:
0f694e4ae57487ce5e2c23627f8076ce
udev-039-10.10.EL4.3.i386.rpm
ia64:
117b4faf0ff4c5204b27f84da509e5eb
udev-039-10.10.EL4.3.ia64.rpm
x86_64:
2dd7e790e730dc1e5b64048e02e90225
udev-039-10.10.EL4.3.x86_64.rpm
Red Hat Enterprise Linux WS version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/udev-039-10.10.EL4.3.src.rpm
479e8b3ac5f9ca72193827d40e0fdd13
udev-039-10.10.EL4.3.src.rpm
i386:
0f694e4ae57487ce5e2c23627f8076ce
udev-039-10.10.EL4.3.i386.rpm
ia64:
117b4faf0ff4c5204b27f84da509e5eb
udev-039-10.10.EL4.3.ia64.rpm
x86_64:
2dd7e790e730dc1e5b64048e02e90225
udev-039-10.10.EL4.3.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key
and details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
7. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3631
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More
contact details at https://www.redhat.com/security/team/contact/
Copyright 2005 Red Hat, Inc.
Red Hat Security Advisory
Synopsis: Important: gpdf security update
Advisory ID: RHSA-2005:867-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2005-867.html
Issue date: 2005-12-20
Updated on: 2005-12-20
Product: Red Hat Enterprise Linux
CVE Names: CVE-2005-3191 CVE-2005-3192 CVE-2005-3193
1. Summary:
An updated gpdf package that fixes several security issues is
now available for Red Hat Enterprise Linux 4.
This update has been rated as having important security impact
by the Red Hat Security Response Team.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390,
s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
3. Problem description:
The gpdf package is a GNOME based viewer for Portable Document
Format (PDF) files.
Several flaws were discovered in gpdf. An attacker could
construct a carefully crafted PDF file that could cause gpdf to
crash or possibly execute arbitrary code when opened. The Common
Vulnerabilities and Exposures project assigned the names
CVE-2005-3191, CVE-2005-3192, and CVE-2005-3193 to these
issues.
Users of gpdf should upgrade to this updated package, which
contains a backported patch to resolve these issues.
4. Solution:
Before applying this update, make sure all previously released
errata relevant to your system have been applied.
This update is available via Red Hat Network. To use Red Hat
Network, launch the Red Hat Update Agent with the following
command:
up2date
This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.
5. Bug IDs fixed (http://bugzilla.redhat.com/):
175100 - CVE-2005-3193 xpdf issues (CVE-2005-3191 CVE-2005-3192)
6. RPMs required:
Red Hat Enterprise Linux AS version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/gpdf-2.8.2-7.3.src.rpm
b365aac32d140ef324ab0eb2c7cf3bfd gpdf-2.8.2-7.3.src.rpm
i386:
a3f8659efab116042f37cfc9d227dc82 gpdf-2.8.2-7.3.i386.rpm
ia64:
d429fc7fef00acef1468cddd11d2bbea gpdf-2.8.2-7.3.ia64.rpm
ppc:
af418aad8b7c3b556359d41b42860745 gpdf-2.8.2-7.3.ppc.rpm
s390:
dc073f271f99420aea8d2bf7a3fc13a4 gpdf-2.8.2-7.3.s390.rpm
s390x:
3978d2d5f302b2313f6a06162dffdc20
gpdf-2.8.2-7.3.s390x.rpm
x86_64:
e7aff4c218078b599959d90b968fffd0
gpdf-2.8.2-7.3.x86_64.rpm
Red Hat Enterprise Linux Desktop version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/gpdf-2.8.2-7.3.src.rpm
b365aac32d140ef324ab0eb2c7cf3bfd gpdf-2.8.2-7.3.src.rpm
i386:
a3f8659efab116042f37cfc9d227dc82 gpdf-2.8.2-7.3.i386.rpm
x86_64:
e7aff4c218078b599959d90b968fffd0
gpdf-2.8.2-7.3.x86_64.rpm
Red Hat Enterprise Linux ES version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/gpdf-2.8.2-7.3.src.rpm
b365aac32d140ef324ab0eb2c7cf3bfd gpdf-2.8.2-7.3.src.rpm
i386:
a3f8659efab116042f37cfc9d227dc82 gpdf-2.8.2-7.3.i386.rpm
ia64:
d429fc7fef00acef1468cddd11d2bbea gpdf-2.8.2-7.3.ia64.rpm
x86_64:
e7aff4c218078b599959d90b968fffd0
gpdf-2.8.2-7.3.x86_64.rpm
Red Hat Enterprise Linux WS version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/gpdf-2.8.2-7.3.src.rpm
b365aac32d140ef324ab0eb2c7cf3bfd gpdf-2.8.2-7.3.src.rpm
i386:
a3f8659efab116042f37cfc9d227dc82 gpdf-2.8.2-7.3.i386.rpm
ia64:
d429fc7fef00acef1468cddd11d2bbea gpdf-2.8.2-7.3.ia64.rpm
x86_64:
e7aff4c218078b599959d90b968fffd0
gpdf-2.8.2-7.3.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key
and details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
7. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3193
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More
contact details at https://www.redhat.com/security/team/contact/
Copyright 2005 Red Hat, Inc.
Red Hat Security Advisory
Synopsis: Important: kdegraphics security update
Advisory ID: RHSA-2005:868-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2005-868.html
Issue date: 2005-12-20
Updated on: 2005-12-20
Product: Red Hat Enterprise Linux
CVE Names: CVE-2005-3191 CVE-2005-3192 CVE-2005-3193
1. Summary:
Updated kdegraphics packages that resolve several security
issues in kpdf are now available.
This update has been rated as having important security impact
by the Red Hat Security Response Team.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390,
s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
3. Problem description:
The kdegraphics packages contain applications for the K Desktop
Environment including kpdf, a pdf file viewer.
Several flaws were discovered in kpdf. An attacker could
construct a carefully crafted PDF file that could cause kpdf to
crash or possibly execute arbitrary code when opened. The Common
Vulnerabilities and Exposures project assigned the names
CVE-2005-3191, CVE-2005-3192, and CVE-2005-3193 to these
issues.
Users of kpdf should upgrade to these updated packages, which
contain a backported patch to resolve these issues.
4. Solution:
Before applying this update, make sure all previously released
errata relevant to your system have been applied.
This update is available via Red Hat Network. To use Red Hat
Network, launch the Red Hat Update Agent with the following
command:
up2date
This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.
5. Bug IDs fixed (http://bugzilla.redhat.com/):
175105 - CVE-2005-3193 xpdf issues (CVE-2005-3191
CVE-2005-3192)
6. RPMs required:
Red Hat Enterprise Linux AS version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/kdegraphics-3.3.1-3.6.src.rpm
Red Hat Enterprise Linux Desktop version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/kdegraphics-3.3.1-3.6.src.rpm
Red Hat Enterprise Linux ES version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/kdegraphics-3.3.1-3.6.src.rpm
Red Hat Enterprise Linux WS version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/kdegraphics-3.3.1-3.6.src.rpm
These packages are GPG signed by Red Hat for security. Our key
and details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
7. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3193
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More
contact details at https://www.redhat.com/security/team/contact/
Copyright 2005 Red Hat, Inc.
Red Hat Security Advisory
Synopsis: Moderate: curl security update
Advisory ID: RHSA-2005:875-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2005-875.html
Issue date: 2005-12-20
Updated on: 2005-12-20
Product: Red Hat Enterprise Linux
CVE Names: CVE-2005-4077
1. Summary:
Updated curl packages that fix a security issue are now
available for Red Hat Enterprise Linux 4.
This update has been rated as having moderate security impact by
the Red Hat Security Response Team.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390,
s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
3. Problem description:
cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet,
and Dict servers, using any of the supported protocols.
Stefan Esser discovered an off-by-one bug in curl. It may be
possible to execute arbitrary code on a user's machine if the user
can be tricked into executing curl with a carefully crafted URL.
The Common Vulnerabilities and Exposures project assigned the name
CVE-2005-4077 to this issue.
All users of curl are advised to upgrade to these updated
packages, which contain a backported patch that resolves this
issue.
4. Solution:
Before applying this update, make sure all previously released
errata relevant to your system have been applied.
This update is available via Red Hat Network. To use Red Hat
Network, launch the Red Hat Update Agent with the following
command:
up2date
This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.
5. Bug IDs fixed (http://bugzilla.redhat.com/):
175266 - CVE-2005-4077 SA17907 cURL/libcURL URL Parsing
Off-By-One Vulnerability
6. RPMs required:
Red Hat Enterprise Linux AS version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/curl-7.12.1-8.rhel4.src.rpm
Red Hat Enterprise Linux Desktop version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/curl-7.12.1-8.rhel4.src.rpm
i386:
8eb8d6c18a0098a29c74762e3b5917b1