Advisories, February 5, 2006
Mar 6, 2006, 04:45 UTC

Fedora Core


Fedora Update Notification
FEDORA-2006-133
2006-03-03

Product : Fedora Core 4
Name : squirrelmail
Version : 1.4.6
Release : 1.fc4
Summary : SquirrelMail webmail client

Description :
SquirrelMail is a standards-based webmail package written in PHP4. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no Javascript) for maximum compatibility across browsers. It has very few requirements and is very easy to configure and install. SquirrelMail has all the functionality you would want from an email client, including strong MIME support, address books, and folder manipulation.


Update Information:

Upgrade to upstream version 1.4.6, which fixes the security issues listed in the changelog below in addition to several bugs.

More details: http://www.squirrelmail.org/changelog.php

Additionally Fedora's package contains fixes that may improve usability of squirrelmail in various non-English languages. Please report to Bug #162852 if this update causes any regressions in non-English language behavior.


  • Wed Mar 1 2006 David Woodhouse <dwmw2@redhat.com> 1.4.6-1
    • Upgrade to 1.4.6 proper for CVE-2006-0377 CVE-2006-0195 CVE-2006-0188
    • Script the charset changes instead of using a patch
    • Convert the ko_KR files to UTF-8, dropping invalid characters from what's theoretically supposed to be EUC-KR in the original.
  • Tue Jan 17 2006 Warren Togami <wtogami@redhat.com> 1.4.6-0.cvs20050812.3
    • do not remove mo files
    • require php-mbstring
  • Fri Dec 9 2005 Jesse Keating <jkeating@redhat.com>
    • rebuilt
  • Mon Sep 12 2005 David Woodhouse <dwmw2@redhat.com> 1.4.6-0.cvs20050812.2
    • Convert all locales to UTF-8 instead of legacy character sets to work around bug #162852. Except for ko_KR, because iconv doesn't believe its help files are actually in EUC-KR as claimed.

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/

7fa03570698b636dcd976d0f3b6d3d51df171224 SRPMS/squirrelmail-1.4.6-1.fc4.src.rpm
9cb6adf3a5746a0187ca0f7db333884221ef7512 ppc/squirrelmail-1.4.6-1.fc4.noarch.rpm
9cb6adf3a5746a0187ca0f7db333884221ef7512 x86_64/squirrelmail-1.4.6-1.fc4.noarch.rpm
9cb6adf3a5746a0187ca0f7db333884221ef7512 i386/squirrelmail-1.4.6-1.fc4.noarch.rpm

This update can be installed with the 'yum' update program. Use 'yum update package-name' at the command line. For more information, refer to 'Managing Software with yum,' available at http://fedora.redhat.com/docs/yum/.
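The advisory publishes a SHA-1 digest for each package file. The following script, added here as an illustration and not part of the Fedora notification, parses that list and checks downloaded files against it before they are installed. The manifest text is copied from the advisory above; everything else (function names, the "ok"/"MISMATCH"/"MISSING" report vocabulary, the command-line usage) is an assumption of this example.

```python
import hashlib
import os
import sys

# Checksum list exactly as published in the advisory above: SHA-1 hex digest,
# then the path relative to the download directory. The three noarch lines
# share one digest because the same file is published under three
# architecture directories, so identical digests there are expected.
MANIFEST = """\
7fa03570698b636dcd976d0f3b6d3d51df171224 SRPMS/squirrelmail-1.4.6-1.fc4.src.rpm
9cb6adf3a5746a0187ca0f7db333884221ef7512 ppc/squirrelmail-1.4.6-1.fc4.noarch.rpm
9cb6adf3a5746a0187ca0f7db333884221ef7512 x86_64/squirrelmail-1.4.6-1.fc4.noarch.rpm
9cb6adf3a5746a0187ca0f7db333884221ef7512 i386/squirrelmail-1.4.6-1.fc4.noarch.rpm
"""


def parse_manifest(text):
    """Map each relative path to its expected SHA-1 digest, rejecting malformed lines."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 40:
            raise ValueError("manifest line %d is not '<sha1> <path>': %r" % (lineno, line))
        try:
            int(parts[0], 16)
        except ValueError:
            raise ValueError("manifest line %d has a non-hex digest" % lineno)
        expected[parts[1]] = parts[0].lower()
    return expected


def sha1_hex(data):
    """SHA-1 of an in-memory byte string, as a lowercase hex digest."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path, chunk=1 << 20):
    """SHA-1 of a file on disk, read in chunks so large RPMs are not loaded whole."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify(expected, contents):
    """Compare downloaded bytes (relative path -> bytes) against the manifest.

    Returns relative path -> "ok", "MISMATCH" or "MISSING"; a caller should
    refuse to install anything that is not "ok".
    """
    report = {}
    for path, digest in expected.items():
        if path not in contents:
            report[path] = "MISSING"
        elif sha1_hex(contents[path]) == digest:
            report[path] = "ok"
        else:
            report[path] = "MISMATCH"
    return report


def verify_directory(expected, base_dir):
    """Same check for files already downloaded under base_dir (hypothetical usage helper)."""
    report = {}
    for path, digest in expected.items():
        full = os.path.join(base_dir, path)
        if not os.path.isfile(full):
            report[path] = "MISSING"
        else:
            report[path] = "ok" if sha1_of_file(full) == digest else "MISMATCH"
    return report


if __name__ == "__main__":
    # Usage: python verify_update.py /path/to/downloaded/updates/4
    base = sys.argv[1] if len(sys.argv) > 1 else "."
    bad = 0
    for path, status in sorted(verify_directory(parse_manifest(MANIFEST), base).items()):
        print("%-9s %s" % (status, path))
        bad += status != "ok"
    sys.exit(1 if bad else 0)
```

A digest list only proves the file you downloaded matches the file the advisory author hashed; if both the advisory and the packages arrive over the same untrusted channel, a tampered copy could come with a matching digest. The stronger control is the RPM GPG signature check that yum performs when signature checking is enabled, with the checksum serving as a quick transport-corruption test.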

Gentoo Linux


Gentoo Linux Security Advisory GLSA 200603-01

http://security.gentoo.org/


Severity: Normal
Title: WordPress: SQL injection vulnerability
Date: March 04, 2006
Bugs: #121661
ID: 200603-01


Synopsis

WordPress is vulnerable to an SQL injection vulnerability.

Background

WordPress is a PHP and MySQL based content management and publishing system.

Affected packages


 #  Package               Vulnerable    Unaffected
 1  www-apps/wordpress    <= 1.5.2      >= 2.0.1

Description

Patrik Karlsson reported that WordPress 1.5.2 makes use of an insufficiently filtered User Agent string in SQL queries related to comments posting. This vulnerability was already fixed in the 2.0-series of WordPress.

Impact

An attacker could send a comment with a malicious User Agent parameter, resulting in SQL injection and potentially in the subversion of the WordPress database. This vulnerability wouldn't affect WordPress sites which do not allow comments or which require that comments go through a moderator.
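The flaw described above is the generic one of splicing a request header into SQL text. The example below is added here to show that pattern next to its fix and is not WordPress code: a constructed SQLite table stands in for the comment store (the column names are assumptions), one insert builds the statement by string formatting, the other binds the header as a parameter. A User-Agent that merely contains an apostrophe is enough to show the difference, because the formatted version hands that text to the SQL parser while the bound version stores it as data.

```python
import sqlite3

# Constructed schema standing in for a blog engine's comment table;
# the column names are assumptions of this example, not the real schema.
SCHEMA = """
CREATE TABLE comments (
    id             INTEGER PRIMARY KEY,
    comment_author TEXT NOT NULL,
    comment_agent  TEXT NOT NULL
);
"""


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_comment_vulnerable(conn, author, user_agent):
    """The flawed pattern: untrusted header text is spliced into the SQL string,
    so the database parser cannot tell where the value ends and SQL begins."""
    sql = ("INSERT INTO comments (comment_author, comment_agent) "
           "VALUES ('%s', '%s')" % (author, user_agent))
    conn.execute(sql)
    conn.commit()


def insert_comment_safe(conn, author, user_agent):
    """The fix: bind parameters, so the header is passed as a value and is never parsed as SQL."""
    conn.execute(
        "INSERT INTO comments (comment_author, comment_agent) VALUES (?, ?)",
        (author, user_agent),
    )
    conn.commit()


def stored_agents(conn):
    """User-Agent values the table ended up holding, in insertion order."""
    return [row[0] for row in conn.execute("SELECT comment_agent FROM comments ORDER BY id")]


def attempt(fn, conn, author, user_agent):
    """Run one insert and report whether the database accepted the statement."""
    try:
        fn(conn, author, user_agent)
        return "accepted"
    except sqlite3.Error as exc:
        return "rejected: %s" % exc


# Constructed header values. The second one only contains an apostrophe, a
# character that appears in legitimate traffic; it is enough to show that the
# vulnerable insert lets header bytes change the meaning of the statement.
PLAIN_AGENT = "Mozilla/5.0 (X11; Linux i686) Firefox/1.5"
QUOTED_AGENT = "Mozilla/5.0 (X11; Linux) O'Reilly-Reader/1.0"


def demo():
    results = {}
    conn = new_db()
    results["vulnerable_plain"] = attempt(insert_comment_vulnerable, conn, "alice", PLAIN_AGENT)
    results["vulnerable_quoted"] = attempt(insert_comment_vulnerable, conn, "alice", QUOTED_AGENT)
    results["safe_plain"] = attempt(insert_comment_safe, conn, "bob", PLAIN_AGENT)
    results["safe_quoted"] = attempt(insert_comment_safe, conn, "bob", QUOTED_AGENT)
    results["stored"] = stored_agents(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-18s %s" % (key, value))
```

The syntax error the vulnerable path produces is the benign symptom; the same parsing of header text as SQL is what lets a crafted header run statements the application never wrote. The bound version accepts the apostrophe unchanged, which is also why escaping-by-hand is the wrong fix: parameter binding removes the whole class rather than one character.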

Workaround

Disable or moderate comments on your WordPress blogs.

Resolution

All WordPress users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/wordpress-2.0.1"

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200603-01.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or, alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


Gentoo Linux Security Advisory GLSA 200603-02

http://security.gentoo.org/


Severity: Normal
Title: teTeX, pTeX, CSTeX: Multiple overflows in included XPdf code
Date: March 04, 2006
Bugs: #115775
ID: 200603-02


Synopsis

CSTeX, pTeX, and teTeX include vulnerable XPdf code to handle PDF files, making them vulnerable to the execution of arbitrary code.

Background

teTeX is a complete TeX distribution. It is used for creating and manipulating LaTeX documents. CSTeX is a TeX distribution with Czech and Slovak support. pTeX is an ASCII publishing TeX distribution.

Affected packages


 #  Package               Vulnerable    Unaffected
 1  app-text/tetex        < 2.0.2-r8    >= 2.0.2-r8
 2  app-text/cstetex      < 2.0.2-r2    >= 2.0.2-r2
 3  app-text/ptex         < 3.1.5-r1    >= 3.1.5-r1

3 affected packages on all of their supported architectures.


Description

CSTeX, teTeX, and pTeX include XPdf code to handle PDF files. This XPdf code is vulnerable to several heap overflows (GLSA 200512-08) as well as several buffer and integer overflows discovered by Chris Evans (CESA-2005-003).

Impact

An attacker could entice a user to open a specially crafted PDF file with teTeX, pTeX or CSTeX, potentially resulting in the execution of arbitrary code with the rights of the user running the affected application.

Workaround

There is no known workaround at this time.

Resolution

All teTeX users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/tetex-2.0.2-r8"

All CSTeX users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/cstetex-2.0.2-r2"

All pTeX users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/ptex-3.1.5-r1"

References

[ 1 ] CVE-2005-3193

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3193

[ 2 ] GLSA 200512-08

http://www.gentoo.org/security/en/glsa/glsa-200512-08.xml

[ 3 ] CESA-2005-003

http://scary.beasts.org/security/CESA-2005-003.txt

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200603-02.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or, alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


Gentoo Linux Security Advisory GLSA 200603-03

http://security.gentoo.org/


Severity: Normal
Title: MPlayer: Multiple integer overflows
Date: March 04, 2006
Bugs: #115760, #122029
ID: 200603-03


Synopsis

MPlayer is vulnerable to integer overflows in FFmpeg and ASF decoding that could potentially result in the execution of arbitrary code.

Background

MPlayer is a media player capable of handling multiple multimedia file formats.

Affected packages


 #  Package               Vulnerable        Unaffected
 1  media-video/mplayer   < 1.0.20060217    >= 1.0.20060217

Description

MPlayer makes use of the FFmpeg library, which is vulnerable to a heap overflow in the avcodec_default_get_buffer() function discovered by Simon Kilvington (see GLSA 200601-06). Furthermore, AFI Security Research discovered two integer overflows in ASF file format decoding, in the new_demux_packet() function from libmpdemux/demuxer.h and the demux_asf_read_packet() function from libmpdemux/demux_asf.c.

Impact

An attacker could craft a malicious media file which, when opened using MPlayer, would lead to a heap-based buffer overflow. This could result in the execution of arbitrary code with the permissions of the user running MPlayer.
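The advisory says an integer overflow in packet-length handling turns into a heap-based buffer overflow. The example below is added here to show the mechanism and is not MPlayer's code: it models a demuxer that reads a declared packet length from a file and must decide whether that many bytes fit in its buffer. The header size, the shape of the naive check and the function names are constructed for this illustration; 32-bit unsigned wraparound is simulated explicitly, since Python integers do not overflow on their own.

```python
U32_MAX = 0xFFFFFFFF
HEADER_LEN = 16  # constructed: fixed per-packet header size for this model


def add_u32(a, b):
    """Unsigned 32-bit addition as a C program would perform it: the sum wraps silently."""
    return (a + b) & U32_MAX


def naive_fits(declared_len, buffer_len):
    """The check written in the form that overflows: 'declared + header <= buffer'.

    When declared_len is close to U32_MAX the sum wraps to a small number and
    the comparison passes, so a huge length is treated as a tiny one.
    """
    return add_u32(declared_len, HEADER_LEN) <= buffer_len


def robust_fits(declared_len, buffer_len):
    """Overflow-proof form: subtract the fixed part instead of adding to the
    untrusted part, so no intermediate value can wrap."""
    if buffer_len < HEADER_LEN:
        return False
    return declared_len <= buffer_len - HEADER_LEN


def read_packet(data, declared_len, check=robust_fits):
    """Return the packet body of declared_len bytes that follows the header,
    or None when the length does not fit the buffer.

    Python slicing clips to the buffer, so a length that passes naive_fits
    yields a short result here; a C memcpy with the same length would read
    and write far past the allocation instead.
    """
    if not check(declared_len, len(data)):
        return None
    return data[HEADER_LEN:HEADER_LEN + declared_len]


if __name__ == "__main__":
    # Constructed sample: a 64-byte buffer and two declared lengths, one sane
    # and one chosen to sit just below the 32-bit limit.
    buf = bytes(64)
    for declared in (40, U32_MAX - 5):
        print("declared=%d naive=%s robust=%s"
              % (declared, naive_fits(declared, len(buf)), robust_fits(declared, len(buf))))
```

The subtraction form is the general rule for validating attacker-controlled sizes: compare the untrusted value against a bound computed only from trusted values, and never add to or multiply the untrusted value before the comparison unless the arithmetic itself is checked for overflow.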

Workaround

There is no known workaround at this time.

Resolution

All MPlayer users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-video/mplayer-1.0.20060217"

References

[ 1 ] CVE-2005-4048

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4048

[ 2 ] CVE-2006-0579

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0579

[ 3 ] GLSA 200601-06

http://www.gentoo.org/security/en/glsa/glsa-200601-06.xml

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200603-03.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or, alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


