Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections:  Developer -  High Performance -  Infrastructure -  IT Management -  Security -  Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs


More on LinuxToday


Advisories, May 24, 2006

May 25, 2006, 04:45 (0 Talkback[s])

Debian GNU/Linux


Debian Security Advisory DSA 1074-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
May 24th, 2006 http://www.debian.org/security/faq


Package : mpg123
Vulnerability : buffer overflow
Problem type : local (remote)
Debian-specific: no
CVE ID : CVE-2006-1655
BugTraq ID : 17365
Debian Bug : 361863

Alejandro Hernández discovered a vulnerability in mpg123, a command-line player for MPEG audio files. Insufficient validation of MPEG 2.0 layer 3 files results in several buffer overflows.

For the stable distribution (sarge) these problems have been fixed in version 0.59r-20sarge1.

For the unstable distribution (sid) these problems have been fixed in version 0.59r-22.

We recommend that you upgrade your mpg123 packages.

Upgrade Instructions


wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge


Source archives:

    http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-20sarge1.dsc
      Size/MD5 checksum: 751 ba026638de21be9fa5061056bd53a43d
    http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-20sarge1.diff.gz
      Size/MD5 checksum: 41527 3119adeed1228f6bd10c3f7100a308e0
    http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r.orig.tar.gz
      Size/MD5 checksum: 159028 95df59ad1651dd2346d49fafc83747e7

Alpha architecture:

    http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-20sarge1_alpha.deb
      Size/MD5 checksum: 124974 b9ea8480d28e09e27673072ade3021e3
    http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-esd_0.59r-20sarge1_alpha.deb
      Size/MD5 checksum: 124814 55e68e2a8a4ad452d9078d26550fcd3b

ARM architecture:

    http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-20sarge1_arm.deb
      Size/MD5 checksum: 102068 82ab3c03fc9256ad5e5049152a8c00fc

Intel IA-32 architecture:

    http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-20sarge1_i386.deb
      Size/MD5 checksum: 87160 a072702eaf20b77fd0438ffeb28eede9
    http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-esd_0.59r-20sarge1_i386.deb
      Size/MD5 checksum: 87232 54462dbc34ad9fbbfce90fec5608e79f
    http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-nas_0.59r-20sarge1_i386.deb
      Size/MD5 checksum: 90148 c4d04e08d4326ec2e734675922dd8f61
    http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-oss-3dnow_0.59r-20sarge1_i386.deb
      Size/MD5 checksum: 90392 e8166266d16a7f503547217a58d871bb
    http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-oss-i486_0.59r-20sarge1_i386.deb
      Size/MD5 checksum: 93850 e7b3d76e2e011f2f6e70630e0cb15737

HP Precision architecture:

    http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-20sarge1_hppa.deb
      Size/MD5 checksum: 101702 5f04ef0d8a5ae5c30f3acdc0c00b0927

Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-20sarge1_m68k.deb
      Size/MD5 checksum: 80232 e81a61a8c84c0a776655501b3cfff93c

PowerPC architecture:

    http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-20sarge1_powerpc.deb
      Size/MD5 checksum: 96536 cf2cf30c6c4d4b912c4585979c823eab
    http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-esd_0.59r-20sarge1_powerpc.deb
      Size/MD5 checksum: 98058 04843c3a016782384e2dc5ae987a365d

Sun Sparc architecture:

    http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-20sarge1_sparc.deb
      Size/MD5 checksum: 91586 3cc30d3290684dbce40e71acec6202ad

These files will probably be moved into the stable distribution on its next update.


For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Mandriva Linux


Mandriva Linux Security Advisory MDKSA-2006:087
http://www.mandriva.com/security/


Package : kernel
Date : May 24, 2006
Affected: 2006.0


Problem Description:

Memory corruption can be triggered remotely when the ip_nat_snmp_basic module is loaded and traffic on port 161 or 162 is NATed.

The provided packages are patched to fix this vulnerability. Users who may be running netfilter on important servers are encouraged to upgrade to these updated kernels.

To update your kernel, please follow the directions located at:

http://www.mandriva.com/en/security/kernelupdate


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2444


Updated Packages:

Mandriva Linux 2006.0:
4dc3aebce01743d22ccfdcf2d7e6be1c 2006.0/RPMS/kernel-2.6.12.22mdk-1-1mdk.i586.rpm
4df75974100f1d867b227f83aac9bc2e 2006.0/RPMS/kernel-BOOT-2.6.12.22mdk-1-1mdk.i586.rpm
7ad9ef00021f9e0938932014f22e4bba 2006.0/RPMS/kernel-i586-up-1GB-2.6.12.22mdk-1-1mdk.i586.rpm
44eae16e32239f239346e620cd0f7b15 2006.0/RPMS/kernel-i686-up-4GB-2.6.12.22mdk-1-1mdk.i586.rpm
e01abef21d8d14e6d6c879f56ebe684b 2006.0/RPMS/kernel-smp-2.6.12.22mdk-1-1mdk.i586.rpm
5d3826385c72a86a3ebcf564529d85b1 2006.0/RPMS/kernel-source-2.6-2.6.12-22mdk.i586.rpm
79586cea137b4d36658d3fd7b313ef8b 2006.0/RPMS/kernel-source-stripped-2.6-2.6.12-22mdk.i586.rpm
883243ea22ad7eb494b1546a4a390507 2006.0/RPMS/kernel-xbox-2.6.12.22mdk-1-1mdk.i586.rpm
4283b2f1fefe78b8459ffb3611fb1273 2006.0/RPMS/kernel-xen0-2.6.12.22mdk-1-1mdk.i586.rpm
eb25ea2db1336906f145cf20a84f29a6 2006.0/RPMS/kernel-xenU-2.6.12.22mdk-1-1mdk.i586.rpm
f34885d9d75928e9371f1ca3dd620fd3 2006.0/SRPMS/kernel-2.6.12.22mdk-1-1mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
94fc9062208f2bc8010f64070f505133 x86_64/2006.0/RPMS/kernel-2.6.12.22mdk-1-1mdk.x86_64.rpm
fad1ee518ba360420a9dc7f544ace3ee x86_64/2006.0/RPMS/kernel-BOOT-2.6.12.22mdk-1-1mdk.x86_64.rpm
88d61abf3296793a136cc8c662030b34 x86_64/2006.0/RPMS/kernel-smp-2.6.12.22mdk-1-1mdk.x86_64.rpm
d57c2d28a28e66b2eafe716d22971619 x86_64/2006.0/RPMS/kernel-source-2.6-2.6.12-22mdk.x86_64.rpm
6c0ff6667a79390e8260d30ff7f2faa5 x86_64/2006.0/RPMS/kernel-source-stripped-2.6-2.6.12-22mdk.x86_64.rpm
f34885d9d75928e9371f1ca3dd620fd3 x86_64/2006.0/SRPMS/kernel-2.6.12.22mdk-1-1mdk.src.rpm


To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>


Mandriva Linux Security Advisory MDKSA-2006:088
http://www.mandriva.com/security/


Package : hostapd
Date : May 24, 2006
Affected: 10.2, 2006.0


Problem Description:

Hostapd 0.3.7 allows remote attackers to cause a denial of service (segmentation fault) via an unspecified value in the key_data_length field of an EAPoL frame.

Packages have been patched to correct this issue.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2213


Updated Packages:

Mandriva Linux 10.2:
9154a5005bc66dae4528cd3008dbca09 10.2/RPMS/hostapd-0.3.7-2.1.102dk.i586.rpm
699e613fea4270c79ee1849d96f1ee03 10.2/SRPMS/hostapd-0.3.7-2.1.102dk.src.rpm

Mandriva Linux 10.2/X86_64:
810b867b9562b11ce4ecb6ab7e3bd352 x86_64/10.2/RPMS/hostapd-0.3.7-2.1.102dk.x86_64.rpm
699e613fea4270c79ee1849d96f1ee03 x86_64/10.2/SRPMS/hostapd-0.3.7-2.1.102dk.src.rpm

Mandriva Linux 2006.0:
4d85ab25bff640f3176c5bb55ddcc214 2006.0/RPMS/hostapd-0.3.7-2.1.20060mdk.i586.rpm
fe727611379d2f48798361d8d2be4bc1 2006.0/SRPMS/hostapd-0.3.7-2.1.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
a1952ce345775472df1aa7636fd7b5cc x86_64/2006.0/RPMS/hostapd-0.3.7-2.1.20060mdk.x86_64.rpm
fe727611379d2f48798361d8d2be4bc1 x86_64/2006.0/SRPMS/hostapd-0.3.7-2.1.20060mdk.src.rpm


To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>


Mandriva Linux Security Advisory MDKSA-2006:089
http://www.mandriva.com/security/


Package : kphone
Date : May 24, 2006
Affected: 2006.0


Problem Description:

Kphone creates .qt/kphonerc with world-readable permissions, which allows local users to read usernames and SIP passwords.

Packages have been patched to correct this issue.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2442


Updated Packages:

Mandriva Linux 2006.0:
fca945c8a4e1237ab7b684256ee00f63 2006.0/RPMS/kphone-4.2-5.1.20060mdk.i586.rpm
bd5080d59632c0ae685376bfe2084b76 2006.0/SRPMS/kphone-4.2-5.1.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
e109b023b0d240cead8eee2db6d3dcf1 x86_64/2006.0/RPMS/kphone-4.2-5.1.20060mdk.x86_64.rpm
bd5080d59632c0ae685376bfe2084b76 x86_64/2006.0/SRPMS/kphone-4.2-5.1.20060mdk.src.rpm


To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>

Red Hat Linux


Red Hat Security Advisory

Synopsis: Important: kernel security update
Advisory ID: RHSA-2006:0493-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2006-0493.html
Issue date: 2006-05-24
Updated on: 2006-05-24
Product: Red Hat Enterprise Linux
Keywords: nahant kernel update
Obsoletes: RHSA-2006:0132
CVE Names: CVE-2005-2973 CVE-2005-3272 CVE-2005-3359 CVE-2006-0555 CVE-2006-0741 CVE-2006-0744 CVE-2006-1522 CVE-2006-1525 CVE-2006-1527 CVE-2006-1528 CVE-2006-1855 CVE-2006-1856 CVE-2006-1862 CVE-2006-1864 CVE-2006-2271 CVE-2006-2272 CVE-2006-2274


1. Summary:

Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 4 kernel are now available.

This security advisory has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, noarch, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, noarch, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, noarch, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, noarch, x86_64

3. Problem description:

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the security issues described below:

  • a flaw in the IPv6 implementation that allowed a local user to cause a denial of service (infinite loop and crash) (CVE-2005-2973, important)
  • a flaw in the bridge implementation that allowed a remote user to cause forwarding of spoofed packets via poisoning of the forwarding table with already dropped frames (CVE-2005-3272, moderate)
  • a flaw in the atm module that allowed a local user to cause a denial of service (panic) via certain socket calls (CVE-2005-3359, important)
  • a flaw in the NFS client implementation that allowed a local user to cause a denial of service (panic) via O_DIRECT writes (CVE-2006-0555, important)
  • a difference in "sysretq" operation of EM64T (as opposed to Opteron) processors that allowed a local user to cause a denial of service (crash) upon return from certain system calls (CVE-2006-0741 and CVE-2006-0744, important)
  • a flaw in the keyring implementation that allowed a local user to cause a denial of service (OOPS) (CVE-2006-1522, important)
  • a flaw in IP routing implementation that allowed a local user to cause a denial of service (panic) via a request for a route for a multicast IP (CVE-2006-1525, important)
  • a flaw in the SCTP-netfilter implementation that allowed a remote user to cause a denial of service (infinite loop) (CVE-2006-1527, important)
  • a flaw in the sg driver that allowed a local user to cause a denial of service (crash) via a dio transfer to memory mapped (mmap) IO space (CVE-2006-1528, important)
  • a flaw in the threading implementation that allowed a local user to cause a denial of service (panic) (CVE-2006-1855, important)
  • two missing LSM hooks that allowed a local user to bypass the LSM by using readv() or writev() (CVE-2006-1856, moderate)
  • a flaw in the virtual memory implementation that allowed local user to cause a denial of service (panic) by using the lsof command (CVE-2006-1862, important)
  • a directory traversal vulnerability in smbfs that allowed a local user to escape chroot restrictions for an SMB-mounted filesystem via "..\" sequences (CVE-2006-1864, moderate)
  • a flaw in the ECNE chunk handling of SCTP that allowed a remote user to cause a denial of service (panic) (CVE-2006-2271, moderate)
  • a flaw in the handling of COOKIE_ECHO and HEARTBEAT control chunks of SCTP that allowed a remote user to cause a denial of service (panic) (CVE-2006-2272, moderate)
  • a flaw in the handling of DATA fragments of SCTP that allowed a remote user to cause a denial of service (infinite recursion and crash) (CVE-2006-2274, moderate)

All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

    http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/):

168791 - CVE-2006-1528 Possible local crash by dio/mmap sg driver
170772 - CVE-2005-2973 ipv6 infinite loop
171383 - CVE-2005-3272 bridge poisoning
175769 - CVE-2005-3359 incorrect inrement/decrement in atm module leads to panic
181795 - CVE-2006-0555 NFS client panic using O_DIRECT
183489 - CVE-2006-0741 bad elf entry address (CVE-2006-0744)
187841 - CVE-2006-1855 Old thread debugging causes false BUG() in choose_new_parent
188466 - CVE-2006-1522 DoS/bug in keyring code (security/keys/)
189260 - CVE-2006-1862 The lsof command triggers a kernel oops under heavy load
189346 - CVE-2006-1525 ip_route_input() panic
189435 - CVE-2006-1864 smbfs chroot issue
190460 - CVE-2006-1527 netfilter/sctp: lockup in sctp_new()
191201 - CVE-2006-2271 SCTP ECNE chunk handling DoS
191202 - CVE-2006-2272 SCTP incoming COOKIE_ECHO and HEARTBEAT packets DoS
191258 - CVE-2006-2274 SCTP DATA fragments DoS
191524 - CVE-2006-1856 LSM missing readv/writev

6. RPMs required:

Red Hat Enterprise Linux AS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/kernel-2.6.9-34.0.1.EL.src.rpm
d43492e556689a0607d7bafd927024b7 kernel-2.6.9-34.0.1.EL.src.rpm

i386:
34813080d97fdd6f647fd7d4f809c7fc kernel-2.6.9-34.0.1.EL.i686.rpm
c7518db018da32cf470378154154687d
kernel-debuginfo-2.6.9-34.0.1.EL.i686.rpm
e78b9ccc0c954cff7cb40e6f02b24674 kernel-devel-2.6.9-34.0.1.EL.i686.rpm
3c00e3363ab92e43224a3017fb7bb4a3
kernel-hugemem-2.6.9-34.0.1.EL.i686.rpm
861c261dc99531fecc8b90a579e3d406 kernel-hugemem-devel-2.6.9-34.0.1.EL.i686.rpm
ac1a65bd4766603619c7871c8454312d
kernel-smp-2.6.9-34.0.1.EL.i686.rpm
20bb2e56287af558784e341a22ecc899 kernel-smp-devel-2.6.9-34.0.1.EL.i686.rpm

ia64:
bb16d7851570a9973acc285b1c10d4c5 kernel-2.6.9-34.0.1.EL.ia64.rpm
b09b0d137ec1fe6f4362c3a278b4181e
kernel-debuginfo-2.6.9-34.0.1.EL.ia64.rpm
20207fbb33c783bad9de5c2d8d8b9a07 kernel-devel-2.6.9-34.0.1.EL.ia64.rpm
3a4a43172ab8119ffcec9a28abce6a69
kernel-largesmp-2.6.9-34.0.1.EL.ia64.rpm
58810e499bf182b64a4a11b2391e04b3 kernel-largesmp-devel-2.6.9-34.0.1.EL.ia64.rpm

noarch:
4969d66062c65e2f969a5b23f3d038fb kernel-doc-2.6.9-34.0.1.EL.noarch.rpm

ppc:
50f16a3bc3db576300e8ed39b7e58696 kernel-2.6.9-34.0.1.EL.ppc64.rpm
40f0c5f7d16d02e70f7058572c59829d
kernel-2.6.9-34.0.1.EL.ppc64iseries.rpm
9c189ac2cd58ae5db8c6bc98858cf411 kernel-debuginfo-2.6.9-34.0.1.EL.ppc64.rpm
ed5ae1b541ca2147b6acfda916fb0524
kernel-debuginfo-2.6.9-34.0.1.EL.ppc64iseries.rpm
80b022ce31c0fd4fe94742f36e528d75 kernel-devel-2.6.9-34.0.1.EL.ppc64.rpm
65479dc320135ebefacb42c27ded8277
kernel-devel-2.6.9-34.0.1.EL.ppc64iseries.rpm
1e22096056638a03e4c473a0d0158268 kernel-largesmp-2.6.9-34.0.1.EL.ppc64.rpm
224188bba442a6b6109689afb7bba903
kernel-largesmp-devel-2.6.9-34.0.1.EL.ppc64.rpm

s390:
8ddc9750a621e3ea4142d1adfd06a5c5 kernel-2.6.9-34.0.1.EL.s390.rpm
390b94a99981c86375e2b5d7bc2d6084
kernel-debuginfo-2.6.9-34.0.1.EL.s390.rpm
ba2a9b707ce91af1e7ae817b726ed6c5 kernel-devel-2.6.9-34.0.1.EL.s390.rpm

s390x:
4bf39050d27a794cc1df5b3eb916484a kernel-2.6.9-34.0.1.EL.s390x.rpm
ee55f330c834a2fd38f31759caec18e0
kernel-debuginfo-2.6.9-34.0.1.EL.s390x.rpm
e959fb20625849eccbd399958265fe84 kernel-devel-2.6.9-34.0.1.EL.s390x.rpm

x86_64:
055f1e2e0ec115d813792811018da5e6 kernel-2.6.9-34.0.1.EL.x86_64.rpm
2fe393eb2dea769a7c673658b85d3166
kernel-debuginfo-2.6.9-34.0.1.EL.x86_64.rpm
ab2acc3e78f549776c01be84b8aae710 kernel-devel-2.6.9-34.0.1.EL.x86_64.rpm
4c09ae42fe85e7fa0699cde07b163802
kernel-largesmp-2.6.9-34.0.1.EL.x86_64.rpm
3bb0bc6a400c3bd7faebe3070402f356 kernel-largesmp-devel-2.6.9-34.0.1.EL.x86_64.rpm
f11147d14d9f88a9760aa67af12d7d6c
kernel-smp-2.6.9-34.0.1.EL.x86_64.rpm
c411c259c433dd3fe50222a5a3ebc472 kernel-smp-devel-2.6.9-34.0.1.EL.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/kernel-2.6.9-34.0.1.EL.src.rpm
d43492e556689a0607d7bafd927024b7 kernel-2.6.9-34.0.1.EL.src.rpm

i386:
34813080d97fdd6f647fd7d4f809c7fc kernel-2.6.9-34.0.1.EL.i686.rpm
c7518db018da32cf470378154154687d
kernel-debuginfo-2.6.9-34.0.1.EL.i686.rpm
e78b9ccc0c954cff7cb40e6f02b24674 kernel-devel-2.6.9-34.0.1.EL.i686.rpm
3c00e3363ab92e43224a3017fb7bb4a3
kernel-hugemem-2.6.9-34.0.1.EL.i686.rpm
861c261dc99531fecc8b90a579e3d406 kernel-hugemem-devel-2.6.9-34.0.1.EL.i686.rpm
ac1a65bd4766603619c7871c8454312d
kernel-smp-2.6.9-34.0.1.EL.i686.rpm
20bb2e56287af558784e341a22ecc899 kernel-smp-devel-2.6.9-34.0.1.EL.i686.rpm

noarch:
4969d66062c65e2f969a5b23f3d038fb kernel-doc-2.6.9-34.0.1.EL.noarch.rpm

x86_64:
055f1e2e0ec115d813792811018da5e6 kernel-2.6.9-34.0.1.EL.x86_64.rpm
2fe393eb2dea769a7c673658b85d3166
kernel-debuginfo-2.6.9-34.0.1.EL.x86_64.rpm
ab2acc3e78f549776c01be84b8aae710 kernel-devel-2.6.9-34.0.1.EL.x86_64.rpm
4c09ae42fe85e7fa0699cde07b163802
kernel-largesmp-2.6.9-34.0.1.EL.x86_64.rpm
3bb0bc6a400c3bd7faebe3070402f356 kernel-largesmp-devel-2.6.9-34.0.1.EL.x86_64.rpm
f11147d14d9f88a9760aa67af12d7d6c
kernel-smp-2.6.9-34.0.1.EL.x86_64.rpm
c411c259c433dd3fe50222a5a3ebc472 kernel-smp-devel-2.6.9-34.0.1.EL.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/kernel-2.6.9-34.0.1.EL.src.rpm
d43492e556689a0607d7bafd927024b7 kernel-2.6.9-34.0.1.EL.src.rpm

i386:
34813080d97fdd6f647fd7d4f809c7fc kernel-2.6.9-34.0.1.EL.i686.rpm
c7518db018da32cf470378154154687d
kernel-debuginfo-2.6.9-34.0.1.EL.i686.rpm
e78b9ccc0c954cff7cb40e6f02b24674 kernel-devel-2.6.9-34.0.1.EL.i686.rpm
3c00e3363ab92e43224a3017fb7bb4a3
kernel-hugemem-2.6.9-34.0.1.EL.i686.rpm
861c261dc99531fecc8b90a579e3d406 kernel-hugemem-devel-2.6.9-34.0.1.EL.i686.rpm
ac1a65bd4766603619c7871c8454312d
kernel-smp-2.6.9-34.0.1.EL.i686.rpm
20bb2e56287af558784e341a22ecc899 kernel-smp-devel-2.6.9-34.0.1.EL.i686.rpm

ia64:
bb16d7851570a9973acc285b1c10d4c5 kernel-2.6.9-34.0.1.EL.ia64.rpm
b09b0d137ec1fe6f4362c3a278b4181e
kernel-debuginfo-2.6.9-34.0.1.EL.ia64.rpm
20207fbb33c783bad9de5c2d8d8b9a07 kernel-devel-2.6.9-34.0.1.EL.ia64.rpm
3a4a43172ab8119ffcec9a28abce6a69
kernel-largesmp-2.6.9-34.0.1.EL.ia64.rpm
58810e499bf182b64a4a11b2391e04b3 kernel-largesmp-devel-2.6.9-34.0.1.EL.ia64.rpm

noarch:
4969d66062c65e2f969a5b23f3d038fb kernel-doc-2.6.9-34.0.1.EL.noarch.rpm

x86_64:
055f1e2e0ec115d813792811018da5e6 kernel-2.6.9-34.0.1.EL.x86_64.rpm
2fe393eb2dea769a7c673658b85d3166
kernel-debuginfo-2.6.9-34.0.1.EL.x86_64.rpm
ab2acc3e78f549776c01be84b8aae710 kernel-devel-2.6.9-34.0.1.EL.x86_64.rpm
4c09ae42fe85e7fa0699cde07b163802
kernel-largesmp-2.6.9-34.0.1.EL.x86_64.rpm
3bb0bc6a400c3bd7faebe3070402f356 kernel-largesmp-devel-2.6.9-34.0.1.EL.x86_64.rpm
f11147d14d9f88a9760aa67af12d7d6c
kernel-smp-2.6.9-34.0.1.EL.x86_64.rpm
c411c259c433dd3fe50222a5a3ebc472 kernel-smp-devel-2.6.9-34.0.1.EL.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/kernel-2.6.9-34.0.1.EL.src.rpm
d43492e556689a0607d7bafd927024b7 kernel-2.6.9-34.0.1.EL.src.rpm

i386:
34813080d97fdd6f647fd7d4f809c7fc kernel-2.6.9-34.0.1.EL.i686.rpm
c7518db018da32cf470378154154687d
kernel-debuginfo-2.6.9-34.0.1.EL.i686.rpm
e78b9ccc0c954cff7cb40e6f02b24674 kernel-devel-2.6.9-34.0.1.EL.i686.rpm
3c00e3363ab92e43224a3017fb7bb4a3
kernel-hugemem-2.6.9-34.0.1.EL.i686.rpm
861c261dc99531fecc8b90a579e3d406 kernel-hugemem-devel-2.6.9-34.0.1.EL.i686.rpm
ac1a65bd4766603619c7871c8454312d
kernel-smp-2.6.9-34.0.1.EL.i686.rpm
20bb2e56287af558784e341a22ecc899 kernel-smp-devel-2.6.9-34.0.1.EL.i686.rpm

ia64:
bb16d7851570a9973acc285b1c10d4c5 kernel-2.6.9-34.0.1.EL.ia64.rpm
b09b0d137ec1fe6f4362c3a278b4181e
kernel-debuginfo-2.6.9-34.0.1.EL.ia64.rpm
20207fbb33c783bad9de5c2d8d8b9a07 kernel-devel-2.6.9-34.0.1.EL.ia64.rpm
3a4a43172ab8119ffcec9a28abce6a69
kernel-largesmp-2.6.9-34.0.1.EL.ia64.rpm
58810e499bf182b64a4a11b2391e04b3 kernel-largesmp-devel-2.6.9-34.0.1.EL.ia64.rpm

noarch:
4969d66062c65e2f969a5b23f3d038fb kernel-doc-2.6.9-34.0.1.EL.noarch.rpm

x86_64:
055f1e2e0ec115d813792811018da5e6 kernel-2.6.9-34.0.1.EL.x86_64.rpm
2fe393eb2dea769a7c673658b85d3166
kernel-debuginfo-2.6.9-34.0.1.EL.x86_64.rpm
ab2acc3e78f549776c01be84b8aae710 kernel-devel-2.6.9-34.0.1.EL.x86_64.rpm
4c09ae42fe85e7fa0699cde07b163802
kernel-largesmp-2.6.9-34.0.1.EL.x86_64.rpm
3bb0bc6a400c3bd7faebe3070402f356 kernel-largesmp-devel-2.6.9-34.0.1.EL.x86_64.rpm
f11147d14d9f88a9760aa67af12d7d6c
kernel-smp-2.6.9-34.0.1.EL.x86_64.rpm
c411c259c433dd3fe50222a5a3ebc472 kernel-smp-devel-2.6.9-34.0.1.EL.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2973
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3272
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3359
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0741
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0744
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1525
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1528
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1855
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1856
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1862
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2272
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2274
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://www.redhat.com/security/team/contact/

Copyright 2006 Red Hat, Inc.

Ubuntu Linux


Ubuntu Security Notice USN-285-1 May 23, 2006
awstats vulnerability
CVE-2006-2237

A security issue affects the following Ubuntu releases:

Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

awstats

The problem can be corrected by upgrading the affected package to version 6.3-1ubuntu0.2 (for Ubuntu 5.04), or 6.4-1ubuntu1.1 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

AWStats did not properly sanitize the 'migrate' CGI parameter. If the update of the stats via web front-end is allowed, a remote attacker could execute arbitrary commands on the server with the privileges of the AWStats server.

This does not affect AWStats installations which only build static pages.

Updated packages for Ubuntu 5.04:

Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.3-1ubuntu0.2.diff.gz
      Size/MD5: 25306 1f013ca8aaad65d8f3ae148e194b3551
    http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.3-1ubuntu0.2.dsc
      Size/MD5: 595 46a103a327e1f1bad3876927c7e66198
    http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.3.orig.tar.gz
      Size/MD5: 938794 edb73007530a5800d53b9f1f90c88053

Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.3-1ubuntu0.2_all.deb
      Size/MD5: 726430 728ee50f468a4cf3693a32b98c94b455

Updated packages for Ubuntu 5.10:

Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.4-1ubuntu1.1.diff.gz
      Size/MD5: 18541 e186b842fbd2d4d97b65eacf7c9c1295
    http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.4-1ubuntu1.1.dsc
      Size/MD5: 595 c5784c2c1bfa002abbfa77d936bc2da5
    http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.4.orig.tar.gz
      Size/MD5: 918435 056e6fb0c7351b17fe5bbbe0aa1297b1

Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.4-1ubuntu1.1_all.deb
      Size/MD5: 728490 60ca39a436e3a21a838560db5d8a5f3b