:Advisories, August 31, 2006
Advisories, August 31, 2006 0 Talkback[s]
Debian GNU/Linux
Debian Security Advisory DSA 1164-1 security@debian.org http://www.debian.org/security/ Noah Meyerhanshttp://www.debian.org/security/faq
Package : sendmail
A programming error has been discovered in sendmail, an alternative
mail transport agent for Debian, that could allow a remote attacker to
crash the sendmail process by sending a specially crafted email
message.
Please note that in order to install this update you also need
libsasl2 library from proposed updates as outlined in DSA 1155-2.
For the stable distribution (sarge) this problem has been fixed in
version 8.13.3-3sarge3
For the unstable distribution (sid) this problem has been fixed in
version 8.13.8-1
We recommend that you upgrade your sendmail package.
Upgrade Instructions
wget url
will fetch the file for you
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
Source archives:
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.13.4-3sarge3.dsc http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.13.4-3sarge3.diff.gz http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.13.4.orig.tar.gz
Architecture independent components:
http://security.debian.org/pool/updates/main/s/sendmail/sendmail-base_8.13.4-3sarge3_all.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-cf_8.13.4-3sarge3_all.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-doc_8.13.4-3sarge3_all.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.13.4-3sarge3_all.deb
Alpha architecture:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge3_alpha.deb http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge3_alpha.deb http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge3_alpha.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge3_alpha.deb http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge3_alpha.deb
AMD64 architecture:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge3_amd64.deb http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge3_amd64.deb http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge3_amd64.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge3_amd64.deb http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge3_amd64.deb
ARM architecture:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge3_arm.deb http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge3_arm.deb http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge3_arm.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge3_arm.deb http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge3_arm.deb
HP Precision architecture:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge3_hppa.deb http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge3_hppa.deb http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge3_hppa.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge3_hppa.deb http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge3_hppa.deb
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge3_i386.deb http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge3_i386.deb http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge3_i386.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge3_i386.deb http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge3_i386.deb
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge3_ia64.deb http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge3_ia64.deb http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge3_ia64.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge3_ia64.deb http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge3_ia64.deb
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge3_m68k.deb http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge3_m68k.deb http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge3_m68k.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge3_m68k.deb http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge3_m68k.deb
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge3_mips.deb http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge3_mips.deb http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge3_mips.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge3_mips.deb http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge3_mips.deb
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge3_mipsel.deb http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge3_mipsel.deb http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge3_mipsel.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge3_mipsel.deb http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge3_mipsel.deb
PowerPC architecture:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge3_powerpc.deb http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge3_powerpc.deb http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge3_powerpc.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge3_powerpc.deb http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge3_powerpc.deb
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge3_s390.deb http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge3_s390.deb http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge3_s390.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge3_s390.deb http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge3_s390.deb
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge3_sparc.deb http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge3_sparc.deb http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge3_sparc.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge3_sparc.deb http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge3_sparc.deb
These files will probably be moved into the stable distribution on
its next update.
http://security.debian.org/ stable/updates mainftp://security.debian.org/debian-security dists/stable/updates/maindebian-security-announce@lists.debian.org http://packages.debian.org/<pkg>
Mandriva Linux
Mandriva Linux Security Advisory MDKSA-2006:158http://www.mandriva.com/security/
Package : MySQL
Problem Description:
MySQL before 4.1.13 allows local users to cause a denial of service
(persistent replication slave crash) via a query with multiupdate
and subselects. (CVE-2006-4380)
There is a bug in the MySQL-Max (and MySQL) init script where the
script was not waiting for the mysqld daemon to fully stop. This
impacted the restart beahvior during updates, as well as scripted
setups that temporarily stopped the server to backup the database
files. (Bug #15724)
The Corporate 3 and MNF2 products are not affected by these issues.
Packages have been patched to correct these issues.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4389 http://qa.mandriva.com/show_bug.cgi?id=15724
Updated Packages:
Mandriva Linux 2006.0:
Mandriva Linux 2006.0/X86_64:
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
Type Bits/KeyID Date User ID
rPath Linux
rPath Security Advisory: 2006-0161-1
References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4197 https://issues.rpath.com/browse/RPL-610
Description:
Previous versions of the libmusicbrainz package are vulnerable to
compromised or otherwise malicious servers, if a client attempts
to access the server. While this is a remote source of data,
it cannot be triggered directly by a remote attacker, and requires
explicit or implicit user complicity. It is therefore similar to
mail client IMAP parsing vulnerabilities.
rPath Security Advisory: 2006-0162-1
References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2935 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4145 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3745 https://issues.rpath.com/browse/RPL-611 https://issues.rpath.com/browse/RPL-524
Description:
Previous versions of the kernel package are subject to several
vulnerabilities. Certain malformed UDF filesystems can cause the
system to crash (denial of service). Malformed CDROM firmware or
USB storage devices (such as USB keys) could cause system crash
(denial of service), and if they were intentionally malformed, can
cause arbitrary code to run with elevated privileges. In addition,
the SCTP protocol is subject to a remote system crash (denial of
service) attack, but rPath Linux does not include the tools required
to configure the SCTP protocol, so rPath Linux is not configured
by default to be vulnerable to this attack.
This update requires a system reboot to implement the fixes.
