Linux Today: Linux News On Internet Time.
SOT Linux Advisories: libxml2, mutt

Mar 11, 2004, 15:59 (0 Talkback[s])

SOT Linux Security Advisory

Subject: Updated libxml2 package for SOT Linux 2003
Advisory ID: SLSA-2004:5
Date: Thursday, March 4, 2004
Product: SOT Linux 2003


1. Problem description

libxml2 is a library for manipulating XML files.

Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-0110 to this issue.

All users are advised to upgrade to these updated packages, which contain a backported fix and are not vulnerable to this issue.
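The flaw class described above, as an added illustration written for this page and not libxml2's code: a URL "scanner" that copies the host part of a URL into a fixed-size buffer without a bound, beside a hardened form that refuses input that does not fit. The function names, the 64-byte buffer and the constructed URLs are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

/* Illustrative fixed-size host buffer; libxml2's real sizes are not on the page. */
#define HOST_MAX 64

/* Both routines take a URL such as "ftp://ftp.sot.com/updates/x.rpm" and
 * extract the host part (everything after "://" up to the next '/' or ':'). */

/* Vulnerable pattern: the copy length comes from the input, never from the
 * destination, so a URL with a host longer than HOST_MAX overruns the buffer.
 * Shown for contrast only; nothing here calls it. */
void scan_host_unbounded(const char *url, char host[HOST_MAX])
{
    const char *p = strstr(url, "://");
    p = p ? p + 3 : url;
    size_t n = strcspn(p, "/:");
    memcpy(host, p, n);       /* n is unchecked against HOST_MAX */
    host[n] = '\0';
}

/* Hardened form: the caller's buffer length bounds the write. Returns 0 on
 * success and -1 when the host is empty or would not fit (no silent truncation). */
int scan_host_bounded(const char *url, char *host, size_t host_len)
{
    const char *p = strstr(url, "://");
    p = p ? p + 3 : url;
    size_t n = strcspn(p, "/:");
    if (n == 0 || n >= host_len)
        return -1;
    memcpy(host, p, n);
    host[n] = '\0';
    return 0;
}

/* Convenience wrapper: host string on success, NULL on rejection. */
const char *host_or_null(const char *url)
{
    static char host[HOST_MAX];
    return scan_host_bounded(url, host, sizeof host) == 0 ? host : NULL;
}

/* Constructed over-long input: "ftp://" followed by 500 'a' characters. */
const char *constructed_long_url(void)
{
    static char url[512];
    memcpy(url, "ftp://", 6);
    memset(url + 6, 'a', 500);
    url[506] = '\0';
    return url;
}
```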

2. Updated packages

SOT Linux 2003 Desktop:

i386:
ftp://ftp.sot.com/updates/2003/Desktop/i386/libxml2-2.5.1-2.i386.rpm
ftp://ftp.sot.com/updates/2003/Desktop/i386/libxml2-devel-2.5.1-2.i386.rpm
ftp://ftp.sot.com/updates/2003/Desktop/i386/libxml2-python-2.5.1-2.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2003/Desktop/SRPMS/libxml2-2.5.1-2.src.rpm

SOT Linux 2003 Server:

i386:
ftp://ftp.sot.com/updates/2003/Server/i386/libxml2-2.5.1-2.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/libxml2-devel-2.5.1-2.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/libxml2-python-2.5.1-2.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2003/Server/SRPMS/libxml2-2.5.1-2.src.rpm

3. Upgrading package

Before applying this update, make sure all previously released errata relevant to your system have been applied.

Use up2date to automatically upgrade the fixed packages.

If you want to upgrade manually, download the updated package from the SOT Linux FTP site (use the links above) or from one of our mirrors. The list of mirrors can be obtained at www.sot.com/en/linux.

Update the package with the following command: rpm -Uvh <filename>

4. Verification

All packages are PGP signed by SOT for security.

You can verify each package with the following command: rpm --checksig <filename>

If you wish to verify the integrity of the downloaded package, run "md5sum <filename>" and compare the output with data given below.

Package Name                                   MD5 sum
/Desktop/i386/libxml2-2.5.1-2.i386.rpm         84aa5b76d3b27710c447e624f33a89a2
/Desktop/i386/libxml2-devel-2.5.1-2.i386.rpm   28a759df9cd68009c6690b164a2a3320
/Desktop/i386/libxml2-python-2.5.1-2.i386.rpm  85f81f2369dd6f3bcbdba6d8394621f2
/Desktop/SRPMS/libxml2-2.5.1-2.src.rpm         82fc6718eb7d11d690dc90bab609c829
/Server/i386/libxml2-2.5.1-2.i386.rpm          84aa5b76d3b27710c447e624f33a89a2
/Server/i386/libxml2-devel-2.5.1-2.i386.rpm    28a759df9cd68009c6690b164a2a3320
/Server/i386/libxml2-python-2.5.1-2.i386.rpm   85f81f2369dd6f3bcbdba6d8394621f2
/Server/SRPMS/libxml2-2.5.1-2.src.rpm          82fc6718eb7d11d690dc90bab609c829

5. References

http://mail.gnome.org/archives/xml/2004-February/msg00070.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0110

Copyright(c) 2001-2003 SOT


SOT Linux Security Advisory

Subject: Updated mutt package for SOT Linux 2003
Advisory ID: SLSA-2004:4
Date: Tuesday, March 2, 2004
Product: SOT Linux 2003


1. Problem description

Mutt is a text-based program for reading electronic mail.

It was discovered that certain messages would cause mutt to crash. Mutt 1.4.2 fixes this bug. See CAN-2004-0078.

Users of mutt should upgrade to this updated package, which contains a backported fix and is not vulnerable to this issue.

2. Updated packages

SOT Linux 2003 Desktop:

i386:
ftp://ftp.sot.com/updates/2003/Desktop/i386/mutt-1.4.2.1i-3.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2003/Desktop/SRPMS/mutt-1.4.2.1i-3.src.rpm

SOT Linux 2003 Server:

i386:
ftp://ftp.sot.com/updates/2003/Server/i386/mutt-1.4.2.1i-3.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2003/Server/SRPMS/mutt-1.4.2.1i-3.src.rpm

3. Upgrading package

Before applying this update, make sure all previously released errata relevant to your system have been applied.

Use up2date to automatically upgrade the fixed packages.

If you want to upgrade manually, download the updated package from the SOT Linux FTP site (use the links above) or from one of our mirrors. The list of mirrors can be obtained at www.sot.com/en/linux.

Update the package with the following command: rpm -Uvh <filename>

4. Verification

All packages are PGP signed by SOT for security.

You can verify each package with the following command: rpm --checksig <filename>

If you wish to verify the integrity of the downloaded package, run "md5sum <filename>" and compare the output with data given below.

Package Name                              MD5 sum
/Desktop/i386/mutt-1.4.2.1i-3.i386.rpm    96484dc0f28be6021045d661b70431a8
/Desktop/SRPMS/mutt-1.4.2.1i-3.src.rpm    6bf26a3ef768bb3acc9a4341916ed303
/Server/i386/mutt-1.4.2.1i-3.i386.rpm     96484dc0f28be6021045d661b70431a8
/Server/SRPMS/mutt-1.4.2.1i-3.src.rpm     6bf26a3ef768bb3acc9a4341916ed303

5. References

http://www.mutt.org/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0078

Copyright(c) 2001-2003 SOT