Linux Today: Linux News On Internet Time.

Advisories: May 17, 2005

May 18, 2005, 04:45

Conectiva Linux


CONECTIVA LINUX SECURITY ANNOUNCEMENT

PACKAGE : kde
SUMMARY : Fixes for multiple KDE security vulnerabilities
DATE : 2005-05-17 09:56:00 ID : CLA-2005:953

RELEVANT
RELEASES : 9, 10


DESCRIPTION
KDE[1] is a very popular graphical desktop environment available for GNU/Linux and other operating systems.

This announcement fixes the following vulnerabilities:

1. Local denial of service vulnerability[2] in DCOP daemon
A local user can lock up the dcopserver of any other user on the same host by stalling the DCOP authentication process. This can cause a significant reduction in desktop functionality for the affected users including, but not limited to, the inability to browse the internet and the inability to start new applications.

2. Homograph vulnerability[3] in Konqueror
IDN allows a website to use a wide range of international characters in its domain name. Unfortunately, some of these characters have a strong resemblance to other characters, so called homographs. This lack of visual difference can be abused by attackers to trick users into visiting malicious websites that resemble a well known and trusted website in order to obtain personal information such as credit card details.
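A defender-side check for the homograph problem described above, added here as an example and not code from KDE or Conectiva: it decodes xn-- (ACE) labels back to Unicode and flags any label whose characters come from more than one script, which is how the look-alike names described here are built. The sample hostnames are constructed.

```python
import unicodedata

# Constructed sample hostnames (not taken from the advisory). "\u0430" is
# CYRILLIC SMALL LETTER A, which renders almost identically to Latin "a".
PLAIN_HOST = "www.example.com"
MIXED_HOST = "www.ex\u0430mple.com"
# The same mixed label in the ACE ("xn--") form that actually travels in DNS,
# computed here rather than hand-typed so the sample cannot be mistyped.
ACE_HOST = "www." + "ex\u0430mple".encode("idna").decode("ascii") + ".com"


def to_unicode_label(label: str) -> str:
    """Decode an xn-- label back to Unicode; return other labels unchanged."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label  # malformed ACE label: leave it as-is
    return label


def script_of(ch: str):
    """Rough script of a character taken from its Unicode name
    ('LATIN', 'CYRILLIC', 'GREEK', ...). Digits and the hyphen are
    script-neutral and return None."""
    if ch == "-" or ch.isdigit():
        return None
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNNAMED"


def label_scripts(label: str) -> set:
    return {s for s in (script_of(ch) for ch in label) if s is not None}


def audit_hostname(host: str) -> dict:
    """Flag labels that mix scripts. Caveat: a label written entirely in one
    non-Latin script that happens to resemble a Latin name is not caught by
    this heuristic; that needs a confusables table."""
    findings = []
    for raw in host.split("."):
        label = to_unicode_label(raw)
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings.append((label, sorted(scripts)))
    return {"host": host, "suspicious": bool(findings), "labels": findings}
```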

3. Symlink vulnerability[4] in dcopidlng script
The dcopidlng script is vulnerable to symlink attacks, potentially allowing a local attacker to overwrite arbitrary files of a user when that user compiles KDE or third party KDE applications that use the dcopidlng script as part of their build process.
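The failure mode in item 3, shown as an added example that is neither the dcopidlng script nor KDE code: a scratch file opened with a plain, predictable name follows a symlink planted there, while an open with O_EXCL (and an mkstemp-generated name) refuses it. The scratch-file name "dcopidlng.tmp" is a constructed placeholder, not the script's real one.

```python
import os
import shutil
import tempfile


def write_private_file(path: str, data: bytes) -> bool:
    """Create `path` and write `data`, but only if nothing exists there yet.

    O_EXCL makes open() fail when the path already exists; for a symlink the
    check applies to the link itself, so a link planted at a predictable name
    is never followed to its target. Returns False when the write is refused."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return True


def write_unpredictable_file(directory: str, data: bytes) -> str:
    """Preferred pattern for build scratch output: an unguessable name created
    atomically by mkstemp, which uses O_CREAT|O_EXCL internally."""
    fd, path = tempfile.mkstemp(prefix="build-", dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def run_demo() -> dict:
    """Reproduce the precondition in a private directory: a symlink sits at the
    predictable scratch name, pointing at a file the writer did not intend to touch."""
    workdir = tempfile.mkdtemp()
    try:
        victims = {}
        for tag in ("unsafe", "safe"):
            victim = os.path.join(workdir, f"{tag}-victim.txt")
            with open(victim, "wb") as fh:
                fh.write(b"original")
            link = os.path.join(workdir, f"{tag}-dcopidlng.tmp")  # constructed name
            os.symlink(victim, link)
            victims[tag] = (victim, link)

        # Naive write: open(path, "wb") follows the link and truncates the target.
        with open(victims["unsafe"][1], "wb") as fh:
            fh.write(b"clobbered")
        # Hardened write: O_EXCL treats the link as "already exists" and refuses.
        accepted = write_private_file(victims["safe"][1], b"clobbered")
        safe_path = write_unpredictable_file(workdir, b"generated output")

        def contents(p):
            with open(p, "rb") as fh:
                return fh.read()

        return {
            "unsafe_clobbered": contents(victims["unsafe"][0]) == b"clobbered",
            "safe_refused": not accepted,
            "safe_victim_intact": contents(victims["safe"][0]) == b"original",
            "mkstemp_created": os.path.isfile(safe_path),
        }
    finally:
        shutil.rmtree(workdir)
```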

4. Weak input validation vulnerability[5] in kimgio
kimgio contains a PCX image file format reader that does not properly perform input validation. A source code audit performed by the KDE security team discovered several vulnerabilities in the PCX and other image file format readers, some of them exploitable to execute arbitrary code.

5. Arbitrary code execution vulnerability[6] in Kommander
Kommander executes data files from possibly untrusted locations without asking the user for confirmation. Since these files can contain scripts, the user might accidentally run arbitrary code.

SOLUTION
It is recommended that all users of the KDE desktop, including those who use other desktops and only use certain KDE components such as Konqueror, upgrade their KDE packages.

IMPORTANT: in order to close the vulnerabilities, all KDE applications have to be restarted.

REFERENCES
1. http://www.kde.org
2. http://www.kde.org/info/security/advisory-20050316-1.txt
3. http://www.kde.org/info/security/advisory-20050316-2.txt
4. http://www.kde.org/info/security/advisory-20050316-3.txt
5. http://www.kde.org/info/security/advisory-20050421-1.txt
6. http://www.kde.org/info/security/advisory-20050420-1.txt

UPDATED PACKAGES

ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM package upgrades:

  • run: apt-get update
  • after that, execute: apt-get upgrade

Detailed instructions regarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en
Copyright (c) 2004 Conectiva Inc.
http://www.conectiva.com

Fedora Core


Fedora Update Notification
FEDORA-2005-373
2005-05-17

Product : Fedora Core 3
Name : squid
Version : 2.5.STABLE9
Release : 1.FC3.6
Summary : The Squid proxy caching server.

Description :
Squid is a high-performance proxy caching server for Web clients, supporting FTP, gopher, and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process. Squid keeps meta data and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests.

Squid consists of a main server program squid, a Domain Name System lookup program (dnsserver), a program for retrieving FTP data (ftpget), and some management and client tools.


  • Mon May 16 2005 Jay Fenlason <fenlason@redhat.com> 7:2.5.STABLE9-1.FC3.6
    • More upstream patches, including ones for
      bz#157456 CAN-2005-1519 DNS lookups unreliable on untrusted networks
      bz#156162 CVE-1999-0710 cachemgr.cgi access control bypass
    • The following bugs had already been fixed, but the announcements were lost
      bz#156711 CAN-2005-1390 HTTP Request Smuggling Vulnerabilities
      bz#156703 CAN-2005-1389 HTTP Response Splitting Vulnerabilities (Both fixed by squid-7:2.5.STABLE8-1.FC3.1)
      bz#151419 Unexpected access control results on configuration errors (Fixed by 7:2.5.STABLE9-1.FC3.2)
      bz#152647 squid-2.5.STABLE9-1.FC3.4.x86_64.rpm is broken (fixed by 7:2.5.STABLE9-1.FC3.5)
      bz#141938 squid ldap authentication broken (Fixed by 7:2.5.STABLE7-1.FC3)
  • Fri Apr 1 2005 Jay Fenlason <fenlason@redhat.com> 7:2.5.STABLE9-1.FC3.5
    • More upstream patches, including a new version of the -2GB patch that doesn't break diskd.

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/


This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.


Gentoo Linux


Gentoo Linux Security Advisory GLSA 200505-13

http://security.gentoo.org/


Severity: High
Title: FreeRADIUS: Buffer overflow and SQL injection vulnerability
Date: May 17, 2005
Bugs: #91736
ID: 200505-13


Synopsis

The FreeRADIUS server is vulnerable to a buffer overflow and an SQL injection attack, possibly allowing the compromise of the system.

Background

FreeRADIUS is an open source RADIUS authentication server implementation.

Affected packages


     Package                /  Vulnerable  /                Unaffected

  1  net-dialup/freeradius     < 1.0.2-r3                  >= 1.0.2-r3

Description

Primoz Bratanic discovered that the sql_escape_func function of FreeRADIUS may be vulnerable to a buffer overflow (BID 13541). He also discovered that FreeRADIUS fails to sanitize user input before using it in a SQL query, possibly allowing SQL command injection (BID 13540).

Impact

By supplying carefully crafted input, a malicious user could cause a buffer overflow or an SQL injection, possibly leading to the execution of arbitrary code or to the disclosure or modification of sensitive data.

Workaround

There are no known workarounds at this time.

Resolution

All FreeRADIUS users should upgrade to the latest available version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-dialup/freeradius-1.0.2-r3"

References

[ 1 ] BugTraq ID 13540

http://www.securityfocus.com/bid/13540/

[ 2 ] BugTraq ID 13541

http://www.securityfocus.com/bid/13541/

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200505-13.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

Mandriva Linux


Mandriva Linux Security Update Advisory


Package name: mozilla
Advisory ID: MDKSA-2005:088-1
Date: May 17th, 2005
Original Advisory Date: May 13th, 2005
Affected versions: 10.2


Problem Description:

The previously-released firefox updates were no longer able to download extensions for firefox due to strict version checking. This update fixes the problem by changing the version firefox reports from 1.0.2 to 1.0.4, allowing for extensions to be downloaded again.


Updated Packages:



To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>


Red Hat Linux

Red Hat Security Advisory

Synopsis: Moderate: ncpfs security update
Advisory ID: RHSA-2005:371-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2005-371.html
Issue date: 2005-05-17
Updated on: 2005-05-17
Product: Red Hat Enterprise Linux
CVE Names: CAN-2005-0013


1. Summary:

An updated ncpfs package is now available.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386

3. Problem description:

Ncpfs is a file system that understands the Novell NetWare(TM) NCP protocol.

A bug was found in the way ncpfs handled file permissions. ncpfs did not sufficiently check if the file owner matched the user attempting to access the file, potentially violating the file permissions. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2005-0013 to this issue.

All users of ncpfs are advised to upgrade to this updated package, which contains backported fixes for this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.

5. RPMs required:


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

6. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0013

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://www.redhat.com/security/team/contact/

Copyright 2005 Red Hat, Inc.


Red Hat Security Advisory

Synopsis: Important: kdelibs security update
Advisory ID: RHSA-2005:393-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2005-393.html
Issue date: 2005-05-17
Updated on: 2005-05-17
Product: Red Hat Enterprise Linux
CVE Names: CAN-2005-1046


1. Summary:

Updated kdelibs packages that fix a flaw in kimgio input validation are now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Problem description:

KDE is a graphical desktop environment for the X Window System. Konqueror is the file manager for the K Desktop Environment.

A source code audit performed by the KDE security team discovered several vulnerabilities in the PCX and other image file format readers.

A buffer overflow was found in the kimgio library for KDE 3.4.0. An attacker could create a carefully crafted PCX image in such a way that it would cause kimgio to execute arbitrary code when processing the image. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2005-1046 to this issue.
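The input-validation checks at issue in the kimgio PCX reader (item 4 of the Conectiva advisory above and this Red Hat description), shown as an added example that is not KDE's code or either vendor's: a small PCX header parser and RLE scanline decoder in Python that rejects a declared geometry the data cannot satisfy and a run that would write past the scanline buffer. The sample files are constructed in the block.

```python
import struct

# PCX header layout (128 bytes, little-endian), per the ZSoft format.
PCX_HEADER = struct.Struct("<BBBBHHHHHH48sBBHHHH54s")
MAX_DIM = 1 << 15  # policy cap: refuse absurd geometries before sizing buffers


class PcxError(ValueError):
    pass


def parse_header(data: bytes) -> dict:
    """Validate the header fields a decoder later trusts for buffer sizes."""
    if len(data) < PCX_HEADER.size:
        raise PcxError("truncated header")
    (manuf, _ver, enc, bpp, xmin, ymin, xmax, ymax, _hd, _vd, _pal, _res,
     planes, bpl, _pinfo, _hs, _vs, _fill) = PCX_HEADER.unpack_from(data)
    if manuf != 0x0A:
        raise PcxError("not a PCX file")
    if enc not in (0, 1) or bpp not in (1, 2, 4, 8) or planes not in (1, 3, 4):
        raise PcxError("unsupported encoding/depth/plane count")
    width, height = xmax - xmin + 1, ymax - ymin + 1
    if not (0 < width <= MAX_DIM and 0 < height <= MAX_DIM):
        raise PcxError("bad image dimensions")
    if bpl < (width * bpp + 7) // 8:  # the declared line must hold the pixels
        raise PcxError("bytes-per-line smaller than image width")
    return {"width": width, "height": height, "bpp": bpp, "planes": planes,
            "bytes_per_line": bpl, "encoding": enc}


def decode_scanline(data: bytes, pos: int, line_len: int):
    """RLE-decode one scanline; every write is bounded by line_len."""
    out = bytearray(line_len)
    i = 0
    while i < line_len:
        if pos >= len(data):
            raise PcxError("truncated image data")
        b = data[pos]
        pos += 1
        if b & 0xC0 == 0xC0:          # run marker: low 6 bits = count, next byte = value
            count = b & 0x3F
            if pos >= len(data):
                raise PcxError("truncated run")
            value = data[pos]
            pos += 1
        else:                         # literal byte
            count, value = 1, b
        if i + count > line_len:      # the unchecked case that overflows a fixed buffer
            raise PcxError("run overflows scanline")
        out[i:i + count] = bytes([value]) * count
        i += count
    return bytes(out), pos


def decode_pcx(data: bytes):
    hdr = parse_header(data)
    line_len = hdr["bytes_per_line"] * hdr["planes"]
    pos, rows = PCX_HEADER.size, []
    for _ in range(hdr["height"]):
        if hdr["encoding"] == 0:      # uncompressed: still bounds-check the read
            if pos + line_len > len(data):
                raise PcxError("truncated image data")
            row, pos = data[pos:pos + line_len], pos + line_len
        else:
            row, pos = decode_scanline(data, pos, line_len)
        rows.append(row)
    return hdr, rows


def check_pcx(data: bytes) -> str:
    """Return 'ok' or the reason the file was rejected."""
    try:
        decode_pcx(data)
        return "ok"
    except PcxError as e:
        return str(e)


def build_header(width, height, bytes_per_line, bpp=8, planes=1):
    """Constructed RLE header for the samples below (not from any real file)."""
    return PCX_HEADER.pack(0x0A, 5, 1, bpp, 0, 0, width - 1, height - 1, 72, 72,
                           b"\0" * 48, 0, planes, bytes_per_line, 1, 0, 0, b"\0" * 54)


# Constructed samples: a well-formed 4x2 8-bit image and three malformed ones.
VALID_PCX = build_header(4, 2, 4) + b"\xC4\x11" + b"\x01\x02\x03\x04"
OVERLONG_RUN_PCX = build_header(4, 2, 4) + b"\xFF\x41"   # 63-byte run into a 4-byte line
BAD_BPL_PCX = build_header(4, 2, 2) + b"\xC4\x11"        # width 4 but only 2 bytes per line
TRUNCATED_PCX = build_header(4, 2, 4) + b"\xC4"           # run marker with no value byte
```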

All users of kdelibs should upgrade to these updated packages, which contain a backported security patch to correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. RPMs required:


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

6. References:

http://bugs.kde.org/102328
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1046

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://www.redhat.com/security/team/contact/

Copyright 2005 Red Hat, Inc.


Red Hat Security Advisory

Synopsis: Moderate: cyrus-imapd security update
Advisory ID: RHSA-2005:408-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2005-408.html
Issue date: 2005-05-17
Updated on: 2005-05-17
Product: Red Hat Enterprise Linux
CVE Names: CAN-2005-0546


1. Summary:

Updated cyrus-imapd packages that fix several buffer overflow security issues are now available.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Problem description:

The cyrus-imapd package contains the core of the Cyrus IMAP server.

Several buffer overflow bugs were found in cyrus-imapd. It is possible that an authenticated malicious user could cause the imap server to crash. Additionally, a peer news admin could potentially execute arbitrary code on the imap server when news is received using the fetchnews command. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2005-0546 to this issue.

Users of cyrus-imapd are advised to upgrade to these updated packages, which contain cyrus-imapd version 2.2.12 to correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. RPMs required:


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

6. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0546

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://www.redhat.com/security/team/contact/

Copyright 2005 Red Hat, Inc.