Linux Today: Linux News On Internet Time.
Advisories: July 13, 2005

Jul 14, 2005, 04:45

Debian GNU/Linux


Debian Security Advisory DSA 754-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 13th, 2005 http://www.debian.org/security/faq


Package : centericq
Vulnerability : insecure temporary file
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2005-1914
BugTraq ID : 14144

Eric Romang discovered that centericq, a text-mode multi-protocol instant messenger client, creates some temporary files with predictable filenames and is hence vulnerable to symlink attacks by local attackers.
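As an added example (not code from the advisory or from centericq), the mitigation for the bug class DSA 754 describes: a temporary file created with mkstemp() under a restrictive umask and then checked before use, so a pre-placed symlink at a guessable name cannot redirect the write. All function names are this example's own, and it assumes a POSIX/Linux system.

```c
/* Added example, not code from the advisory or from centericq: creating a
 * temporary file so that a pre-placed symlink at a guessable path (the
 * problem class DSA 754 describes) can never redirect the write.
 * Defence 1: mkstemp() picks an unpredictable name and opens it with
 *            O_CREAT|O_EXCL, so an existing path or symlink is refused.
 * Defence 2: after opening, verify the descriptor is a regular file we
 *            own, with no group/other access, and still at the path.
 * Function names below are this example's own. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Directory for temporaries: honour TMPDIR, fall back to /tmp. */
static const char *tmp_dir(void) {
    const char *d = getenv("TMPDIR");
    return (d && *d) ? d : "/tmp";
}

/* Open a private temporary file.  On success returns a descriptor and
 * leaves the generated path in path_out; returns -1 on failure. */
int open_private_tempfile(const char *prefix, char *path_out, size_t path_len) {
    int n = snprintf(path_out, path_len, "%s/%s.XXXXXX", tmp_dir(), prefix);
    if (n < 0 || (size_t)n >= path_len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* Create the file 0600 regardless of the caller's umask. */
    mode_t old = umask(077);
    int fd = mkstemp(path_out);
    umask(old);
    return fd;
}

/* Returns 0 if fd is a safe temporary file, -1 otherwise: regular file,
 * owned by the effective uid, no group/other bits, and the same inode
 * as the path (so nothing was swapped in between creation and use). */
int tempfile_is_safe(int fd, const char *path) {
    struct stat fs, ls;
    if (fstat(fd, &fs) != 0 || lstat(path, &ls) != 0) return -1;
    if (S_ISLNK(ls.st_mode) || !S_ISREG(fs.st_mode)) return -1;
    if (fs.st_uid != geteuid()) return -1;
    if ((fs.st_mode & (S_IRWXG | S_IRWXO)) != 0) return -1;
    if (fs.st_dev != ls.st_dev || fs.st_ino != ls.st_ino) return -1;
    return 0;
}

/* Write data into a fresh private temp file after validating it.
 * Returns bytes written or -1; the file is removed unless keep is set. */
long write_private_temp(const char *prefix, const char *data, int keep) {
    char path[4096];
    int fd = open_private_tempfile(prefix, path, sizeof path);
    if (fd < 0) return -1;
    long rc = -1;
    if (tempfile_is_safe(fd, path) == 0) {
        ssize_t w = write(fd, data, strlen(data));
        if (w == (ssize_t)strlen(data)) rc = (long)w;
    }
    close(fd);
    if (!keep) unlink(path);
    return rc;
}

/* Self-check: a temp file made group/other readable must be rejected.
 * Returns 1 when tempfile_is_safe() refuses it, 0 otherwise. */
int check_rejects_group_other(void) {
    char path[4096];
    int fd = open_private_tempfile("loose", path, sizeof path);
    if (fd < 0) return 0;
    int rejected = 0;
    if (fchmod(fd, 0644) == 0)
        rejected = (tempfile_is_safe(fd, path) == -1);
    close(fd);
    unlink(path);
    return rejected;
}

int main(void) {
    long n = write_private_temp("example", "hello\n", 0);
    printf("%s\n", n >= 0 ? "temp file created and validated" : "failed");
    return n >= 0 ? 0 : 1;
}
```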

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in version 4.20.0-1sarge1.

For the unstable distribution (sid) this problem has been fixed in version 4.20.0-7.

We recommend that you upgrade your centericq package.

Upgrade Instructions


wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge



These files will probably be moved into the stable distribution on its next update.


Debian Security Advisory DSA 755-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 13th, 2005 http://www.debian.org/security/faq


Package : tiff
Vulnerability : buffer overflow
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-1544
Debian Bug : 309739

Frank Warmerdam discovered a stack-based buffer overflow in libtiff, the Tag Image File Format library for processing TIFF graphics files, that can lead to the execution of arbitrary code via malformed TIFF files.

For the old stable distribution (woody) this problem has been fixed in version 3.5.5-7.

For the stable distribution (sarge) this problem has been fixed in version 3.7.2-3.

For the unstable distribution (sid) this problem has been fixed in version 3.7.2-3.

We recommend that you upgrade your libtiff packages.

Upgrade Instructions


wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody



These files will probably be moved into the stable distribution on its next update.


Debian Security Advisory DSA 756-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 13th, 2005 http://www.debian.org/security/faq


Package : squirrelmail
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE IDs : CAN-2005-1769 CAN-2005-2095
Debian Bug : 314374 317094

Several vulnerabilities have been discovered in Squirrelmail, a commonly used webmail system. The Common Vulnerabilities and Exposures project identifies the following problems:

CAN-2005-1769

Martijn Brinkers discovered cross-site scripting vulnerabilities that allow remote attackers to inject arbitrary web script or HTML in the URL and e-mail messages.

CAN-2005-2095

James Bercegay of GulfTech Security discovered a vulnerability in the variable handling which could lead to attackers altering other people's preferences and possibly reading them, writing files at any location writable for www-data and cross site scripting.

For the old stable distribution (woody) these problems have been fixed in version 1.2.6-4.

For the stable distribution (sarge) these problems have been fixed in version 1.4.4-6sarge1.

For the unstable distribution (sid) these problems have been fixed in version 1.4.4-6sarge1.

We recommend that you upgrade your squirrelmail package.

Upgrade Instructions


wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody



Debian GNU/Linux 3.1 alias sarge



These files will probably be moved into the stable distribution on its next update.


For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Fedora Core


Fedora Update Notification
FEDORA-2005-561
2005-07-13

Product : Fedora Core 4
Name : net-snmp
Version : 5.2.1.2
Release : fc4.1
Summary : A collection of SNMP protocol tools and libraries.

Description :
SNMP (Simple Network Management Protocol) is a protocol used for network management. The NET-SNMP project includes various SNMP tools: an extensible agent, an SNMP library, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which uses SNMP, and a Tk/Perl mib browser. This package contains the snmpd and snmptrapd daemons, documentation, etc.

You will probably also want to install the net-snmp-utils package, which contains NET-SNMP utilities.

Building option:

--without tcp_wrappers : disable tcp_wrappers support


Update Information:

A security vulnerability has been found in Net-SNMP releases that could allow a denial of service attack against Net-SNMP agents which have opened a stream-based protocol (e.g. TCP but not UDP; it should be noted that Net-SNMP does not by default open a TCP port).

http://sourceforge.net/mailarchive/forum.php?thread_id=7659656&forum_id=12455


  • Wed Jul 13 2005 Radek Vokal <rvokal@redhat.com> - 5.2.1.2-fc4.1
    • CAN-2005-2177 new upstream version fixing DoS (#162908)
  • Tue May 31 2005 Radek Vokal <rvokal@redhat.com> - 5.2.1-13
    • CAN-2005-1740 net-snmp insecure temporary file usage (#158770)
    • patch from suse.de

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/


This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.



Fedora Update Notification
FEDORA-2005-562
2005-07-13

Product : Fedora Core 3
Name : net-snmp
Version : 5.2.1.2
Release : FC3.1
Summary : A collection of SNMP protocol tools and libraries.

Description :
SNMP (Simple Network Management Protocol) is a protocol used for network management. The NET-SNMP project includes various SNMP tools: an extensible agent, an SNMP library, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which uses SNMP, and a Tk/Perl mib browser. This package contains the snmpd and snmptrapd daemons, documentation, etc.

You will probably also want to install the net-snmp-utils package, which contains NET-SNMP utilities.

Building option:

--without tcp_wrappers : disable tcp_wrappers support


  • Wed Jul 13 2005 Radek Vokal <rvokal@redhat.com>
    • CAN-2005-2177 new upstream version fixing DoS (#162908)
    • CAN-2005-1740 net-snmp insecure temporary file usage (#158770)
    • session free fixed, agentx modules build fine (#157851)
    • report gigabit Ethernet speeds using Ethtool (#152480)

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/



This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.



Fedora Update Notification
FEDORA-2005-565
2005-07-13

Product : Fedora Core 4
Name : rpm
Version : 4.4.1
Release : 22
Summary : The RPM package management system.

Description :
The RPM Package Manager (RPM) is a powerful command line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages. Each software package consists of an archive of files along with information about the package like its version, a description, etc.


Update Information:

This update corrects security problem CAN-2005-2096.


  • Wed Jul 13 2005 Paul Nasrat <pnasrat@redhat.com> - 4.4.1-22
    • zlib fix for CAN-2005-2096

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/


This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.


Gentoo Linux


Gentoo Linux Security Advisory GLSA 200507-12

http://security.gentoo.org/


Severity: Low
Title: Bugzilla: Unauthorized access and information disclosure
Date: July 13, 2005
Bugs: #98348
ID: 200507-12


Synopsis

Multiple vulnerabilities in Bugzilla could allow remote users to modify bug flags or gain sensitive information.

Background

Bugzilla is a web-based bug-tracking system used by many projects.

Affected packages


     Package            /  Vulnerable  /                    Unaffected

  1  www-apps/bugzilla      < 2.18.3                         >= 2.18.3

Description

Bugzilla allows any user to modify the flags of any bug (CAN-2005-2173). Bugzilla inserts bugs into the database before marking them as private; in connection with MySQL replication this could lead to a race condition (CAN-2005-2174).

Impact

By manually changing the URL to process_bug.cgi, a remote attacker could modify the flags of any given bug, which could trigger an email including the bug summary to be sent to the attacker. The race condition when using Bugzilla with MySQL replication could lead to a short timespan (usually less than a second) where the summary of private bugs is exposed to all users.

Workaround

There are no known workarounds at this time.

Resolution

All Bugzilla users should upgrade to the latest available version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/bugzilla-2.18.3"

References

[ 1 ] CAN-2005-2173

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2173

[ 2 ] CAN-2005-2174

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2174

[ 3 ] Bugzilla Security Advisory

http://www.bugzilla.org/security/2.18.1/

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200507-12.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0