Advisories, December 19, 2005

Dec 20, 2005, 04:45

Debian GNU/Linux


Debian Security Advisory DSA 923-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
December 19th, 2005 http://www.debian.org/security/faq


Package : dropbear
Vulnerability : buffer overflow
Problem type : local (remote)
Debian-specific: no
CVE ID : CVE-2005-4178

A buffer overflow has been discovered in dropbear, a lightweight SSH2 server and client, that may allow authenticated users to execute arbitrary code as the server user (usually root).

The old stable distribution (woody) does not contain dropbear packages.

For the stable distribution (sarge) this problem has been fixed in version 0.45-2sarge0.

For the unstable distribution (sid) this problem has been fixed in version 0.47-1.

We recommend that you upgrade your dropbear package.

Upgrade Instructions


wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge



These files will probably be moved into the stable distribution on its next update.


For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Fedora Core


Fedora Update Notification
FEDORA-2005-1169
2005-12-17

Product : Fedora Core 4
Name : xpdf
Version : 3.01
Release : 0.FC4.5
Summary : A PDF file viewer for the X Window System.

Description :
Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. Xpdf is a small and efficient program which uses standard X fonts.


Update Information:

Several flaws were discovered in Xpdf. An attacker could construct a carefully crafted PDF file that could cause xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-3193 to these issues.

Users of xpdf should upgrade to this updated package, which contains a patch to resolve these issues.


  • Wed Dec 14 2005 Kristian Hägsberg <krh@redhat.com> 1:3.01-0.FC4.5
    • Bump release.
    • Update sources file and drop t1lib support entirely.
  • Wed Dec 14 2005 Kristian Hägsberg <krh@redhat.com> 1:3.01-0.FC4.4
    • Add xpdf-3.01-CVE-2005-3191.patch to fix security bug #173888 and merge embargo branch back to FC-4

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/


This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.



Fedora Update Notification
FEDORA-2005-1171
2005-12-19

Product : Fedora Core 4
Name : poppler
Version : 0.4.3
Release : 1.3
Summary : PDF rendering library

Description :
Poppler is a PDF rendering library, a fork of the xpdf PDF viewer developed by Derek Noonburg of Glyph and Cog, LLC.


Update Information:

Several more flaws were discovered in Xpdf, which poppler is based on. An attacker could construct a carefully crafted PDF file that could cause poppler to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-3193 to these issues.


  • Fri Dec 16 2005 Kristian Hägsberg <krh@redhat.com> 0.4.3-1.3
    • Add remaining bits of CVE-2005-3191 fix.
  • Tue Dec 13 2005 Kristian Hägsberg <krh@redhat.com> 0.4.3-1.2
    • Add missing build requires.
  • Mon Dec 12 2005 Kristian Hägsberg <krh@redhat.com> 0.4.3-1.1
    • Update to 0.4.3.

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/


This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.


Fedora Legacy


Fedora Legacy Update Advisory

Synopsis: Updated redhat-config-nfs package fixes security issue
Advisory ID: FLSA:152787
Issue date: 2005-12-17
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2004-0750



1. Topic:

An updated redhat-config-nfs package that fixes a security issue is now available.

redhat-config-nfs is a graphical user interface for creating, modifying, and deleting nfs shares.

2. Relevant releases/architectures:

Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

John Buswell discovered a flaw in redhat-config-nfs that could lead to incorrect permissions on exported shares when exporting to multiple hosts. This could cause an option such as "all_squash" to not be applied to all of the listed hosts. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CVE-2004-0750 to this issue.

Additionally, a bug was found that prevented redhat-config-nfs from being run if hosts didn't have options set in /etc/exports.

All users of redhat-config-nfs should upgrade to this updated package, which includes a patch to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152787

6. RPMs required:

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/redhat-config-nfs-1.0.13-6.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/redhat-config-nfs-1.0.13-6.legacy.noarch.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/redhat-config-nfs-1.1.3-3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/redhat-config-nfs-1.1.3-3.legacy.noarch.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/system-config-nfs-1.2.3-5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/system-config-nfs-1.2.3-5.legacy.noarch.rpm

7. Verification:


These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0750

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org



Fedora Legacy Update Advisory

Synopsis: Updated lynx package fixes security issues
Advisory ID: FLSA:152832
Issue date: 2005-12-17
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-2929 CVE-2005-3120



1. Topic:

An updated lynx package that corrects security issues is now available.

Lynx is a text-based Web browser.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

An arbitrary command execution bug was found in the lynx "lynxcgi:" URI handler. An attacker could create a web page redirecting to a malicious URL which could execute arbitrary code as the user running lynx. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2929 to this issue.

Ulf Harnhammar discovered a stack overflow bug in Lynx when handling connections to NNTP (news) servers. An attacker could create a web page redirecting to a malicious news server which could execute arbitrary code as the user running lynx. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3120 to this issue.

Users should update to this erratum package, which contains backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152832

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/

7. Verification:


These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2929
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3120

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org



Fedora Legacy Update Advisory

Synopsis: Updated a2ps package fixes security issue
Advisory ID: FLSA:152870
Issue date: 2005-12-17
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2004-1170



1. Topic:

An updated a2ps package that fixes a security bug is now available.

The a2ps filter converts text and other types of files to PostScript format.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

A problem was discovered in the way a2ps handles filenames that include shell metacharacters. An attacker could use this flaw to execute arbitrary commands by providing a filename that includes metacharacters as an argument. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CVE-2004-1170 to this issue.

All users of a2ps should upgrade to this updated package, which includes a patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152870

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/a2ps-4.13b-19.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/a2ps-4.13b-19.2.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/a2ps-4.13b-28.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/a2ps-4.13b-28.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/a2ps-4.13b-30.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/a2ps-4.13b-30.2.legacy.i386.rpm

7. Verification:


These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1170

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org



Fedora Legacy Update Advisory

Synopsis: Updated enscript package fixes security issues
Advisory ID: FLSA:152892
Issue date: 2005-12-17
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2004-1184 CVE-2004-1185 CVE-2004-1186



1. Topic:

An updated enscript package that fixes several security issues is now available.

GNU enscript converts ASCII files to PostScript.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

Enscript has the ability to interpret special escape sequences. A flaw was found in the handling of the epsf command used to insert inline EPS files into a document. An attacker could create a carefully crafted ASCII file which made use of the epsf pipe command in such a way that it could execute arbitrary commands if the file was opened with enscript by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CVE-2004-1184 to this issue.

Additional flaws in Enscript were also discovered which can only be triggered by executing enscript with carefully crafted command line arguments. These flaws therefore only have a security impact if enscript is executed by other programs and passed untrusted data from remote users. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the names CVE-2004-1185 and CVE-2004-1186 to these issues.

All users of enscript should upgrade to these updated packages, which resolve these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152892

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/enscript-1.6.1-19.73.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/enscript-1.6.1-19.73.2.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/enscript-1.6.1-24.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/enscript-1.6.1-24.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/enscript-1.6.1-25.1.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/enscript-1.6.1-25.1.1.legacy.i386.rpm

7. Verification:


These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1184
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1185
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1186

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org



Fedora Legacy Update Advisory

Synopsis: Updated gtk2 packages fix security issues
Advisory ID: FLSA:155510
Issue date: 2005-12-17
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2004-0753 CVE-2004-0782 CVE-2004-0783 CVE-2004-0788 CVE-2005-0891



1. Topic:

Updated gtk2 packages that fix several security flaws are now available.

The gtk2 package contains the GIMP ToolKit (GTK+), a library for creating graphical user interfaces for the X Window System.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

During testing of a previously fixed flaw in Qt (CVE-2004-0691), a flaw was discovered in the BMP image processor of gtk2. An attacker could create a carefully crafted BMP file which would cause an application to enter an infinite loop and not respond to user input when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CVE-2004-0753 to this issue.

During a security audit Chris Evans discovered a stack and a heap overflow in the XPM image decoder. An attacker could create a carefully crafted XPM file which could cause an application linked with gtk2 to crash or possibly execute arbitrary code when the file was opened by a victim. (CVE-2004-0782, CVE-2004-0783)

Chris Evans also discovered an integer overflow in the ICO image decoder. An attacker could create a carefully crafted ICO file which could cause an application linked with gtk2 to crash when the file was opened by a victim. (CVE-2004-0788)

A bug was found in the way gtk2 processes BMP images. It is possible that a specially crafted BMP image could cause a denial of service attack on applications linked against gtk2. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CVE-2005-0891 to this issue.

Users of gtk2 are advised to upgrade to these packages which contain backported patches and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=155510

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/gtk2-2.0.2-4.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/gtk2-2.0.2-4.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/gtk2-devel-2.0.2-4.2.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/gtk2-2.2.1-4.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/gtk2-2.2.1-4.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/gtk2-devel-2.2.1-4.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/gtk2-2.2.4-10.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/gtk2-2.2.4-10.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/gtk2-devel-2.2.4-10.3.legacy.i386.rpm

7. Verification:


These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>
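The verification step that sections 7 of the Fedora Legacy advisories above (FLSA:152787, 152832, 152870, 152892 and 155510) describe, as an added shell example that is not part of the advisories: it turns the "SHA1 sum Package Name" listing into sha1sum input and checks whichever listed packages were actually downloaded. Assumed: GNU coreutils (sha1sum, mktemp), packages saved under their basename, and a constructed stand-in package and listing for the demo.

```sh
#!/bin/sh
# Added example (not from the advisories): verify downloaded Fedora Legacy RPMs
# against the "SHA1 sum Package Name" listing in section 7 of an FLSA advisory.
# Assumption: each package was saved under its basename, i.e. the last component
# of the advisory path (redhat/9/updates/i386/<pkg>.rpm -> <pkg>.rpm).
# A matching SHA-1 only shows the file is the one the advisory lists; who
# published it is established by the GPG signature, i.e. "rpm --checksig -v"
# with the Fedora Legacy key imported, which this script does not replace.

set -u

# Turn the advisory listing into "<sha1>  <basename>" lines. The header line,
# blank lines and anything that is not 40 hex digits followed by a path are
# dropped, so a listing pasted straight out of the advisory works as input.
flsa_to_sha1sum_input() {
    sed -n 's#^\([0-9a-f]\{40\}\)[[:space:]]\{1,\}.*/\([^/[:space:]]\{1,\}\)[[:space:]]*$#\1  \2#p' "$1"
}

# Check every listed package that exists in DIR. Prints one status line per
# package: OK, MISMATCH, or SKIPPED (listed but not downloaded, e.g. the SRPM).
# Returns 1 if any present package has the wrong SHA-1, 0 otherwise.
verify_flsa_sums() {
    listing=$1
    dir=$2
    rc=0
    parsed=$(mktemp) || return 2
    flsa_to_sha1sum_input "$listing" > "$parsed"
    while read -r sum name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            printf 'SKIPPED  %s (not downloaded)\n' "$name"
            continue
        fi
        actual=$(sha1sum -- "$dir/$name" | cut -d' ' -f1)
        if [ "$actual" = "$sum" ]; then
            printf 'OK       %s\n' "$name"
        else
            printf 'MISMATCH %s\n  expected %s\n  got      %s\n' "$name" "$sum" "$actual"
            rc=1
        fi
    done < "$parsed"
    rm -f "$parsed"
    return "$rc"
}

# Build a constructed demo: a stand-in "package" plus a listing in the
# advisory's format (header line, blank line, one entry for the file we have
# and one for an SRPM we did not download, with a placeholder all-zero SHA-1).
# Prints the directory path.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    pkg=redhat-config-nfs-1.0.13-6.legacy.noarch.rpm
    printf 'constructed stand-in for an RPM payload\n' > "$d/$pkg"
    sum=$(sha1sum -- "$d/$pkg" | cut -d' ' -f1)
    {
        printf 'SHA1 sum Package Name\n\n'
        printf '%s redhat/9/updates/i386/%s\n' "$sum" "$pkg"
        printf '%s redhat/9/updates/SRPMS/%s\n' \
            0000000000000000000000000000000000000000 \
            redhat-config-nfs-1.0.13-6.legacy.src.rpm
    } > "$d/listing.txt"
    printf '%s\n' "$d"
}

# Stand-alone run: verify the intact demo, then append a byte to the package
# and verify again to show the MISMATCH path.
demo() {
    d=$(make_demo_dir) || return 1
    echo "== intact download =="
    verify_flsa_sums "$d/listing.txt" "$d" && echo "result: all present packages OK"
    printf 'tampered\n' >> "$d/redhat-config-nfs-1.0.13-6.legacy.noarch.rpm"
    echo "== after modification =="
    if verify_flsa_sums "$d/listing.txt" "$d"; then
        echo "result: unexpected OK"
    else
        echo "result: mismatch detected, do not install"
    fi
    rm -rf "$d"
}

demo
```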

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0782
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0788
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0891

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org



Fedora Legacy Update Advisory

Synopsis: Updated openssl packages fix security issues
Advisory ID: FLSA:166939
Issue date: 2005-12-17
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2004-0079 CVE-2005-0109 CVE-2005-2969



1. Topic:

Updated OpenSSL packages that fix security issues are now available.

OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

OpenSSL contained a software work-around for a bug in SSL handling in Microsoft Internet Explorer version 3.0.2. This work-around is enabled in most servers that use OpenSSL to provide support for SSL and TLS. Yutaka Oiwa discovered that this work-around could allow an attacker, acting as a "man in the middle", to force an SSL connection to use SSL 2.0 rather than a stronger protocol such as SSL 3.0 or TLS 1.0. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CVE-2005-2969 to this issue.

A bug was fixed in the way OpenSSL creates DSA signatures. A previous advisory fixed a cache timing attack by making OpenSSL perform its private key calculations within a fixed time window. The DSA part of that fix was not complete, and the calculations are not always performed within a fixed window. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CVE-2005-0109 to this issue.

Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a null-pointer assignment in the do_change_cipher_spec() function. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server that uses the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the server this could lead to a denial of service. (CVE-2004-0079)

Users are advised to update to these errata packages, which contain patches to correct these issues.

Note: After installing this update, users are advised to either restart all services that use OpenSSL or restart their system.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166939

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/openssl095a-0.9.5a-24.7.6.legacy.src.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/openssl096-0.9.6-25.11.legacy.src.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/openssl-0.9.6b-39.10.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl095a-0.9.5a-24.7.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl096-0.9.6-25.11.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl-0.9.6b-39.10.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl-0.9.6b-39.10.legacy.i686.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl-devel-0.9.6b-39.10.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl-perl-0.9.6b-39.10.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/openssl096-0.9.6-25.12.legacy.src.rpm
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/openssl096b-0.9.6b-15.3.legacy.src.rpm
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/openssl-0.9.7a-20.6.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/openssl096-0.9.6-25.12.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssl096b-0.9.6b-15.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssl-0.9.7a-20.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssl-0.9.7a-20.6.legacy.i686.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssl-devel-0.9.7a-20.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssl-perl-0.9.7a-20.6.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/openssl096-0.9.6-26.3.legacy.src.rpm
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/openssl096b-0.9.6b-18.3.legacy.src.rpm
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/openssl-0.9.7a-33.13.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/openssl096-0.9.6-26.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssl096b-0.9.6b-18.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssl-0.9.7a-33.13.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssl-0.9.7a-33.13.legacy.i686.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssl-devel-0.9.7a-33.13.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssl-perl-0.9.7a-33.13.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/openssl096b-0.9.6b-20.3.legacy.src.rpm
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/openssl-0.9.7a-35.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/openssl096b-0.9.6b-20.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/openssl-0.9.7a-35.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/openssl-0.9.7a-35.2.legacy.i686.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/openssl-devel-0.9.7a-35.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/openssl-perl-0.9.7a-35.2.legacy.i386.rpm

7. Verification:

SHA1 sum Package Name


772eb428fce0f9244879936da6de8540c4a0da19 redhat/7.3/updates/i386/openssl095a-0.9.5a-24.7.6.legacy.i386.rpm
2abb561452161340c02522e5b304685bded02acc redhat/7.3/updates/i386/openssl096-0.9.6-25.11.legacy.i386.rpm
1c00535c2fd6314aba666132c49b62850387fa2e redhat/7.3/updates/i386/openssl-0.9.6b-39.10.legacy.i386.rpm
eb04713acd216bf3e2b46ed11f5627af2937d726 redhat/7.3/updates/i386/openssl-0.9.6b-39.10.legacy.i686.rpm
5339f0df2ca59678b043c356000c80d6a06350e9 redhat/7.3/updates/i386/openssl-devel-0.9.6b-39.10.legacy.i386.rpm
602fb4b040aa26656f60771e56495f894da7a7d1 redhat/7.3/updates/i386/openssl-perl-0.9.6b-39.10.legacy.i386.rpm
94c051599af2faaaf771df548c801d8f046b2d94 redhat/7.3/updates/SRPMS/openssl095a-0.9.5a-24.7.6.legacy.src.rpm
876c535d8b28b2ffa22be646aa7021c57a62046c redhat/7.3/updates/SRPMS/openssl096-0.9.6-25.11.legacy.src.rpm
046b9d93eee9dcd9b69f89f185ad3065c78fd4ec redhat/7.3/updates/SRPMS/openssl-0.9.6b-39.10.legacy.src.rpm
a404db788cdcdf1b267dde272dd6db3cf1891ba2 redhat/9/updates/i386/openssl096-0.9.6-25.12.legacy.i386.rpm
11cf0a7546f054b5fcff676a88deb27e45cdb0cd redhat/9/updates/i386/openssl096b-0.9.6b-15.3.legacy.i386.rpm
62eb39923eb2a98a1749a58a28fce5c425587387 redhat/9/updates/i386/openssl-0.9.7a-20.6.legacy.i386.rpm
e97a1fb8963711a2c97e298173d30fe64abd7a3f redhat/9/updates/i386/openssl-0.9.7a-20.6.legacy.i686.rpm
dca80e912b43137b71e966cdc956b50324fd59fc redhat/9/updates/i386/openssl-devel-0.9.7a-20.6.legacy.i386.rpm
1f34a94f36d3b7fa56b633fc134eac3d99a08f45 redhat/9/updates/i386/openssl-perl-0.9.7a-20.6.legacy.i386.rpm
daa7c0eb8f988a152db550398ec6c3e9ad08418e redhat/9/updates/SRPMS/openssl096-0.9.6-25.12.legacy.src.rpm
beff357b1eabf4dbd89bd2776d83ad8157e4668b redhat/9/updates/SRPMS/openssl096b-0.9.6b-15.3.legacy.src.rpm
d010302930f88638255581d7f4d8d245fc5f1f4f redhat/9/updates/SRPMS/openssl-0.9.7a-20.6.legacy.src.rpm
6e2a5333e1a41cf7c87b0bd704f37ebeefb19011 fedora/1/updates/i386/openssl096-0.9.6-26.3.legacy.i386.rpm
aca4f861c4dde379cec5351f56c7aec4b2e47310 fedora/1/updates/i386/openssl096b-0.9.6b-18.3.legacy.i386.rpm
620c574712782b4e349ed1392d1d674507a146cc fedora/1/updates/i386/openssl-0.9.7a-33.13.legacy.i386.rpm
5518b5e24176b056dae1e653a4abb9f2dd227d99 fedora/1/updates/i386/openssl-0.9.7a-33.13.legacy.i686.rpm
5ce78af8e1d18ec2deb174ac6fdce6e84c68e46a fedora/1/updates/i386/openssl-devel-0.9.7a-33.13.legacy.i386.rpm
1bee0f14e627fde0951377e1bf2f90b190152967 fedora/1/updates/i386/openssl-perl-0.9.7a-33.13.legacy.i386.rpm
0d7079c953bb754c45c5a0231c5b292b814ce3f6 fedora/1/updates/SRPMS/openssl096-0.9.6-26.3.legacy.src.rpm
8350ee0de5d81a3a0a842745997f89f8aae9e37f fedora/1/updates/SRPMS/openssl096b-0.9.6b-18.3.legacy.src.rpm
b116a8978d0ea6720193ac67c927d1c07eb122c4 fedora/1/updates/SRPMS/openssl-0.9.7a-33.13.legacy.src.rpm
0b4dd57385c42886afbd62bc17c3b10fb3b28d38 fedora/2/updates/i386/openssl096b-0.9.6b-20.3.legacy.i386.rpm
d8773965612fda44388b73296ba8fb9caea9db1f fedora/2/updates/i386/openssl-0.9.7a-35.2.legacy.i386.rpm
45c1a884034056c1f3f31f6a61af617a44a31e47 fedora/2/updates/i386/openssl-0.9.7a-35.2.legacy.i686.rpm
24f03de813df1d534d3d847fde68ffd603a2e234 fedora/2/updates/i386/openssl-devel-0.9.7a-35.2.legacy.i386.rpm
a990c20059b07984cc06a1029219b713650b0cfd fedora/2/updates/i386/openssl-perl-0.9.7a-35.2.legacy.i386.rpm
b39cd980bda3350d69ee5a4da934fb54c956c965 fedora/2/updates/SRPMS/openssl096b-0.9.6b-20.3.legacy.src.rpm
63d5d41cd2be5a010c2ad2c6276f0ddba2948e38 fedora/2/updates/SRPMS/openssl-0.9.7a-35.2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>
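The advisory lists one SHA1 sum per package but leaves the comparison to the reader. The following is an added example, not part of the Fedora Legacy advisory or its tooling: a small POSIX sh function that reads a saved copy of the section 7 table (assumed to be stored in a file, one "<sha1> <relative path>" pair per line, header and blank lines tolerated) and checks every listed package that was downloaded into a local directory, reporting OK, MISMATCH or MISSING per file. The function's name, the manifest file and the download directory are assumptions of this example. A SHA1 match only shows the file is the one the advisory describes; origin is still established by `rpm --checksig -v`, so run both before `rpm -Fvh`.

```shell
#!/bin/sh
# Added example (not from the advisory): check downloaded RPMs against the
# advisory's "SHA1 sum  Package Name" table before installing them.
#
# Usage: verify_sha1_list MANIFEST DOWNLOAD_DIR
#   MANIFEST     file containing the section 7 lines, e.g.
#                "a990c200...0bcfd fedora/2/updates/i386/openssl-perl-0.9.7a-35.2.legacy.i386.rpm"
#   DOWNLOAD_DIR directory holding the downloaded .rpm files (flat, by basename)
# Returns the number of packages that are missing or whose digest differs (0 = all OK).
verify_sha1_list() {
    manifest="$1"
    dir="$2"
    failures=0

    # Redirecting into the loop (not piping) keeps $failures in this shell.
    while read -r expected relpath; do
        # Skip blank lines.
        if [ -z "$expected" ]; then
            continue
        fi
        # Skip anything that is not a hex digest, such as the "SHA1 sum" header.
        case "$expected" in
            *[!0-9a-f]*) continue ;;
        esac

        file="$dir/$(basename "$relpath")"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath"
            failures=$((failures + 1))
            continue
        fi

        actual=$(sha1sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $relpath"
        else
            echo "MISMATCH $relpath (expected $expected, got $actual)"
            failures=$((failures + 1))
        fi
    done < "$manifest"

    return "$failures"
}
```

Because the return value is the failure count, the function can gate the install step directly: `verify_sha1_list manifest.txt ./downloads && rpm -Fvh ./downloads/*.rpm`. A digest that differs from the advisory means the download should be discarded and re-fetched, not installed.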

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0109