Linux Today: Linux News On Internet Time.






Advisories: February 28, 2006

Mar 01, 2006, 04:45

Debian GNU/Linux


Debian Security Advisory DSA 983-1                      security@debian.org
http://www.debian.org/security/                         Martin Schulze
February 28th, 2006                                     http://www.debian.org/security/faq


Package : pdftohtml
Vulnerability : several
Problem type : local (remote)
Debian-specific: no

Derek Noonburg has fixed several potential vulnerabilities in xpdf, which are also present in pdftohtml, a utility that translates PDF documents into HTML format.

The old stable distribution (woody) does not contain pdftohtml packages.

For the stable distribution (sarge) these problems have been fixed in version 0.36-11sarge2.

For the unstable distribution (sid) these problems have been fixed in version 0.36-12.

We recommend that you upgrade your gpdf package.

Upgrade Instructions


wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge


Source archives:

    http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2.dsc
      Size/MD5 checksum: 602 8dc87f9f04bf4e95d628a81540b5320e
    http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2.diff.gz
      Size/MD5 checksum: 11953 aa4fe47eeec4ff81df92aab8f218f1f1
    http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36.orig.tar.gz
      Size/MD5 checksum: 300922 75ad095bb51e1f66c9f7691e6af12f44

Alpha architecture:

    http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_alpha.deb
      Size/MD5 checksum: 314142 b5bd8a0387aaaa69a31b74bc9baf7498

AMD64 architecture:

    http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_amd64.deb
      Size/MD5 checksum: 259728 a16f018455f8e3409399f9123af3c17a

ARM architecture:

    http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_arm.deb
      Size/MD5 checksum: 266500 bbf302ca14ddad34769b0b8a5822d139

Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_i386.deb
      Size/MD5 checksum: 253988 fd6e84484e62b90ff4eb419bdff63044

Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_ia64.deb
      Size/MD5 checksum: 374206 900ea16bffd41ff59272bab4e89077a9

HP Precision architecture:

    http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_hppa.deb
      Size/MD5 checksum: 330356 4bf2182b3dc9f1269efb039c07fceea3

Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_m68k.deb
      Size/MD5 checksum: 234812 34eb54fb6c07676aee15a9cc15110c28

Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_mips.deb
      Size/MD5 checksum: 311482 2540b6b4c0b523087a40fb4ef7b57c46

Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_mipsel.deb
      Size/MD5 checksum: 307188 16034038f8c3c206623702c4b3695b69

PowerPC architecture:

    http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_powerpc.deb
      Size/MD5 checksum: 269634 4053b1c0d6c76ca5c94ee97df412b5e5

IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_s390.deb
      Size/MD5 checksum: 242482 ff9f29460ad1cb56b4c92dfd3e1e2d57

Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_sparc.deb
      Size/MD5 checksum: 245378 d1ecf4c546240dab174947827b01766e

These files will probably be moved into the stable distribution on its next update.


For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Fedora Legacy


Fedora Legacy Update Advisory

Synopsis: Updated PostgreSQL packages fix security issues
Advisory ID: FLSA:157366
Issue date: 2006-02-27
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-1409 CVE-2005-1410



1. Topic:

Updated postgresql packages that fix several security vulnerabilities and risks of data loss are now available.

PostgreSQL is an advanced Object-Relational database management system (DBMS) that supports almost all SQL constructs (including transactions, subselects and user-defined types and functions).

2. Relevant releases/architectures:

Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

The PostgreSQL community discovered two distinct errors in initial system catalog entries that could allow authorized database users to crash the database and possibly escalate their privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the names CVE-2005-1409 and CVE-2005-1410 to these issues.

Although installing this update will protect new (freshly initdb'd) database installations from these errors, administrators MUST TAKE MANUAL ACTION to repair the errors in pre-existing databases. The appropriate procedures are explained at http://www.postgresql.org/docs/8.0/static/release-7-4-8.html for Fedora Core 2 users, or http://www.postgresql.org/docs/8.0/static/release-7-3-10.html for Fedora Core 1 and Red Hat Linux 9 users.

This update also includes fixes for several other errors, including two race conditions that could result in apparent data inconsistency or actual data loss.

All users of PostgreSQL are advised to upgrade to these updated packages and to apply the recommended manual corrections to existing databases.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157366

6. RPMs required:

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/postgresql-7.3.10-0.90.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-contrib-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-devel-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-docs-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-jdbc-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-libs-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-pl-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-python-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-server-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-tcl-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-test-7.3.10-0.90.1.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/postgresql-7.3.10-1.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-7.3.10-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-contrib-7.3.10-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-devel-7.3.10-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-docs-7.3.10-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-jdbc-7.3.10-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-libs-7.3.10-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-pl-7.3.10-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-python-7.3.10-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-server-7.3.10-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-tcl-7.3.10-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-test-7.3.10-1.1.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/postgresql-7.4.8-1.FC2.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-7.4.8-1.FC2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-contrib-7.4.8-1.FC2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-devel-7.4.8-1.FC2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-docs-7.4.8-1.FC2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-jdbc-7.4.8-1.FC2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-libs-7.4.8-1.FC2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-pl-7.4.8-1.FC2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-python-7.4.8-1.FC2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-server-7.4.8-1.FC2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-tcl-7.4.8-1.FC2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-test-7.4.8-1.FC2.1.legacy.i386.rpm

7. Verification:

SHA1 sum Package Name


88bf97be3530effdf1c7c3a779bfe7f80e7ea6be redhat/9/updates/i386/postgresql-7.3.10-0.90.1.legacy.i386.rpm
6130777335db38d64a44d52106353cd76154ca23 redhat/9/updates/i386/postgresql-contrib-7.3.10-0.90.1.legacy.i386.rpm
4bce5f9e6e80edb944a7aa24839f34c609c44c99 redhat/9/updates/i386/postgresql-devel-7.3.10-0.90.1.legacy.i386.rpm
f6d7a63730df0a33b4f7582077472bf8cecc0f4e redhat/9/updates/i386/postgresql-docs-7.3.10-0.90.1.legacy.i386.rpm
3f76bb95ef0ce2da9b6a58993cdf7a1000e33019 redhat/9/updates/i386/postgresql-jdbc-7.3.10-0.90.1.legacy.i386.rpm
a7a9187c41f2820ca9c2d2364f63859d33d21044 redhat/9/updates/i386/postgresql-libs-7.3.10-0.90.1.legacy.i386.rpm
0d0e4d4e566583111f30f4c06f255daeaf9bbd49 redhat/9/updates/i386/postgresql-pl-7.3.10-0.90.1.legacy.i386.rpm
def9d9581141c219e013a875146c75b65af67e91 redhat/9/updates/i386/postgresql-python-7.3.10-0.90.1.legacy.i386.rpm
43590dabe9601ddbefbc6d9086c9b7dfb363acaa redhat/9/updates/i386/postgresql-server-7.3.10-0.90.1.legacy.i386.rpm
e4769b82d862178d6d395f52ebcbd56a75e36e71 redhat/9/updates/i386/postgresql-tcl-7.3.10-0.90.1.legacy.i386.rpm
fbd07e5eaad5e4ee5bd1b30e02001a043331daff redhat/9/updates/i386/postgresql-test-7.3.10-0.90.1.legacy.i386.rpm
57fc00132f9d66263729566666fd1eba3d7a9d2f redhat/9/updates/SRPMS/postgresql-7.3.10-0.90.1.legacy.src.rpm

de59e42459e24cd8846fbd6d765bc892d621a0dc fedora/1/updates/i386/postgresql-7.3.10-1.1.legacy.i386.rpm
88abba3e24f01c6189be15b6481d77b135b6191c fedora/1/updates/i386/postgresql-contrib-7.3.10-1.1.legacy.i386.rpm
39a6163dffc299ba088f8f71c0393fca08648ae9 fedora/1/updates/i386/postgresql-devel-7.3.10-1.1.legacy.i386.rpm
0ac78a44e03f5b31113b7b110d35472aded5ecbd fedora/1/updates/i386/postgresql-docs-7.3.10-1.1.legacy.i386.rpm
e8a17936599c1c2aa7a26056ee3449e43a460d07 fedora/1/updates/i386/postgresql-jdbc-7.3.10-1.1.legacy.i386.rpm
421fc09afacbeb0e6773a8c2c1dd2ebb45406fd9 fedora/1/updates/i386/postgresql-libs-7.3.10-1.1.legacy.i386.rpm
f79b142305ab70af54594478e248830edfdb8247 fedora/1/updates/i386/postgresql-pl-7.3.10-1.1.legacy.i386.rpm
ab86d2fbf57b470934131cb78916117fdf177a4d fedora/1/updates/i386/postgresql-python-7.3.10-1.1.legacy.i386.rpm
71c2abb0a89a19fa88eaa3a22048062ea4d938f3 fedora/1/updates/i386/postgresql-server-7.3.10-1.1.legacy.i386.rpm
92e2b78d179c4aa378875b6ab42c488cad6b44c7 fedora/1/updates/i386/postgresql-tcl-7.3.10-1.1.legacy.i386.rpm
44a3837dd2f7ae68790637be50fe1f29b8d86814 fedora/1/updates/i386/postgresql-test-7.3.10-1.1.legacy.i386.rpm
de79d4182b566ec3c4a623cd26c51af2e8938ffb fedora/1/updates/SRPMS/postgresql-7.3.10-1.1.legacy.src.rpm

0046d088278b0c08740222a41ca511d0c0fa3d99 fedora/2/updates/i386/postgresql-7.4.8-1.FC2.1.legacy.i386.rpm
184dd4304908b60a216f3be9f0756fde449c729e fedora/2/updates/i386/postgresql-contrib-7.4.8-1.FC2.1.legacy.i386.rpm
8ae68e66295eddb1936c31fe15cf95662db4b345 fedora/2/updates/i386/postgresql-devel-7.4.8-1.FC2.1.legacy.i386.rpm
7e547b6ee8c0e1b06bc803aa45086971158ced10 fedora/2/updates/i386/postgresql-docs-7.4.8-1.FC2.1.legacy.i386.rpm
646cba1375fa3548aff2a791035f5eacb7927869 fedora/2/updates/i386/postgresql-jdbc-7.4.8-1.FC2.1.legacy.i386.rpm
642feb043c19a5584f60ef45713bf8249c689216 fedora/2/updates/i386/postgresql-libs-7.4.8-1.FC2.1.legacy.i386.rpm
6955df9f381e1683d1d79aa779f5f295e74e2b68 fedora/2/updates/i386/postgresql-pl-7.4.8-1.FC2.1.legacy.i386.rpm
99b1ee5e4c26370d39e52437c10bb9cdcbc5d273 fedora/2/updates/i386/postgresql-python-7.4.8-1.FC2.1.legacy.i386.rpm
167fb15d6f300bd4aaf8a0b080dfa42136ee9f1c fedora/2/updates/i386/postgresql-server-7.4.8-1.FC2.1.legacy.i386.rpm
62f4e5798b3179a49cbe8c515343a0db4687834b fedora/2/updates/i386/postgresql-tcl-7.4.8-1.FC2.1.legacy.i386.rpm
1c8feebe8cf8d2ef07cb004b10cd4cf69e654989 fedora/2/updates/i386/postgresql-test-7.4.8-1.FC2.1.legacy.i386.rpm
c2b44a61fdbf644cecccb3edcf78a80dbda9cfa4 fedora/2/updates/SRPMS/postgresql-7.4.8-1.FC2.1.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>
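The Debian advisory above prints a size and MD5 sum for every file, and the Fedora Legacy advisories print a SHA1 per package, but the sha1sum command shown only computes a digest and leaves the comparison to the reader. The shell functions below are an added example, not part of either advisory: verify_checksum compares one downloaded file with the advisory's digest (and, for the Debian case, its size), and verify_sha1_table reads lines copied from a "SHA1 sum Package Name" table and checks every listed file under a download directory. The function names, the assumption that everything was downloaded under one base directory, and the use of the coreutils md5sum/sha1sum commands are this example's own choices.

```shell
#!/bin/sh
# Added example: compare downloaded packages with the checksums printed in
# an advisory. Not taken from the Debian or Fedora Legacy advisories; the
# function names and the "everything under one base directory" layout are
# this example's own assumptions.

# verify_checksum FILE ALGO EXPECTED_DIGEST [EXPECTED_SIZE]
#   ALGO is "md5" (Debian "Size/MD5 checksum" lines) or "sha1" (Fedora
#   Legacy "SHA1 sum" tables). Returns 0 only when the digest, and the size
#   when one is given, match what the advisory printed.
verify_checksum() {
    file=$1; algo=$2; expected=$3; expected_size=${4:-}

    if [ ! -f "$file" ]; then
        echo "MISSING $file" >&2
        return 1
    fi

    if [ -n "$expected_size" ]; then
        actual_size=$(wc -c < "$file" | tr -d ' ')
        if [ "$actual_size" != "$expected_size" ]; then
            echo "SIZE MISMATCH $file: $actual_size bytes, advisory says $expected_size" >&2
            return 1
        fi
    fi

    case $algo in
        md5)  actual=$(md5sum "$file" | cut -d' ' -f1) ;;
        sha1) actual=$(sha1sum "$file" | cut -d' ' -f1) ;;
        *)    echo "unsupported algorithm: $algo" >&2; return 1 ;;
    esac

    # Advisories print lowercase hex; normalise in case the value was retyped.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "DIGEST MISMATCH $file: $actual, advisory says $expected" >&2
        return 1
    fi
    echo "OK $file"
}

# verify_sha1_table TABLE BASE_DIR
#   TABLE holds lines copied from a Fedora Legacy "SHA1 sum Package Name"
#   table: "<sha1> <path relative to the download root>". Each listed file
#   is checked under BASE_DIR; the return value is the number of failures,
#   so 0 means the whole set matched.
verify_sha1_table() {
    table=$1; base=$2; failures=0
    while read -r sum path; do
        [ -n "$sum" ] || continue                      # tolerate blank lines
        verify_checksum "$base/$path" sha1 "$sum" || failures=$((failures + 1))
    done < "$table"
    return "$failures"
}

# Typical use with values from the advisories above (run in the directory
# the files were downloaded into):
#   verify_checksum pdftohtml_0.36-11sarge2_i386.deb md5 \
#       fd6e84484e62b90ff4eb419bdff63044 253988
#   verify_checksum redhat/9/updates/i386/postgresql-7.3.10-0.90.1.legacy.i386.rpm sha1 \
#       88bf97be3530effdf1c7c3a779bfe7f80e7ea6be
```

A matching digest shows that the file is the one the advisory describes; it says nothing about who produced it, which is what the GPG check (rpm --checksig) adds. Run both, and take the expected values from the signed advisory mail rather than from the download site.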

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1409
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1410

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org



Fedora Legacy Update Advisory

Synopsis: Updated udev packages fix a security issue
Advisory ID: FLSA:175818
Issue date: 2006-02-27
Product: Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-3631



1. Topic:

Updated udev packages that fix a security issue are now available.

The udev package contains an implementation of devfs in userspace using sysfs and /sbin/hotplug.

2. Relevant releases/architectures:

Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

Richard Cunningham discovered a flaw in the way udev sets permissions on various files in /dev/input. It may be possible for an authenticated attacker to gather sensitive data entered by a user at the console, such as passwords. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3631 to this issue.

All users of udev should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue.
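The flaw above is a permission problem rather than a code defect, so a host can be checked for it directly. The following shell functions are an added example, not part of the Fedora Legacy advisory: they list entries under a directory such as /dev/input that are readable by users other than the owner and group, which is the condition CVE-2005-3631 describes. The function names and the choice of "readable by others" as the threshold are this example's own; a site that deliberately gives a group read access to input devices would keep that group bit out of the check, as this version does.

```shell
#!/bin/sh
# Added example (not part of the Fedora Legacy advisory): audit for the
# condition behind CVE-2005-3631, device nodes under /dev/input that
# arbitrary local users can read. Function names and the "others-readable
# is the problem" threshold are this example's own choices.

# list_world_readable DIR
#   Prints every non-directory entry under DIR whose mode grants read access
#   to "others" (the 004 bit). Only POSIX find syntax is used, so GNU and
#   BSD find both accept it. In /dev/input the entries are character
#   devices; on a test directory they are plain files, which is why the
#   filter is "not a directory" rather than "is a device".
list_world_readable() {
    find "$1" ! -type d -perm -004 2>/dev/null
}

# count_world_readable DIR
#   Number of entries list_world_readable would print; handy for cron jobs
#   that only need a pass/fail figure.
count_world_readable() {
    list_world_readable "$1" | wc -l | tr -d ' '
}

# audit_input_perms DIR
#   Human-readable report. Returns 1 when something under DIR is readable
#   by others, 0 when the directory is clean.
audit_input_perms() {
    dir=$1
    offenders=$(list_world_readable "$dir")
    if [ -z "$offenders" ]; then
        echo "OK: nothing under $dir is readable by others"
        return 0
    fi
    echo "WARNING: readable by others under $dir (mode, owner, path):"
    # ls -ld shows the mode and owner udev assigned to each node
    printf '%s\n' "$offenders" | while read -r f; do
        ls -ld "$f"
    done
    return 1
}

# Typical use on a live system:
#   audit_input_perms /dev/input
```

After installing the updated udev package, re-run the audit: udev only applies its rules when devices are (re)created, so nodes that already existed keep their old mode until the device is re-plugged or the permissions are corrected by hand.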

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175818

6. RPMs required:

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/udev-024-6.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/udev-024-6.2.legacy.i386.rpm

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/udev-039-10.FC3.9.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/udev-039-10.FC3.9.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/udev-039-10.FC3.9.legacy.x86_64.rpm

7. Verification:

SHA1 sum Package Name


d2b2850b4066a595a4d3c162e151dc27c5b43198 fedora/2/updates/i386/udev-024-6.2.legacy.i386.rpm
9ed5ef68d64987f8f644da065399d6885e7e1176 fedora/2/updates/SRPMS/udev-024-6.2.legacy.src.rpm

a2682a89f6fe03c2f2c2401caa511c299c1ae1cc fedora/3/updates/i386/udev-039-10.FC3.9.legacy.i386.rpm
fbcf92e15337b34511d4a305100d6797d644a84e fedora/3/updates/x86_64/udev-039-10.FC3.9.legacy.x86_64.rpm
fe4e15a6ac3d4d80ce3db01f08a75c93985964e8 fedora/3/updates/SRPMS/udev-039-10.FC3.9.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3631

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org



Fedora Legacy Update Advisory

Synopsis: Updated mod_auth_pgsql package fixes security issue
Advisory ID: FLSA:177326
Issue date: 2006-02-27
Product: Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-3656



1. Topic:

An updated mod_auth_pgsql package that fixes a format string flaw is now available.

The mod_auth_pgsql package is an httpd module that allows user authentication against information stored in a PostgreSQL database.

2. Relevant releases/architectures:

Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

Several format string flaws were found in the way mod_auth_pgsql logs information. It may be possible for a remote attacker to execute arbitrary code as the 'apache' user if mod_auth_pgsql is used for user authentication. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3656 to this issue.

Please note that this issue only affects servers which have mod_auth_pgsql installed and configured to perform user authentication against a PostgreSQL database.

All users of mod_auth_pgsql should upgrade to these updated packages, which contain a backported patch to resolve this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=177326

6. RPMs required:

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/mod_auth_pgsql-2.0.1-3.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/mod_auth_pgsql-2.0.1-3.1.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/mod_auth_pgsql-2.0.1-4.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/mod_auth_pgsql-2.0.1-4.2.legacy.i386.rpm

7. Verification:

SHA1 sum Package Name


e6ce19c8be5f4638e2050437c4529b0d4a0f5e1f fedora/1/updates/i386/mod_auth_pgsql-2.0.1-3.1.legacy.i386.rpm
119b3b6045eaa3b175ebe3d613daca8e9c81b35c fedora/1/updates/SRPMS/mod_auth_pgsql-2.0.1-3.1.legacy.src.rpm

8f9c2503b417db84b73483e6daca445c4789e4e4 fedora/2/updates/i386/mod_auth_pgsql-2.0.1-4.2.legacy.i386.rpm
52aabaff10fb0f862e1b96199facb7da046e94dc fedora/2/updates/SRPMS/mod_auth_pgsql-2.0.1-4.2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3656

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org



Fedora Legacy Update Advisory

Synopsis: Updated auth_ldap package fixes security issue
Advisory ID: FLSA:177694
Issue date: 2006-02-27
Product: Red Hat Linux
Keywords: Bugfix
CVE Names: CVE-2006-0150



1. Topic:

An updated auth_ldap package that fixes a format string security issue is now available for Red Hat Linux 7.3.

The auth_ldap package is an httpd module that allows user authentication against information stored in an LDAP database.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386

3. Problem description:

A format string flaw was found in the way auth_ldap logs information. It may be possible for a remote attacker to execute arbitrary code as the 'apache' user if auth_ldap is used for user authentication. The Common Vulnerabilities and Exposures project (cve.mitre.org/) assigned the name CVE-2006-0150 to this issue.

Note that this issue only affects servers that have auth_ldap installed and configured to perform user authentication against an LDAP database.

All users of auth_ldap should upgrade to this updated package, which contains a backported patch to resolve this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=177694

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/auth_ldap-1.6.0-4.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/auth_ldap-1.6.0-4.2.legacy.i386.rpm

7. Verification:

SHA1 sum Package Name


38f70135bc17c313fecdb81f61e776ac032b796e redhat/7.3/updates/i386/auth_ldap-1.6.0-4.2.legacy.i386.rpm
78b7ee876d5b900ff5268b1a396a59ca9f2385f0 redhat/7.3/updates/SRPMS/auth_ldap-1.6.0-4.2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0150

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org



Fedora Legacy Update Advisory

Synopsis: Updated gnutls packages fix a security issue
Advisory ID: FLSA:181014
Issue date: 2006-02-27
Product: Fedora Core
Keywords: Bugfix
CVE Names: CVE-2006-0645



1. Topic:

Updated gnutls packages that fix a security issue are now available.

The GNU TLS Library provides support for cryptographic algorithms and protocols such as TLS. GNU TLS includes Libtasn1, a library developed for ASN.1 structures management that includes DER encoding and decoding.

2. Relevant releases/architectures:

Fedora Core 3 - i386, x86_64

3. Problem description:

Several flaws were found in the way libtasn1 decodes DER. An attacker could create a carefully crafted invalid X.509 certificate in such a way that could trigger this flaw if parsed by an application that uses GNU TLS. This could lead to a denial of service (application crash). It is not certain if this issue could be escalated to allow arbitrary code execution. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0645 to this issue.

Users are advised to upgrade to these updated packages, which contain a backported patch from the GNU TLS maintainers to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=181014

6. RPMs required:

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/gnutls-1.0.20-3.1.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/gnutls-1.0.20-3.1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/gnutls-devel-1.0.20-3.1.3.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/gnutls-1.0.20-3.1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/gnutls-1.0.20-3.1.3.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/gnutls-devel-1.0.20-3.1.3.legacy.x86_64.rpm

7. Verification:

SHA1 sum Package Name


87b93af583ea3abaa48337b0a8c71cba97a45410 fedora/3/updates/i386/gnutls-1.0.20-3.1.3.legacy.i386.rpm
dca7e6e11093d7b8528d82cc9c3f5f1b1c78ea23 fedora/3/updates/i386/gnutls-devel-1.0.20-3.1.3.legacy.i386.rpm
87b93af583ea3abaa48337b0a8c71cba97a45410 fedora/3/updates/x86_64/gnutls-1.0.20-3.1.3.legacy.i386.rpm
742be40634dc2a32b245f78caf610d0a6b45cb75 fedora/3/updates/x86_64/gnutls-1.0.20-3.1.3.legacy.x86_64.rpm
762630c8973f02bcc934adc8f5a946383f8479cc fedora/3/updates/x86_64/gnutls-devel-1.0.20-3.1.3.legacy.x86_64.rpm
cce2a463b57be400362624f09dc49a4fdde09305 fedora/3/updates/SRPMS/gnutls-1.0.20-3.1.3.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0645

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org


Mandriva Linux


Mandriva Linux Security Advisory MDKSA-2006:049
http://www.mandriva.com/security/


Package : squirrelmail
Date : February 27, 2006
Affected: Corporate 3.0


Problem Description:

Webmail.php in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary web pages into the right frame via a URL in the right_frame parameter. NOTE: this has been called a cross-site scripting (XSS) issue, but it is different than what is normally identified as XSS. (CVE-2006-0188)

Interpretation conflict in the MagicHTML filter in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via style sheet specifiers with invalid (1) "/*" and "*/" comments, or (2) a newline in a "url" specifier, which is processed by certain web browsers including Internet Explorer. (CVE-2006-0195)

CRLF injection vulnerability in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary IMAP commands via newline characters in the mailbox parameter of the sqimap_mailbox_select command, aka "IMAP injection." (CVE-2006-0377)

Updated packages are patched to address these issues.
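The first and third issues above have a visible shape in the web server's access log: an absolute URL in the right_frame parameter, and a percent-encoded CR or LF inside the query string carrying the mailbox parameter. The following is an added example, not part of the Mandriva advisory or of SquirrelMail: an awk filter that flags both patterns, run over a few constructed Apache combined-format log lines. The log lines, the /webmail/ path, the addresses and the function names are inventions made for the example.

```shell
#!/bin/sh
# Added example (not part of the Mandriva advisory): detection logic for the
# two SquirrelMail request patterns described above, run over constructed
# Apache access-log lines. Nothing here is real traffic.

# write_sample_log FILE
#   Writes four constructed combined-format log lines: a normal mailbox
#   request, one with a percent-encoded CR LF in the mailbox parameter, one
#   with right_frame pointing at an external site, and a normal right_frame
#   request.
write_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [27/Feb/2006:10:01:02 +0100] "GET /webmail/src/right_main.php?mailbox=INBOX&sort=0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Feb/2006:10:01:15 +0100] "GET /webmail/src/right_main.php?mailbox=INBOX%0D%0A HTTP/1.1" 200 311 "-" "curl/7.15.1"
10.0.0.9 - - [27/Feb/2006:10:02:40 +0100] "GET /webmail/src/webmail.php?right_frame=http://example.net/login.html HTTP/1.1" 200 2201 "-" "curl/7.15.1"
10.0.0.7 - - [27/Feb/2006:10:03:01 +0100] "GET /webmail/src/webmail.php?right_frame=right_main.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
EOF
}

# flag_squirrelmail_requests LOGFILE
#   Prints "<reason><TAB><request target>" for each suspicious line:
#     crlf-in-query   a %0d or %0a (any case) inside the query string, the
#                     on-the-wire form of a newline pushed into the mailbox
#                     parameter (CVE-2006-0377)
#     external-frame  right_frame= carrying an absolute http(s) URL
#                     (CVE-2006-0188)
#   Field 7 of a combined-format line is the request target.
flag_squirrelmail_requests() {
    awk '
        {
            target = tolower($7)
            reason = ""
            if (target ~ /\?.*%0[ad]/)
                reason = "crlf-in-query"
            else if (target ~ /[?&]right_frame=http(s)?(%3a|:)/)
                reason = "external-frame"
            if (reason != "")
                printf "%s\t%s\n", reason, $7
        }
    ' "$1"
}

# count_flagged LOGFILE
#   Number of suspicious lines, for a cron check that only needs a figure.
count_flagged() {
    flag_squirrelmail_requests "$1" | wc -l | tr -d ' '
}

# Demo on the constructed sample: prints the two flagged requests.
sample=$(mktemp)
write_sample_log "$sample"
flag_squirrelmail_requests "$sample"
rm -f "$sample"
```

A percent-encoded CR or LF in a query string is worth flagging for any application, not just webmail; the right_frame rule is specific to SquirrelMail and only catches absolute URLs, so it is a signal for investigation while the patched package is the actual fix.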


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0377


Updated Packages:



To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>


Mandriva Linux Security Advisory MDKSA-2005:050
http://www.mandriva.com/security/


Package : unzip
Date : February 27, 2005
Affected: 10.2, 2006.0, Corporate 3.0, Multi Network Firewall 2.0


Problem Description:

A buffer overflow was found in how unzip handles file name arguments. If a user could be tricked into processing a specially crafted, excessively long file name with unzip, an attacker could execute arbitrary code with the user's privileges.

The updated packages have been patched to address this issue.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4667


Updated Packages:





Mandriva Linux Security Advisory MDKSA-2006:051
http://www.mandriva.com/security/


Package : gettext
Date : February 28, 2006
Affected: Corporate 3.0, Multi Network Firewall 2.0


Problem Description:

The Trustix developers discovered temporary file vulnerabilities in the autopoint and gettextize scripts, part of GNU gettext. These scripts insecurely created temporary files which could allow a malicious user to overwrite another user's files via a symlink attack.

The updated packages have been patched to address this issue.
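The autopoint/gettextize defect (CVE-2004-0966) is the classic predictable-name temporary file. The following Python is an added example, not gettext's code: it models the vulnerable open-for-write beside an O_EXCL creation and a mkstemp-based version, and runs a constructed scenario in a private directory; the file and function names are invented for the illustration.

```python
"""Added example, not gettext's code: the temp-file defect behind CVE-2004-0966
modelled in Python, next to the safe way of creating the file. autopoint and
gettextize wrote work files under predictable names in /tmp; a symlink planted
at such a name was followed, so the script overwrote the link's target. Fixes:
O_CREAT|O_EXCL (plus O_NOFOLLOW) so any pre-existing path is an error, and an
unpredictable name, which tempfile.mkstemp provides."""
import os
import tempfile


def legacy_create(path: str, data: bytes) -> None:
    """Vulnerable pattern: plain open-for-write, which follows a symlink."""
    with open(path, "wb") as fh:          # O_CREAT|O_TRUNC, no O_EXCL
        fh.write(data)


def safe_create(path: str, data: bytes) -> None:
    """Create a new file at a chosen name; refuse if anything is already there."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)      # FileExistsError for a file or a symlink
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def safe_tempfile(data: bytes, prefix: str = "gettextize.") -> str:
    """Preferred form: mkstemp picks a random name and opens it with O_EXCL."""
    fd, path = tempfile.mkstemp(prefix=prefix)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def simulate() -> dict:
    """Constructed scenario in a private directory: a victim file plus a symlink
    sitting at the predictable name (think /tmp/name.$$) before the script runs."""
    with tempfile.TemporaryDirectory() as tmpdir:
        victim = os.path.join(tmpdir, "victim")
        with open(victim, "wb") as fh:
            fh.write(b"original")
        planted = os.path.join(tmpdir, "gettextize.1234")
        os.symlink(victim, planted)
        legacy_create(planted, b"clobbered")          # follows the link
        with open(victim, "rb") as fh:
            legacy_overwrote = fh.read() == b"clobbered"
        try:
            safe_create(planted, b"never written")    # O_EXCL sees the link
            safe_refused = False
        except FileExistsError:
            safe_refused = True
    return {"legacy_overwrote_victim": legacy_overwrote, "safe_refused": safe_refused}
```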


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966


Updated Packages:


