Debian GNU/Linux
Debian Security Advisory DSA 920-1
security@debian.org
http://www.debian.org/security/
Martin Schulze
December 13th, 2005
http://www.debian.org/security/faq
Package : ethereal
Vulnerability : buffer overflow
Problem type : remote
Debian-specific: no
CVE ID : CVE-2005-3651
BugTraq ID : 15794
Debian Bug : 342911
A buffer overflow has been discovered in ethereal, a commonly
used network traffic analyser, that causes a denial of service and
may potentially allow the execution of arbitrary code.
For the old stable distribution (woody) this problem has been
fixed in version 0.9.4-1woody14.
For the stable distribution (sarge) this problem has been fixed
in version 0.10.10-2sarge3.
For the unstable distribution (sid) this problem will be fixed
soon.
We recommend that you upgrade your ethereal packages.
Upgrade Instructions
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
Debian GNU/Linux 3.1 alias sarge
These files will probably be moved into the stable distribution
on its next update.
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
Gentoo Linux
Gentoo Linux Security Advisory GLSA 200512-04
Severity: Normal
Title: Openswan, IPsec-Tools: Vulnerabilities in ISAKMP Protocol
implementation
Date: December 12, 2005
Bugs: #112568, #113201
ID: 200512-04
Synopsis
Openswan and IPsec-Tools suffer from an implementation flaw
which may allow a Denial of Service attack.
Background
Openswan is an implementation of IPsec for Linux. IPsec-Tools is
a port of KAME’s implementation of the IPsec utilities, including
racoon, an Internet Key Exchange daemon. Internet Key Exchange
version 1 (IKEv1), a derivative of ISAKMP, is an important part of
IPsec. IPsec is widely used to secure exchange of packets at the IP
layer and mostly used to implement Virtual Private Networks
(VPNs).
Affected packages
     Package                    /  Vulnerable  /            Unaffected
  1  net-misc/openswan             < 2.4.4                  >= 2.4.4
  2  net-firewall/ipsec-tools      < 0.6.3                  >= 0.6.3
                                                            *>= 0.6.2-r1
                                                            *>= 0.4-r2
  -------------------------------------------------------------------
  2 affected packages on all of their supported architectures.
Description
The Oulu University Secure Programming Group (OUSPG) discovered
that various ISAKMP implementations, including Openswan and racoon
(included in the IPsec-Tools package), behave in an anomalous way
when they receive and handle ISAKMP Phase 1 packets with invalid or
abnormal contents.
Impact
A remote attacker can create a specially crafted packet using
3DES with an invalid key length, resulting in a Denial of Service
attack, format string vulnerabilities or buffer overflows.
Workaround
Avoid using “aggressive mode” in ISAKMP Phase 1, which exchanges
information between the sides before there is a secure channel.
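A check for the workaround above, as an added example that is not part of the GLSA or of either project: it scans configuration text for connections that still allow aggressive mode, using Openswan's `aggrmode` key in ipsec.conf and racoon's `exchange_mode` directive in racoon.conf. Both sample files are constructed, and `also=` inheritance in ipsec.conf is not followed.

```python
import re

# Constructed sample files; addresses come from the documentation ranges.
SAMPLE_IPSEC_CONF = """\
conn %default
    keyingtries=3

conn branch-office
    left=192.0.2.1
    right=198.51.100.7
    aggrmode=yes    # still allows aggressive mode

conn hq
    left=192.0.2.1
    right=203.0.113.9
    aggrmode=no
"""

SAMPLE_RACOON_CONF = """\
remote 198.51.100.7 {
    exchange_mode aggressive,main;
    proposal {
        encryption_algorithm 3des;
    }
}
remote anonymous {
    exchange_mode main;
}
"""


def _strip_comment(line):
    """Drop a trailing '#' comment and trailing whitespace."""
    return line.split("#", 1)[0].rstrip()


def audit_openswan(text):
    """Return the conn names whose effective setting is aggrmode=yes."""
    explicit = {}   # conn name -> aggrmode value, or None when not set
    current = None
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        if not line[0].isspace():        # section headers start in column 0
            words = line.split()
            current = words[1] if len(words) == 2 and words[0] == "conn" else None
            if current is not None:
                explicit.setdefault(current, None)
            continue
        m = re.match(r"\s+aggrmode\s*=\s*\"?(\w+)\"?\s*$", line)
        if m and current is not None:
            explicit[current] = m.group(1).lower()
    # 'conn %default' applies to every conn without its own value;
    # the built-in default is 'no'.
    default = explicit.pop("%default", None) or "no"
    return sorted(n for n, v in explicit.items() if (v or default) == "yes")


def audit_racoon(text):
    """Return the remote sections whose exchange_mode list names aggressive."""
    flagged, current = [], None
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        m = re.match(r"remote\s+([^\s{]+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"exchange_mode\s+([^;]+);", line)
        if m and current is not None:
            # racoon accepts every listed mode as responder, so any position counts.
            modes = [mode.strip() for mode in m.group(1).split(",")]
            if "aggressive" in modes:
                flagged.append(current)
    return flagged
```
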
Resolution
All Openswan users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/openswan-2.4.4"
All IPsec-Tools users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose net-firewall/ipsec-tools
References
[ 1 ] CVE-2005-3671
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3671
[ 2 ] CVE-2005-3732
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3732
[ 3 ] Original Advisory
http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/isakmp/
Availability
This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200512-04.xml
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.
License
Copyright 2005 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).
The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
Mandriva Linux
Mandriva Linux Security Advisory MDKSA-2005:226
http://www.mandriva.com/security/
Package : mozilla-thunderbird
Date : December 12, 2005
Affected: 2006.0, Corporate 3.0
Problem Description:
A bug in enigmail, the GPG support extension for Mozilla
MailNews and Mozilla Thunderbird, was discovered that could lead to
the encryption of an email with the wrong public key. This could
potentially disclose confidential data to unintended
recipients.
The updated packages have been patched to prevent this
problem.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3256
Updated Packages:
To upgrade automatically use MandrivaUpdate or urpmi. The
verification of md5 checksums and GPG signatures is performed
automatically for you.
All packages are signed by Mandriva for security. You can obtain
the GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
Ubuntu Linux
Ubuntu Security Notice USN-229-1 December 13, 2005
zope2.8 vulnerability
CVE-2005-3323
A security issue affects the following Ubuntu releases:
Ubuntu 5.10 (Breezy Badger)
The following packages are affected:
zope2.8
zope2.8-sandbox
The problem can be corrected by upgrading the affected package
to version 2.8.1-5ubuntu0.1. In general, a standard system upgrade
is sufficient to effect the necessary changes.
Details follow:
Zope did not deactivate the file inclusion feature when exposing
RestructuredText functionalities to untrusted users. A remote user
with the privilege of editing Zope webpages with RestructuredText
could exploit this to expose arbitrary files that can be read with
the privileges of the Zope server, or execute arbitrary Zope
code.
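An audit for the issue described above, as an added example that is not Zope's or Ubuntu's code: docutils controls these directives through its `file_insertion_enabled` and `raw_enabled` settings, and the scanner lists directives in stored reStructuredText that would read a file or URL. The function names and the sample document are constructed for illustration.

```python
import re

# docutils settings for untrusted input: no file-reading directives, and
# no "raw" directive (it can pull files via :file:/:url: and passes
# markup through unfiltered).
SAFE_SETTINGS = {"file_insertion_enabled": False, "raw_enabled": False}


def render_untrusted(source):
    """Render untrusted reStructuredText to an HTML fragment, file insertion off.

    Needs the docutils package; it is imported here so that the audit
    function below also runs where docutils is not installed.
    """
    from docutils.core import publish_parts
    parts = publish_parts(source, writer_name="html",
                          settings_overrides=SAFE_SETTINGS)
    return parts["html_body"]


_DIRECTIVE = re.compile(r"^\s*\.\.\s+([A-Za-z][\w-]*)::\s*(.*)$")
_OPTION = re.compile(r"^\s+:([\w-]+):\s*(.*)$")


def find_file_insertion(source):
    """Return (line_no, directive, target) for directives that read a file or URL.

    Matching is textual, so a directive quoted inside a literal block is
    reported too; for an audit, over-reporting is the safer error.
    """
    hits = []
    lines = source.splitlines()
    for i, line in enumerate(lines):
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        name, arg = m.group(1).lower(), m.group(2).strip()
        if name == "include" and arg:
            hits.append((i + 1, name, arg))
        # Options are the ':key: value' lines directly under the directive.
        for opt_line in lines[i + 1:]:
            o = _OPTION.match(opt_line)
            if not o:
                break
            key, value = o.group(1).lower(), o.group(2).strip()
            if key in ("file", "url") and value:
                hits.append((i + 1, name, key + "=" + value))
    return hits


# Constructed sample document (paths and address are placeholders).
SAMPLE_RST = """\
Page title
==========

.. include:: /srv/example/notes.txt
   :literal:

.. raw:: html
   :file: /srv/example/fragment.html

.. csv-table:: Totals
   :header: a, b
   :url: http://192.0.2.10/data.csv

.. note:: plain directive, nothing read from disk
"""

if __name__ == "__main__":
    for line_no, directive, target in find_file_insertion(SAMPLE_RST):
        print(f"line {line_no}: {directive} -> {target}")
```
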