
Advisories: February 28, 2006

Debian GNU/Linux


Debian Security Advisory DSA 983-1
security@debian.org
http://www.debian.org/security/
Martin Schulze
February 28th, 2006
http://www.debian.org/security/faq


Package : pdftohtml
Vulnerability : several
Problem type : local (remote)
Debian-specific: no

Derek Noonburg has fixed several potential vulnerabilities in
xpdf, which are also present in pdftohtml, a utility that
translates PDF documents into HTML format.

The old stable distribution (woody) does not contain pdftohtml
packages.

For the stable distribution (sarge) these problems have been
fixed in version 0.36-11sarge2.

For the unstable distribution (sid) these problems have been
fixed in version 0.36-12.

We recommend that you upgrade your gpdf package.

Upgrade Instructions


wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge



These files will probably be moved into the stable distribution
on its next update.


For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Fedora Legacy


Fedora Legacy Update Advisory

Synopsis: Updated PostgreSQL packages fix security issues
Advisory ID: FLSA:157366
Issue date: 2006-02-27
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-1409 CVE-2005-1410



1. Topic:

Updated postgresql packages that fix several security
vulnerabilities and risks of data loss are now available.

PostgreSQL is an advanced Object-Relational database management
system (DBMS) that supports almost all SQL constructs (including
transactions, subselects and user-defined types and functions).

2. Relevant releases/architectures:

Red Hat Linux 9 – i386
Fedora Core 1 – i386
Fedora Core 2 – i386

3. Problem description:

The PostgreSQL community discovered two distinct errors in
initial system catalog entries that could allow authorized database
users to crash the database and possibly escalate their privileges.
The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the names
CVE-2005-1409 and CVE-2005-1410 to these issues.

Although installing this update will protect new (freshly
initdb’d) database installations from these errors, administrators
MUST TAKE MANUAL ACTION to repair the errors in pre-existing
databases. The appropriate procedures are explained at http://www.postgresql.org/docs/8.0/static/release-7-4-8.html
for Fedora Core 2 users, or
http://www.postgresql.org/docs/8.0/static/release-7-3-10.html
for Fedora Core 1 and Red Hat Linux 9 users.

This update also includes fixes for several other errors,
including two race conditions that could result in apparent data
inconsistency or actual data loss.

All users of PostgreSQL are advised to upgrade to these updated
packages and to apply the recommended manual corrections to
existing databases.

4. Solution:

Before applying this update, make sure all previously released
errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.
Only those RPMs which are currently installed will be updated.
Those RPMs which are not installed but included in the list will
not be updated. Note that you can also use wildcards (*.rpm) if
your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt.
Many people find this an easier way to apply updates. To use yum
issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that
you have yum or apt-get configured for obtaining Fedora Legacy
content. Please visit http://www.fedoralegacy.org/docs
for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157366

6. RPMs required:

Red Hat Linux 9:

SRPM:

http://download.fedoralegacy.org/redhat/9/updates/SRPMS/postgresql-7.3.10-0.90.1.legacy.src.rpm

i386:

http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-7.3.10-0.90.1.legacy.i386.rpm


http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-contrib-7.3.10-0.90.1.legacy.i386.rpm


http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-devel-7.3.10-0.90.1.legacy.i386.rpm


http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-docs-7.3.10-0.90.1.legacy.i386.rpm


http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-jdbc-7.3.10-0.90.1.legacy.i386.rpm


http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-libs-7.3.10-0.90.1.legacy.i386.rpm


http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-pl-7.3.10-0.90.1.legacy.i386.rpm


http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-python-7.3.10-0.90.1.legacy.i386.rpm


http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-server-7.3.10-0.90.1.legacy.i386.rpm


http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-tcl-7.3.10-0.90.1.legacy.i386.rpm


http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-test-7.3.10-0.90.1.legacy.i386.rpm

Fedora Core 1:

SRPM:

http://download.fedoralegacy.org/fedora/1/updates/SRPMS/postgresql-7.3.10-1.1.legacy.src.rpm

i386:

http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-7.3.10-1.1.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-contrib-7.3.10-1.1.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-devel-7.3.10-1.1.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-docs-7.3.10-1.1.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-jdbc-7.3.10-1.1.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-libs-7.3.10-1.1.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-pl-7.3.10-1.1.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-python-7.3.10-1.1.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-server-7.3.10-1.1.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-tcl-7.3.10-1.1.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-test-7.3.10-1.1.legacy.i386.rpm

Fedora Core 2:

SRPM:

http://download.fedoralegacy.org/fedora/2/updates/SRPMS/postgresql-7.4.8-1.FC2.1.legacy.src.rpm

i386:

http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-7.4.8-1.FC2.1.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-contrib-7.4.8-1.FC2.1.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-devel-7.4.8-1.FC2.1.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-docs-7.4.8-1.FC2.1.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-jdbc-7.4.8-1.FC2.1.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-libs-7.4.8-1.FC2.1.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-pl-7.4.8-1.FC2.1.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-python-7.4.8-1.FC2.1.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-server-7.4.8-1.FC2.1.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-tcl-7.4.8-1.FC2.1.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-test-7.4.8-1.FC2.1.legacy.i386.rpm

7. Verification:


These packages are GPG signed by Fedora Legacy for security. Our
key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been
corrupted or tampered with, examine only the sha1sum with the
following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1409

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1410

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>.
More project details at http://www.fedoralegacy.org



Fedora Legacy Update Advisory

Synopsis: Updated udev packages fix a security issue
Advisory ID: FLSA:175818
Issue date: 2006-02-27
Product: Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-3631



1. Topic:

Updated udev packages that fix a security issue are now
available.

The udev package contains an implementation of devfs in
userspace using sysfs and /sbin/hotplug.

2. Relevant releases/architectures:

Fedora Core 2 – i386
Fedora Core 3 – i386, x86_64

3. Problem description:

Richard Cunningham discovered a flaw in the way udev sets
permissions on various files in /dev/input. It may be possible for
an authenticated attacker to gather sensitive data entered by a
user at the console, such as passwords. The Common Vulnerabilities
and Exposures project has assigned the name CVE-2005-3631 to this
issue.

All users of udev should upgrade to these updated packages,
which contain a backported patch and are not vulnerable to this
issue.

4. Solution:

Before applying this update, make sure all previously released
errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.
Only those RPMs which are currently installed will be updated.
Those RPMs which are not installed but included in the list will
not be updated. Note that you can also use wildcards (*.rpm) if
your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt.
Many people find this an easier way to apply updates. To use yum
issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that
you have yum or apt-get configured for obtaining Fedora Legacy
content. Please visit http://www.fedoralegacy.org/docs
for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175818

6. RPMs required:

Fedora Core 2:

SRPM:

http://download.fedoralegacy.org/fedora/2/updates/SRPMS/udev-024-6.2.legacy.src.rpm

i386:

http://download.fedoralegacy.org/fedora/2/updates/i386/udev-024-6.2.legacy.i386.rpm

Fedora Core 3:

SRPM:

http://download.fedoralegacy.org/fedora/3/updates/SRPMS/udev-039-10.FC3.9.legacy.src.rpm

i386:

http://download.fedoralegacy.org/fedora/3/updates/i386/udev-039-10.FC3.9.legacy.i386.rpm

x86_64:

http://download.fedoralegacy.org/fedora/3/updates/x86_64/udev-039-10.FC3.9.legacy.x86_64.rpm

7. Verification:


These packages are GPG signed by Fedora Legacy for security. Our
key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been
corrupted or tampered with, examine only the sha1sum with the
following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3631

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>.
More project details at http://www.fedoralegacy.org



Fedora Legacy Update Advisory

Synopsis: Updated mod_auth_pgsql package fixes security issue
Advisory ID: FLSA:177326
Issue date: 2006-02-27
Product: Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-3656



1. Topic:

An updated mod_auth_pgsql package that fixes a format string
flaw is now available.

The mod_auth_pgsql package is an httpd module that allows user
authentication against information stored in a PostgreSQL
database.

2. Relevant releases/architectures:

Fedora Core 1 – i386
Fedora Core 2 – i386

3. Problem description:

Several format string flaws were found in the way mod_auth_pgsql
logs information. It may be possible for a remote attacker to
execute arbitrary code as the ‘apache’ user if mod_auth_pgsql is
used for user authentication. The Common Vulnerabilities and
Exposures project assigned the name CVE-2005-3656 to this
issue.

Please note that this issue only affects servers which have
mod_auth_pgsql installed and configured to perform user
authentication against a PostgreSQL database.

All users of mod_auth_pgsql should upgrade to these updated
packages, which contain a backported patch to resolve this
issue.

4. Solution:

Before applying this update, make sure all previously released
errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.
Only those RPMs which are currently installed will be updated.
Those RPMs which are not installed but included in the list will
not be updated. Note that you can also use wildcards (*.rpm) if
your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt.
Many people find this an easier way to apply updates. To use yum
issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that
you have yum or apt-get configured for obtaining Fedora Legacy
content. Please visit http://www.fedoralegacy.org/docs
for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=177326

6. RPMs required:

Fedora Core 1:

SRPM:

http://download.fedoralegacy.org/fedora/1/updates/SRPMS/mod_auth_pgsql-2.0.1-3.1.legacy.src.rpm

i386:

http://download.fedoralegacy.org/fedora/1/updates/i386/mod_auth_pgsql-2.0.1-3.1.legacy.i386.rpm

Fedora Core 2:

SRPM:

http://download.fedoralegacy.org/fedora/2/updates/SRPMS/mod_auth_pgsql-2.0.1-4.2.legacy.src.rpm

i386:

http://download.fedoralegacy.org/fedora/2/updates/i386/mod_auth_pgsql-2.0.1-4.2.legacy.i386.rpm

7. Verification:


These packages are GPG signed by Fedora Legacy for security. Our
key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been
corrupted or tampered with, examine only the sha1sum with the
following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3656

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>.
More project details at http://www.fedoralegacy.org



Fedora Legacy Update Advisory

Synopsis: Updated auth_ldap package fixes security issue
Advisory ID: FLSA:177694
Issue date: 2006-02-27
Product: Red Hat Linux
Keywords: Bugfix
CVE Names: CVE-2006-0150



1. Topic:

An updated auth_ldap package that fixes a format string security
issue is now available for Red Hat Linux 7.3.

The auth_ldap package is an httpd module that allows user
authentication against information stored in an LDAP database.

2. Relevant releases/architectures:

Red Hat Linux 7.3 – i386

3. Problem description:

A format string flaw was found in the way auth_ldap logs
information. It may be possible for a remote attacker to execute
arbitrary code as the ‘apache’ user if auth_ldap is used for user
authentication. The Common Vulnerabilities and Exposures project
(cve.mitre.org/) assigned the
name CVE-2006-0150 to this issue.

Note that this issue only affects servers that have auth_ldap
installed and configured to perform user authentication against an
LDAP database.

All users of auth_ldap should upgrade to this updated package,
which contains a backported patch to resolve this issue.

4. Solution:

Before applying this update, make sure all previously released
errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.
Only those RPMs which are currently installed will be updated.
Those RPMs which are not installed but included in the list will
not be updated. Note that you can also use wildcards (*.rpm) if
your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt.
Many people find this an easier way to apply updates. To use yum
issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that
you have yum or apt-get configured for obtaining Fedora Legacy
content. Please visit http://www.fedoralegacy.org/docs
for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=177694

6. RPMs required:

Red Hat Linux 7.3:
SRPM:

http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/auth_ldap-1.6.0-4.2.legacy.src.rpm

i386:

http://download.fedoralegacy.org/redhat/7.3/updates/i386/auth_ldap-1.6.0-4.2.legacy.i386.rpm

7. Verification:


These packages are GPG signed by Fedora Legacy for security. Our
key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been
corrupted or tampered with, examine only the sha1sum with the
following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0150

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>.
More project details at http://www.fedoralegacy.org



Fedora Legacy Update Advisory

Synopsis: Updated gnutls packages fix a security issue
Advisory ID: FLSA:181014
Issue date: 2006-02-27
Product: Fedora Core
Keywords: Bugfix
CVE Names: CVE-2006-0645



1. Topic:

Updated gnutls packages that fix a security issue are now
available.

The GNU TLS Library provides support for cryptographic
algorithms and protocols such as TLS. GNU TLS includes Libtasn1, a
library developed for ASN.1 structures management that includes DER
encoding and decoding.

2. Relevant releases/architectures:

Fedora Core 3 – i386, x86_64

3. Problem description:

Several flaws were found in the way libtasn1 decodes DER. An
attacker could create a carefully crafted invalid X.509 certificate
in such a way that could trigger this flaw if parsed by an
application that uses GNU TLS. This could lead to a denial of
service (application crash). It is not certain if this issue could
be escalated to allow arbitrary code execution. The Common
Vulnerabilities and Exposures project assigned the name
CVE-2006-0645 to this issue.

Users are advised to upgrade to these updated packages, which
contain a backported patch from the GNU TLS maintainers to correct
this issue.

4. Solution:

Before applying this update, make sure all previously released
errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.
Only those RPMs which are currently installed will be updated.
Those RPMs which are not installed but included in the list will
not be updated. Note that you can also use wildcards (*.rpm) if
your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt.
Many people find this an easier way to apply updates. To use yum
issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that
you have yum or apt-get configured for obtaining Fedora Legacy
content. Please visit http://www.fedoralegacy.org/docs
for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=181014

6. RPMs required:

Fedora Core 3:

SRPM:

http://download.fedoralegacy.org/fedora/3/updates/SRPMS/gnutls-1.0.20-3.1.3.legacy.src.rpm

i386:

http://download.fedoralegacy.org/fedora/3/updates/i386/gnutls-1.0.20-3.1.3.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/3/updates/i386/gnutls-devel-1.0.20-3.1.3.legacy.i386.rpm

x86_64:

http://download.fedoralegacy.org/fedora/3/updates/x86_64/gnutls-1.0.20-3.1.3.legacy.i386.rpm


http://download.fedoralegacy.org/fedora/3/updates/x86_64/gnutls-1.0.20-3.1.3.legacy.x86_64.rpm


http://download.fedoralegacy.org/fedora/3/updates/x86_64/gnutls-devel-1.0.20-3.1.3.legacy.x86_64.rpm

7. Verification:


These packages are GPG signed by Fedora Legacy for security. Our
key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been
corrupted or tampered with, examine only the sha1sum with the
following command:

sha1sum <filename>
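
The verification step that each Fedora Legacy advisory on this page describes (rpm --checksig -v for the signature, sha1sum against the section 7 table for integrity), worked through as an added example that is not part of the advisories: a POSIX sh function, verify_advisory_sha1, that checks every entry of a pasted "SHA1 sum  Package Name" table against a local download directory, assuming the downloads keep the mirror's relative paths (fedora/3/updates/i386/...). The fixture built by make_fixture uses constructed text files and digests as stand-ins, not the advisory's real packages.

```shell
#!/bin/sh
# Added example, not code from the Fedora Legacy advisories: check downloaded
# packages against an advisory's "SHA1 sum  Package Name" table (section 7).
# This is the integrity half of the verification the advisories describe;
# authenticity still comes from the signature check, rpm --checksig -v.

# verify_advisory_sha1 DOWNLOAD_DIR TABLE_FILE
#   TABLE_FILE holds the section-7 table as published, one entry per line:
#   "<40-hex sha1>  <path relative to the mirror root>". The same relative
#   layout is assumed under DOWNLOAD_DIR (e.g. fedora/3/updates/i386/...).
#   Prints one status line per entry; returns 0 only if every listed file is
#   present and its digest matches.
verify_advisory_sha1() {
    dir=$1
    table=$2
    failures=0
    while read -r expected relpath _; do
        # The table can be pasted verbatim: skip blank lines, the header line
        # and anything that is not a 40-hex-digit digest.
        case $expected in
            ''|*[!0-9a-f]*) continue ;;
        esac
        [ "${#expected}" -eq 40 ] || continue
        if [ -z "$relpath" ]; then
            # Tolerate the two-line layout some copies of the table have
            # (digest on one line, path on the next).
            read -r relpath _ || break
        fi
        file="$dir/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING   $relpath"
            failures=$((failures + 1))
            continue
        fi
        actual=$(sha1sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK        $relpath"
        else
            echo "MISMATCH  $relpath (advisory $expected, local $actual)"
            failures=$((failures + 1))
        fi
    done < "$table"
    [ "$failures" -eq 0 ]
}

# make_fixture: build a constructed download tree in a temp dir and print its
# path. The "packages" are plain text stand-ins, not real RPMs; the table
# reuses the advisory's path layout and header. Three cases are set up: an
# intact file, a file modified after the table was written (tampered), and
# an entry whose file was never downloaded.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/fedora/3/updates/i386"
    printf 'constructed intact package\n'   > "$d/fedora/3/updates/i386/pkg-intact.rpm"
    printf 'constructed original package\n' > "$d/fedora/3/updates/i386/pkg-tampered.rpm"
    {
        echo 'SHA1 sum                                  Package Name'
        echo
        for f in pkg-intact.rpm pkg-tampered.rpm; do
            sum=$(sha1sum "$d/fedora/3/updates/i386/$f" | cut -d' ' -f1)
            echo "$sum  fedora/3/updates/i386/$f"
        done
        # Constructed digest for a package that is listed but not downloaded.
        echo 'da39a3ee5e6b4b0d3255bfef95601890afd80709  fedora/3/updates/i386/pkg-missing.rpm'
    } > "$d/advisory-sha1.txt"
    # Tamper after hashing, so the recorded digest no longer matches.
    printf 'constructed modified package\n' > "$d/fedora/3/updates/i386/pkg-tampered.rpm"
    # A second table listing only the intact file, for the all-good case.
    grep pkg-intact "$d/advisory-sha1.txt" > "$d/advisory-good.txt"
    echo "$d"
}

# Stand-alone run: exercise both tables and show the per-entry report.
if [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixture)
    verify_advisory_sha1 "$fx" "$fx/advisory-good.txt" && echo "good table: all OK"
    verify_advisory_sha1 "$fx" "$fx/advisory-sha1.txt" || echo "full table: verification failed"
    rm -rf "$fx"
fi
```

Run with --demo to see the per-entry report. A matching digest only shows the file is the one the advisory lists; the signature check remains the step that establishes who published it.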

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0645

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>.
More project details at http://www.fedoralegacy.org


Mandriva Linux


Mandriva Linux Security Advisory MDKSA-2006:049
http://www.mandriva.com/security/


Package : squirrelmail
Date : February 27, 2006
Affected: Corporate 3.0


Problem Description:

Webmail.php in SquirrelMail 1.4.0 to 1.4.5 allows remote
attackers to inject arbitrary web pages into the right frame via a
URL in the right_frame parameter. NOTE: this has been called a
cross-site scripting (XSS) issue, but it is different than what is
normally identified as XSS. (CVE-2006-0188)

Interpretation conflict in the MagicHTML filter in SquirrelMail
1.4.0 to 1.4.5 allows remote attackers to conduct cross-site
scripting (XSS) attacks via style sheet specifiers with invalid (1)
“/*” and “*/” comments, or (2) a newline in a “url” specifier,
which is processed by certain web browsers including Internet
Explorer. (CVE-2006-0195)

CRLF injection vulnerability in SquirrelMail 1.4.0 to 1.4.5
allows remote attackers to inject arbitrary IMAP commands via
newline characters in the mailbox parameter of the
sqimap_mailbox_select command, aka “IMAP injection.”
(CVE-2006-0377)

Updated packages are patched to address these issues.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0188

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0195

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0377


Updated Packages:

Corporate 3.0:
a8a4f0d87a51ad6507b022d0969090b7  corporate/3.0/RPMS/squirrelmail-1.4.5-1.2.C30mdk.noarch.rpm
4c2c56ffffe0613d8357dc3f3b83558b  corporate/3.0/RPMS/squirrelmail-poutils-1.4.5-1.2.C30mdk.noarch.rpm
ffab86ae7438d6f23bd934d17d38c41f  corporate/3.0/SRPMS/squirrelmail-1.4.5-1.2.C30mdk.src.rpm

Corporate 3.0/X86_64:
ef2a5ee98b793f81be3e87ec8efb1f30  x86_64/corporate/3.0/RPMS/squirrelmail-1.4.5-1.2.C30mdk.noarch.rpm
cf91cf6ca3f2bd737b475a1037a521ef  x86_64/corporate/3.0/RPMS/squirrelmail-poutils-1.4.5-1.2.C30mdk.noarch.rpm
ffab86ae7438d6f23bd934d17d38c41f  x86_64/corporate/3.0/SRPMS/squirrelmail-1.4.5-1.2.C30mdk.src.rpm


To upgrade automatically use MandrivaUpdate or urpmi. The
verification of md5 checksums and GPG signatures is performed
automatically for you.

All packages are signed by Mandriva for security. You can obtain
the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID      Date       User ID
pub  1024D/22458A98  2000-07-10 Mandriva Security Team <security*mandriva.com>


Mandriva Linux Security Advisory MDKSA-2005:050
http://www.mandriva.com/security/


Package : unzip
Date : February 27, 2005
Affected: 10.2, 2006.0, Corporate 3.0, Multi Network Firewall 2.0


Problem Description:

A buffer overflow was found in how unzip handles file name
arguments. If a user could be tricked into processing a specially
crafted, excessively long file name with unzip, an attacker could
execute arbitrary code with the user's privileges.

The updated packages have been patched to address this
issue.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4667


Updated Packages:

Mandriva Linux 10.2:
56ed53b98b79934d0f4292a4e067eae6  10.2/RPMS/unzip-5.51-1.3.102mdk.i586.rpm
33b9f50fab728e3b3c38c6d4f4002314  10.2/SRPMS/unzip-5.51-1.3.102mdk.src.rpm

Mandriva Linux 10.2/X86_64:
4dde5ce888845056867be10129f61df4  x86_64/10.2/RPMS/unzip-5.51-1.3.102mdk.x86_64.rpm
33b9f50fab728e3b3c38c6d4f4002314  x86_64/10.2/SRPMS/unzip-5.51-1.3.102mdk.src.rpm

Mandriva Linux 2006.0:
3d3dcc95fccacd8033c452774994da1e  2006.0/RPMS/unzip-5.52-1.3.20060mdk.i586.rpm
d45d6caaf656e5f04ce934a61a48a3e6  2006.0/SRPMS/unzip-5.52-1.3.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
b73080d55771a4a9572d9879b55db012  x86_64/2006.0/RPMS/unzip-5.52-1.3.20060mdk.x86_64.rpm
d45d6caaf656e5f04ce934a61a48a3e6  x86_64/2006.0/SRPMS/unzip-5.52-1.3.20060mdk.src.rpm

Corporate 3.0:
9ebf9de576ed5f9ca73362e7bea27849  corporate/3.0/RPMS/unzip-5.50-9.3.C30mdk.i586.rpm
f3693c4ebec532b5a86f382981c81a4c  corporate/3.0/SRPMS/unzip-5.50-9.3.C30mdk.src.rpm

Corporate 3.0/X86_64:
adce6e507a360b3132ec83f038d44bd7  x86_64/corporate/3.0/RPMS/unzip-5.50-9.3.C30mdk.x86_64.rpm
f3693c4ebec532b5a86f382981c81a4c  x86_64/corporate/3.0/SRPMS/unzip-5.50-9.3.C30mdk.src.rpm

Multi Network Firewall 2.0:
075d5b7cefc2a93053e48dde5adb09ee  mnf/2.0/RPMS/unzip-5.50-9.3.M20mdk.i586.rpm
12e0a95ab72239096c9110f8a1f98661  mnf/2.0/SRPMS/unzip-5.50-9.3.M20mdk.src.rpm


To upgrade automatically use MandrivaUpdate or urpmi. The
verification of md5 checksums and GPG signatures is performed
automatically for you.

All packages are signed by Mandriva for security. You can obtain
the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID      Date       User ID
pub  1024D/22458A98  2000-07-10 Mandriva Security Team <security*mandriva.com>


Mandriva Linux Security Advisory MDKSA-2006:051
http://www.mandriva.com/security/


Package : gettext
Date : February 28, 2006
Affected: Corporate 3.0, Multi Network Firewall 2.0


Problem Description:

The Trustix developers discovered temporary file vulnerabilities
in the autopoint and gettextize scripts, part of GNU gettext. These
scripts insecurely created temporary files which could allow a
malicious user to overwrite another user's files via a symlink
attack.

The updated packages have been patched to address this
issue.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966


Updated Packages:

Corporate 3.0:
3e90a65b63c6cef50ea2362b97d601af  corporate/3.0/RPMS/gettext-0.13.1-1.3.C30mdk.i586.rpm
88645a36cc137b6d15baff31df84bb5f  corporate/3.0/RPMS/gettext-base-0.13.1-1.3.C30mdk.i586.rpm
122cf7a4d0173cd80c3c6a388b76ec5a  corporate/3.0/RPMS/gettext-devel-0.13.1-1.3.C30mdk.i586.rpm
d9e9d121c5833e80c9bbd642af24fb40  corporate/3.0/RPMS/gettext-java-0.13.1-1.3.C30mdk.i586.rpm
7aa6d70debb3c1814333fca662e23cac  corporate/3.0/RPMS/libgettextmisc-0.13.1-1.3.C30mdk.i586.rpm
cfe279f682d65f910505e069b911d7c7  corporate/3.0/RPMS/libintl2-0.13.1-1.3.C30mdk.i586.rpm
fc15df73311804bf0fd371fa9682c0c5  corporate/3.0/SRPMS/gettext-0.13.1-1.3.C30mdk.src.rpm

Corporate 3.0/X86_64:
c3648f970e7794014773ddedd68eaf91  x86_64/corporate/3.0/RPMS/gettext-0.13.1-1.3.C30mdk.x86_64.rpm
d876576394822262df7e2351775c1aaa  x86_64/corporate/3.0/RPMS/gettext-base-0.13.1-1.3.C30mdk.x86_64.rpm
af77cf6ee5a7d238ec122fbc4af7d353  x86_64/corporate/3.0/RPMS/gettext-devel-0.13.1-1.3.C30mdk.x86_64.rpm
1173d049f6621cd8ff8d0396d24eb097  x86_64/corporate/3.0/RPMS/gettext-java-0.13.1-1.3.C30mdk.x86_64.rpm
f757f8a584bfc7ebd99d13a92415241b  x86_64/corporate/3.0/RPMS/lib64gettextmisc-0.13.1-1.3.C30mdk.x86_64.rpm
ecb7b9c26a607287c10f12bc70d5ffa9  x86_64/corporate/3.0/RPMS/lib64intl2-0.13.1-1.3.C30mdk.x86_64.rpm
fc15df73311804bf0fd371fa9682c0c5  x86_64/corporate/3.0/SRPMS/gettext-0.13.1-1.3.C30mdk.src.rpm

Multi Network Firewall 2.0:
bf7a130a64632e27c4c0e35bcce1838d  mnf/2.0/RPMS/gettext-0.13.1-1.3.M20mdk.i586.rpm
26b569b31b5786eb3dc90c466ad42951  mnf/2.0/RPMS/gettext-base-0.13.1-1.3.M20mdk.i586.rpm
513319968508b7d6c22135aed2a4ebcf  mnf/2.0/RPMS/gettext-devel-0.13.1-1.3.M20mdk.i586.rpm
8ebc491dd574ec6e9624776b39adb08e  mnf/2.0/RPMS/gettext-java-0.13.1-1.3.M20mdk.i586.rpm
d7efcc35298ade62c0d21b75cec11d35  mnf/2.0/RPMS/libgettextmisc-0.13.1-1.3.M20mdk.i586.rpm
d0993ab7f263642207f1ae95f4861525  mnf/2.0/RPMS/libintl2-0.13.1-1.3.M20mdk.i586.rpm
76fec48911a57db5edad551ae40cb3d1  mnf/2.0/SRPMS/gettext-0.13.1-1.3.M20mdk.src.rpm


To upgrade automatically use MandrivaUpdate or urpmi. The
verification of md5 checksums and GPG signatures is performed
automatically for you.

All packages are signed by Mandriva for security. You can obtain
the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID      Date       User ID
pub  1024D/22458A98  2000-07-10 Mandriva Security Team <security*mandriva.com>
