Advisories: May 18, 2005

Debian GNU/Linux

Debian Security Advisory DSA 724-1 security@debian.org
http://www.debian.org/security/
Martin Schulze
May 18th, 2005 http://www.debian.org/security/faq

Package : phpsysinfo
Vulnerability : design flaw
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-0870
Debian Bug : 301118

Maksymilian Arciemowicz discoverd several cross site scripting
issues in phpsysinfo, a PHP based host information application.

For the stable distribution (woody) these problems have been
fixed in version 2.0-3woody2.

For the testing (sarge) and unstable (sid) distribution these
problems have been fixed in version 2.3-3.

We recommend that you upgrade your phpsysinfo package.

Upgrade Instructions

wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody

Source archives:

http://security.debian.org/pool/updates/main/p/phpsysinfo/phpsysinfo_2.0-3woody2.dsc

Size/MD5 checksum: 622 bc59ec24d7ef4b8b1c0e17cd7753fa19

http://security.debian.org/pool/updates/main/p/phpsysinfo/phpsysinfo_2.0-3woody2.diff.gz

Size/MD5 checksum: 2765 a6933aed26ea8425379b37b2ae7c8ba8

http://security.debian.org/pool/updates/main/p/phpsysinfo/phpsysinfo_2.0.orig.tar.gz

Size/MD5 checksum: 48104 abd184ebc003aeba07d9945bb9c6ff0f

Architecture independent components:

http://security.debian.org/pool/updates/main/p/phpsysinfo/phpsysinfo_2.0-3woody2_all.deb

Size/MD5 checksum: 42256 f714e679fc08c95a2bdada5c4371f07c

These files will probably be moved into the stable distribution
on its next update.

For apt-get: deb http://security.debian.org/
stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security
dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org

Package info: `apt-cache show <pkg>’ and http://packages.debian.org/<pkg>

Fedora Legacy

Fedora Legacy Update Advisory

Synopsis: Updated pam packages fix security issue
Advisory ID: FLSA:152771
Issue date: 2005-05-18
Product: Red Hat Linux
Keywords: Bugfix
CVE Names: CAN-2003-0388

1. Topic:

Updated pam packages that fix a security vulnerability are now
available.

PAM (Pluggable Authentication Modules) is a system security tool
that allows system administrators to set an authentication policy
without having to recompile programs that handle
authentication.

2. Relevant releases/architectures:

Red Hat Linux 7.3 – i386
Red Hat Linux 9 – i386

3. Problem description:

These updates fix a potential security problem present in the
pam_wheel module. These updates correct a bug in the pam_lastlog
module which prevented it from properly manipulating the
/var/log/lastlog entry for users with very high user IDs.

The pam_wheel module is used to restrict access to a particular
service based on group membership. If the pam_wheel module was used
with the “trust” option enabled, but without the “use_uid” option,
any local user would be able to spoof the username returned by
getlogin(). The user could therefore gain access to a superuser
account without supplying a password. The Common Vulnerabilities
and Exposures project (cve.mitre.org/) has assigned the name
CAN-2003-0388 to this issue.

When manipulating the entry in /var/log/lastlog, which
corresponds to a given user, the pam_lastlog module calculates the
location of the entry by multiplying the UID and the length of an
entry in the file. On some systems, the result of this calculation
would mistakenly be truncated to 32 bits for users with
sufficiently high UIDs.

All users of pam should upgrade to these updated packages, which
resolve these issues.

4. Solution:

Before applying this update, make sure all previously released
errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.
Only those RPMs which are currently installed will be updated.
Those RPMs which are not installed but included in the list will
not be updated. Note that you can also use wildcards (*.rpm) if
your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt.
Many people find this an easier way to apply updates. To use yum
issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that
you have yum or apt-get configured for obtaining Fedora Legacy
content. Please visit http://www.fedoralegacy.org/docs
for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152771

6. RPMs required:

Red Hat Linux 7.3:
SRPM:

http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/pam-0.75-46.10.legacy.7x.src.rpm

i386:

http://download.fedoralegacy.org/redhat/7.3/updates/i386/pam-0.75-46.10.legacy.7x.i386.rpm

http://download.fedoralegacy.org/redhat/7.3/updates/i386/pam-devel-0.75-46.10.legacy.7x.i386.rpm

Red Hat Linux 9:

SRPM:

http://download.fedoralegacy.org/redhat/9/updates/SRPMS/pam-0.75-62.10.legacy.src.rpm

i386:

http://download.fedoralegacy.org/redhat/9/updates/i386/pam-0.75-62.10.legacy.i386.rpm

http://download.fedoralegacy.org/redhat/9/updates/i386/pam-devel-0.75-62.10.legacy.i386.rpm

7. Verification:

SHA1 sum Package Name

bb7b9e1c63be2eb2064b46eacaf8d0ce68594d11
redhat/7.3/updates/i386/pam-0.75-46.10.legacy.7x.i386.rpm
9af62c26654ba14bde7bf6e3b59b9b4f62fd5d35
redhat/7.3/updates/i386/pam-devel-0.75-46.10.legacy.7x.i386.rpm
8f06c0d3a0cb5938206c4d2d20484f325ebcca42
redhat/7.3/updates/SRPMS/pam-0.75-46.10.legacy.7x.src.rpm
622eac1455b5ccb0cf75705cc0f42b3226f9cc31
redhat/9/updates/i386/pam-0.75-62.10.legacy.i386.rpm
18c330ff1ef063f21a3b3c8eb297d09bb004ee67
redhat/9/updates/i386/pam-devel-0.75-62.10.legacy.i386.rpm
8c10c919199f35e5ef785b57f35a8d300d3ea01e
redhat/9/updates/SRPMS/pam-0.75-62.10.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our
key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm –checksig -v <filename>

If you only wish to verify that each package has not been
corrupted or tampered with, examine only the sha1sum with the
following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0388

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>.
More project details at http://www.fedoralegacy.org

Fedora Legacy Update Advisory

Synopsis: Updated mozilla packages fix security issues
Advisory ID: FLSA:152883
Issue date: 2005-05-18
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CAN-2004-0906 CAN-2004-1156 CAN-2004-1316
CAN-2004-1380 CAN-2004-1613 CAN-2005-0141
CAN-2005-0142 CAN-2005-0578 CAN-2005-0143
CAN-2005-0593 CAN-2005-0144 CAN-2005-0146
CAN-2005-0147 CAN-2005-0149 CAN-2005-0231
CAN-2005-0232 CAN-2005-0527 CAN-2005-0233
CAN-2005-0399 CAN-2005-0401 CAN-2005-0584
CAN-2005-0585 CAN-2005-0586 CAN-2005-0590
CAN-2005-0591 CAN-2005-0588 CAN-2005-0989
CAN-2005-1153 CAN-2005-1154 CAN-2005-1155
CAN-2005-1159 CAN-2005-1160 CAN-2005-1156
CAN-2005-1157

1. Topic:

Updated mozilla packages that fix various bugs are now
available.

Mozilla is an open source Web browser, advanced email and
newsgroup client, IRC chat client, and HTML editor.

2. Relevant releases/architectures:

Red Hat Linux 7.3 – i386
Red Hat Linux 9 – i386
Fedora Core 1 – i386
Fedora Core 2 – i386

3. Problem description:

A bug was found in the way Mozilla sets file permissions when
installing XPI packages. It is possible for an XPI package to
install some files world readable or writable, allowing a malicious
local user to steal information or execute arbitrary code. The
Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name
CAN-2004-0906 to this issue.

A bug was found in the way Mozilla handles pop-up windows. It is
possible for a malicious website to control the content in an
unrelated site’s pop-up window. (CAN-2004-1156)

iSEC Security Research has discovered a buffer overflow bug in
the way Mozilla handles NNTP URLs. If a user visits a malicious web
page or is convinced to click on a malicious link, it may be
possible for an attacker to execute arbitrary code on the victim’s
machine. (CAN-2004-1316)

A bug was found in the way Mozilla displays dialog windows. It
is possible that a malicious web page which is being displayed in a
background tab could present the user with a dialog window
appearing to come from the active page. (CAN-2004-1380)

A bug was found in the way Mozilla handles certain start tags
followed by a NULL character. A malicious web page could cause
Mozilla to crash when viewed by a victim. (CAN-2004-1613)

A bug was found in the way Mozilla loads links in a new tab
which are middle clicked. A malicious web page could read local
files or modify privileged chrom settings. (CAN-2005-0141)

Several bugs were found with the way Mozilla handles temporary
files. A local user could view sensitive temporary information or
delete arbitrary files. (CAN-2005-0142 CAN-2005-0578)

Several bugs were found with the way Mozilla displays the secure
site icon. It is possible that a malicious website could display
the secure site icon along with incorrect certificate information.
(CAN-2005-0143 CAN-2005-0593)

A bug was found in the way Mozilla displays the secure site
icon. A malicious web page can use a view-source URL targetted at a
secure page, while loading an insecure page, yet the secure site
icon shows the previous secure state. (CAN-2005-0144)

A bug was found in the way Mozilla handles synthetic middle
click events. It is possible for a malicious web page to steal the
contents of a victims clipboard. (CAN-2005-0146)

A bug was found in the way Mozilla responds to proxy auth
requests. It is possible for a malicious webserver to steal
credentials from a victims browser by issuing a 407 proxy
authentication request. (CAN-2005-0147)

A bug was found in the way Mozilla Mail handles cookies when
loading content over HTTP regardless of the user’s preference. It
is possible that a particular user could be tracked through the use
of malicious mail messages which load content over HTTP.
(CAN-2005-0149)

A bug was found in the Mozilla javascript security manager. If a
user drags a malicious link to a tab, the javascript security
manager is bypassed, which could result in remote code execution or
information disclosure. (CAN-2005-0231)

A bug was found in the way Mozilla allows plug-ins to load
privileged content into a frame. It is possible that a malicious
webpage could trick a user into clicking in certain places to
modify configuration settings or execute arbitrary code.
(CAN-2005-0232 and CAN-2005-0527)

A flaw was found in the way Mozilla displays international
domain names. It is possible for an attacker to display a valid
URL, tricking the user into thinking they are viewing a legitimate
webpage when they are not. (CAN-2005-0233)

A buffer overflow bug was found in the way Mozilla processes GIF
images. It is possible for an attacker to create a specially
crafted GIF image, which when viewed by a victim will execute
arbitrary code as the victim. (CAN-2005-0399)

A bug was found in the way Mozilla processes XUL content. If a
malicious web page can trick a user into dragging an object, it is
possible to load malicious XUL content. (CAN-2005-0401)

Several bugs were found in the way Mozilla displays alert
dialogs. It is possible for a malicious webserver or website to
trick a user into thinking the dialog window is being generated
from a trusted site. (CAN-2005-0584 CAN-2005-0585 CAN-2005-0586
CAN-2005-0590 CAN-2005-0591)

A bug was found in the way Mozilla handles xsl:include and
xsl:import directives. It is possible for a malicious website to
import XSLT stylesheets from a domain behind a firewall, leaking
information to an attacker. (CAN-2005-0588)

A bug was found in the way Mozilla handles anonymous functions
during regular expression string replacement. It is possible for a
malicious web page to capture a random block of browser memory.
(CAN-2005-0989)

A bug was found in the way Mozilla displays pop-up windows. If a
user choses to open a pop-up window whose URL is malicious
javascript, the script will be executed with elevated privileges.
(CAN-2005-1153)

Several bugs were found in the Mozilla javascript engine. A
malicious web page could leverage these issues to execute
javascript with elevated privileges or steal sensitive information.
(CAN-2005-1154 CAN-2005-1155 CAN-2005-1159 CAN-2005-1160)

A bug was found in the way Mozilla installed search plugins. If
a user chooses to install a search plugin from a malicious site,
the new plugin could silently overwrite an existing plugin. This
could allow the malicious plugin to execute arbitrary code and
stealm sensitive information. (CAN-2005-1156 CAN-2005-1157)

Users of Mozilla are advised to upgrade to this updated package
which contains Mozilla version 1.7.7 to correct these issues.

4. Solution:

Before applying this update, make sure all previously released
errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

Please note that this update is also available via yum and apt.
Many people find this an easier way to apply updates. To use yum
issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152883

6. RPMs required:

Red Hat Linux 7.3:
SRPM:

http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mozilla-1.7.7-0.73.2.legacy.src.rpm

http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/galeon-1.2.14-0.73.2.legacy.src.rpm

i386:

http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-1.7.7-0.73.2.legacy.i386.rpm

http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-chat-1.7.7-0.73.2.legacy.i386.rpm

http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-devel-1.7.7-0.73.2.legacy.i386.rpm

http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-dom-inspector-1.7.7-0.73.2.legacy.i386.rpm

http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-js-debugger-1.7.7-0.73.2.legacy.i386.rpm

http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-mail-1.7.7-0.73.2.legacy.i386.rpm

http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nspr-1.7.7-0.73.2.legacy.i386.rpm

http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nspr-devel-1.7.7-0.73.2.legacy.i386.rpm

http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nss-1.7.7-0.73.2.legacy.i386.rpm

http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nss-devel-1.7.7-0.73.2.legacy.i386.rpm

http://download.fedoralegacy.org/redhat/7.3/updates/i386/galeon-1.2.14-0.73.2.legacy.i386.rpm

Red Hat Linux 9:

SRPM:

http://download.fedoralegacy.org/redhat/9/updates/SRPMS/mozilla-1.7.7-0.90.1.legacy.src.rpm

http://download.fedoralegacy.org/redhat/9/updates/SRPMS/galeon-1.2.14-0.90.2.legacy.src.rpm

i386:

http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-1.7.7-0.90.1.legacy.i386.rpm

http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-chat-1.7.7-0.90.1.legacy.i386.rpm

http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-devel-1.7.7-0.90.1.legacy.i386.rpm

http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-dom-inspector-1.7.7-0.90.1.legacy.i386.rpm

http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-js-debugger-1.7.7-0.90.1.legacy.i386.rpm

http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-mail-1.7.7-0.90.1.legacy.i386.rpm

http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nspr-1.7.7-0.90.1.legacy.i386.rpm

http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nspr-devel-1.7.7-0.90.1.legacy.i386.rpm

http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nss-1.7.7-0.90.1.legacy.i386.rpm

http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nss-devel-1.7.7-0.90.1.legacy.i386.rpm

http://download.fedoralegacy.org/redhat/9/updates/i386/galeon-1.2.14-0.90.2.legacy.i386.rpm

Fedora Core 1:

SRPM:

http://download.fedoralegacy.org/fedora/1/updates/SRPMS/mozilla-1.7.7-1.1.2.legacy.src.rpm

http://download.fedoralegacy.org/fedora/1/updates/SRPMS/epiphany-1.0.8-1.fc1.2.legacy.src.rpm

i386:

http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-1.7.7-1.1.2.legacy.i386.rpm

http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-chat-1.7.7-1.1.2.legacy.i386.rpm

http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-devel-1.7.7-1.1.2.legacy.i386.rpm

http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-dom-inspector-1.7.7-1.1.2.legacy.i386.rpm

http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-js-debugger-1.7.7-1.1.2.legacy.i386.rpm

http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-mail-1.7.7-1.1.2.legacy.i386.rpm

http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nspr-1.7.7-1.1.2.legacy.i386.rpm

http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nspr-devel-1.7.7-1.1.2.legacy.i386.rpm

http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nss-1.7.7-1.1.2.legacy.i386.rpm

http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nss-devel-1.7.7-1.1.2.legacy.i386.rpm

http://download.fedoralegacy.org/fedora/1/updates/i386/epiphany-1.0.8-1.fc1.2.legacy.i386.rpm

Fedora Core 2:

SRPM:

http://download.fedoralegacy.org/fedora/2/updates/SRPMS/mozilla-1.7.7-1.2.2.legacy.src.rpm

http://download.fedoralegacy.org/fedora/2/updates/SRPMS/epiphany-1.2.10-0.2.3.legacy.src.rpm

http://download.fedoralegacy.org/fedora/2/updates/SRPMS/devhelp-0.9.1-0.2.6.legacy.src.rpm

i386:

http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-1.7.7-1.2.2.legacy.i386.rpm

http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-chat-1.7.7-1.2.2.legacy.i386.rpm

http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-devel-1.7.7-1.2.2.legacy.i386.rpm

http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-dom-inspector-1.7.7-1.2.2.legacy.i386.rpm

http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-js-debugger-1.7.7-1.2.2.legacy.i386.rpm

http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-mail-1.7.7-1.2.2.legacy.i386.rpm

http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nspr-1.7.7-1.2.2.legacy.i386.rpm

http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nspr-devel-1.7.7-1.2.2.legacy.i386.rpm

http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nss-1.7.7-1.2.2.legacy.i386.rpm

http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nss-devel-1.7.7-1.2.2.legacy.i386.rpm

http://download.fedoralegacy.org/fedora/2/updates/i386/epiphany-1.2.10-0.2.3.legacy.i386.rpm

http://download.fedoralegacy.org/fedora/2/updates/i386/devhelp-0.9.1-0.2.6.legacy.i386.rpm

http://download.fedoralegacy.org/fedora/2/updates/i386/devhelp-devel-0.9.1-0.2.6.legacy.i386.rpm

7. Verification:

SHA1 sum Package Name

9acd3892e1ec3b272274ed250f630e316e72334c
redhat/7.3/updates/i386/mozilla-1.7.7-0.73.2.legacy.i386.rpm
bdf6c767bd8d8a1dc74138e8da7c1672b1934764
redhat/7.3/updates/i386/mozilla-chat-1.7.7-0.73.2.legacy.i386.rpm

7168b5bfcd5a090b62464f8b7d82d20bff365ba5
redhat/7.3/updates/i386/mozilla-devel-1.7.7-0.73.2.legacy.i386.rpm

6baa66d77ecbaf4aefcd99e42dbc81dee8b5533b
redhat/7.3/updates/i386/mozilla-dom-inspector-1.7.7-0.73.2.legacy.i386.rpm

c8fd69f3e6e3a63554382ec412208f74a48ba8fe
redhat/7.3/updates/i386/mozilla-js-debugger-1.7.7-0.73.2.legacy.i386.rpm

83a181ed9ecade3c9cb3cd3f64ac7cdd5add9057
redhat/7.3/updates/i386/mozilla-mail-1.7.7-0.73.2.legacy.i386.rpm

904dd59f1b4d5e4426232549848b83a9e407e2ba
redhat/7.3/updates/i386/mozilla-nspr-1.7.7-0.73.2.legacy.i386.rpm

3513150062f0d54dfa14f3d4fc320114b72a95ad
redhat/7.3/updates/i386/mozilla-nspr-devel-1.7.7-0.73.2.legacy.i386.rpm

f56ac87aae05c1530cfc49844f59410ac3db82d9
redhat/7.3/updates/i386/mozilla-nss-1.7.7-0.73.2.legacy.i386.rpm

d4a42d185260a6778133dc51beb0098b637306c5
redhat/7.3/updates/i386/mozilla-nss-devel-1.7.7-0.73.2.legacy.i386.rpm

8f731240e4c04d12861836a20ebd51faac33db54
redhat/7.3/updates/SRPMS/mozilla-1.7.7-0.73.2.legacy.src.rpm
265ca0a31dd9a66b3de6364b1a8e0bab108ebedc
redhat/7.3/updates/i386/galeon-1.2.14-0.73.2.legacy.i386.rpm
591f6a2ab89ae9b5995cc172017bc8d5b39f0236
redhat/7.3/updates/SRPMS/galeon-1.2.14-0.73.2.legacy.src.rpm
3d70328b95b7af8ebb4a808ed2c6d58f8d8d3f32
redhat/9/updates/i386/mozilla-1.7.7-0.90.1.legacy.i386.rpm
f0602f47ebb9e66a600749832bf68b63787bde35
redhat/9/updates/i386/mozilla-chat-1.7.7-0.90.1.legacy.i386.rpm
005590efef49bb5d39f665d61b335496ca18798d
redhat/9/updates/i386/mozilla-devel-1.7.7-0.90.1.legacy.i386.rpm

5a54884ce7108215746ac96668018bdbe2e70494
redhat/9/updates/i386/mozilla-dom-inspector-1.7.7-0.90.1.legacy.i386.rpm

5fd7e6f7145787da6926807ad22a8cddaa14b927
redhat/9/updates/i386/mozilla-js-debugger-1.7.7-0.90.1.legacy.i386.rpm

0ea4683b6d02b6605e7c515ee6c4717ee443eee3
redhat/9/updates/i386/mozilla-mail-1.7.7-0.90.1.legacy.i386.rpm
cd8c01029571274c79dc3b0b083a68f61f8276b4
redhat/9/updates/i386/mozilla-nspr-1.7.7-0.90.1.legacy.i386.rpm
c043f95965b668bc18adb9a58b8e0f332f295285
redhat/9/updates/i386/mozilla-nspr-devel-1.7.7-0.90.1.legacy.i386.rpm

1b9952e1ae88be813398d47c56ccdb1c6297defb
redhat/9/updates/i386/mozilla-nss-1.7.7-0.90.1.legacy.i386.rpm
0048ddbfbccca48c2e3a20d436a8eeaeaa5e7d27
redhat/9/updates/i386/mozilla-nss-devel-1.7.7-0.90.1.legacy.i386.rpm

3ef84161c6d31a0a022e30dccfa38c3e48bfc826
redhat/9/updates/SRPMS/mozilla-1.7.7-0.90.1.legacy.src.rpm
f34febaaa2e03ffc62097a8abf977cfa98bce03a
redhat/9/updates/i386/galeon-1.2.14-0.90.2.legacy.i386.rpm
72ddc204978e74630ef9cab1e17a80a6a2e06658
redhat/9/updates/SRPMS/galeon-1.2.14-0.90.2.legacy.src.rpm
57100cb971334d7af508b63786aa08605515ca1c
fedora/1/updates/i386/mozilla-1.7.7-1.1.2.legacy.i386.rpm
d46f3963c22c7dd5460e5dcb54fe48001b9f2bf0
fedora/1/updates/i386/mozilla-chat-1.7.7-1.1.2.legacy.i386.rpm
c1fb6304d59a2b40afb0f897068d4790f7188d58
fedora/1/updates/i386/mozilla-devel-1.7.7-1.1.2.legacy.i386.rpm
2e6e6c51cc5f2ec33ed9da3f3cba5b8894cc41c6
fedora/1/updates/i386/mozilla-dom-inspector-1.7.7-1.1.2.legacy.i386.rpm

c341b4c436e57743b14fb535117fd22b0cbec5d9
fedora/1/updates/i386/mozilla-js-debugger-1.7.7-1.1.2.legacy.i386.rpm

7132f5a85829789980a6d3e99dcb8b693c2ca2f5
fedora/1/updates/i386/mozilla-mail-1.7.7-1.1.2.legacy.i386.rpm
97fc2ebf5fac4a9db7515d6ce040f69800d4b76f
fedora/1/updates/i386/mozilla-nspr-1.7.7-1.1.2.legacy.i386.rpm
4fc55c563a2dab1acea189205a74a55a3193fd90
fedora/1/updates/i386/mozilla-nspr-devel-1.7.7-1.1.2.legacy.i386.rpm

013b70581b5719c09d31a3cd642c9508326ee785
fedora/1/updates/i386/mozilla-nss-1.7.7-1.1.2.legacy.i386.rpm
0b166a9b048615bed8963512f3c14d0fe2b55df3
fedora/1/updates/i386/mozilla-nss-devel-1.7.7-1.1.2.legacy.i386.rpm

78028c39bd74519585f30c5e9fb1811c17174ae6
fedora/1/updates/SRPMS/mozilla-1.7.7-1.1.2.legacy.src.rpm
288dc1525d58a9bfb547dae233217f8560f793da
fedora/1/updates/i386/epiphany-1.0.8-1.fc1.2.legacy.i386.rpm
6d7fc5695a4dc5dfda8061d6f15f5f49d9e0ca25
fedora/1/updates/SRPMS/epiphany-1.0.8-1.fc1.2.legacy.src.rpm
e30cf25bc4833e0b19464b80edc6a40a022d84ec
fedora/2/updates/i386/mozilla-1.7.7-1.2.2.legacy.i386.rpm
f6272d64f623060b3e3c312a51d9c4cf79517dbf
fedora/2/updates/i386/mozilla-chat-1.7.7-1.2.2.legacy.i386.rpm
3de604792b03c9be05094f93dfab05dc4025bf28
fedora/2/updates/i386/mozilla-devel-1.7.7-1.2.2.legacy.i386.rpm
be68ea6a7694e26583788619fd2983d79e7de2a0
fedora/2/updates/i386/mozilla-dom-inspector-1.7.7-1.2.2.legacy.i386.rpm

5fb0ec03a8477716720fa5717096f51b947b3fc7
fedora/2/updates/i386/mozilla-js-debugger-1.7.7-1.2.2.legacy.i386.rpm

eaad0dd9b651f50a95645a483874e388c8e8d6ff
fedora/2/updates/i386/mozilla-mail-1.7.7-1.2.2.legacy.i386.rpm
eab0bd24445c45116bb438c3ab039549aeaf9fff
fedora/2/updates/i386/mozilla-nspr-1.7.7-1.2.2.legacy.i386.rpm
230443db97ade4cd419149aac9be2647b9d8e1a9
fedora/2/updates/i386/mozilla-nspr-devel-1.7.7-1.2.2.legacy.i386.rpm

93d1521088d28943d1bb8a3f95b9fe33afbb6cce
fedora/2/updates/i386/mozilla-nss-1.7.7-1.2.2.legacy.i386.rpm
69f0872295fcc76410236cbdcfa68ad714fd1019
fedora/2/updates/i386/mozilla-nss-devel-1.7.7-1.2.2.legacy.i386.rpm

9ee87c561862efad6914604117ca1b77347ddce2
fedora/2/updates/SRPMS/mozilla-1.7.7-1.2.2.legacy.src.rpm
2a2d210670d354d8640266735d2ce15ca3a6c637
fedora/2/updates/i386/epiphany-1.2.10-0.2.3.legacy.i386.rpm
0b8dcb95ee3ac871fac5adda63cbe1ec62340540
fedora/2/updates/SRPMS/epiphany-1.2.10-0.2.3.legacy.src.rpm
50bab23717bd9e8f80c1f037d89fea75c240404a
fedora/2/updates/i386/devhelp-0.9.1-0.2.6.legacy.i386.rpm
19dd014eda39deb1bafdfa34c47a4e81bf9cf880
fedora/2/updates/i386/devhelp-devel-0.9.1-0.2.6.legacy.i386.rpm
1fa21cf570fa5a210594820c17eacfe764df8a52
fedora/2/updates/SRPMS/devhelp-0.9.1-0.2.6.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our
key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm –checksig -v <filename>

If you only wish to verify that each package has not been
corrupted or tampered with, examine only the sha1sum with the
following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0906

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1156

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1316

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1380

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1613

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0141

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0142

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0578

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0143

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0593

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0144

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0146

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0147

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0149

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0231

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0232

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0527

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0233

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0399

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0401

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0584

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0585

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0586

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0590

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0591

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0588

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0989

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1153

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1154

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1155

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1159

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1160

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1156

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1157

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>.
More project details at http://www.fedoralegacy.org

Red Hat Linux

Red Hat Security Advisory

Synopsis: Low: rsh security update
Advisory ID: RHSA-2005:074-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2005-074.html

Issue date: 2005-05-18
Updated on: 2005-05-18
Product: Red Hat Enterprise Linux
CVE Names: CAN-2004-0175

1. Summary:

Updated rsh packages that fix various bugs and a theoretical
security issue are now available.

This update has been rated as having low security impact by the
Red Hat Security Response Team

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 – i386, ia64, ppc, s390,
s390x, x86_64
Red Hat Desktop version 3 – i386, x86_64
Red Hat Enterprise Linux ES version 3 – i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 – i386, ia64, x86_64

3. Problem description:

The rsh package contains a set of programs that allow users to
run commands on remote machines, login to other machines, and copy
files between machines, using the rsh, rlogin, and rcp commands.
All three of these commands use rhosts-style authentication.

The rcp protocol allows a server to instruct a client to write
to arbitrary files outside of the current directory. This could
potentially cause a security issue if a user uses rcp to copy files
from a malicious server. The Common Vulnerabilities and Exposures
project (cve.mitre.org/) has
assigned the name CAN-2004-0175 to this issue.

These updated packages also address the following bugs:

The rexec command failed with “Invalid Argument”, because the
code used sigaction() as an unsupported signal.

The rlogind server reported “SIGCHLD set to SIG_IGN but calls
wait()” message to the system log because the original BSD code was
ported incorrectly to linux.

The rexecd server did not function on systems where client
hostnames were not in the DNS service, because server code called
gethostbyaddr() for each new connection.

The rcp command incorrectly used the “errno” variable and
produced erroneous error messages.

The rexecd command ignored settings in the /etc/security/limits
file, because the PAM session was incorrectly initialized.

The rexec command prompted for username and password regardless
of the ~/.netrc configuration file contents. This updated package
contains a patch that no longer skips the ~/.netrc file.

All users of rsh should upgrade to these updated packages, which
resolve these issues.

4. Solution:

Before applying this update, make sure all previously released
errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

Please note that this update is also available via Red Hat
Network. Many people find this an easier way to apply updates. To
use Red Hat Network, launch the Red Hat Update Agent with the
following command:

up2date

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL
Certificate Errors, you need to install a version of the up2date
client with an updated certificate. The latest version of up2date
is available from the Red Hat FTP site and may also be downloaded
directly from the RHN website:

https://rhn.redhat.com/help/latest-up2date.pxt

5. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:

ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/rsh-0.17-17.6.src.rpm

9db33654428c9f2a68ae4fc3d3538b45 rsh-0.17-17.6.src.rpm

i386:
d3c9d0998a481654e6aa70bae6d81284 rsh-0.17-17.6.i386.rpm
458e22f5bbb542402ff7f1d5b31d8efc rsh-server-0.17-17.6.i386.rpm

ia64:
0ef714b4988d67746492c7fcc94c6505 rsh-0.17-17.6.ia64.rpm
c5ffc16936049d313396840c1340b190 rsh-server-0.17-17.6.ia64.rpm

ppc:
b95b84629007515d08ebdb9dbfc3ef2f rsh-0.17-17.6.ppc.rpm
fb95ecdabcdf4a94d3438d86c66fa10c rsh-server-0.17-17.6.ppc.rpm

s390:
3aeade4296a8fbef841988fa0931a627 rsh-0.17-17.6.s390.rpm
b974c6cfe31f0baa9863d543d4fbbc6c rsh-server-0.17-17.6.s390.rpm

s390x:
40007c9ed95ad284c2d6863bff54a69c rsh-0.17-17.6.s390x.rpm
63df1e561f4ccd2d0a088e3c419e1647 rsh-server-0.17-17.6.s390x.rpm

x86_64:
d5a8b840af161bf40970e8d51b5be791 rsh-0.17-17.6.x86_64.rpm
bc656e79fc3002249f5eb17d4993f67b
rsh-server-0.17-17.6.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:

ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/rsh-0.17-17.6.src.rpm

9db33654428c9f2a68ae4fc3d3538b45 rsh-0.17-17.6.src.rpm

i386:
d3c9d0998a481654e6aa70bae6d81284 rsh-0.17-17.6.i386.rpm
458e22f5bbb542402ff7f1d5b31d8efc rsh-server-0.17-17.6.i386.rpm

x86_64:
d5a8b840af161bf40970e8d51b5be791 rsh-0.17-17.6.x86_64.rpm
bc656e79fc3002249f5eb17d4993f67b
rsh-server-0.17-17.6.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:

ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/rsh-0.17-17.6.src.rpm

9db33654428c9f2a68ae4fc3d3538b45 rsh-0.17-17.6.src.rpm

i386:
d3c9d0998a481654e6aa70bae6d81284 rsh-0.17-17.6.i386.rpm
458e22f5bbb542402ff7f1d5b31d8efc rsh-server-0.17-17.6.i386.rpm

ia64:
0ef714b4988d67746492c7fcc94c6505 rsh-0.17-17.6.ia64.rpm
c5ffc16936049d313396840c1340b190 rsh-server-0.17-17.6.ia64.rpm

x86_64:
d5a8b840af161bf40970e8d51b5be791 rsh-0.17-17.6.x86_64.rpm
bc656e79fc3002249f5eb17d4993f67b
rsh-server-0.17-17.6.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:

ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/rsh-0.17-17.6.src.rpm

9db33654428c9f2a68ae4fc3d3538b45 rsh-0.17-17.6.src.rpm

i386:
d3c9d0998a481654e6aa70bae6d81284 rsh-0.17-17.6.i386.rpm
458e22f5bbb542402ff7f1d5b31d8efc rsh-server-0.17-17.6.i386.rpm

ia64:
0ef714b4988d67746492c7fcc94c6505 rsh-0.17-17.6.ia64.rpm
c5ffc16936049d313396840c1340b190 rsh-server-0.17-17.6.ia64.rpm

x86_64:
d5a8b840af161bf40970e8d51b5be791 rsh-0.17-17.6.x86_64.rpm
bc656e79fc3002249f5eb17d4993f67b
rsh-server-0.17-17.6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key
and details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

6. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0175

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More
contact details at https://www.redhat.com/security/team/contact/

Red Hat Security Advisory

Synopsis: Low: openssh security update
Advisory ID: RHSA-2005:106-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2005-106.html

Issue date: 2005-05-18
Updated on: 2005-05-18
Product: Red Hat Enterprise Linux
CVE Names: CAN-2004-0175

1. Summary:

Updated openssh packages that fix a potential security
vulnerability and various other bugs are now available for Red Hat
Enterprise Linux 3.

This update has been rated as having low security impact by the
Red Hat Security Response Team.

2. Relevant releases/architectures:

3. Problem description:

OpenSSH is OpenBSD’s SSH (Secure SHell) protocol implementation.
SSH replaces rlogin and rsh, and provides secure encrypted
communications between two untrusted hosts over an insecure
network. X11 connections and arbitrary TCP/IP ports can also be
forwarded over a secure channel. Public key authentication can be
used for “passwordless” access to servers.

The scp protocol allows a server to instruct a client to write
to arbitrary files outside of the current directory. This could
potentially cause a security issue if a user uses scp to copy files
from a malicious server. The Common Vulnerabilities and Exposures
project (cve.mitre.org/) has
assigned the name CAN-2004-0175 to this issue.

These updated packages also correct the following bugs:

On systems where direct ssh access for the root user was
disabled by configuration (setting “PermitRootLogin no”), attempts
to guess the root password could be judged as sucessful or
unsucessful by observing a delay.

On systems where the privilege separation feature was turned on,
the user resource limits were not correctly set if the
configuration specified to raise them above the defaults. It was
also not possible to change an expired password.

Users of openssh should upgrade to these updated packages, which
contain backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure all previously released
errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

up2date

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.

https://rhn.redhat.com/help/latest-up2date.pxt

5. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:

ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/openssh-3.6.1p2-33.30.4.src.rpm

7b60311a6205015c1424255894ca4543
openssh-3.6.1p2-33.30.4.src.rpm

i386:
0632bc50698ebced00b31dbbfc077e76
openssh-3.6.1p2-33.30.4.i386.rpm
c4bee6055d508780f44a928f707a2942
openssh-askpass-3.6.1p2-33.30.4.i386.rpm
5f5a04f9ca345ac8a5344754eddd02c6
openssh-askpass-gnome-3.6.1p2-33.30.4.i386.rpm
eac41215547b25b22bc3d9a04544e39b
openssh-clients-3.6.1p2-33.30.4.i386.rpm
c2f2365016bfb9edf13a2480c6d15c34
openssh-server-3.6.1p2-33.30.4.i386.rpm

ia64:
cc138291b474a67970caa97bfad1c9b4
openssh-3.6.1p2-33.30.4.ia64.rpm
dbad4a3430f94fa2be8563feec3f1ff3
openssh-askpass-3.6.1p2-33.30.4.ia64.rpm
cfbb0ef73bf3a47f54a99511748bd907
openssh-askpass-gnome-3.6.1p2-33.30.4.ia64.rpm
f4a09d1562bec81d463a5067dc61d9f1
openssh-clients-3.6.1p2-33.30.4.ia64.rpm
1e333c07f46051095636411a3bb590db
openssh-server-3.6.1p2-33.30.4.ia64.rpm

ppc:
cc038b17c27936940e3819b17bf11956
openssh-3.6.1p2-33.30.4.ppc.rpm
79bef55a16572ac51b81cdb39b14a01e
openssh-askpass-3.6.1p2-33.30.4.ppc.rpm
96505d5f6b55d00f17dd2c4b053bed8e
openssh-askpass-gnome-3.6.1p2-33.30.4.ppc.rpm
935fafdfab1cf6a2b7479c4f0d8c6275
openssh-clients-3.6.1p2-33.30.4.ppc.rpm
1e61209b257a8463aff9b5a58ce69bf5
openssh-server-3.6.1p2-33.30.4.ppc.rpm

s390:
e083bf6bdb36b498b49813b39da29cda
openssh-3.6.1p2-33.30.4.s390.rpm
ee6c07b7c35db92766b9988d89c29822
openssh-askpass-3.6.1p2-33.30.4.s390.rpm
b32f9f334ed9f3f6060ebfa5ea85ac2c
openssh-askpass-gnome-3.6.1p2-33.30.4.s390.rpm
c6b895eb572e105ff777536f4c476079
openssh-clients-3.6.1p2-33.30.4.s390.rpm
4d0442b0e84c30d69046543d214e41df
openssh-server-3.6.1p2-33.30.4.s390.rpm

s390x:
e27813586fe755d41cfe7ac09ca7e645
openssh-3.6.1p2-33.30.4.s390x.rpm
8f3087efbde89ed9512c44a335686da0
openssh-askpass-3.6.1p2-33.30.4.s390x.rpm
f14783534ab464aa5086548846b9a19c
openssh-askpass-gnome-3.6.1p2-33.30.4.s390x.rpm
f044e71865f218b35558163fe81b3791
openssh-clients-3.6.1p2-33.30.4.s390x.rpm
975d8accdeae65a76420ac99d44b5644
openssh-server-3.6.1p2-33.30.4.s390x.rpm

x86_64:
82a0cd578d39f1063764c4552e2a20a0
openssh-3.6.1p2-33.30.4.x86_64.rpm
6ca6fdf9cbd4dcfda939b0034fd173c5
openssh-askpass-3.6.1p2-33.30.4.x86_64.rpm
22e7c2186dba1af27e4c593f5c78df3b
openssh-askpass-gnome-3.6.1p2-33.30.4.x86_64.rpm
e7ddaf24841bcdfae67e01d7be62bfcd
openssh-clients-3.6.1p2-33.30.4.x86_64.rpm
cb07647a04a3c4e1727f302da26102be
openssh-server-3.6.1p2-33.30.4.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:

ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/openssh-3.6.1p2-33.30.4.src.rpm

7b60311a6205015c1424255894ca4543
openssh-3.6.1p2-33.30.4.src.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:

ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/openssh-3.6.1p2-33.30.4.src.rpm

7b60311a6

Advisories: May 18, 2005

Debian GNU/Linux

Fedora Legacy

Red Hat Linux

Get the Free Newsletter!

Must Read

FreeDOS 1.4 Now Available — A Major Update for the Beloved DOS Revival

Linux Mint Debian Edition Is Getting Support for OEM Installations with LMDE 7

How to Fix Ubuntu Freezes, Crashes or System Hangs

How to Install PuTTY on Linux

A personal journey: From Windows to Linux to Windows to Linux to…

Our Brands