From tsl@trustix.org Fri Jul 1 15:55:09 2005
From: Trustix Security Advisor
To: bugtraq@securityfocus.com
Date: Fri, 1 Jul 2005 17:54:18 +0200
Subject: TSLSA-2005-0031 - multi

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Advisory #2005-0031

Package name:      clamav, cpplus, dev, imagemagick, kerberos5, kernel,
                   openldap, pam_ldap, perl-net-server, php, php4,
                   sqlgrey, swup
Summary:           Multiple bug- and security fixes
Date:              2005-07-01
Affected versions: Trustix Secure Linux 2.1
                   Trustix Secure Linux 2.2
                   Trustix Operating System - Enterprise Server 2
- --------------------------------------------------------------------------

Note on end of life for Trustix Secure Linux 1.5 and 2.1:
  Trustix Secure Linux versions 1.5 and 2.1 reached their planned end of
  life on June 30th 2005. This is the last batch of updates for those
  versions of the distribution. Users of TSL 1.5 and 2.1 are encouraged
  to upgrade to the current stable version 2.2 as soon as possible.

Package description:
  clamav:
  Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose
  of this software is the integration with mail servers (attachment
  scanning). The package provides a flexible and scalable multi-threaded
  daemon, a command line scanner, and a tool for automatic updating via
  Internet. The programs are based on a shared library distributed with
  the package, which you can use with your own software. Most importantly,
  the virus database is kept up to date.

  cpplus:
  CP+ is a web-based tool for remote administration of dedicated servers.
  It can be used to perform basic administrative tasks and create/manage
  domains through a graphical interface, which makes system administration
  easy and comfortable. Users don't need to remember a long list of
  console commands with complex syntax and valid parameter values. All
  major system management tasks are now presented as icons providing a
  single entry point from which to perform a task.

  dev:
  The Trustix operating system uses file system entries to represent
  devices (CD-ROMs, floppy drives, etc.) attached to the machine. All of
  these entries are in the /dev tree (although they don't have to be).
  This package contains the most commonly used /dev entries.

  imagemagick:
  ImageMagick is a robust collection of tools and libraries to read,
  write, and manipulate an image in any of the more popular image formats
  including GIF, JPEG, PNG, PDF, and Photo CD.

  kerberos5:
  (MIT) Kerberos is a network authentication protocol. It is designed to
  provide strong authentication for client/server applications by using
  secret-key cryptography. A free implementation of this protocol is
  available from the Massachusetts Institute of Technology. Kerberos is
  available in many commercial products as well.

  kernel:
  The kernel package contains the Linux kernel (vmlinuz), the core of
  your Trustix Secure Linux operating system. The kernel handles the
  basic functions of the operating system: memory allocation, process
  allocation, device input and output, etc.

  openldap:
  LDAP servers and clients, as well as interfaces to other protocols.
  Note that this does not include the slapd interface to X.500 and
  therefore does not require the ISODE package.

  pam_ldap:
  This package includes an LDAP access client: pam_ldap. Pam_ldap is a
  module for Linux-PAM that supports password changes, V2/V3 clients,
  Netscape's SSL/OpenSSL, ypldapd, Netscape Directory Server password
  policies, access authorization, crypted hashes, etc.

  perl-net-server:
  perl-net-server module from CPAN for perl.

  php, php4:
  PHP is an HTML-embedded scripting language. PHP attempts to make it
  easy for developers to write dynamically generated web pages. PHP also
  offers built-in database integration for several commercial and
  non-commercial database management systems, so writing a
  database-enabled web page with PHP is fairly simple. The most common
  use of PHP coding is probably as a replacement for CGI scripts. The
  mod_php module enables the Apache web server to understand and process
  the embedded PHP language in web pages.

  sqlgrey:
  SQLgrey is a Postfix grey-listing policy service with auto-white-listing
  written in Perl with an SQL database as storage backend. Greylisting
  stops 50 to 90 % of junk mail (spam and virus) before it reaches your
  Postfix server (saves bandwidth, user time and CPU time).

  swup:
  SWUP - SoftWare UPdater is an extension for existing software packaging
  systems to facilitate automatic and secure update and install. SWUP
  handles dependencies between software packages, and is able to fetch
  additional required software when installing or upgrading.

Problem description:
  clamav:
  - Edited freshclam.sh so that freshclam can be started when $LOGFILE is
    empty. Bug #976.

  cpplus:
  - New upstream 2.5.2.

  dev:
  - Added drbd* entries to /dev. Fixes Bug #815.

  imagemagick:
  - Fixed an obscure heap-overflow vulnerability in the PNM reader
    reported by Damian Put.
  - Fixed memory overflow computation.

  kerberos5:
  - Security Fix: Fix for CAN-2004-0175 in krb5 rcp, based on Markus
    Friedl's fix for OpenSSH scp.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CAN-2004-0175 to this issue.

  kernel:
  - Added IPX Protocol support. Bug #983.

  openldap:
  - Fix: OpenLDAP, when connecting to a slave using TLS, does not use TLS
    for the subsequent connection if the client is referred to a master,
    which causes a password to be sent in cleartext and allows remote
    attackers to sniff the password.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CAN-2005-2069 to this issue.

  pam_ldap:
  - Fix: pam_ldap, when connecting to a slave using TLS, does not use TLS
    for the subsequent connection if the client is referred to a master,
    which causes a password to be sent in cleartext and allows remote
    attackers to sniff the password.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CAN-2005-2069 to this issue.

  perl-net-server:
  - New upstream.

  php:
  - Security Fix: PHP XML-RPC remote code execution vulnerability.
    GulfTech Security recently discovered a vulnerability in the PHP
    XML-RPC library that leads to remote code execution.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CAN-2005-1921 to this issue.

  sqlgrey:
  - Multiple bug fixes.
  - Rebuilt on perl-net-server 0.88 to fix lockups.

  swup:
  - New upstream.

Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.

Location:
  All Trustix Secure Linux updates are available from

About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With
  focus on security and stability, the system is painlessly kept safe and
  up to date from day one using swup, the automated software updater.

Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically installed
  using 'swup --upgrade'.

Questions?
  Check out our mailing lists:

Verification:
  This advisory along with all Trustix packages are signed with the TSL
  sign key. This key is available from:

  The advisory itself is available from the errata pages at and or
  directly at

MD5sums of the packages:
- --------------------------------------------------------------------------
e90a1caad686759c5907e2625ae56106 2.2/rpms/clamav-0.86.1-2tr.i586.rpm
3530142ef7267bce60dfd09b91c4664a 2.2/rpms/clamav-devel-0.86.1-2tr.i586.rpm
6fd49b1defa520429c89f910d0eb91f4 2.2/rpms/cpplus-2.5.2-1tr.i586.rpm
586f2230cb2a89ea70b997b9493086f6 2.2/rpms/dev-2.7.19-5tr.i586.rpm
3c996bc9c1457ddeee37c66130fdd0bf 2.2/rpms/imagemagick-6.2.3-1tr.i586.rpm
b2e9f3263c988f57d71d8f1ab1463320 2.2/rpms/imagemagick-devel-6.2.3-1tr.i586.rpm
b1a3e9838c51ca365d59d5adf906cc95 2.2/rpms/kerberos5-1.3.6-4tr.i586.rpm
c7c011edfc739c997ebadb7179165063 2.2/rpms/kerberos5-devel-1.3.6-4tr.i586.rpm
44bb902366e7afbc588ad279ca3ce5f9 2.2/rpms/kerberos5-libs-1.3.6-4tr.i586.rpm
d2da6d2ae9ceefd770ca3222affff1d3 2.2/rpms/kernel-2.4.31-2tr.i586.rpm
e24ea5ebb81cdeae7ec9b11d1d469544 2.2/rpms/kernel-BOOT-2.4.31-2tr.i586.rpm
e112a4362b23abdd4d36b43d053d09ab 2.2/rpms/kernel-doc-2.4.31-2tr.i586.rpm
c50a54043ad6989d0e976aa5fcf21e50 2.2/rpms/kernel-smp-2.4.31-2tr.i586.rpm
b2a2d46f77c91860a33c6b41d30ff4bc 2.2/rpms/kernel-source-2.4.31-2tr.i586.rpm
b5c5a6d7dbcff9f9d0c96719bcf852e7 2.2/rpms/kernel-utils-2.4.31-2tr.i586.rpm
491747326ed22372e2345d2eec576b9a 2.2/rpms/ldapclients-common-175-2tr.i586.rpm
f6f202894ba1573566f0db35b1fffb7f 2.2/rpms/openldap-2.1.30-5tr.i586.rpm
ab71e6bd27d8824c93b3cca3548a99d4 2.2/rpms/openldap-devel-2.1.30-5tr.i586.rpm
9cafbafd0d2f225a4fb5c6d7b2abfcdc 2.2/rpms/openldap-libs-2.1.30-5tr.i586.rpm
a2f6f10d49726ebb7e66fd38f1af5eb1 2.2/rpms/openldap-servers-2.1.30-5tr.i586.rpm
41c57e368a7f925c236e499852785e32 2.2/rpms/openldap-utils-2.1.30-5tr.i586.rpm
44471e628f2bbc5bcaa62fe86cced188 2.2/rpms/pam_ldap-175-2tr.i586.rpm
ec02f260498414e6b5bac58fb5005641 2.2/rpms/perl-image-magick-6.2.3-1tr.i586.rpm
fb83d1cf0bcfdf917bb3e3707a403195 2.2/rpms/perl-net-server-0.88-1tr.i586.rpm
42f38ef86104c344515904e30a3431cc 2.2/rpms/php-5.0.4-6tr.i586.rpm
3240fb568015221123c963697b6aa2c1 2.2/rpms/php-cli-5.0.4-6tr.i586.rpm
c1e74610a791a25648bd0af030620c5f 2.2/rpms/php-devel-5.0.4-6tr.i586.rpm
e320cf23d8d08ad9e4dd596ac362983a 2.2/rpms/php-exif-5.0.4-6tr.i586.rpm
f7748285857a5feff255e7959c5974b3 2.2/rpms/php-gd-5.0.4-6tr.i586.rpm
ae86b131fe7ec0551dad3858c1d8a141 2.2/rpms/php-imap-5.0.4-6tr.i586.rpm
cbffe35fabd3e367c17b8bb82fe2e051 2.2/rpms/php-ldap-5.0.4-6tr.i586.rpm
b442034d7ed3262f8a5b558edda0edc1 2.2/rpms/php-mhash-5.0.4-6tr.i586.rpm
f5deeddcf183d23874c9d4fcb22a0df2 2.2/rpms/php-mysql-5.0.4-6tr.i586.rpm
e519d3fd25551a09006d1385266bcf90 2.2/rpms/php-mysqli-5.0.4-6tr.i586.rpm
1188c7201aab95ead31da28c9ac8eebf 2.2/rpms/php-pgsql-5.0.4-6tr.i586.rpm
e5c11a414c995a90e973391d9953bbb2 2.2/rpms/php-zlib-5.0.4-6tr.i586.rpm
50192f5ac2f0ebc8d1443f9090649504 2.2/rpms/php4-4.3.11-4tr.i586.rpm
f316caec24aaa8d46a86d1c42b1a9c05 2.2/rpms/php4-cli-4.3.11-4tr.i586.rpm
dc9705afbcde0be97c4c242f2fc12c44 2.2/rpms/php4-devel-4.3.11-4tr.i586.rpm
d82cf7499652d65a86a4d9f16cdff77d 2.2/rpms/php4-domxml-4.3.11-4tr.i586.rpm
a05f2784fbd0b9d879ac0b510aeae6b7 2.2/rpms/php4-exif-4.3.11-4tr.i586.rpm
def4455afbcba56436fb6fe6fb7329a7 2.2/rpms/php4-gd-4.3.11-4tr.i586.rpm
ae49762583a1f45c1ac227a903769cc1 2.2/rpms/php4-imap-4.3.11-4tr.i586.rpm
c94e4a0bd423fbd18f2dd1127ee2268e 2.2/rpms/php4-ldap-4.3.11-4tr.i586.rpm
84adadd7ff3923a2cf75aaef4a6a150c 2.2/rpms/php4-mhash-4.3.11-4tr.i586.rpm
342e010d1f69fe29765f89ac34c4dbca 2.2/rpms/php4-mysql-4.3.11-4tr.i586.rpm
f836085b1518a19565b7cebd6f8681d4 2.2/rpms/php4-pgsql-4.3.11-4tr.i586.rpm
32dea890cd61fcc26fd71eea62e19d6e 2.2/rpms/php4-test-4.3.11-4tr.i586.rpm
785b3e966e9b9d4c0db78f1368420860 2.2/rpms/sqlgrey-1.6.1-1tr.i586.rpm
cdc640a4893850b61ddf6e5619a91cb4 2.2/rpms/swup-2.7.9-2tr.i586.rpm
221c91b5c422212c8726241f80aca256 2.2/rpms/swup-conf-2.7.9-2tr.i586.rpm
eca49fe2288124655ed5eb258913fac6 2.2/rpms/swup-cron-2.7.9-2tr.i586.rpm
411d69f85f62a357416909b66103f2f8 2.2/rpms/swup-libs-2.7.9-2tr.i586.rpm
d56181e17baf50cf3572158e73703818 2.2/rpms/swup-rdfgen-2.7.9-2tr.i586.rpm

e71a4e72b1c49b83c562544c38af6fbe 2.1/rpms/kerberos5-1.3.6-3tr.i586.rpm
5d2a5eba232fd658316a605b42ff7873 2.1/rpms/kerberos5-devel-1.3.6-3tr.i586.rpm
3fd1955813175809c797fe0bdd144539 2.1/rpms/kerberos5-libs-1.3.6-3tr.i586.rpm
75db0c190689264ded94d52ca770e72c 2.1/rpms/ldapclients-common-166-4tr.i586.rpm
60938132c14dd006d034e9d8b726ed01 2.1/rpms/mod_php4-4.3.11-3tr.i586.rpm
4760d5121027e0e10b0ce579e8425e2b 2.1/rpms/mod_php4-cli-4.3.11-3tr.i586.rpm
4125fe08e31c7ab0f7e365890e91d3f3 2.1/rpms/mod_php4-devel-4.3.11-3tr.i586.rpm
10abcc190f4ca0444f09fdee5037255f 2.1/rpms/mod_php4-domxml-4.3.11-3tr.i586.rpm
da9409b6eaf038fed1edd0dbe28fc655 2.1/rpms/mod_php4-exif-4.3.11-3tr.i586.rpm
fbab3256a5323aaf29e97effbfd21d9d 2.1/rpms/mod_php4-gd-4.3.11-3tr.i586.rpm
0fcbd3d73a6e2bb46a71360b682a1827 2.1/rpms/mod_php4-imap-4.3.11-3tr.i586.rpm
617d7fd7a8fe64c584108739b9409e7e 2.1/rpms/mod_php4-ldap-4.3.11-3tr.i586.rpm
b98e532b851e974c334f9938dea0a5f1 2.1/rpms/mod_php4-mysql-4.3.11-3tr.i586.rpm
ad8c8d10b734459ca0389eb7deba6f17 2.1/rpms/mod_php4-pgsql-4.3.11-3tr.i586.rpm
8507c56adf91f11971da192b7094a840 2.1/rpms/mod_php4-test-4.3.11-3tr.i586.rpm
15551bdc5c0cf3c992c5c2025920cc9c 2.1/rpms/openldap-2.1.25-5tr.i586.rpm
879db0ee1ca749fa2322b569d1a8b3bf 2.1/rpms/openldap-devel-2.1.25-5tr.i586.rpm
61f40521902fc0996cb8327eb77bc617 2.1/rpms/openldap-libs-2.1.25-5tr.i586.rpm
b7e5968c08e1dabf0a262af4259b228f 2.1/rpms/openldap-servers-2.1.25-5tr.i586.rpm
196273ac00a0630880e783a1acff976b 2.1/rpms/openldap-utils-2.1.25-5tr.i586.rpm
d710db7f90da97c236a2963a8a18bd75 2.1/rpms/pam_ldap-166-4tr.i586.rpm
- --------------------------------------------------------------------------

Trustix Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCxV3Bi8CEzsK9IksRArffAJ9nnbLcm1bGSAbWedtWjhU+kFex7wCglbun
adc5AntWFmA9yD0LfrVts2w=
=wqaO
-----END PGP SIGNATURE-----
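The advisory closes with an MD5 listing of every package in the "hash path" format shown above. The following script is an added example, not part of the advisory or of the Trustix swup tooling: it parses a listing in that format and checks downloaded packages under a local mirror directory, reporting each entry as ok, mismatch or missing. The mirror root, the file names and the sample payloads in demo() are constructed so the script runs offline; the two real listing lines from this advisory are used only to show that the parser accepts them. MD5 sums guard against transfer corruption and obvious tampering; the authoritative check remains the TSL sign key the advisory refers to (rpm --checksig on each package), which this script does not replace.

```python
"""Check downloaded update packages against an advisory's MD5 listing.

Added example; not Trustix code. The listing format ("<32 hex digits>
<relative path>", one entry per line, separator lines interleaved) follows
the MD5sums section of TSLSA-2005-0031. Everything in demo() is constructed.
"""
import hashlib
import os
import re
import tempfile

# One listing entry: 32 hex digits, whitespace, the package path relative
# to the mirror root (e.g. "2.2/rpms/clamav-0.86.1-2tr.i586.rpm").
_ENTRY = re.compile(r"^([0-9a-fA-F]{32})\s+(\S+)$")


def parse_md5_listing(text):
    """Return {relative_path: md5hex} for every well-formed listing line.

    Separator rules ("- ----"), blank lines and prose are silently skipped,
    so the whole "MD5sums of the packages" section can be pasted in as-is.
    """
    sums = {}
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def md5_of_file(path):
    """Stream the file through MD5 so large kernel/source RPMs are not read whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_packages(listing, mirror_root):
    """Compare each listed package under mirror_root with its expected sum.

    Returns {relative_path: "ok" | "mismatch" | "missing"}. A "missing"
    entry usually means the package was not downloaded; a "mismatch" means
    the file on disk is not the one the advisory describes and must not be
    installed.
    """
    results = {}
    for rel, expected in listing.items():
        full = os.path.join(mirror_root, rel)
        if not os.path.isfile(full):
            results[rel] = "missing"
        elif md5_of_file(full) == expected:
            results[rel] = "ok"
        else:
            results[rel] = "mismatch"
    return results


def demo():
    """Constructed scenario (hypothetical files, not real Trustix packages):
    one intact package, one altered after download, one never downloaded."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "2.2", "rpms"))
    payload = b"constructed package payload, not a real rpm"
    with open(os.path.join(root, "2.2", "rpms", "intact.rpm"), "wb") as f:
        f.write(payload)
    with open(os.path.join(root, "2.2", "rpms", "altered.rpm"), "wb") as f:
        f.write(payload + b"\x00")          # one extra byte: sum no longer matches
    expected = hashlib.md5(payload).hexdigest()
    listing_text = "\n".join([
        "- ------------------------------------------",
        f"{expected} 2.2/rpms/intact.rpm",
        f"{expected} 2.2/rpms/altered.rpm",
        "0123456789abcdef0123456789abcdef 2.2/rpms/absent.rpm",  # placeholder sum
        "- ------------------------------------------",
    ])
    return verify_packages(parse_md5_listing(listing_text), root)


if __name__ == "__main__":
    for path, state in sorted(demo().items()):
        print(f"{state:8} {path}")
```

Run it against a real download by pasting the advisory's MD5sums section into parse_md5_listing() and pointing verify_packages() at the directory that holds the 2.2/ and 2.1/ trees; refuse to install anything reported as mismatch.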