Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Trustix :: c07-2223.htm

Trustix Secure Linux - multiple vulns



TSLSA-2007-0005 - multi
TSLSA-2007-0005 - multi



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2007-0005

Package names:	   bind, ed, elinks
Summary:           Multiple vulnerabilities
Date:              2007-02-05
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Operating System - Enterprise Server 2

- --------------------------------------------------------------------------
Package description:
  bind
  BIND (Berkeley Internet Name Domain) is an implementation of the DNS
  (Domain Name System) protocols. BIND includes a DNS server (named),
  which resolves host names to IP addresses, and a resolver library
  (routines for applications to use when interfacing with DNS).  A DNS
  server allows clients to name resources or objects and share the
  information with other network machines.  The named DNS server can be
  used on workstations as a caching name server, but is generally only
  needed on one machine for an entire network.

  ed
  Ed is a line-oriented text editor, used to create, display, and modify
  text files (both interactively and via shell scripts). For most
  purposes, ed has been replaced in normal usage by full-screen editors
  (emacs and vi, for example).

  elinks
  ELinks is a program for browsing the web in text mode. It provide a
  feature-rich text mode browser with an open patches/features inclusion
  policy and active development. One of these features is that ELinks
  includes Links-Lua which adds scripting capabilities to ELinks.

Problem description:
  bind < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - New Upstream.
  - SECURITY Fix: Some vulnerabilities have been reported in ISC BIND,
    which can be exploited by malicious people to cause a DoS. An
    unspecified error may cause the named daemon to dereference a
    freed fetch context.
  - Another vulnerability in ISC BIND allows remote attackers to cause
    a denial of service (exit) via a type * (ANY) DNS query response
    that contains multiple RRsets, which triggers an assertion error,
    aka the "DNSSEC Validation" vulnerability.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the names CVE-2007-0493 and CVE-2007-0494 to these issues.

  ed < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - New upstream.
  - SECURITY FIX: A vulnerability has been identified in the 
    "open_sbuf()" [buf.c] function that handles temporary files in an
    insecure manner, which could allow malicious users to conduct
    symlink attacks and create or overwrite arbitrary files with the
    privileges of the user invoking the vulnerable application.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2006-6939 to this issue.

  elinks < TSL 3.0 >
  - New upstream.
  - SECURITY Fix: Teemu Salmela has discovered a vulnerability, which
    is caused due to an error in the validation of "smb://" URLs when
    Links runs smbclient commands. This can be exploited to download
    and overwrite local files or upload local files to an SMB share
    by injecting smbclient commands in the "smb://" URL.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2006-5925 to this issue.

Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All Trustix Secure Linux updates are available from
 
 


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.


Questions?
  Check out our mailing lists:
 


Verification:
  This advisory along with all Trustix packages are signed with the
  TSL sign key.
  This key is available from:
 

  The advisory itself is available from the errata pages at
 and 
 
  or directly at
 


MD5sums of the packages:
- --------------------------------------------------------------------------
3112dfc593ecb6394aeb7fb4867e4e30  3.0/rpms/bind-9.3.4-1tr.i586.rpm
8cc8c0d73f9b1457cda994fd82a52b87  3.0/rpms/bind-devel-9.3.4-1tr.i586.rpm
75c261426a6d4e77b45c98eacfacddfb  3.0/rpms/bind-libs-9.3.4-1tr.i586.rpm
87e5993a7e5b045958b9a78e104c736f  3.0/rpms/bind-light-9.3.4-1tr.i586.rpm
f0fc46061ecd0740470b4503d0c7a065  3.0/rpms/bind-light-devel-9.3.4-1tr.i586.rpm
a61e7ad79cd98d3bb31d91a6d455dff1  3.0/rpms/bind-utils-9.3.4-1tr.i586.rpm
d0eafdde540e1328041ac0e89efad7e7  3.0/rpms/ed-0.4-1tr.i586.rpm
8f4d1769a53918324b04534f67e3b5d7  3.0/rpms/elinks-0.11.2-1tr.i586.rpm

0fc22c7b4599c72184e3bd9e0a0aaa8c  2.2/rpms/bind-9.3.4-1tr.i586.rpm
cf5e701cffa3feb11f12c0f274d67d6c  2.2/rpms/bind-devel-9.3.4-1tr.i586.rpm
2d6d1c3b345a593a23266effdd613076  2.2/rpms/bind-libs-9.3.4-1tr.i586.rpm
8d549fba3a2aa68d555e45edb7bdf102  2.2/rpms/bind-light-9.3.4-1tr.i586.rpm
bbf737edf58f73089f5dc00a37f823f9  2.2/rpms/bind-light-devel-9.3.4-1tr.i586.rpm
89f3cd943fd8f183bcc0adedace27451  2.2/rpms/bind-utils-9.3.4-1tr.i586.rpm
18b1ada8a24e8670cb40ac282e531c4a  2.2/rpms/ed-0.4-1tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFFxuZni8CEzsK9IksRAu8EAJ4+0Nrd7rnGh5XhMAPrHcEcWuFhAACfeyb/
TaacJQ18NUY1H10niVwO1jw=F39l
-----END PGP SIGNATURE-----


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH