<<< Date Index >>>     <<< Thread Index >>>

TSLSA-2006-0006 - multi



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2006-0006

Package names:     fcron, kernel, unzip  
Summary:           Multiple vulnerabilities
Date:              2006-02-10
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Operating System - Enterprise Server 2

- --------------------------------------------------------------------------
Package description:
  fcron
  Fcron is a scheduler. It aims at replacing Vixie Cron, so it implements most
  of its functionalities.

  kernel
  The kernel package contains the Linux kernel (vmlinuz), the core of your
  Trustix Secure Linux operating system.  The kernel handles the basic
  functions of the operating system:  memory allocation, process allocation,
  device input and output, etc.

  unzip
  The unzip utility is used to list, test, or extract files from a zip
  archive.  Zip archives are commonly found on MS-DOS systems.  The zip
  utility, included in the zip package, creates zip archives.  Zip and
  unzip are both compatible with archives created by PKWARE(R)'s PKZIP
  for MS-DOS, but the programs' options and default behaviors do differ
  in some respects.

Problem description:
  fcron < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - SECURITY Fix: Adam Zabrocki and Karol Wiesek has reported vulnerabilities
    in fcron, which can be exploited by malicious, local users to gain
    escalated privileges. The issue exits in convert-fcrontab when handling
    an overly long username supplied via the command line and due to missing
    validation of username. (SA18719)

  kernel < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - SECURITY Fix: Linux kernel before 2.6.15.3 down to 2.6.12, while
    constructing an ICMP response, does not properly handle when the
    ip_options_echo function in icmp.c fails, which allows remote attackers
    to cause a denial of service (crash) via vectors such as (1) record-route
    and (2) timestamp IP options with the needaddr bit set and a truncated
    value.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2006-0454 to this issue.

  - SECURITY Fix: Linus Torvalds: Fix outstanding gzip/zlib security issues.
  - SECURITY Fix: Disallows local users to write to privileged IO ports
    via OUTS instruction isofs driver ignore parameters.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2005-0204 to this issue.
  
  unzip < TSL 3.0 > < TSL 2.2 >
  - SECURITY Fix: Fixes Buffer overflow vulnerability which allows local
    users to execute arbitrary code via a long filename command line argument.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2005-4667 to this issue.

Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All Trustix Secure Linux updates are available from
  <URI:http://http.trustix.org/pub/trustix/updates/>
  <URI:ftp://ftp.trustix.org/pub/trustix/updates/>


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.


Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.org/support/>


Verification:
  This advisory along with all Trustix packages are signed with the
  TSL sign key.
  This key is available from:
  <URI:http://www.trustix.org/TSL-SIGN-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.org/errata/trustix-2.2/> and
  <URI:http://www.trustix.org/errata/trustix-3.0/>
  or directly at
  <URI:http://www.trustix.org/errata/2006/0006/>


MD5sums of the packages:
- --------------------------------------------------------------------------
9416c0e0a7200756316fa352595cd3cf  3.0/rpms/fcron-2.9.6-12tr.i586.rpm
dea45d7b11bbda865dca4db01e237eb5  3.0/rpms/unzip-5.52-5tr.i586.rpm
e08674bf01458204ab539f66f53d75ad  3.0/rpms/kernel-2.6.15.3-1tr.i586.rpm
67185aaad47417bfee8c663e4dcb1053  3.0/rpms/kernel-doc-2.6.15.3-1tr.i586.rpm
74ad2cfbadac3cafbb4cb5d9bb8fa1c7  3.0/rpms/kernel-headers-2.6.15.3-1tr.i586.rpm
8eb35f0a3bab09ce3a65144133ef56ac  3.0/rpms/kernel-smp-2.6.15.3-1tr.i586.rpm
2a864b44f53ecb75a8cad7336df742fb  
3.0/rpms/kernel-smp-headers-2.6.15.3-1tr.i586.rpm
4ada201690cd6846b7718a8fa1bf6369  3.0/rpms/kernel-source-2.6.15.3-1tr.i586.rpm
fe043a8184faf291b710373b79edc129  3.0/rpms/kernel-utils-2.6.15.3-1tr.i586.rpm

bb2137e71f0f7d4dd23518e11191d9cd  2.2/rpms/fcron-2.9.5.1-4tr.i586.rpm
1add23f21ee82df7d3473f50f08372c7  2.2/rpms/unzip-5.51-3tr.i586.rpm
367716e7f9dc6ce54eda75325a490821  2.2/rpms/kernel-2.4.32-1tr.i586.rpm
bce7a66fbfb03d8478b64465a94b7d82  2.2/rpms/kernel-BOOT-2.4.32-1tr.i586.rpm
b3db858a945228cd29c9779061f4a34c  2.2/rpms/kernel-doc-2.4.32-1tr.i586.rpm
1a717277e2473be23c73be9c9451dc10  2.2/rpms/kernel-smp-2.4.32-1tr.i586.rpm
9feb263b5e228b189017132067caa588  2.2/rpms/kernel-source-2.4.32-1tr.i586.rpm
3f4a0be241ff8721b4454942128412c2  2.2/rpms/kernel-utils-2.4.32-1tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD7Huni8CEzsK9IksRAnPAAKColQgz1eK/HDtjEJU2D3CJh4YA1wCfV+ZN
bvSl/P3HJQpg+IW43MzLWpg=
=U5/6
-----END PGP SIGNATURE-----