TSLSA-2006-0008 - multi

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: TSLSA-2006-0008 - multi
From: Trustix Security Advisor <tsl@xxxxxxxxxxx>
Date: Fri, 24 Feb 2006 14:58:54 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mutt/1.4.2.1i
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2006-0008

Package names:     gnupg, gnutls, libtasn1, postgresql  
Summary:           Multiple vulnerabilities
Date:              2006-02-17
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Operating System - Enterprise Server 2

- --------------------------------------------------------------------------
Package description:
  gnupg
  GnuPG is a complete and free replacement for PGP. Because it does not
  use IDEA it can be used without any restrictions. GnuPG is in compliance
  with the OpenPGP specification (RFC2440).

  gnutls
  GnuTLS is a project that aims to develop a library which provides a secure
  layer, over a reliable transport layer. Currently the GnuTLS library
  implements the proposed standards by the IETF's TLS working group.

  libtasn1
  This is the ASN.1 library used in GNUTLS.

  postgresql
  PostgreSQL is an advanced Object-Relational database management system
  (DBMS) that supports almost all SQL constructs (including
  transactions, subselects and user-defined types and functions). The
  postgresql package includes the client programs and libraries that
  you'll need to access a PostgreSQL DBMS server.  These PostgreSQL
  client programs are programs that directly manipulate the internal
  structure of PostgreSQL databases on a PostgreSQL server. These client
  programs can be located on the same machine with the PostgreSQL
  server, or may be on a remote machine which accesses a PostgreSQL
  server over a network connection. This package contains the docs
  in HTML for the whole package, as well as command-line utilities for
  managing PostgreSQL databases on a PostgreSQL server.

Problem description:
  gnupg < TSL 3.0 >
  - New Upstream.
  - SECURITY Fix: Taviso has reported a verification weakness in gpgv where
    some input could lead to gpgv exiting with 0 even if the detached
    signature file did not carry any signature.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2006-0455 to this issue.

  gnutls < TSL 3.0 >
  - SECURITY Fix: Evgeny Legerov has reported some vulnerabilities in
    GnuTLS libtasn1, which potentially can be exploited by malicious
    people to cause a DoS. The vulnerabilities are caused due to errors
    within the DER decoder in libtasn1. This can be exploited to crash an
    application that uses the library via specially-crafted input.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2006-0645 to this issue.  

  libtasn1 < TSL 3.0 >
  - SECURITY Fix: Evgeny Legerov has reported some vulnerabilities in
    libtasn1, which potentially can be exploited by malicious
    people to cause a DoS. The vulnerabilities are caused due to errors
    within the DER decoder in libtasn1. This can be exploited to crash an
    application that uses the library via specially-crafted input.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2006-0645 to this issue.

  postgresql < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - New Upstream.
  - SECURITY Fix: Akio Ishida has reported an error in "SET SESSION
    AUTHORIZATION" command which can be exploited to crash the server
    process, if it has been compiled with Asserts enabled.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2006-0678 to this issue.
  
Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All Trustix Secure Linux updates are available from
  <URI:http://http.trustix.org/pub/trustix/updates/>
  <URI:ftp://ftp.trustix.org/pub/trustix/updates/>


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.


Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.org/support/>


Verification:
  This advisory along with all Trustix packages are signed with the
  TSL sign key.
  This key is available from:
  <URI:http://www.trustix.org/TSL-SIGN-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.org/errata/trustix-2.2/> and
  <URI:http://www.trustix.org/errata/trustix-3.0/>
  or directly at
  <URI:http://www.trustix.org/errata/2006/0008/>


MD5sums of the packages:
- --------------------------------------------------------------------------
c2544a9acc143e0333f1b3bdb5a76ce4  3.0/rpms/gnupg-1.4.2.1-1tr.i586.rpm
d243248ff7d5e96240a6e1000154e83e  3.0/rpms/gnupg-utils-1.4.2.1-1tr.i586.rpm
1aa00bf1bae6186f8364ab7d1285dcaf  3.0/rpms/gnutls-1.2.4-3tr.i586.rpm
fe8caa913f619f9a2e86fbf54b561841  3.0/rpms/gnutls-devel-1.2.4-3tr.i586.rpm
d23ea95c83f3222e29186394beb8ed83  3.0/rpms/libtasn1-0.2.13-5tr.i586.rpm
d8eaf0821570da1102419f4bb8cba82f  3.0/rpms/libtasn1-devel-0.2.13-5tr.i586.rpm
9d4571ffc0f2b5970e56ec7523d6a13f  3.0/rpms/postgresql-8.0.7-1tr.i586.rpm
a7258c3db7f510c7b0fd15aed483fcd7  3.0/rpms/postgresql-contrib-8.0.7-1tr.i586.rpm
fc66f2ba43c175b60d2fbd59051a4150  3.0/rpms/postgresql-devel-8.0.7-1tr.i586.rpm
23e7845018a5ff32c125e87d1429e1c5  3.0/rpms/postgresql-docs-8.0.7-1tr.i586.rpm
14d22a419e0342edf5d5222e6a78d582  3.0/rpms/postgresql-libs-8.0.7-1tr.i586.rpm
17140854e4db6467c8bc1f4d39e675ca  3.0/rpms/postgresql-plperl-8.0.7-1tr.i586.rpm
6085d12cdfc3fba877c5cf2b84d71350  3.0/rpms/postgresql-python-8.0.7-1tr.i586.rpm
231340c0e67bb18ef0888293f4bce31c  3.0/rpms/postgresql-server-8.0.7-1tr.i586.rpm
d2e15d6c13a8c98e31763122bfcdb408  3.0/rpms/postgresql-test-8.0.7-1tr.i586.rpm

e35b5e75c4de1b7bf92d599084d3c27e  2.2/rpms/postgresql-8.0.7-1tr.i586.rpm
e5c4eb03a4ca62b94b398afbbc8dc8a1  2.2/rpms/postgresql-contrib-8.0.7-1tr.i586.rpm
39322b731069634b7fbfc6276f48e149  2.2/rpms/postgresql-devel-8.0.7-1tr.i586.rpm
de0cc43f820b5cc1f0a1a8bb1209af37  2.2/rpms/postgresql-docs-8.0.7-1tr.i586.rpm
695d42913801c7bbeb1e2e36dc500921  2.2/rpms/postgresql-libs-8.0.7-1tr.i586.rpm
eb85225b176e9fdbb125bead116d9e4a  2.2/rpms/postgresql-plperl-8.0.7-1tr.i586.rpm
bedb35855a8a4d8fca66600d569829d1  2.2/rpms/postgresql-python-8.0.7-1tr.i586.rpm
609d4b7fba380f2d6eaed566144ea315  2.2/rpms/postgresql-server-8.0.7-1tr.i586.rpm
16d5848a36b5b6c9a97fafca4749084f  2.2/rpms/postgresql-test-8.0.7-1tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (GNU/Linux)

iD8DBQFD/wXLi8CEzsK9IksRAsHqAJ96jzuJyZbWAsCdAuykdKAe5V58RQCfWthE
/8FQp2zDKMclU4u50oQ22v0=
=bpro
-----END PGP SIGNATURE-----
Prev by Date: The Domain Name Service as an IDS
Next by Date: TSLSA-2006-0010 - multi
Previous by thread: The Domain Name Service as an IDS
Next by thread: TSLSA-2006-0010 - multi
Index(es):
- Date
- Thread