TSLSA-2006-0032 - multi
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2006-0032
Package names: kernel, postgresql
Summary: Multiple vulnerabilities
Date: 2006-06-05
Affected versions: Trustix Secure Linux 2.2
Trustix Secure Linux 3.0
Trustix Operating System - Enterprise Server 2
- --------------------------------------------------------------------------
Package description:
kernel
The kernel package contains the Linux kernel (vmlinuz), the core of your
Trustix Secure Linux operating system. The kernel handles the basic
functions of the operating system: memory allocation, process allocation,
device input and output, etc.
postgresql
PostgreSQL is an advanced Object-Relational database management system
(DBMS) that supports almost all SQL constructs (including transactions,
subselects and user-defined types and functions). The postgresql package
includes the client programs and libraries that you'll need to access a
PostgreSQL DBMS server. These PostgreSQL client programs are programs
that directly manipulate the internal structure of PostgreSQL databases
on a PostgreSQL server. These client programs can be located on the same
machine with the PostgreSQL server, or may be on a remote machine which
accesses a PostgreSQL server over a network connection. This package
contains the docs in HTML for the whole package, as well as command-line
utilities for managing PostgreSQL databases on a PostgreSQL server.
Problem description:
kernel < TSL 3.0 >
- New Upstream.
- SECURITY Fix: Pavel Kankovsky discovered that the getsockopt()
function, when called with an SO_ORIGINAL_DST argument, does not
properly clear the returned structure, so that a random piece of
kernel memory is exposed to the user. This could potentially
reveal sensitive data like passwords or encryption keys.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2006-1343 to this issue.
postgresql < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- New Upstream.
- SECURITY Fix: Akio Ishida and Yasuo Ohgaki have reported vulnerabilities
in PostgreSQL, which potentially can be exploited by malicious people
to conduct SQL injection attacks.
- The first issue is due to an input validation error when handling a
parameter containing invalidly-encoded multibyte characters, which
could be exploited by malicious people to bypass standard string-escaping
methods and conduct SQL injection attacks via a supposedly secure script.
- The second issue is due to an error when escaping ASCII single quote "'"
characters (by turning them into "\'") and operating in multibyte
encodings that allow using the "0x5c" ASCII code (backslash) as the
trailing byte of a multibyte character, which could be exploited by
attackers to inject arbitrary SQL queries.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2006-2313 and CVE-2006-2314 to these issues.
Action:
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.
Location:
All Trustix Secure Linux updates are available from
<URI:http://http.trustix.org/pub/trustix/updates/>
<URI:ftp://ftp.trustix.org/pub/trustix/updates/>
About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers. With focus
on security and stability, the system is painlessly kept safe and up to
date from day one using swup, the automated software updater.
Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.
Questions?
Check out our mailing lists:
<URI:http://www.trustix.org/support/>
Verification:
This advisory along with all Trustix packages are signed with the
TSL sign key.
This key is available from:
<URI:http://www.trustix.org/TSL-SIGN-KEY>
The advisory itself is available from the errata pages at
<URI:http://www.trustix.org/errata/trustix-2.2/> and
<URI:http://www.trustix.org/errata/trustix-3.0/>
or directly at
<URI:http://www.trustix.org/errata/2006/0032/>
MD5sums of the packages:
- --------------------------------------------------------------------------
121d183196f68f2cf0103f3633bb20c6 3.0/rpms/kernel-2.6.16.19-1tr.i586.rpm
9ed54909e98391d7b186a82faf51bd60 3.0/rpms/kernel-doc-2.6.16.19-1tr.i586.rpm
9d4639a8e76244bbe32418e09a714173 3.0/rpms/kernel-headers-2.6.16.19-1tr.i586.rpm
fc5fbb21717f9aae313837d25f30a1e2 3.0/rpms/kernel-smp-2.6.16.19-1tr.i586.rpm
7b05468af17a0f85c0f00491acba4b29
3.0/rpms/kernel-smp-headers-2.6.16.19-1tr.i586.rpm
91ee589decd8b3a59ed3d2bcdb92679e 3.0/rpms/kernel-source-2.6.16.19-1tr.i586.rpm
c4cb02088d94c56a1b651f35a282af38 3.0/rpms/kernel-utils-2.6.16.19-1tr.i586.rpm
e17cebe683877da8bf30eb623dc253b9 3.0/rpms/postgresql-8.0.8-1tr.i586.rpm
950f2cb976a8ff0dd2c6d70256133d9c 3.0/rpms/postgresql-contrib-8.0.8-1tr.i586.rpm
a50d9d2df08b4e7ac72c6478a2a43618 3.0/rpms/postgresql-devel-8.0.8-1tr.i586.rpm
7d2cc5c1426db73d740e87dd93b4e760 3.0/rpms/postgresql-docs-8.0.8-1tr.i586.rpm
227dade49aeb6e0abe404ef576a4f583 3.0/rpms/postgresql-libs-8.0.8-1tr.i586.rpm
b4036f0a5450324187ed2f60523a40ee 3.0/rpms/postgresql-plperl-8.0.8-1tr.i586.rpm
dba05d0337f9e58669fd32fbf649cc0d 3.0/rpms/postgresql-python-8.0.8-1tr.i586.rpm
137ddd05f7dab3132621a8692dc7972d 3.0/rpms/postgresql-server-8.0.8-1tr.i586.rpm
b26364b4ce735d71a8270546abe120f3 3.0/rpms/postgresql-test-8.0.8-1tr.i586.rpm
0b1e0479135bed99d63897eacd2a78f0 2.2/rpms/postgresql-8.0.8-1tr.i586.rpm
843397887082044cde3a5854a65f392e 2.2/rpms/postgresql-contrib-8.0.8-1tr.i586.rpm
74e6e516a27734fa9547abe30d78b26c 2.2/rpms/postgresql-devel-8.0.8-1tr.i586.rpm
6b63e60bdc3617150a3f579dd660d20e 2.2/rpms/postgresql-docs-8.0.8-1tr.i586.rpm
2abc3b93aea9a0f83484e44b5cb0b50e 2.2/rpms/postgresql-libs-8.0.8-1tr.i586.rpm
49d10191fca0468cf1c05125e5b9b9fb 2.2/rpms/postgresql-plperl-8.0.8-1tr.i586.rpm
efe2ca04380d377e4c5a5b76e6e469ad 2.2/rpms/postgresql-python-8.0.8-1tr.i586.rpm
a9a537c752b145d160859ba950666562 2.2/rpms/postgresql-server-8.0.8-1tr.i586.rpm
7a434f65a08759a9d834cd28e86e14ca 2.2/rpms/postgresql-test-8.0.8-1tr.i586.rpm
- --------------------------------------------------------------------------
Trustix Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEg8QEi8CEzsK9IksRAl/rAKCRzNCw8qN8d68AtCoME7IZvyL5XwCfci9t
npimE11TaUGrBkojgxjSv0Y=
=GZFm
-----END PGP SIGNATURE-----