<<< Date Index >>>     <<< Thread Index >>>

TSLSA-2006-0044 - multi



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2006-0044

Package names:     apache, gnupg, libtiff 
Summary:           Multiple vulnerabilities
Date:              2006-08-04
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Operating System - Enterprise Server 2
 
- --------------------------------------------------------------------------
Package description:
  apache
  Apache is a full featured web server that is freely available, and also
  happens to be the most widely used. Built with loadable modules
  (all standard modules enabled). This verion is intended as a
  replacement for a standard apache, the configuration files provided
  with apache and apache-ssl are unchanged.

  gnupg
  GnuPG is a complete and free replacement for PGP. Because it does not
  use IDEA it can be used without any restrictions. GnuPG is in compliance
  with the OpenPGP specification (RFC2440).

  libtiff
  The libtiff package contains a library of functions for manipulating
  TIFF (Tagged Image File Format) image format files.  TIFF is a widely
  used file format for bitmapped images.  TIFF files usually end in the
  .tif extension and they are often quite large.

Problem description:
  apache < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - SECURITY Fix: A vulnerability has been reported in Apache HTTP Server,
    which potentially can be exploited by malicious people to compromise
    a vulnerable system. The vulnerability is caused by a off-by-one error
    in mod_rewrite within the ldap scheme handling and can be exploited
    to cause a one-byte buffer overflow.

    The Common Vulnerabilities and Exposures project has assigned the
    name CVE-2006-3747 to this issue.


  gnupg < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - SECURITY Fix: Evgeny Legerov has reported a vulnerability in GnuPG,
    caused due to an input validation error in parse_packet.c when
    handling certain message packets. This can be exploited to cause
    GnuPG to consume large amounts of memory or crash via an overly
    long comment length in a message packet. This can further be
    exploited to cause an integer overflow, which leads to possible
    memory corruption and crashes GnuPG.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2006-3746 to this issue.

  libtiff < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - SECURITY Fix: Tavis Ormandy, Google Security Team has reported some
    vulnerabilities in libTIFF, which can be exploited by malicious people
    to cause a DoS or potentially compromise a vulnerable system. The
    vulnerabilities are caused due to various heap and integer overflows
    when processing TIFF images and can be exploited via a specially
    crafted TIFF image.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the names CVE-2006-3459, CVE-2006-3460, CVE-2006-3461,
    CVE-2006-3462, CVE-2006-3463, CVE-2006-3464 and CVE-2006-3465
    these issues.
  
Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All Trustix Secure Linux updates are available from
  <URI:http://http.trustix.org/pub/trustix/updates/>
  <URI:ftp://ftp.trustix.org/pub/trustix/updates/>


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.


Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.org/support/>


Verification:
  This advisory along with all Trustix packages are signed with the
  TSL sign key.
  This key is available from:
  <URI:http://www.trustix.org/TSL-SIGN-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.org/errata/trustix-2.2/> and
  <URI:http://www.trustix.org/errata/trustix-3.0/>
  or directly at
  <URI:http://www.trustix.org/errata/2006/0044/>


MD5sums of the packages:
- --------------------------------------------------------------------------
58e10eb0a911f601bccce37461b78a26  3.0/rpms/apache-2.0.55-6tr.i586.rpm
4b6d1ea23783ad3451e3c5b47d37596c  3.0/rpms/apache-dbm-2.0.55-6tr.i586.rpm
56aa4269f86037d48004985b43c75f38  3.0/rpms/apache-devel-2.0.55-6tr.i586.rpm
ac6d0f00e57cbc8a8cf9f5ab4f22dc3d  3.0/rpms/apache-html-2.0.55-6tr.i586.rpm
74b83eb0f04125065de9aef381d779b5  3.0/rpms/apache-manual-2.0.55-6tr.i586.rpm
58976e6d0a3294c599ce4207645b7063  3.0/rpms/apache-suexec-2.0.55-6tr.i586.rpm
60e3feed5588956b6addd456ebb46084  3.0/rpms/gnupg-1.4.5-1tr.i586.rpm
617c538b41eb29a1e7c4d9c4dd3a7eff  3.0/rpms/gnupg-utils-1.4.5-1tr.i586.rpm
593e0428f5e19b7aa5b066435458a995  3.0/rpms/libtiff-3.7.3-4tr.i586.rpm
f64821e5b0e83b07edde3d69ffba6fa5  3.0/rpms/libtiff-devel-3.7.3-4tr.i586.rpm
e3cc03fe87aefbb911f1d7aa341d12f8  3.0/rpms/libtiff-docs-3.7.3-4tr.i586.rpm

c25e4d8ff23456ee2107506b1d317bc6  2.2/rpms/apache-2.0.55-5tr.i586.rpm
dbeb192f9dd39888b82d1988bf90b4ce  2.2/rpms/apache-dbm-2.0.55-5tr.i586.rpm
dd9935efecc4d307397e602b56a84464  2.2/rpms/apache-devel-2.0.55-5tr.i586.rpm
c97b60eab43dc496ad8a07a3f704f06a  2.2/rpms/apache-html-2.0.55-5tr.i586.rpm
41ac31626a1d3c1119abf9235d0cfbce  2.2/rpms/apache-manual-2.0.55-5tr.i586.rpm
78bff5e45937c5681d41f9db5dd36aa6  2.2/rpms/apache-suexec-2.0.55-5tr.i586.rpm
9f4b7cda6d7b07fac29d08d6e78297ec  2.2/rpms/gnupg-1.2.6-4tr.i586.rpm
317c80f0edc6f851916cc0ab6f95cf4f  2.2/rpms/gnupg-utils-1.2.6-4tr.i586.rpm
69645d7b4ef2406eca3c01247ef3aa19  2.2/rpms/libtiff-3.7.3-4tr.i586.rpm
ecd83df2149e912bf906dee0fb10eb0c  2.2/rpms/libtiff-devel-3.7.3-4tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFE004fi8CEzsK9IksRAjQxAKCKKmqGCgUvxEmjWKaRFX7pvaXzzgCeMm5+
pyqriuorNv9SE8gRbx1ZnX0=
=3Eol
-----END PGP SIGNATURE-----