TSLSA-2007-0009 - multi

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: TSLSA-2007-0009 - multi
From: Trustix Security Advisor <tsl@xxxxxxxxxxx>
Date: Fri, 9 Mar 2007 15:32:26 +0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mutt/1.4.2.1i

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2007-0009

Package names:     gnupg, php4
Summary:           Multiple vulnerabilities
Date:              2007-03-09
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Secure Linux 3.0.5
                   Trustix Operating System - Enterprise Server 2

- --------------------------------------------------------------------------
Package description:
  gnupg
  GnuPG is a complete and free replacement for PGP. Because it does not
  use IDEA it can be used without any restrictions. GnuPG is in compliance
  with the OpenPGP specification (RFC2440).

  php4
  PHP is an HTML-embedded scripting language. PHP attempts to make
  it easy for developers to write dynamically generated web pages.
  PHP also offers built-in database integration for several commercial
  and non-commercial database management systems, so writing a
  database-enabled web page with PHP is fairly simple. The most
  common use of PHP coding is probably as a replacement for CGI
  scripts. The mod_php module enables the Apache web server to
  understand and process the embedded PHP language in web pages.

Problem description:
  gnupg < TSL 3.0.5 >  < TSL 3.0 >
  - New Upstream.
  - SECURITY Fix: GnuPG 1.4.6 and earlier, when run from the command
    line, does not visually distinguish signed and unsigned portions
    of OpenPGP messages with multiple components, which might allow
    remote attackers to forge the contents of a message without
    detection.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2007-1263 to this issue.

  php4 < TSL 2.2 > < TSEL 2 >
  - New Upstream.
  - Fixes crash problem with the session extension when register_globals
    is turned on.
  - SECURITY Fix: Several vulnerabilities have been reported in PHP,
    which can be exploited by malicious people to disclose potentially
    sensitive information, cause a DoS and potentially compromise a
    vulnerable system. (SA24089)
  
Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All Trustix Secure Linux updates are available from
  <URI:http://http.trustix.org/pub/trustix/updates/>
  <URI:ftp://ftp.trustix.org/pub/trustix/updates/>


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.


Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.org/support/>


Verification:
  This advisory along with all Trustix packages are signed with the
  TSL sign key.
  This key is available from:
  <URI:http://www.trustix.org/TSL-SIGN-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.org/errata/trustix-2.2/>
  <URI:http://www.trustix.org/errata/trustix-3.0/> and
  <URI:http://www.trustix.org/errata/trustix-3.0.5/>
  or directly at
  <URI:http://www.trustix.org/errata/2007/0009/>


MD5sums of the packages:
- --------------------------------------------------------------------------
bafa34d79da94e06cbced9fb6be856bc  3.0.5/rpms/gnupg-1.4.7-1tr.i586.rpm
a4eec3de278ba9cf3d281079bc25ca48  3.0.5/rpms/gnupg-utils-1.4.7-1tr.i586.rpm

bf409ef7bd3f2ccb039063968d3f39d2  3.0/rpms/gnupg-1.4.7-1tr.i586.rpm
2a66ba2cc799d8acb648072e49d46227  3.0/rpms/gnupg-utils-1.4.7-1tr.i586.rpm

639bde6894ecc53c8cf198a57d86abfa  2.2/rpms/php4-4.4.6-1tr.i586.rpm
87de267da760309c46a7ef2b682fff2b  2.2/rpms/php4-cli-4.4.6-1tr.i586.rpm
180ba74efc954cb4d63d8e613eb9cda8  2.2/rpms/php4-curl-4.4.6-1tr.i586.rpm
3a100aacfd5fdc5a8c79246abfe436cf  2.2/rpms/php4-devel-4.4.6-1tr.i586.rpm
3c9c2b6d34e91997ca9e3c9e1e2bd69d  2.2/rpms/php4-domxml-4.4.6-1tr.i586.rpm
4f6e0cc934aad6fd0d367e6e3f1f083b  2.2/rpms/php4-exif-4.4.6-1tr.i586.rpm
4bb5a6780ce263b7f963c74c0a7c68a4  2.2/rpms/php4-fcgi-4.4.6-1tr.i586.rpm
7b5c1a560fb13ede6508864f929ed2fd  2.2/rpms/php4-gd-4.4.6-1tr.i586.rpm
743a1f4180b61820e202e1a7adc2fbbb  2.2/rpms/php4-imap-4.4.6-1tr.i586.rpm
9dd9d2ab1537a0218467df98d7cc32e7  2.2/rpms/php4-ldap-4.4.6-1tr.i586.rpm
79bfff33013dc930ece67d8411ac5b56  2.2/rpms/php4-mhash-4.4.6-1tr.i586.rpm
adaa356574ff08c2e54db4084950a10d  2.2/rpms/php4-mysql-4.4.6-1tr.i586.rpm
59ba6c4c1d985f17a5a6b49532ff1157  2.2/rpms/php4-pgsql-4.4.6-1tr.i586.rpm
22b3e87e3b97c4b7bf4b7dd5c04c98bf  2.2/rpms/php4-test-4.4.6-1tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFF8XgFi8CEzsK9IksRAs17AJ4rmCUrBzXNbJSUxOgb6+pR2z6CAQCgrQhG
ZYIlB63QwyMVVKxvFA3LfCA=
=0Sj4
-----END PGP SIGNATURE-----

Prev by Date: [USN-434-1] Ekiga vulnerability
Next by Date: MS07-016 FTP Response DOS PoC
Previous by thread: [USN-434-1] Ekiga vulnerability
Next by thread: MS07-016 FTP Response DOS PoC
Index(es):
- Date
- Thread