TSLSA-2007-0013 - multi
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2007-0013
Package names: clamav, freeradius, freetype
Summary: Multiple vulnerabilities
Date: 2007-04-20
Affected versions: Trustix Secure Linux 2.2
Trustix Secure Linux 3.0
Trustix Secure Linux 3.0.5
- --------------------------------------------------------------------------
Package description:
clamav
Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose
of this software is the integration with mail servers (attachment
scanning). The package provides a flexible and scalable multi-threaded
daemon, a command line scanner, and a tool for automatic updating via
Internet. The programs are based on a shared library distributed with
package, which you can use with your own software. Most importantly,
the virus database is kept up to date.
freeradius
The FreeRADIUS Server Project is a high performance and highly
configurable GPL'd free RADIUS server. The server is similar in some
respects to Livingston's 2.0 server. While FreeRADIUS started as a
variant of the Cistron RADIUS server, they don't share a lot in common
any more. It now has many more features than Cistron or Livingston,
and is much more configurable.
freetype
The FreeType engine is a free and portable TrueType font rendering
engine, developed to provide TrueType support for a variety of
platforms and environments. FreeType is a library which can open
and manage font files as well as efficiently load, hint and render
individual glyphs. FreeType is not a font server or a complete
text-rendering library.
Problem description:
clamav < TSL 3.0.5 > < TSL 3.0 > < TSL 2.2 >
- New Upstream.
- SECURITY Fix: A file descriptor leak in the
"chm_decompress_stream()" [libclamav/chmunpack.c] function. Each
specially crafted CHM file scanned leaks a descriptor, so an attacker
can exhaust the scanner's descriptors and deny service to the
affected clamd instance.
- A buffer overflow in the "cab_unstore()" [libclamav/cab.c]
function, caused by a negative length value read from a CAB file
(integer signedness error), which could be exploited by attackers
to crash an affected application or compromise a vulnerable system
via a specially crafted CAB file. Since clamav typically scans mail
attachments, either file can be delivered by any remote sender.
The Common Vulnerabilities and Exposures project has assigned the
names CVE-2007-1745 and CVE-2007-1997 to these issues.
freeradius < TSL 3.0.5 > < TSL 3.0 >
- New upstream.
- SECURITY Fix: A memory leak has been reported in FreeRADIUS's
EAP-TTLS module (rlm_eap_ttls) when it handles malformed
Diameter-format attributes inside an EAP-TTLS tunnel. This can be
exploited to exhaust all available memory, and so deny service, by
sending a large number of malformed authentication requests to a
vulnerable server. No valid credentials are needed: the requests
are relayed by the NAS (for example a wireless access point), so
the attacker never needs the RADIUS shared secret.
The Common Vulnerabilities and Exposures project has assigned the
name CVE-2007-2028 to this issue.
freetype < TSL 3.0.5 > < TSL 3.0 > < TSL 2.2 >
- SECURITY Fix: A vulnerability has been reported in FreeType, caused
by an integer overflow in the BDF font parser. This can be
exploited to cause a heap-based buffer overflow, and potentially
execute arbitrary code, via a specially crafted BDF font loaded by
any application using libfreetype.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2007-1351 to this issue.
Action:
We recommend that all systems with any of these packages installed be
upgraded. If you do not need the functionality a package provides, you
may want to remove it from your system instead. After upgrading,
restart clamd, radiusd and any long-running process that links
libfreetype, since a running process keeps using the old library
until it is restarted.
Location:
All Trustix Secure Linux updates are available from
<URI:http://http.trustix.org/pub/trustix/updates/>
<URI:ftp://ftp.trustix.org/pub/trustix/updates/>
About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers. With focus
on security and stability, the system is painlessly kept safe and up to
date from day one using swup, the automated software updater.
Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.
Questions?
Check out our mailing lists:
<URI:http://www.trustix.org/support/>
Verification:
This advisory, along with all Trustix packages, is signed with the
TSL sign key.
This key is available from:
<URI:http://www.trustix.org/TSL-SIGN-KEY>
The advisory itself is available from the errata pages at
<URI:http://www.trustix.org/errata/trustix-2.2/>
<URI:http://www.trustix.org/errata/trustix-3.0/> and
<URI:http://www.trustix.org/errata/trustix-3.0.5/>
or directly at
<URI:http://www.trustix.org/errata/2007/0013/>
MD5sums of the packages:
- --------------------------------------------------------------------------
363d955717ac1dccab2f36704d7d8b30 3.0.5/rpms/clamav-0.90.2-1tr.i586.rpm
980cad860c1f6512375edc6cec93d108 3.0.5/rpms/clamav-devel-0.90.2-1tr.i586.rpm
d1bd961e80961708351346118fc58e4a 3.0.5/rpms/freeradius-1.1.6-1tr.i586.rpm
daff1cc4dd6e113e40aaf46a7c686123 3.0.5/rpms/freeradius-devel-1.1.6-1tr.i586.rpm
a9247bac22f71b6fecae99a0d3e88d8c 3.0.5/rpms/freeradius-libs-1.1.6-1tr.i586.rpm
08ca9934e8820270d4096f10c9b91bd4 3.0.5/rpms/freeradius-mysql-1.1.6-1tr.i586.rpm
d954323c696e0bdce080573fa9c39d6f 3.0.5/rpms/freeradius-postgresql-1.1.6-1tr.i586.rpm
5fe145ef4aa8bcdf5e66795a5e3c6d24 3.0.5/rpms/freetype-2.2.1-3tr.i586.rpm
722c2ad36610951684f215ed4dd69514 3.0.5/rpms/freetype-devel-2.2.1-3tr.i586.rpm
f94cbd6d3b4e11e876e0b6ec055bfaeb 3.0/rpms/clamav-0.90.2-1tr.i586.rpm
ff07ab09cda1daf2c227203505f93c31 3.0/rpms/clamav-devel-0.90.2-1tr.i586.rpm
7d10b48d37ec11db59d6e69c730273a1 3.0/rpms/freeradius-1.1.6-1tr.i586.rpm
ea7488143685b5e2cb697899939ccb2b 3.0/rpms/freeradius-devel-1.1.6-1tr.i586.rpm
2e4b6fbe915dbf5c2b506d2b5896d025 3.0/rpms/freeradius-libs-1.1.6-1tr.i586.rpm
e8c4e481bd11de4a066e53bf13e6abe7 3.0/rpms/freeradius-mysql-1.1.6-1tr.i586.rpm
01d52910947c479764e667f3ca4bb34a 3.0/rpms/freeradius-postgresql-1.1.6-1tr.i586.rpm
23bbbd55f5c360bb34f476d21c83e450 3.0/rpms/freetype-2.2.1-2tr.i586.rpm
753bd2d95d42faa455521746392a24df 3.0/rpms/freetype-devel-2.2.1-2tr.i586.rpm
7f90f161ac99156d6a515f62f066ac27 2.2/rpms/clamav-0.90.2-1tr.i586.rpm
bedc9ef9bc4ca66095cf91fcc7394af1 2.2/rpms/clamav-devel-0.90.2-1tr.i586.rpm
8f7c962405faaa170de2318287a25e54 2.2/rpms/freetype-2.2.1-2tr.i586.rpm
f9e63c2c865fba85bc3e7ab1841917a7 2.2/rpms/freetype-devel-2.2.1-2tr.i586.rpm
- --------------------------------------------------------------------------
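For administrators who fetch the RPMs by hand rather than with swup, the listing above is what the downloaded files should be checked against. The following is an added example, not Trustix tooling or anything from the advisory: it parses the "MD5sums of the packages" block (including an entry that mail wrapping has split across two lines, as happened to the freeradius-postgresql entries here), compares each listed file under a local download directory, and reports matches, mismatches and missing files. The download directory layout ("<release>/rpms/<file>") and the constructed fixture with fake .rpm contents are assumptions for the sake of a stand-alone run. Verify the PGP signature on the advisory first; the sums vouch for the files only if the advisory itself is authentic.

```python
"""Check downloaded Trustix RPMs against an advisory's MD5sums block.
Added example, not Trustix tooling (swup does this for you). Assumes the
advisory text is in hand and packages were downloaded keeping the
"<release>/rpms/<file>" paths used in the listing."""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_md5_listing(advisory_text: str) -> Dict[str, str]:
    """Return {relative_path: md5hex} from the "MD5sums of the packages" block.
    A wrapped entry (checksum and path on consecutive lines, as for the
    freeradius-postgresql entries in TSLSA-2007-0013) is joined back up."""
    sums: Dict[str, str] = {}
    pending: Optional[str] = None   # checksum waiting for its path
    in_block = False
    for raw in advisory_text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line.startswith("MD5sums of the packages")
            continue
        if line.startswith("- ---") or line.startswith("---"):
            if sums or pending:     # second separator closes the block
                break
            continue                # first separator opens it
        parts = line.split()
        if pending is not None:
            if len(parts) == 1 and not MD5_RE.match(parts[0]):
                sums[parts[0]] = pending
                pending = None
                continue
            raise ValueError(f"checksum {pending} has no path before {raw!r}")
        if len(parts) == 2 and MD5_RE.match(parts[0]):
            sums[parts[1]] = parts[0]
        elif len(parts) == 1 and MD5_RE.match(parts[0]):
            pending = parts[0]
        else:
            break                   # any other line ends the block
    if pending is not None:
        raise ValueError(f"checksum {pending} has no path")
    return sums


def md5_of_file(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()


def verify_packages(sums: Dict[str, str], download_dir: str, release: Optional[str] = None
                    ) -> Tuple[List[str], List[str], List[str]]:
    """Return (ok, mismatched, missing) paths, optionally for one release only."""
    ok, bad, missing = [], [], []
    for rel, expected in sorted(sums.items()):
        if release and not rel.startswith(release + "/"):
            continue
        path = os.path.join(download_dir, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif md5_of_file(path) == expected:
            ok.append(rel)
        else:
            bad.append(rel)
    return ok, bad, missing


def build_constructed_fixture() -> Tuple[str, str]:
    """Constructed data for a stand-alone run: fake .rpm files in a temp tree and
    an advisory excerpt in the page's layout (one wrapped entry, one listed
    package never downloaded, one file tampered with after the sums were taken)."""
    root = tempfile.mkdtemp(prefix="tslsa-")
    files = {
        "3.0.5/rpms/clamav-0.90.2-1tr.i586.rpm": b"constructed clamav\n",
        "3.0.5/rpms/freeradius-postgresql-1.1.6-1tr.i586.rpm": b"constructed radius\n",
        "3.0.5/rpms/freetype-2.2.1-3tr.i586.rpm": b"constructed freetype\n",
    }
    lines = ["MD5sums of the packages:", "- " + "-" * 74]
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        digest = hashlib.md5(data).hexdigest()
        lines += [digest, rel] if "postgresql" in rel else [f"{digest} {rel}"]
    lines.append("0" * 32 + " 3.0.5/rpms/clamav-devel-0.90.2-1tr.i586.rpm")
    lines += ["- " + "-" * 74, "Trustix Security Team"]
    with open(os.path.join(root, "3.0.5/rpms/freetype-2.2.1-3tr.i586.rpm"), "ab") as f:
        f.write(b"tampered\n")
    return "\n".join(lines), root


if __name__ == "__main__":
    advisory, directory = build_constructed_fixture()
    ok, bad, missing = verify_packages(parse_md5_listing(advisory), directory, "3.0.5")
    print("ok:", ok, "\nMISMATCH:", bad, "\nmissing:", missing)
```

Pass the release you actually run (2.2, 3.0 or 3.0.5) so that packages for the other releases are not reported as missing. A mismatch means a truncated or altered download and the package must not be installed; MD5 here only ties the files to the signed advisory, the RPM's own signature (rpm --checksig) remains the primary authenticity check.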
Trustix Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
iD8DBQFGKNhZi8CEzsK9IksRAs2DAJ0Q3vTXMGsZsuyEatmaRqv7xugO7QCfb5Tm
FspWkR7B85FuSFKiu3w6lAY=
=SzHz
-----END PGP SIGNATURE-----