TSLSA-2006-0070 - multi
user name
2006-12-08 14:54:22
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2006-0070

Package names:     gnupg, proftpd
Summary:           Multiple vulnerabilities
Date:              2006-12-08
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Operating System - Enterprise Server 2

- --------------------------------------------------------------------------
Package description:
  gnupg
  GnuPG is a complete and free replacement for PGP. Because it does not
  use IDEA it can be used without any restrictions. GnuPG is in
  compliance with the OpenPGP specification (RFC2440).

  proftpd
  ProFTPd is an enhanced FTP server with a focus toward simplicity,
  security, and ease of configuration. It features a very Apache-like
  configuration syntax, and a highly customizable server infrastructure,
  including support for multiple 'virtual' FTP servers, anonymous FTP,
  and permission-based directory visibility.

Problem description:
  gnupg  < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - New Upstream.
  - SECURITY Fix: Tavis Ormandy has reported a vulnerability in GnuPG,
    caused by an error within the decryption of malformed OpenPGP
    messages. This can be exploited to corrupt memory when decrypting
    a specially crafted OpenPGP message.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2006-6235 to this issue.

  proftpd < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - New upstream.
  - SECURITY Fix: Stack-based buffer overflow in the sreplace function
    allows remote attackers to cause a denial of service, as
    demonstrated by vd_proftpd.pm, a "ProFTPD remote exploit."

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2006-5815 to this issue.
  - NOTE: In November 2006, the role of CommandBufferSize was originally
    associated with CVE-2006-5815, but this was an error stemming from
    an initial vague disclosure. Correct CVE: CVE-2006-6171.

Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All Trustix Secure Linux updates are available from
  <URI:http://http.trustix.org/pub/trustix/updates/>
  <URI:ftp://ftp.trustix.org/pub/trustix/updates/>


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.


Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.org/support/>


Verification:
  This advisory along with all Trustix packages are signed with the
  TSL sign key.
  This key is available from:
  <URI:http://www.trustix.org/TSL-SIGN-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.org/errata/trustix-2.2/> and
  <URI:http://www.trustix.org/errata/trustix-3.0/>
  or directly at
  <URI:http://www.trustix.org/errata/2006/0070/>


MD5sums of the packages:
- --------------------------------------------------------------------------
ee2eef6713179355672262613d3403da  3.0/rpms/gnupg-1.4.6-1tr.i586.rpm
23d7fab414ea6fa3845a64769d4d2a32  3.0/rpms/gnupg-utils-1.4.6-1tr.i586.rpm
9df93256a549caaea20d633f94e58b7a  3.0/rpms/proftpd-1.3.0a-1tr.i586.rpm

502a38c702fc23c6276881cc94e58c25  2.2/rpms/gnupg-1.2.6-6tr.i586.rpm
889af38ab3db8e0108c7182741dad2ef  2.2/rpms/gnupg-utils-1.2.6-6tr.i586.rpm
05d9558463b738c5afb827d33e349b22  2.2/rpms/proftpd-1.2.10-12tr.i586.rpm
- --------------------------------------------------------------------------
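As an added example (not part of the Trustix advisory or of its swup tooling), the following POSIX shell script checks a directory of downloaded packages against a digest list in the layout used above: one MD5 digest, two spaces, and the path relative to the updates root per line, with the dashed frame and header lines skipped. It assumes the coreutils md5sum and mktemp utilities are present; the package files, their contents and the manifest built in demo_run are constructed stand-ins, not the real Trustix RPMs or the digests listed above.

```shell
#!/bin/sh
# Added example, not Trustix code: verify downloaded packages against an
# advisory-style MD5 digest list. Requires md5sum and mktemp (coreutils).

# verify_manifest MANIFEST ROOT
# Reads "digest  relative/path" lines from MANIFEST, hashes ROOT/relative/path
# and prints one OK / MISMATCH / MISSING line per entry. Returns 1 if any
# entry is not OK, so the caller can refuse to install the batch.
verify_manifest() {
    manifest=$1
    root=$2
    status=0
    while read -r expected path; do
        # Skip anything whose first field is not a 32-character hex digest:
        # blank lines, the dashed frame, the "MD5sums of the packages:" header.
        case $expected in
            ''|*[!0-9a-f]*) continue ;;
        esac
        [ ${#expected} -eq 32 ] || continue
        file="$root/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (expected $expected, got $actual)"
            status=1
        fi
    done < "$manifest"
    return $status
}

# demo_run: build a constructed download tree and manifest, run the check,
# and report the exit status the check would hand back to an installer.
demo_run() {
    work=$(mktemp -d)
    mkdir -p "$work/3.0/rpms"
    # Constructed stand-ins for downloaded packages (placeholder bytes, not RPMs).
    printf 'good package payload\n' > "$work/3.0/rpms/pkg-good-1.0-1tr.i586.rpm"
    printf 'tampered package payload\n' > "$work/3.0/rpms/pkg-bad-1.0-1tr.i586.rpm"
    good_sum=$(md5sum "$work/3.0/rpms/pkg-good-1.0-1tr.i586.rpm" | cut -d' ' -f1)
    # Constructed manifest in the advisory's layout. The second digest is a
    # deliberately wrong all-zero value; the third file is never created.
    {
        echo "MD5sums of the packages:"
        echo "--------------------------------------------------------------------------"
        echo "$good_sum  3.0/rpms/pkg-good-1.0-1tr.i586.rpm"
        echo "00000000000000000000000000000000  3.0/rpms/pkg-bad-1.0-1tr.i586.rpm"
        echo "$good_sum  3.0/rpms/pkg-missing-1.0-1tr.i586.rpm"
        echo "--------------------------------------------------------------------------"
    } > "$work/MD5SUMS"
    if verify_manifest "$work/MD5SUMS" "$work"; then rc=0; else rc=1; fi
    echo "exit status: $rc"
    rm -rf "$work"
}

demo_run
```

A digest match only shows that the file you hold is the one the list describes; it is the PGP signature on the advisory, checked against the TSL sign key named in the Verification section, that ties that list to Trustix. Verify the signed advisory first, then compare digests, and treat MD5 as a transport integrity check rather than a collision-resistant one.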


Trustix Security Team


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFFeXq1i8CEzsK9IksRAlNhAJ9+j0vDrpnku25AS/i6rCLZBUskLACePw1w
2eUgqths9PwMtBbNzcFYrpo=
=lhTY
-----END PGP SIGNATURE-----
_______________________________________________
tsl-announce mailing list
tsl-announcelists.trustix.org
http://lists.trustix.org/mailman/listinfo/tsl-announce