-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2005-0055
Package names: cvs, rsync, uw-imap
Summary: Multiple vulnerabilities
Date: 2005-10-07
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Operating System - Enterprise Server 2
- --------------------------------------------------------------------------
Package description:
cvs
CVS (Concurrent Version System) is a version control system that can
record the history of your files (usually, but not always, source
code). CVS only stores the differences between versions, instead of
every version of every file you have ever created. CVS also keeps a log
of who, when, and why changes occurred.
rsync
Rsync uses a quick and reliable algorithm to very quickly bring
remote and host files into sync. Rsync is fast because it just
sends the differences in the files over the network (instead of
sending the complete files). Rsync is often used as a very powerful
mirroring process or just as a more capable replacement for the
rcp command. A technical report which describes the rsync algorithm
is included in this package.
uw-imap
The imap package provides server daemons for both the IMAP (Internet
Message Access Protocol) and POP (Post Office Protocol) mail access
protocols. The POP protocol uses a "post office" machine to collect mail
for users and allows users to download their mail to their local machine
for reading. The IMAP protocol provides the functionality of POP, but
allows a user to read mail on a remote machine without downloading it to
their local machine.
Problem description:
cvs < TSL 3.0 > < TSL 2.2 >
- New Upstream
- SECURITY Fix: Two vulnerabilities in CVS, which can potentially be
exploited by malicious people to cause a DoS (Denial of Service) and
compromise a vulnerable system, have been fixed.
The vulnerabilities are caused by the use of a vulnerable version
of zlib (CAN-2004-0797 and CAN-2005-2096).
rsync < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- New Upstream
- Minor changes in Output
- SECURITY Fix: The zlib code was upgraded to version 1.2.3 in order
to make it more secure. While the widely-publicized security problem
in zlib 1.2.2 did not affect rsync, another security problem surfaced
that affects rsync's zlib 1.1.4.
uw-imap < TSL 2.2 > < TSEL 2 >
- SECURITY Fix: A vulnerability in the University of Washington's IMAP
Server (UW-IMAP) allows attackers to execute arbitrary code. The
vulnerability specifically exists due to insufficient bounds checking
on user-supplied values.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-2933 to this issue.
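Added example (not part of the original advisory and not Trustix code): the cvs and rsync entries above both come down to a bundled copy of zlib, which a package-manager query for the system zlib will not reveal. The sketch below scans a binary image for the copyright strings that zlib compiles into its inflate and deflate code and reports any embedded version older than 1.2.3, the version this advisory names as the upgrade target; the function names, the choice of 1.2.3 as the baseline and the sample byte strings are assumptions made for illustration.

```python
import re

# zlib compiles " inflate X.Y.Z Copyright ..." and " deflate X.Y.Z Copyright ..."
# strings into its code, so they survive static linking and bundled copies.
MARKER = re.compile(rb"(inflate|deflate) (\d+(?:\.\d+){1,3}) Copyright")
FIXED = (1, 2, 3)  # assumption: baseline taken from the advisory's rsync entry


def parse_version(text):
    """Turn '1.1.4' into (1, 1, 4) so versions compare as tuples."""
    return tuple(int(part) for part in text.split("."))


def embedded_zlib_versions(blob):
    """Return the sorted, de-duplicated zlib versions whose markers appear in blob."""
    found = {parse_version(m.group(2).decode()) for m in MARKER.finditer(blob)}
    return sorted(found)


def audit(blob, fixed=FIXED):
    """Classify an image as 'none', 'ok' or 'outdated', with the versions found."""
    versions = embedded_zlib_versions(blob)
    if not versions:
        return "none", versions
    status = "outdated" if min(versions) < fixed else "ok"
    return status, versions


def audit_file(path):
    """Audit a file on disk (reads the whole file, which is fine for binaries)."""
    with open(path, "rb") as handle:
        return audit(handle.read())


# Constructed sample images standing in for real binaries.
OLD_IMAGE = (b"\x7fELF\x00 deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly \x00"
             b" inflate 1.1.4 Copyright 1995-2002 Mark Adler \x00")
NEW_IMAGE = b"\x7fELF\x00 inflate 1.2.3 Copyright 1995-2005 Mark Adler \x00"
NO_ZLIB = b"\x7fELF\x00no compression code here\x00"

if __name__ == "__main__":
    for name, image in (("old", OLD_IMAGE), ("new", NEW_IMAGE), ("plain", NO_ZLIB)):
        print(name, audit(image))
```

A result of "none" only means no marker string was found; a binary that links zlib dynamically has to be checked through the shared library it loads.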
Action:
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.
Location:
All Trustix Secure Linux updates are available from
<URI:http://http.trustix.org/pub/trustix/updates/>
<URI:ftp://ftp.trustix.org/pub/trustix/updates/>
About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers. With focus
on security and stability, the system is painlessly kept safe and up to
date from day one using swup, the automated software updater.
Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.
Questions?
Check out our mailing lists:
<URI:http://www.trustix.org/support/>
Verification:
This advisory, along with all Trustix packages, is signed with the
TSL sign key.
This key is available from:
<URI:http://www.trustix.org/TSL-SIGN-KEY>
The advisory itself is available from the errata pages at
<URI:http://www.trustix.org/errata/trustix-2.2/> and
<URI:http://www.trustix.org/errata/trustix-3.0/>
or directly at
<URI:http://www.trustix.org/errata/2005/0055/>
MD5sums of the packages:
- --------------------------------------------------------------------------
- --------------------------------------------------------------------------
Trustix Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDXJPTi8CEzsK9IksRArUlAJ9nA2SgX2MqWPSj+zcww+fVLv7s1ACfSmgB
qFhKtgTz5x08KF0wwlnTRT4=
=RIuR
-----END PGP SIGNATURE-----
_______________________________________________
tsl-announce mailing list
http://lists.trustix.org/mailman/listinfo/tsl-announce
_______________________________________________
tsl-discuss mailing list
http://lists.trustix.org/mailman/listinfo/tsl-discuss