March 2005
Four Fedora Update Notifications: 1. FEDORA-2005-270 - krb5 2. FEDORA-2005-273 - xorg-x11 3. FEDORA-2005-147 - libaio 4. FEDORA-2005-264 - sylpheed
ID: 00256
Ref: 235/2005
Date: 30 March 2005:13:57:43
Version: 1
Vendors affected: Fedora
Operating systems affected: Fedora
Applications affected: Fedora
Title
=====
Four Fedora Update Notifications:
1. FEDORA-2005-270 - krb5
2. FEDORA-2005-273 - xorg-x11
3. FEDORA-2005-147 - libaio
4. FEDORA-2005-264 - sylpheed
Detail
======
1. Two buffer overflow flaws were discovered in the way the telnet
client handles messages from a server. An attacker may be able to
execute arbitrary code on a victim's machine if the victim can be
tricked into connecting to a malicious telnet server. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the names CAN-2005-0468 and CAN-2005-0469 to these issues.
2. An integer overflow flaw was found in libXpm, which is used by some
applications for loading of XPM images. An attacker could create a
malicious XPM file that would execute arbitrary code if opened by a victim
using an application linked to the vulnerable library. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2005-0605 to this issue.
3. The SONAME for libaio was inadvertently changed from libaio.so.1 to
libaio.so.1.0.0. While applications linked with libaio.so.1 would still
load, they would fail upon looking up a symbol in libaio. This also
introduced an RPM dependency that could not be solved. Application RPMs
which were built against the old package would not install either.
4. This program is an X based fast email client which has features
like:
o user-friendly and intuitive interface
o integrated NetNews client (partially implemented)
o ability of keyboard-only operation
o Mew/Wanderlust-like key bind
o multipart MIME
o unlimited multiple account handling
o message queueing
o assortment function
o XML-based address book
1.
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-270
2005-03-29
---------------------------------------------------------------------
Product : Fedora Core 3
Name :
Version : 1.3.6
Release : 5
Summary : The Kerberos network authentication system.
Description :
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords.
---------------------------------------------------------------------
Update Information:
Updated krb5 packages which fix two buffer overflow vulnerabilities
in the included Kerberos-aware telnet client are now available.
Kerberos is a networked authentication system which uses a trusted
third party (a KDC) to authenticate clients and servers to each
other.
The krb5-workstation package includes a Kerberos-aware telnet client.
Two buffer overflow flaws were discovered in the way the telnet
client handles messages from a server. An attacker may be able to
execute arbitrary code on a victim's machine if the victim can be
tricked into connecting to a malicious telnet server. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the names CAN-2005-0468 and CAN-2005-0469 to these issues.
---------------------------------------------------------------------
* Mon Mar 28 2005 Nalin Dahyabhai 1.3.6-5
- rebuild
* Wed Mar 23 2005 Nalin Dahyabhai 1.3.6-4
- drop krshd patch
* Thu Mar 17 2005 Nalin Dahyabhai
- add draft fix from Tom Yu for slc_add_reply() buffer overflow (CAN-2005-0469)
- add draft fix from Tom Yu for env_opt_add() buffer overflow (CAN-2005-0468)
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
2.
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-273
2005-03-29
---------------------------------------------------------------------
Product : Fedora Core 3
Name : xorg-x11
Version : 6.8.2
Release : 1.FC3.13
Summary : The basic fonts, programs and docs for an X workstation.
Description :
X.org X11 is an open source implementation of the X Window System. It
provides the basic low level functionality which full fledged
graphical user interfaces (GUIs) such as GNOME and KDE are designed
upon.
---------------------------------------------------------------------
Update Information:
An integer overflow flaw was found in libXpm, which is used by some
applications for loading of XPM images. An attacker could create a
malicious XPM file that would execute arbitrary code if opened by a victim
using an application linked to the vulnerable library. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2005-0605 to this issue.
Furthermore, this updates the Fedora Core 3 X.org packages to the 6.8.2
maintenance release, which includes a large number of bug fixes:
http://xorg.freedesktop.org/wiki/X11R682Release
---------------------------------------------------------------------
* Thu Mar 24 2005 Kristian Høgsberg 6.8.2-1.FC3.13
- Rebuild 6.8.2-13 as 6.8.2-1.FC3.13 for Fedora Core 3 release
* Wed Mar 23 2005 Kristian Høgsberg 6.8.2-13
- Add XFree86-4.1.0-xpm-security-fix-CAN-2005-0605.patch (#150040).
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
3.
Sorry for the late announcement.
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-147
2005-03-29
---------------------------------------------------------------------
Product : Fedora Core 3
Name : libaio
Version : 0.3.103
Release : 5
Summary : Linux-native asynchronous I/O access library
Description :
The Linux-native asynchronous I/O facility ("async I/O", or "aio") has a
richer API and capability set than the simple POSIX async I/O facility.
This library, libaio, provides the Linux-native API for async I/O.
The POSIX async I/O facility requires this library in order to provide
kernel-accelerated async I/O capabilities, as do applications which
require the Linux-native async I/O API.
---------------------------------------------------------------------
Update Information:
The SONAME for libaio was inadvertently changed from libaio.so.1 to
libaio.so.1.0.0. While applications linked with libaio.so.1 would still
load, they would fail upon looking up a symbol in libaio. This also
introduced an RPM dependency that could not be solved. Application RPMs
which were built against the old package would not install either.
The solution for this was to revert the SONAME to its old value, and to
provide a compat library for those packages that were built against the
library with the wrong SONAME.
---------------------------------------------------------------------
* Mon Feb 14 2005 Jeff Moyer - 0.3.103-5
- Build the library twice. Once with the old SONAME and once with the new
one. This fixes the wrong SONAME problem by keeping a library around with
the wrong name (libaio.so.1.0.0) and generating a new one (libaio.so.1.0.1).
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
4.
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-264
2005-03-29
---------------------------------------------------------------------
Product : Fedora Core 3
Name : sylpheed
Version : 1.0.4
Release : 0.fc3
Summary : A GTK+ based, lightweight, and fast email client.
Description :
This program is an X based fast email client which has features
like:
o user-friendly and intuitive interface
o integrated NetNews client (partially implemented)
o ability of keyboard-only operation
o Mew/Wanderlust-like key bind
o multipart MIME
o unlimited multiple account handling
o message queueing
o assortment function
o XML-based address book
See /usr/share/doc/sylpheed*/README for more information.
---------------------------------------------------------------------
* Mon Mar 28 2005 Warren Togami - 1.0.4-0.fc3
- 1.0.4 fixes another buffer overflow
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
------------------------------------------------------