CPNI - Centre for the Protection of National Infrastructure

March 2006

Eight Fedora Legacy Update Advisories

ID: 00217
Ref: 217
Date: 20 March 2006, 13:06:57
Version: 1

Title: Eight Fedora Legacy Update Advisories
Abstract: Various updates for kernel, gdk-pixbuf, libungif, xpdf, and kdelibs. Advisory IDs: FLSA:157459-1, FLSA:157459-2, FLSA:157459-3, FLSA:157459-4, FLSA:173274, FLSA:174479, FLSA:175404, FLSA:178606
Vendors affected: Red Hat
Operating systems affected: Red Hat
Applications affected: Red Hat

1.

---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated kernel packages fix security issues
Advisory ID: FLSA:157459-1
Issue date: 2006-03-16
Product: Red Hat Linux
Keywords: Bugfix
CVE Names: CVE-2002-2185 CVE-2004-0791 CVE-2005-0124
CVE-2005-1263 CVE-2005-2458 CVE-2005-2490
CVE-2005-2708 CVE-2005-2709 CVE-2005-2973
CVE-2005-3180 CVE-2005-3273 CVE-2005-3275
CVE-2005-3276 CVE-2005-3806 CVE-2005-3857
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

Updated kernel packages that fix several security issues are now
available.

The Linux kernel handles the basic functions of the operating system.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386

3. Problem description:

These new kernel packages contain fixes for the security issues
described below:

- a flaw in network IGMP processing that allowed a remote user on the
local network to cause a denial of service (disabling of multicast
reports) if the system is running multicast applications (CVE-2002-2185)

- a recent Internet Draft by Fernando Gont recommended that ICMP Source
Quench messages be ignored by hosts. A patch to ignore these messages is
included. (CVE-2004-0791)

- flaws in the coda module that allowed denial-of-service attacks
(crashes) or local privilege escalations (CVE-2005-0124)

- a flaw between execve() syscall handling and core dumping of
ELF-format executables allowed local unprivileged users to cause a
denial of service (system crash) or possibly gain privileges
(CVE-2005-1263)

- a flaw in gzip/zlib handling internal to the kernel that may allow a
local user to cause a denial of service (crash) (CVE-2005-2458)

- a flaw in sendmsg() syscall handling on 64-bit systems that allowed
a local user to cause a denial of service or potentially gain
privileges (CVE-2005-2490)

- a flaw in exec() handling on some 64-bit architectures that allowed
a local user to cause a denial of service (crash) (CVE-2005-2708)

- a flaw in procfs handling during unloading of modules that allowed a
local user to cause a denial of service or potentially gain privileges
(CVE-2005-2709)

- a flaw in IPv6 network UDP port hash table lookups that allowed a
local user to cause a denial of service (hang) (CVE-2005-2973)

- a network buffer info leak using the orinoco driver that allowed
a remote user to possibly view uninitialized data (CVE-2005-3180)

- a flaw in the packet radio ROSE protocol that allowed a user to
trigger out-of-bounds errors. (CVE-2005-3273)

- a flaw in IPv4 network TCP and UDP netfilter handling that allowed
a local user to cause a denial of service (crash) (CVE-2005-3275)

- a minor info leak with the get_thread_area() syscall that allowed
a local user to view uninitialized kernel stack data (CVE-2005-3276)

- a flaw in the IPv6 flowlabel code that allowed a local user to cause a
denial of service (crash) (CVE-2005-3806)

- a flaw in file lease time-out handling that allowed a local user to
cause a denial of service (log file overflow) (CVE-2005-3857)

All users are advised to upgrade their kernels to the packages
associated with their machine architectures and configurations as listed
in this erratum.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To install kernel packages manually, use "rpm -ivh " and modify
system settings to boot the kernel you have installed. To do this, edit
/boot/grub/grub.conf and change the default entry to "default=0" (or, if
you have chosen to use LILO as your boot loader, edit /etc/lilo.conf and
run lilo).

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

Note that this may not automatically pull the new kernel in if you have
configured apt/yum to ignore kernels. If so, follow the manual
instructions above.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157459

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/kernel-2.4.20-46.7.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-2.4.20-46.7.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-BOOT-2.4.20-46.7.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-doc-2.4.20-46.7.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-source-2.4.20-46.7.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-2.4.20-46.7.legacy.i586.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-smp-2.4.20-46.7.legacy.i586.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-2.4.20-46.7.legacy.i686.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-bigmem-2.4.20-46.7.legacy.i686.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-smp-2.4.20-46.7.legacy.i686.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-2.4.20-46.7.legacy.athlon.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-smp-2.4.20-46.7.legacy.athlon.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/kernel-2.4.20-46.9.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-2.4.20-46.9.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-BOOT-2.4.20-46.9.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-doc-2.4.20-46.9.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-source-2.4.20-46.9.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-2.4.20-46.9.legacy.i586.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-smp-2.4.20-46.9.legacy.i586.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-2.4.20-46.9.legacy.i686.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-bigmem-2.4.20-46.9.legacy.i686.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-smp-2.4.20-46.9.legacy.i686.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-2.4.20-46.9.legacy.athlon.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-smp-2.4.20-46.9.legacy.athlon.rpm

7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------


These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2185
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0124
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1263
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2490
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2708
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2709
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2973
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3273
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3275
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3276
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3806
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3857

9. Contact:

The Fedora Legacy security contact is . More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------


2.


---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated kernel packages fix security issues
Advisory ID: FLSA:157459-2
Issue date: 2006-03-16
Product: Fedora Core
Keywords: Bugfix
CVE Names: CVE-2002-2185 CVE-2004-0791 CVE-2005-0756
CVE-2005-1762 CVE-2005-2553 CVE-2005-1263
CVE-2005-2458 CVE-2005-2490 CVE-2005-2708
CVE-2005-2709 CVE-2005-2973 CVE-2005-3044
CVE-2005-3180 CVE-2005-3275 CVE-2005-3276
CVE-2005-3806 CVE-2005-3857
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

Updated kernel packages that fix several security issues are now
available.

The Linux kernel handles the basic functions of the operating system.

2. Relevant releases/architectures:

Fedora Core 1 - i386

3. Problem description:

These new kernel packages contain fixes for the security issues
described below:

- a flaw in network IGMP processing that allowed a remote user on the
local network to cause a denial of service (disabling of multicast
reports) if the system is running multicast applications (CVE-2002-2185)

- a recent Internet Draft by Fernando Gont recommended that ICMP Source
Quench messages be ignored by hosts. A patch to ignore these messages is
included. (CVE-2004-0791)

- flaws in ptrace() syscall handling on AMD64 and Intel EM64T systems
that allowed a local user to cause a denial of service (crash)
(CVE-2005-0756, CVE-2005-1762, CVE-2005-2553)

- a flaw between execve() syscall handling and core dumping of
ELF-format executables allowed local unprivileged users to cause a
denial of service (system crash) or possibly gain privileges
(CVE-2005-1263)

- a flaw in gzip/zlib handling internal to the kernel that may allow a
local user to cause a denial of service (crash) (CVE-2005-2458)

- a flaw in sendmsg() syscall handling on 64-bit systems that allowed
a local user to cause a denial of service or potentially gain
privileges (CVE-2005-2490)

- a flaw in exec() handling on some 64-bit architectures that allowed
a local user to cause a denial of service (crash) (CVE-2005-2708)

- a flaw in procfs handling during unloading of modules that allowed a
local user to cause a denial of service or potentially gain privileges
(CVE-2005-2709)

- a flaw in IPv6 network UDP port hash table lookups that allowed a
local user to cause a denial of service (hang) (CVE-2005-2973)

- a flaw in 32-bit-compat handling of the TIOCGDEV ioctl that allowed
a local user to cause a denial of service (crash) (CVE-2005-3044)

- a network buffer info leak using the orinoco driver that allowed
a remote user to possibly view uninitialized data (CVE-2005-3180)

- a flaw in IPv4 network TCP and UDP netfilter handling that allowed
a local user to cause a denial of service (crash) (CVE-2005-3275)

- a minor info leak with the get_thread_area() syscall that allowed
a local user to view uninitialized kernel stack data (CVE-2005-3276)

- a flaw in the IPv6 flowlabel code that allowed a local user to cause a
denial of service (crash) (CVE-2005-3806)

- a flaw in file lease time-out handling that allowed a local user to
cause a denial of service (log file overflow) (CVE-2005-3857)

All users are advised to upgrade their kernels to the packages
associated with their machine architectures and configurations as listed
in this erratum.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To install kernel packages manually, use "rpm -ivh " and modify
system settings to boot the kernel you have installed. To do this, edit
/boot/grub/grub.conf and change the default entry to "default=0" (or, if
you have chosen to use LILO as your boot loader, edit /etc/lilo.conf and
run lilo).

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

Note that this may not automatically pull the new kernel in if you have
configured apt/yum to ignore kernels. If so, follow the manual
instructions above.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157459

6. RPMs required:

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/kernel-2.4.22-1.2199.8.legacy.nptl.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/kernel-BOOT-2.4.22-1.2199.8.legacy.nptl.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/kernel-doc-2.4.22-1.2199.8.legacy.nptl.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/kernel-source-2.4.22-1.2199.8.legacy.nptl.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/kernel-2.4.22-1.2199.8.legacy.nptl.i586.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/kernel-smp-2.4.22-1.2199.8.legacy.nptl.i586.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/kernel-2.4.22-1.2199.8.legacy.nptl.i686.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/kernel-smp-2.4.22-1.2199.8.legacy.nptl.i686.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/kernel-2.4.22-1.2199.8.legacy.nptl.athlon.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/kernel-smp-2.4.22-1.2199.8.legacy.nptl.athlon.rpm

7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------


These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2185
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0756
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1762
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2553
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1263
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2490
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2708
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2709
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2973
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3044
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3275
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3276
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3806
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3857

9. Contact:

The Fedora Legacy security contact is . More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------


3.


---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated kernel packages fix security issues
Advisory ID: FLSA:157459-3
Issue date: 2006-03-16
Product: Fedora Core
Keywords: Bugfix
CVE Names: CVE-2002-2185 CVE-2005-0756 CVE-2005-1761
CVE-2005-1762 CVE-2005-1763 CVE-2005-0839
CVE-2005-0867 CVE-2005-0937 CVE-2005-0977
CVE-2005-1041 CVE-2005-1263 CVE-2005-1264
CVE-2005-1265 CVE-2005-1368 CVE-2005-1369
CVE-2005-2098 CVE-2005-2099 CVE-2005-2456
CVE-2005-2555 CVE-2005-2458 CVE-2005-2490
CVE-2005-2492 CVE-2005-2709 CVE-2005-2800
CVE-2005-2801 CVE-2005-2872 CVE-2005-2973
CVE-2005-3044 CVE-2005-3053 CVE-2005-3106
CVE-2005-3109 CVE-2005-3110 CVE-2005-3180
CVE-2005-3181 CVE-2005-3274 CVE-2005-3275
CVE-2005-3276 CVE-2005-3356 CVE-2005-3358
CVE-2005-3784 CVE-2005-3805 CVE-2005-3806
CVE-2005-3807 CVE-2005-3848 CVE-2005-3857
CVE-2005-3858 CVE-2005-4605 CVE-2006-0095
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

Updated kernel packages that fix several security issues are now
available.

The Linux kernel handles the basic functions of the operating system.

2. Relevant releases/architectures:

Fedora Core 2 - i386

3. Problem description:

These new kernel packages contain fixes for the security issues
described below:

- a flaw in network IGMP processing that allowed a remote user on the
local network to cause a denial of service (disabling of multicast
reports) if the system is running multicast applications (CVE-2002-2185)

- flaws in ptrace() syscall handling on 64-bit systems that allowed a
local user to cause a denial of service (crash) (CVE-2005-0756,
CVE-2005-1761, CVE-2005-1762, CVE-2005-1763)

- a flaw when setting the line discipline on a serial tty that allowed a
local user to inject mouse movements or keystrokes when another user is
logged in. (CVE-2005-0839)

- an integer overflow flaw when writing to a sysfs file that allowed a
local user to overwrite kernel memory, causing a denial of service
(system crash) or arbitrary code execution. (CVE-2005-0867)

- a flaw in the futex functions that allowed a local user to cause a
denial of service (system crash). (CVE-2005-0937)

- a flaw in the tmpfs file system that allowed a local user to cause a
denial of service (system crash). (CVE-2005-0977)

- a flaw in the fib_seq_start function that allowed a local user to
cause a denial of service (system crash) via /proc/net/route.
(CVE-2005-1041)

- a flaw between execve() syscall handling and core dumping of
ELF-format executables allowed local unprivileged users to cause a
denial of service (system crash) or possibly gain privileges
(CVE-2005-1263)

- a flaw in the servicing of a raw device ioctl that allowed a local
user who has access to raw devices to write to kernel memory and cause a
denial of service or potentially gain privileges (CVE-2005-1264)

- a flaw that prevented the topdown allocator from allocating mmap areas
all the way down to address zero (CVE-2005-1265)

- a flaw in the key_user_lookup function in security/keys/key.c that
allowed a user to cause a denial of service (crash) (CVE-2005-1368)

- a flaw in the it87 and via686a drivers in I2C that allowed a local user
to cause a denial of service (crash) (CVE-2005-1369)

- flaws dealing with keyrings that could cause a local denial of service
(CVE-2005-2098, CVE-2005-2099)

- flaws in IPSEC network handling that allowed a local user to cause a
denial of service or potentially gain privileges (CVE-2005-2456,
CVE-2005-2555)

- a flaw in gzip/zlib handling internal to the kernel that may allow a
local user to cause a denial of service (crash) (CVE-2005-2458)

- a flaw in sendmsg() syscall handling on 64-bit systems that allowed
a local user to cause a denial of service or potentially gain
privileges (CVE-2005-2490)

- a flaw in sendmsg() syscall handling that allowed a local user to
cause a denial of service by altering hardware state (CVE-2005-2492)

- a flaw in procfs handling during unloading of modules that allowed a
local user to cause a denial of service or potentially gain privileges
(CVE-2005-2709)

- a flaw in the SCSI procfs interface that allowed a local user to cause
a denial of service (crash) (CVE-2005-2800)

- a xattr sharing bug in the ext2 and ext3 file systems that could cause
default ACLs to disappear (CVE-2005-2801)

- a flaw in the ipt_recent module on 64-bit architectures which could
allow a remote denial of service (CVE-2005-2872)

- a flaw in IPv6 network UDP port hash table lookups that allowed a
local user to cause a denial of service (hang) (CVE-2005-2973)

- a flaw in 32-bit-compat handling of the TIOCGDEV ioctl that allowed
a local user to cause a denial of service (crash) (CVE-2005-3044)

- a flaw in the set_mempolicy system call that allowed a local user to
cause a denial of service (system panic). (CVE-2005-3053)

- a race condition when threads share memory mapping that allowed local
users to cause a denial of service (deadlock) (CVE-2005-3106)

- a flaw when trying to mount a non-hfsplus filesystem using hfsplus
that allowed local users to cause a denial of service (crash)
(CVE-2005-3109)

- a race condition in the ebtables netfilter module that may allow
remote attackers to cause a denial of service (crash) on a SMP system
that is operating under a heavy load (CVE-2005-3110)

- a network buffer info leak using the orinoco driver that allowed
a remote user to possibly view uninitialized data (CVE-2005-3180)

- a memory leak was found in the audit system that allowed an
unprivileged local user to cause a denial of service. (CVE-2005-3181)

- a race condition in ip_vs_conn_flush that allowed a local user to
cause a denial of service (CVE-2005-3274)

- a flaw in IPv4 network TCP and UDP netfilter handling that allowed
a local user to cause a denial of service (crash) (CVE-2005-3275)

- a minor info leak with the get_thread_area() syscall that allowed
a local user to view uninitialized kernel stack data (CVE-2005-3276)

- a flaw in mq_open system call that allowed a local user to cause a
denial of service (crash) (CVE-2005-3356)

- a flaw in set_mempolicy that allowed a local user on some 64-bit
architectures to cause a denial of service (crash) (CVE-2005-3358)

- a flaw in the auto-reap of child processes that allowed a local user
to cause a denial of service (crash) (CVE-2005-3784)

- a flaw in the POSIX timer cleanup handling that allowed a local user
to cause a denial of service (crash) (CVE-2005-3805)

- a flaw in the IPv6 flowlabel code that allowed a local user to cause a
denial of service (crash) (CVE-2005-3806)

- a memory leak in the VFS file lease handling that allowed a local user
to cause a denial of service (CVE-2005-3807)

- a flaw in network ICMP processing that allowed a local user to cause
a denial of service (memory exhaustion) (CVE-2005-3848)

- a flaw in file lease time-out handling that allowed a local user to
cause a denial of service (log file overflow) (CVE-2005-3857)

- a flaw in network IPv6 xfrm handling that allowed a local user to
cause a denial of service (memory exhaustion) (CVE-2005-3858)

- a flaw in procfs handling that allowed a local user to read kernel
memory (CVE-2005-4605)

- a memory disclosure flaw in dm-crypt that allowed a local user to
obtain sensitive information about a cryptographic key (CVE-2006-0095)

All users are advised to upgrade their kernels to the packages
associated with their machine architectures and configurations as listed
in this erratum.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To install kernel packages manually, use "rpm -ivh " and modify
system settings to boot the kernel you have installed. To do this, edit
/boot/grub/grub.conf and change the default entry to "default=0" (or, if
you have chosen to use LILO as your boot loader, edit /etc/lilo.conf and
run lilo).

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

Note that this may not automatically pull the new kernel in if you have
configured apt/yum to ignore kernels. If so, follow the manual
instructions above.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157459

6. RPMs required:

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/kernel-2.6.10-2.3.legacy_FC2.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/kernel-doc-2.6.10-2.3.legacy_FC2.noarch.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/kernel-sourcecode-2.6.10-2.3.legacy_FC2.noarch.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/kernel-2.6.10-2.3.legacy_FC2.i586.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/kernel-smp-2.6.10-2.3.legacy_FC2.i586.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/kernel-2.6.10-2.3.legacy_FC2.i686.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/kernel-smp-2.6.10-2.3.legacy_FC2.i686.rpm


7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------


These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum
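As an added example that is not Fedora Legacy's or CPNI's own tooling, covering the Solution and Verification steps that each of the three advisories above repeats: a POSIX shell script that reads a "SHA1 sum / Package Name" table in the advisory's layout, checks every downloaded package under a local directory with sha1sum, and only then runs the advisory's rpm --checksig -v and rpm -ivh steps. The download directory layout mirroring the table's relative paths, the kernel-EXAMPLE file name and the sample table in the demo are constructed assumptions.

```shell
#!/bin/sh
# Added example, not Fedora Legacy's own tooling: gate installation of the
# update RPMs on (1) the advisory's SHA1 table and (2) "rpm --checksig -v".
# Assumptions: packages were downloaded under a local directory with the same
# relative paths the table uses (e.g. redhat/9/updates/i386/...), and rpm and
# sha1sum exist on the target. The demo at the bottom uses constructed data.

# SHA-1 hex digest of a file; falls back to shasum where sha1sum is absent.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# Turn the advisory table (40-hex-char hash on one line, relative package path
# on the next) into "hash path" lines. The "SHA1 sum Package Name" header,
# dashed rules and blank lines match neither pattern and are skipped.
table_pairs() {
    awk 'length($1) == 40 && $1 ~ /^[0-9a-f]+$/ { h = $1; next }
         h != "" && NF > 0 { print h, $1; h = "" }' "$1"
}

# verify_sha1_table TABLE DIR
# Checks every listed package present under DIR. Succeeds (exit 0) only if at
# least one package was checked and none mismatched; a listed package that was
# not downloaded is reported as MISSING but does not fail the run.
verify_sha1_table() {
    table="$1"; dir="$2"
    pairs=$(mktemp)
    table_pairs "$table" > "$pairs"
    checked=0; failed=0
    while read -r expected relpath; do
        file="$dir/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath"
            continue
        fi
        actual=$(sha1_of "$file")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $relpath"
            checked=$((checked + 1))
        else
            echo "MISMATCH $relpath (expected $expected, got $actual)"
            failed=$((failed + 1))
        fi
    done < "$pairs"
    rm -f "$pairs"
    [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}

# The advisory's signature step. rpm exits non-zero for a bad signature and
# also when the Fedora Legacy public key has not been imported, so a missing
# key blocks installation instead of being mistaken for a valid package.
verify_rpm_signature() {
    rpm --checksig -v "$1"
}

# install_kernel_package TABLE DIR RELPATH
# Installs with -i (not -U), as the advisory says, so the running kernel stays
# available in the boot loader if the new one fails. Both checks must pass
# first; the boot loader default is still edited by hand afterwards
# (grub.conf "default=0", or lilo.conf followed by running lilo).
install_kernel_package() {
    pkg="$2/$3"
    verify_sha1_table "$1" "$2" >/dev/null \
        && verify_rpm_signature "$pkg" \
        && rpm -ivh "$pkg"
}

# Offline demonstration with a constructed package file and table (no real
# RPM is downloaded): the intact file verifies, the corrupted copy does not.
demo() {
    work=$(mktemp -d)
    rel="redhat/9/updates/i386/kernel-EXAMPLE.i686.rpm"   # constructed name
    mkdir -p "$work/dl/redhat/9/updates/i386"
    printf 'constructed package payload\n' > "$work/dl/$rel"
    { sha1_of "$work/dl/$rel"; echo "$rel"; } > "$work/table.txt"
    verify_sha1_table "$work/table.txt" "$work/dl"
    rc=$?
    printf 'x' >> "$work/dl/$rel"            # simulate a corrupted download
    verify_sha1_table "$work/table.txt" "$work/dl" && rc=1
    rm -rf "$work"
    return $rc
}

demo
```

Point install_kernel_package at the table saved from the advisory, the download directory and the package's relative path; it stops at the first failing check and never reaches rpm -ivh on a mismatch or bad signature.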

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2185
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0756
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1762
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1763
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0839
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0867
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0977
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1041
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1263
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1264
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1265
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1368
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1369
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2456
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2490
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2709
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2872
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2973
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3044
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3106
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3110
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3274
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3275
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3276
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3356
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3358
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3784
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3805
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3806
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3807
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3857
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3858
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4605
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0095

9. Contact:

The Fedora Legacy security contact is . More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------


4.


---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated kernel packages fix security issues
Advisory ID: FLSA:157459-4
Issue date: 2006-03-16
Product: Fedora Core
Keywords: Bugfix
CVE Names: CVE-2002-2185 CVE-2005-2709 CVE-2005-3044
CVE-2005-3274 CVE-2005-3356 CVE-2005-3358
CVE-2005-3527 CVE-2005-3784 CVE-2005-3805
CVE-2005-3806 CVE-2005-3807 CVE-2005-3857
CVE-2005-4605 CVE-2006-0095 CVE-2006-0454
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

Updated kernel packages that fix several security issues are now
available.

The Linux kernel handles the basic functions of the operating system.

2. Relevant releases/architectures:

Fedora Core 3 - i386, x86_64

3. Problem description:

These new kernel packages contain fixes for the security issues
described below:

- a flaw in network IGMP processing that allowed a remote user on the
local network to cause a denial of service (disabling of multicast
reports) if the system is running multicast applications (CVE-2002-2185)

- a flaw in procfs handling during unloading of modules that allowed a
local user to cause a denial of service or potentially gain privileges
(CVE-2005-2709)

- a flaw in 32-bit-compat handling of the TIOCGDEV ioctl that allowed
a local user to cause a denial of service (crash) (CVE-2005-3044)

- a race condition in ip_vs_conn_flush that allowed a local user to
cause a denial of service (CVE-2005-3274)

- a flaw in mq_open system call that allowed a local user to cause a
denial of service (crash) (CVE-2005-3356)

- a flaw in set_mempolicy that allowed a local user on some 64-bit
architectures to cause a denial of service (crash) (CVE-2005-3358)

- a race condition in do_coredump in signal.c that allowed a local user
to cause a denial of service (crash) (CVE-2005-3527)

- a flaw in the auto-reap of child processes that allowed a local user
to cause a denial of service (crash) (CVE-2005-3784)

- a flaw in the POSIX timer cleanup handling that allowed a local user
to cause a denial of service (crash) (CVE-2005-3805)

- a flaw in the IPv6 flowlabel code that allowed a local user to cause a
denial of service (crash) (CVE-2005-3806)

- a memory leak in the VFS file lease handling that allowed a local user
to cause a denial of service (CVE-2005-3807)

- a flaw in file lease time-out handling that allowed a local user to
cause a denial of service (log file overflow) (CVE-2005-3857)

- a flaw in procfs handling that allowed a local user to read kernel
memory (CVE-2005-4605)

- a memory disclosure flaw in dm-crypt that allowed a local user to
obtain sensitive information about a cryptographic key (CVE-2006-0095)

- a flaw while constructing an ICMP response that allowed remote users
to cause a denial of service (crash) (CVE-2006-0454)

All users are advised to upgrade their kernels to the packages
associated with their machine architectures and configurations as listed
in this erratum.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To install kernel packages manually, use "rpm -ivh [kernel rpm]" and modify
system settings to boot the kernel you have installed. To do this, edit
/boot/grub/grub.conf and change the default entry to "default=0" (or, if
you have chosen to use LILO as your boot loader, edit /etc/lilo.conf and
run lilo).

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

Note that this may not automatically pull the new kernel in if you have
configured apt/yum to ignore kernels. If so, follow the manual
instructions above.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157459

6. RPMs required:

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/kernel-2.6.12-2.3.legacy_FC3.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/kernel-2.6.12-2.3.legacy_FC3.i586.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/kernel-2.6.12-2.3.legacy_FC3.i686.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/kernel-doc-2.6.12-2.3.legacy_FC3.noarch.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/kernel-smp-2.6.12-2.3.legacy_FC3.i586.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/kernel-smp-2.6.12-2.3.legacy_FC3.i686.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/kernel-2.6.12-2.3.legacy_FC3.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/kernel-doc-2.6.12-2.3.legacy_FC3.noarch.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/kernel-smp-2.6.12-2.3.legacy_FC3.x86_64.rpm

7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------

b9e37d94319ce74e98aa053d9da798437b979a5e
fedora/3/updates/i386/kernel-2.6.12-2.3.legacy_FC3.i586.rpm
e8698e932795b5a8c9ecc97e95fab42f55d71ac9
fedora/3/updates/i386/kernel-2.6.12-2.3.legacy_FC3.i686.rpm
58e7014a387ef6e17bf9f68d26eb1242a9dab3f2
fedora/3/updates/i386/kernel-doc-2.6.12-2.3.legacy_FC3.noarch.rpm
d09fb6f194558505d8d52fb22a60420cd35a06f1
fedora/3/updates/i386/kernel-smp-2.6.12-2.3.legacy_FC3.i586.rpm
640077c447f1ac5edf5e21000c916bb750006f84
fedora/3/updates/i386/kernel-smp-2.6.12-2.3.legacy_FC3.i686.rpm
3341ee0cc5e61d464a9982a5f96ec802d9121965
fedora/3/updates/x86_64/kernel-2.6.12-2.3.legacy_FC3.x86_64.rpm
58e7014a387ef6e17bf9f68d26eb1242a9dab3f2
fedora/3/updates/x86_64/kernel-doc-2.6.12-2.3.legacy_FC3.noarch.rpm
ab4a29a3ec0bceda378319476b6ce46613805f90
fedora/3/updates/x86_64/kernel-smp-2.6.12-2.3.legacy_FC3.x86_64.rpm
725204fe5e8fb35b54083be1a6757cc8be43cf9d
fedora/3/updates/SRPMS/kernel-2.6.12-2.3.legacy_FC3.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v [filename]

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum [filename]

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2185
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2709
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3044
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3274
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3356
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3358
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3784
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3805
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3806
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3807
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3857
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4605
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0454

9. Contact:

The Fedora Legacy security contact is . More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------


5.


---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated gdk-pixbuf packages fix security issues
Advisory ID: FLSA:173274
Issue date: 2006-03-16
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-2975 CVE-2005-2976 CVE-2005-3186
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

Updated gdk-pixbuf packages that fix several security issues are now
available.

The gdk-pixbuf package contains an image loading library used with the
GNOME GUI desktop environment.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A bug was found in the way gdk-pixbuf processes XPM images. An attacker
could create a carefully crafted XPM file in such a way that it could
cause an application linked with gdk-pixbuf to execute arbitrary code
when the file was opened by a victim. The Common Vulnerabilities and
Exposures project has assigned the name CVE-2005-3186 to this issue.

Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM
file in such a way that it could cause an application linked with
gdk-pixbuf to execute arbitrary code or crash when the file was opened
by a victim. The Common Vulnerabilities and Exposures project has
assigned the name CVE-2005-2976 to this issue.

Ludwig Nussel also discovered an infinite-loop denial of service bug in
the way gdk-pixbuf processes XPM images. An attacker could create a
carefully crafted XPM file in such a way that it could cause an
application linked with gdk-pixbuf to stop responding when the file was
opened by a victim. The Common Vulnerabilities and Exposures project has
assigned the name CVE-2005-2975 to this issue.

Users of gdk-pixbuf are advised to upgrade to these updated packages,
which contain backported patches and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173274

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/gdk-pixbuf-0.22.0-7.73.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/gdk-pixbuf-0.22.0-7.73.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/gdk-pixbuf-devel-0.22.0-7.73.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/gdk-pixbuf-gnome-0.22.0-7.73.4.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/gdk-pixbuf-0.22.0-7.90.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/gdk-pixbuf-0.22.0-7.90.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/gdk-pixbuf-devel-0.22.0-7.90.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/gdk-pixbuf-gnome-0.22.0-7.90.4.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/gdk-pixbuf-0.22.0-11.3.4.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/gdk-pixbuf-0.22.0-11.3.4.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/gdk-pixbuf-devel-0.22.0-11.3.4.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/gdk-pixbuf-gnome-0.22.0-11.3.4.2.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/gdk-pixbuf-0.22.0-12.fc2.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/gdk-pixbuf-0.22.0-12.fc2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/gdk-pixbuf-devel-0.22.0-12.fc2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/gdk-pixbuf-gnome-0.22.0-12.fc2.1.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------

68920e1aa48821ef2712597cfbb738a308fed989
redhat/7.3/updates/i386/gdk-pixbuf-0.22.0-7.73.4.legacy.i386.rpm
bed67c95aeba203d572601c03f61f4a87738577e
redhat/7.3/updates/i386/gdk-pixbuf-devel-0.22.0-7.73.4.legacy.i386.rpm
83b2d6fa22c90b3335c80e8516bbf7c013f3e0ce
redhat/7.3/updates/i386/gdk-pixbuf-gnome-0.22.0-7.73.4.legacy.i386.rpm
72d3a78c075cbd1108551c0f003d1d546474f345
redhat/7.3/updates/SRPMS/gdk-pixbuf-0.22.0-7.73.4.legacy.src.rpm

d2f5f242b378c44caa4b05ff2d157732b4f50896
redhat/9/updates/i386/gdk-pixbuf-0.22.0-7.90.4.legacy.i386.rpm
5a4b0b7566fb195e3ae9ac9df3a1d0d85f86d53d
redhat/9/updates/i386/gdk-pixbuf-devel-0.22.0-7.90.4.legacy.i386.rpm
99deb34f608c31c177acc48aae2a5a22dbef5e27
redhat/9/updates/i386/gdk-pixbuf-gnome-0.22.0-7.90.4.legacy.i386.rpm
34b8e79dfcfabfbd375636077a606f4c7193aabb
redhat/9/updates/SRPMS/gdk-pixbuf-0.22.0-7.90.4.legacy.src.rpm

0c08e3ec62a3ffc2cf4bf020f56dbce6c6abe55e
fedora/1/updates/i386/gdk-pixbuf-0.22.0-11.3.4.2.legacy.i386.rpm
b51c2c8928ef71b22375ef359262f5ab0467ede1
fedora/1/updates/i386/gdk-pixbuf-devel-0.22.0-11.3.4.2.legacy.i386.rpm
c36d9f5d78ddb75cfade93741fac76b692159fc0
fedora/1/updates/i386/gdk-pixbuf-gnome-0.22.0-11.3.4.2.legacy.i386.rpm
a33a275c1c2ff62a4256cd360aa2377989db4fd9
fedora/1/updates/SRPMS/gdk-pixbuf-0.22.0-11.3.4.2.legacy.src.rpm

6b55923c343d97bd131685a02cb36aba60be94a2
fedora/2/updates/i386/gdk-pixbuf-0.22.0-12.fc2.1.legacy.i386.rpm
a391b3b8ee9c42bf0f4fed872bfa5aea61cd34a7
fedora/2/updates/i386/gdk-pixbuf-devel-0.22.0-12.fc2.1.legacy.i386.rpm
a76c91bbdb0ff8fc1a30bf7c46a7392fbecf412b
fedora/2/updates/i386/gdk-pixbuf-gnome-0.22.0-12.fc2.1.legacy.i386.rpm
1ee0fd9996c89480305d4831e77406696030ec3f
fedora/2/updates/SRPMS/gdk-pixbuf-0.22.0-12.fc2.1.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v [filename]

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum [filename]

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2976
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3186

9. Contact:

The Fedora Legacy security contact is . More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------


6.


---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated libungif packages fix security issues
Advisory ID: FLSA:174479
Issue date: 2006-03-16
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-2974 CVE-2005-3350
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

Updated libungif packages that fix two security issues are now
available.

The libungif package contains a shared library of functions for loading
and saving GIF format image files.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

Several bugs in the way libungif decodes GIF images were discovered. An
attacker could create a carefully crafted GIF image file in such a way
that it could cause an application linked with libungif to crash or
execute arbitrary code when the file is opened by a victim. The Common
Vulnerabilities and Exposures project has assigned the names
CVE-2005-2974 and CVE-2005-3350 to these issues.

All users of libungif are advised to upgrade to these updated packages,
which contain backported patches that resolve these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174479

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/libungif-4.1.0-10.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/libungif-4.1.0-10.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/libungif-devel-4.1.0-10.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/libungif-progs-4.1.0-10.2.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/libungif-4.1.0-15.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/libungif-4.1.0-15.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/libungif-devel-4.1.0-15.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/libungif-progs-4.1.0-15.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/libungif-4.1.0-16.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/libungif-4.1.0-16.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/libungif-devel-4.1.0-16.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/libungif-progs-4.1.0-16.2.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/libungif-4.1.0-17.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/libungif-4.1.0-17.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/libungif-devel-4.1.0-17.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/libungif-progs-4.1.0-17.3.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------

540bf946dff308b065de73d7ce6ab9eb8d8c504a
redhat/7.3/updates/i386/libungif-4.1.0-10.2.legacy.i386.rpm
840791ef661042f779275b7c835760ab521a8d80
redhat/7.3/updates/i386/libungif-devel-4.1.0-10.2.legacy.i386.rpm
81f2ed8f2bae2785ec2820234875b870f583c7ce
redhat/7.3/updates/i386/libungif-progs-4.1.0-10.2.legacy.i386.rpm
8e039159be2bf479bf2bdb84ebadc2a364b3bd06
redhat/7.3/updates/SRPMS/libungif-4.1.0-10.2.legacy.src.rpm

c78cfe7b9a7e46d45865fcebad0956efb8962970
redhat/9/updates/i386/libungif-4.1.0-15.2.legacy.i386.rpm
1b8a2ff811fca4b56850adfc5fc602bd140876d8
redhat/9/updates/i386/libungif-devel-4.1.0-15.2.legacy.i386.rpm
35f6365684cec0da676b5c5fea9bdf2e9863d1ff
redhat/9/updates/i386/libungif-progs-4.1.0-15.2.legacy.i386.rpm
cb023ca008db9d81ad6d730cb714cb1f51ea97f3
redhat/9/updates/SRPMS/libungif-4.1.0-15.2.legacy.src.rpm

351c84419dfff38690db6f343fa91a41e6b2af1e
fedora/1/updates/i386/libungif-4.1.0-16.2.legacy.i386.rpm
72af8bc46a9deb31ede1fc773866e67f20f0da0b
fedora/1/updates/i386/libungif-devel-4.1.0-16.2.legacy.i386.rpm
3d36816c8ec4479647419402be97568fade3088e
fedora/1/updates/i386/libungif-progs-4.1.0-16.2.legacy.i386.rpm
92a4859d10e58f5abc85e7e22c89e4cf4911fbf0
fedora/1/updates/SRPMS/libungif-4.1.0-16.2.legacy.src.rpm

3a87b57220b6b788150d240977774dc54f6732fe
fedora/2/updates/i386/libungif-4.1.0-17.3.legacy.i386.rpm
c2d7e51e31ecb48546712d0c6f9998601af6daec
fedora/2/updates/i386/libungif-devel-4.1.0-17.3.legacy.i386.rpm
fbde1aceba27f12aacb41c8acbe2cf58a59cc121
fedora/2/updates/i386/libungif-progs-4.1.0-17.3.legacy.i386.rpm
609e3081132c7dca0da32f631e5ec4117df51265
fedora/2/updates/SRPMS/libungif-4.1.0-17.3.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v [filename]

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum [filename]

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3350

9. Contact:

The Fedora Legacy security contact is . More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------


7.


---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated xpdf package fixes security issues
Advisory ID: FLSA:175404
Issue date: 2006-03-16
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-2097 CVE-2005-3191 CVE-2005-3192
CVE-2005-3193 CVE-2005-3624 CVE-2005-3625
CVE-2005-3626 CVE-2005-3627 CVE-2005-3628
CVE-2006-0301
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

An updated xpdf package that fixes several security issues is now
available.

The xpdf package is an X Window System-based viewer for Portable
Document Format (PDF) files.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

A flaw was discovered in Xpdf in that an attacker could construct a
carefully crafted PDF file that would cause Xpdf to consume all
available disk space in /tmp when opened. The Common Vulnerabilities
and Exposures project assigned the name CVE-2005-2097 to this issue.

Several flaws were discovered in Xpdf. An attacker could construct a
carefully crafted PDF file that could cause Xpdf to crash or possibly
execute arbitrary code when opened. The Common Vulnerabilities and
Exposures project assigned the names CVE-2005-3191, CVE-2005-3192,
CVE-2005-3193, CVE-2005-3624, CVE-2005-3625, CVE-2005-3626,
CVE-2005-3627 and CVE-2005-3628 to these issues.

A heap-based buffer overflow bug was discovered in Xpdf. An attacker
could construct a carefully crafted PDF file that could cause Xpdf to
crash or possibly execute arbitrary code when opened. The Common
Vulnerabilities and Exposures project assigned the name CVE-2006-0301
to this issue.

Users of Xpdf should upgrade to this updated package, which contains
backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175404

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/xpdf-1.00-7.6.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/xpdf-1.00-7.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/xpdf-chinese-simplified-1.00-7.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/xpdf-chinese-traditional-1.00-7.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/xpdf-japanese-1.00-7.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/xpdf-korean-1.00-7.6.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/xpdf-2.01-11.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/xpdf-2.01-11.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/xpdf-chinese-simplified-2.01-11.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/xpdf-chinese-traditional-2.01-11.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/xpdf-japanese-2.01-11.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/xpdf-korean-2.01-11.4.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/xpdf-2.03-1.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/xpdf-2.03-1.4.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/xpdf-3.00-3.8.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/xpdf-3.00-3.8.1.legacy.i386.rpm

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/xpdf-3.01-0.FC3.5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/xpdf-3.01-0.FC3.5.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/xpdf-3.01-0.FC3.5.legacy.x86_64.rpm


7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------

6096aa2b487e635ae3003cf246ec66d53dc81d41
redhat/7.3/updates/i386/xpdf-1.00-7.6.legacy.i386.rpm
e670899dd04a31d466d0ba2cc213763157a3b101
redhat/7.3/updates/i386/xpdf-chinese-simplified-1.00-7.6.legacy.i386.rpm
c636a2b79eb22afe35993466675e9fdd086a84f2
redhat/7.3/updates/i386/xpdf-chinese-traditional-1.00-7.6.legacy.i386.rpm
9a2bfe9e373cd20422a862f48d3d6ad787b7f0f1
redhat/7.3/updates/i386/xpdf-japanese-1.00-7.6.legacy.i386.rpm
bc47f11dea342606e74aff1a55cf74bd52783b60
redhat/7.3/updates/i386/xpdf-korean-1.00-7.6.legacy.i386.rpm
ace7a51b625269d9f5bd3355b07a842f0e1426f4
redhat/7.3/updates/SRPMS/xpdf-1.00-7.6.legacy.src.rpm

4fe0714cdf2194cf0426e15210cbe509d77b2788
redhat/9/updates/i386/xpdf-2.01-11.4.legacy.i386.rpm
c54fad904f475d693c781632dbadfae9434e4c87
redhat/9/updates/i386/xpdf-chinese-simplified-2.01-11.4.legacy.i386.rpm
1b6f0cf3f309515fd60b88576a1168f9d9bc7fe0
redhat/9/updates/i386/xpdf-chinese-traditional-2.01-11.4.legacy.i386.rpm
accef6df9ed9b1cee0e05fffa7e7dde085ae3f35
redhat/9/updates/i386/xpdf-japanese-2.01-11.4.legacy.i386.rpm
69a7ae59cb1ddb5b422eccdec53711f459939c3f
redhat/9/updates/i386/xpdf-korean-2.01-11.4.legacy.i386.rpm
090ddacf36dc0180c16cef8526aedc9bb9c5225c
redhat/9/updates/SRPMS/xpdf-2.01-11.4.legacy.src.rpm

0349626a79f659adc0590938b99a6097f6898f10
fedora/1/updates/i386/xpdf-2.03-1.4.legacy.i386.rpm
8612ba60a89cfb0ef195450d1c927487b868deec
fedora/1/updates/SRPMS/xpdf-2.03-1.4.legacy.src.rpm

f60fc20854386ef91f6769aabd29f3a77e29084d
fedora/2/updates/i386/xpdf-3.00-3.8.1.legacy.i386.rpm
64139c039afc0af67eadcc8c87e03aed6c6254d0
fedora/2/updates/SRPMS/xpdf-3.00-3.8.1.legacy.src.rpm

268cba4fb5fd62699595cdeed78375f324c874f6
fedora/3/updates/i386/xpdf-3.01-0.FC3.5.legacy.i386.rpm
021ec4bb4d86192a519261b3073a3d348e4fa14a
fedora/3/updates/x86_64/xpdf-3.01-0.FC3.5.legacy.x86_64.rpm
3e139055107af9057062154add60191331765e43
fedora/3/updates/SRPMS/xpdf-3.01-0.FC3.5.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v [filename]

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum [filename]
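
The verification step above, which the kernel, gdk-pixbuf and libungif
advisories earlier on this page repeat with the same "SHA1 sum / Package
Name" table and the same two commands, is tedious to do by hand because
the table puts each checksum and its package path on separate lines, a
layout that sha1sum -c cannot read. The script below is an added example
and is not part of any Fedora Legacy advisory: it rewrites the table into
the one-line form sha1sum understands and checks whichever of the listed
packages were actually downloaded into a local directory that mirrors the
download.fedoralegacy.org path layout. The function names, the mirror
directory argument and the sample table used in the comments are
assumptions of this example, not something the advisories define.

```shell
#!/bin/sh
# Added example, not part of the Fedora Legacy advisory: check downloaded
# update RPMs against the "SHA1 sum / Package Name" table that each advisory
# carries in its Verification section. The table puts the checksum and the
# mirror-relative path on consecutive lines, which sha1sum -c cannot read
# directly, so the first function rewrites it into "<sha1>  <path>" form.

# advisory_table_to_sha1sum TABLE
# Print one "<sha1>  <path>" line per (checksum, path) pair found in TABLE.
# Blank lines, the "SHA1 sum Package Name" header and the dashed rule are
# ignored because none of them is a 40-digit hex string.
advisory_table_to_sha1sum() {
    awk '
        # A line that is exactly 40 hex digits starts a new pair.
        length($0) == 40 && $0 ~ /^[0-9a-f]+$/ { sum = $0; next }
        # The next non-blank line is the path that checksum belongs to.
        sum != "" && NF > 0 { print sum "  " $0; sum = "" }
    ' "$1"
}

# verify_advisory_packages TABLE MIRROR_DIR
# MIRROR_DIR is a local directory laid out like the download mirror
# (for example MIRROR_DIR/fedora/3/updates/i386/...). Only files that are
# present are checked, so a table covering several releases still works when
# just one release was downloaded. Prints PASS/FAIL per file and returns 0
# only when at least one file was checked and every checked file matched.
verify_advisory_packages() {
    table=$1
    root=$2
    list=$(mktemp) || return 1
    advisory_table_to_sha1sum "$table" > "$list"
    checked=0
    failed=0
    # Read from the temp file rather than a pipe so the counters survive
    # the loop (a piped while loop would run in a subshell in plain sh).
    while read -r expected path; do
        file="$root/$path"
        [ -f "$file" ] || continue          # not downloaded: nothing to check
        actual=$(sha1sum "$file" | awk '{print $1}')
        checked=$((checked + 1))
        if [ "$actual" = "$expected" ]; then
            echo "PASS $path"
        else
            echo "FAIL $path (expected $expected, got $actual)"
            failed=$((failed + 1))
        fi
    done < "$list"
    rm -f "$list"
    [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}

# check_rpm_signatures MIRROR_DIR
# The checksum only shows that a file is the one the advisory text lists;
# the GPG signature, checked with the same rpm command the advisory gives,
# is what ties the package to the Fedora Legacy key. Needs rpm installed and
# the Fedora Legacy key imported, so it is not exercised in the offline test.
check_rpm_signatures() {
    find "$1" -name '*.rpm' -exec rpm --checksig -v {} \;
}

# Stand-alone usage (hypothetical paths):
#   verify_advisory_packages table.txt ./mirror && check_rpm_signatures ./mirror
```

Paste the advisory's Verification section into a file, download the RPMs
into a directory that keeps the fedora/... or redhat/... path structure,
and run verify_advisory_packages on the pair; a zero exit status means every
downloaded package matched. As the advisory itself notes, the checksum only
guards against corruption or substitution of the file; the signature check
is the step that proves the package was produced by Fedora Legacy, so run
check_rpm_signatures on a machine with rpm and the imported key before
installing.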

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3193
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3624
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3626
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3627
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3628
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0301

9. Contact:

The Fedora Legacy security contact is . More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------


8.


---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated kdelibs packages fix security issues
Advisory ID: FLSA:178606
Issue date: 2006-03-16
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-0237 CVE-2005-0396 CVE-2005-1046
CVE-2005-1920 CVE-2006-0019
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

Updated kdelibs packages that fix several security issues are now
available.

The kdelibs package provides libraries for the K Desktop Environment.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

The International Domain Name (IDN) support in the Konqueror browser
allowed remote attackers to spoof domain names using punycode encoded
domain names. Such domain names are decoded in URLs and SSL certificates
in a way that uses homograph characters from other character sets, which
facilitates phishing attacks. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CVE-2005-0237 to this
issue.

Sebastian Krahmer discovered a flaw in dcopserver, the KDE Desktop
Communication Protocol (DCOP) daemon. A local user could use this flaw
to stall the DCOP authentication process, affecting any local desktop
users and causing a reduction in their desktop functionality. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2005-0396 to this issue.

A buffer overflow was found in the kimgio library for KDE 3.4.0. An
attacker could create a carefully crafted PCX image in such a way that
it would cause kimgio to execute arbitrary code when processing the
image. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2005-1046 to this issue.

A flaw was discovered affecting Kate, the KDE advanced text editor, and
Kwrite. Depending on system settings, it may be possible for a local
user to read the backup files created by Kate or Kwrite. The Common
Vulnerabilities and Exposures project assigned the name CVE-2005-1920 to
this issue.

A heap overflow flaw was discovered affecting kjs, the JavaScript
interpreter engine used by Konqueror and other parts of KDE. An attacker
could create a malicious web site containing carefully crafted
JavaScript code that would trigger this flaw and possibly lead to
arbitrary code execution. The Common Vulnerabilities and Exposures
project assigned the name CVE-2006-0019 to this issue.

Users of KDE should upgrade to these erratum packages, which contain
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178606

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/kdelibs-3.0.5a-0.73.7.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kdelibs-3.0.5a-0.73.7.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kdelibs-devel-3.0.5a-0.73.7.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/kdelibs-3.1-17.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/kdelibs-3.1-17.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/kdelibs-devel-3.1-17.1.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/kdelibs-3.1.4-9.FC1.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/kdelibs-3.1.4-9.FC1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/kdelibs-devel-3.1.4-9.FC1.1.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/kdelibs-3.2.2-14.FC2.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/kdelibs-3.2.2-14.FC2.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/kdelibs-devel-3.2.2-14.FC2.2.legacy.i386.rpm

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/kdelibs-3.4.2-1.fc3.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/kdelibs-3.4.2-1.fc3.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/kdelibs-devel-3.4.2-1.fc3.1.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/kdelibs-3.4.2-1.fc3.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/kdelibs-3.4.2-1.fc3.1.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/kdelibs-devel-3.4.2-1.fc3.1.legacy.x86_64.rpm


7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------

2f2d25474d7f6c68b77e376684f3835cd61123e4
redhat/7.3/updates/i386/kdelibs-3.0.5a-0.73.7.legacy.i386.rpm
c153c581d132fc5ae882167d3319f103652043dd
redhat/7.3/updates/i386/kdelibs-devel-3.0.5a-0.73.7.legacy.i386.rpm
7ad24efea3cd775ad8bc649128d64875eec1554e
redhat/7.3/updates/SRPMS/kdelibs-3.0.5a-0.73.7.legacy.src.rpm

f527dda13ccda9cd86542014e749587548b82a32
redhat/9/updates/i386/kdelibs-3.1-17.1.legacy.i386.rpm
6e22f76a8310051d285d60817066659f4429b633
redhat/9/updates/i386/kdelibs-devel-3.1-17.1.legacy.i386.rpm
7d8b9b30352004864252d7f2a72a877f062adf0f
redhat/9/updates/SRPMS/kdelibs-3.1-17.1.legacy.src.rpm

3de25dd41842099dca0cf142adef2c4fe35bcfce
fedora/1/updates/i386/kdelibs-3.1.4-9.FC1.1.legacy.i386.rpm
5d48525f08c39c3f73ca1d547be6aa0335c02a02
fedora/1/updates/i386/kdelibs-devel-3.1.4-9.FC1.1.legacy.i386.rpm
14c5cab3afedd32f05324ced28cd9abda3349ff1
fedora/1/updates/SRPMS/kdelibs-3.1.4-9.FC1.1.legacy.src.rpm

944bbc21e569bc63544f540783eedf4ecf430d2f
fedora/2/updates/i386/kdelibs-3.2.2-14.FC2.2.legacy.i386.rpm
6d15fbaa66fbadf6fa19ce3feb04e4c71ef18dfe
fedora/2/updates/i386/kdelibs-devel-3.2.2-14.FC2.2.legacy.i386.rpm
1b2a47dcae3e180dc2b0ccecdff5dca12b914393
fedora/2/updates/SRPMS/kdelibs-3.2.2-14.FC2.2.legacy.src.rpm

4d217b3e16c4624ff14b9615ab7720efbaaff7e8
fedora/3/updates/i386/kdelibs-3.4.2-1.fc3.1.legacy.i386.rpm
c861158a8f3734f0ae633fc46cd8705c6d5fc0ad
fedora/3/updates/i386/kdelibs-devel-3.4.2-1.fc3.1.legacy.i386.rpm
4d217b3e16c4624ff14b9615ab7720efbaaff7e8
fedora/3/updates/x86_64/kdelibs-3.4.2-1.fc3.1.legacy.i386.rpm
8d37c651ebe27beb56c34383972128a18e8e3c4d
fedora/3/updates/x86_64/kdelibs-3.4.2-1.fc3.1.legacy.x86_64.rpm
10cabc626d4c0570999ccd70aa8e248f31b49f8f
fedora/3/updates/x86_64/kdelibs-devel-3.4.2-1.fc3.1.legacy.x86_64.rpm
bb0dc7875106e2b71d30a5a8f2df6737aee4a80a
fedora/3/updates/SRPMS/kdelibs-3.4.2-1.fc3.1.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>
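The two verification steps the advisories describe (comparing each download against the published SHA1 table, then checking the Fedora Legacy GPG signature with rpm --checksig) are easy to get wrong by hand when an advisory lists a dozen packages across several releases, as the xpdf and kdelibs tables above do. The script below is an added example, not part of the advisory or of the Fedora Legacy project's tooling. It assumes the "7. Verification" table has been saved to a text file exactly as printed (a 40-hex-digit SHA1 on one line, the repository-relative package path on the next, blank lines between releases), that all downloaded RPMs sit in one directory and are matched by file name, and that the project key has already been imported into rpm before the signature step. The self-test uses a constructed stand-in file, not a real package.

```shell
#!/bin/sh
# Added example (not from the advisory or the Fedora Legacy project): check a
# directory of downloaded packages against the SHA1 table of an FLSA advisory,
# then run the signature check the advisory recommends.
#
# Assumptions: the "7. Verification" table has been saved to a text file as
# printed in the advisory (a 40-hex-digit SHA1 on one line, the repository-
# relative package path on the next, blank lines between releases); downloaded
# RPMs all sit in one directory and are matched by their file name.

# verify_sums LISTFILE DIR
# Prints OK / FAIL / MISSING for every package named in LISTFILE.
# Returns 0 only if every listed package is present and its SHA1 matches.
verify_sums() {
    list="$1"; dir="$2"; status=0; expected=""
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue           # blank separator between releases
        if [ -z "$expected" ]; then
            # Expecting a hash line; the table header and ruler are skipped.
            if printf '%s\n' "$line" | grep -Eq '^[0-9a-f]{40}$'; then
                expected="$line"
            fi
            continue
        fi
        file="$dir/$(basename "$line")"      # the path line follows its hash line
        if [ ! -f "$file" ]; then
            echo "MISSING $line"; status=1
        else
            actual=$(sha1sum "$file" | cut -d' ' -f1)
            if [ "$actual" = "$expected" ]; then
                echo "OK      $line"
            else
                echo "FAIL    $line (expected $expected, got $actual)"; status=1
            fi
        fi
        expected=""
    done < "$list"
    return $status
}

# check_signatures DIR
# Runs the advisory's "rpm --checksig -v" over every RPM in DIR. A matching
# sha1sum only shows the download is intact; the GPG signature is what ties
# the package to Fedora Legacy, and it needs the project key imported first.
check_signatures() {
    dir="$1"; status=0
    for f in "$dir"/*.rpm; do
        [ -f "$f" ] || continue
        rpm --checksig -v "$f" || status=1
    done
    return $status
}

# sample_check
# Self-test on constructed data: a stand-in "package" whose contents are the
# three bytes "abc" (SHA1 a9993e36..., the FIPS 180-1 test vector), so the
# expected hash is written in independently rather than computed by the script.
# Returns 0 when the intact file verifies and a modified copy is rejected.
sample_check() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/pkgs"
    pkg="$tmp/pkgs/example-1.0-1.legacy.i386.rpm"   # constructed name, not a real RPM
    printf 'abc' > "$pkg"
    printf '%s\n%s\n' \
        'a9993e364706816aba3e25717850c26c9cd0d89d' \
        'fedora/3/updates/i386/example-1.0-1.legacy.i386.rpm' > "$tmp/sums.txt"
    result=1
    if verify_sums "$tmp/sums.txt" "$tmp/pkgs"; then
        printf 'x' >> "$pkg"                          # simulate a corrupted download
        if ! verify_sums "$tmp/sums.txt" "$tmp/pkgs"; then
            result=0
        fi
    fi
    rm -rf "$tmp"
    return $result
}

# Usage: sh verify_flsa.sh sums.txt ./downloads
# With no arguments the constructed self-test runs instead.
if [ "$#" -eq 2 ]; then
    verify_sums "$1" "$2" && check_signatures "$2"
else
    sample_check
fi
```

The script deliberately keeps the two checks separate: a SHA1 match against a table copied from an advisory proves only that what was downloaded is what the advisory lists, so a mirror serving the wrong file is caught but a forged advisory is not. The signature check is the step that binds the package to the Fedora Legacy key, which is why the advisory points at the key URL before listing either command.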

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0396
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1046
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1920
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0019

9. Contact:

The Fedora Legacy security contact is . More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------