-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2005-0074
Package names: apache, libc-client
Summary: Multiple vulnerabilities
Date: December 23, 2005
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Operating System - Enterprise Server 2
- --------------------------------------------------------------------------
Package description:
apache
Apache is a full featured web server that is freely available, and also
happens to be the most widely used.
libc-client
Runtime file for programs using the IMAP c-client library
Problem description:
apache < TSL 3.0> < TSL 2.2> < TSEL 2>
- SECURITY Fix: Cross-site scripting (XSS) vulnerability in the mod_imap
module which allows remote attackers to inject arbitrary web script or
HTML via the Referer when using image maps.
- mod_ssl: Fix a possible crash during access control checks if a non-SSL
request is processed for an SSL vhost.
The Common Vulnerabilities and Exposures project has assigned the
names CVE-2005-3352 and CVE-2005-3357 to these issues.
libc-client < TSL 3.0>
- New Upstream.
- SECURITY Fix: infamous41md has reported a vulnerability caused by a
boundary error in the "mail_valid_net_parse_work()" function when copying
the user supplied mailbox name to a stack buffer. This can be exploited to
cause a stack-based buffer overflow via a specially crafted mailbox name
that contains a single opening double-quote character, without the
corresponding closing double-quote.
The Common Vulnerabilities and Exposures project has assigned the
name CAN-2005-2933 to this issue.
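Added example (not part of the original advisory and not the c-client source): a bounds-checked copy of a double-quoted value that rejects input with no closing quote, the condition described above. The function name copy_quoted and the buffer sizes are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Copy the text between an opening '"' at src[0] and its closing '"'
 * into dst, which holds dstlen bytes including the terminating NUL.
 * Returns the number of bytes copied, or -1 if src does not start with
 * a quote, the closing quote is missing, or the value does not fit.
 * On failure dst is left as an empty string.
 */
long copy_quoted(const char *src, char *dst, size_t dstlen)
{
    size_t i = 0;
    const char *p;

    if (src == NULL || dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (src[0] != '"')
        return -1;
    for (p = src + 1; *p != '"'; p++) {
        if (*p == '\0' || i + 1 >= dstlen) {
            /* No closing quote, or no room left for this byte + NUL:
             * reject instead of reading or writing past a buffer. */
            dst[0] = '\0';
            return -1;
        }
        dst[i++] = *p;
    }
    dst[i] = '\0';
    return (long)i;
}

int main(void)
{
    /* Constructed sample inputs; buffer size chosen for the example. */
    const char *samples[] = { "\"INBOX\"", "\"INBOX", "\"AAAAAAAAAAAAAAAAAAAA\"" };
    char arg[16];
    size_t n;

    for (n = 0; n < sizeof samples / sizeof samples[0]; n++)
        printf("%-26s -> %ld\n", samples[n], copy_quoted(samples[n], arg, sizeof arg));
    return 0;
}
```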
Action:
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.
Location:
All Trustix Secure Linux updates are available from
About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers. With focus
on security and stability, the system is painlessly kept safe and up to
date from day one using swup, the automated software updater.
Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.
Questions?
Check out our mailing lists:
Verification:
This advisory along with all Trustix packages are signed with the
TSL sign key.
This key is available from:
The advisory itself is available from the errata pages at
and
or directly at
MD5sums of the packages:
- --------------------------------------------------------------------------
6b12b99cd36dad9fb5b078a6c1210b13 2.2/rpms/apache-2.0.55-3tr.i586.rpm
e380a4f431186ca2b40cf9ad513a19a7 2.2/rpms/apache-dbm-2.0.55-3tr.i586.rpm
b94f134bded1fd7aee3cd2ff94e4af16 2.2/rpms/apache-devel-2.0.55-3tr.i586.rpm
d0ebfc0e0ac0620efa5fcf35d8a96d2e 2.2/rpms/apache-html-2.0.55-3tr.i586.rpm
5a08307daefef53de70cf255e73fa5a3 2.2/rpms/apache-manual-2.0.55-3tr.i586.rpm
59314f05776533be306220b1e2ac7a9a 2.2/rpms/apache-suexec-2.0.55-3tr.i586.rpm
54009fe88cad9a9ccdf9c88ff7a81a18 3.0/rpms/apache-2.0.55-5tr.i586.rpm
4909dd9cd08a6da7667cee167acd46f0 3.0/rpms/apache-dbm-2.0.55-5tr.i586.rpm
ff6f33418c76684012d0fa1026ad91de 3.0/rpms/apache-devel-2.0.55-5tr.i586.rpm
2733021799b9a821f963328d8d98c562 3.0/rpms/apache-html-2.0.55-5tr.i586.rpm
ed54c047db9ad31e8380d5051f1572a1 3.0/rpms/apache-manual-2.0.55-5tr.i586.rpm
8c226f8e0418499028817ceaf5113aa2 3.0/rpms/apache-suexec-2.0.55-5tr.i586.rpm
95e0a44b5ffbcef84f1aa945cdbeb6f9 3.0/rpms/libc-client-0.0.2004.g-1tr.i586.rpm
add6f0734ec0cd2582af6ad6bd493245 3.0/rpms/libc-client-devel-0.0.2004.g-1tr.i586.rpm
- --------------------------------------------------------------------------
Trustix Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDvQ2/i8CEzsK9IksRAqE/AKCmZ91w4JzdPE90eis+IYRJxXWeGACfY9a1
t6EVFGTJX7QpXrYKMP8CxDM=
=oZl4
-----END PGP SIGNATURE-----