TSLSA-2002-0040 - zlib

From: Trustix Secure Linux Advisor (tslat_private)
Date: Mon Mar 18 2002 - 10:23:26 PST

    - --------------------------------------------------------------------------
    Trustix Secure Linux Security Advisory #2002-0040
    
    Package name:      zlib and derived packages
    Summary:           double free() vulnerability
    Date:              2002-03-18
    Affected versions: TSL 1.01, 1.1, 1.2, 1.5
    
    - --------------------------------------------------------------------------
    
    Problem description:
      zlib version 1.1.3 and lower contains a vulnerability which, in a worst case
      scenario, might allow an attacker to execute arbitrary code. This problem is
      solved by upgrading to the new release of zlib.
      
      All programs which are dynamically linked with this library need to be
      restarted after the zlib upgrade. These include, among others: openssh and
      postgresql. To ensure that these services are in fact restarted, the TSL team
      has upgraded them as well.
      Users of the swup software update tool will benefit greatly from this.
      
      Some programs are statically linked with this library and have been
      recompiled using the new release of zlib as part of the build environment.
      
      Also some programs have parts of the zlib source code copied into their own 
      source code, and may therefore be vulnerable. These will be updated when 
      analysis tells us that they are in fact vulnerable.
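      The three cases above (dynamically linked programs that must be restarted, statically linked programs, and copied zlib source) can be checked for on a host after the package upgrade. The script below is an added example and is not part of the Trustix advisory; it assumes a Linux /proc layout in which a shared library replaced on disk shows up as "(deleted)" in a still-running process's maps, and it relies on the " inflate 1.1.3 Copyright ..." / " deflate 1.1.3 Copyright ..." strings that zlib compiles into every object it is built into. The demonstration data under $DEMO is constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the Trustix advisory): after a zlib upgrade, find
# processes still running against the OLD libz and binaries that carry a
# statically linked or copied zlib 1.1.3.

# Print the PID of every process whose maps still reference a deleted libz.
# Argument: root of the proc tree (defaults to /proc; a constructed tree is
# passed in the demonstration below).
stale_zlib_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -q 'libz\.so.*(deleted)' "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            echo "${pid##*/}"
        fi
    done
}

# Return 0 if the file embeds zlib's 1.1.3 copyright string (static link or
# copied source), 1 otherwise.  tr stands in for strings(1) so this stays POSIX.
has_embedded_zlib_113() {
    tr -c '[:print:]' '\n' < "$1" | grep -q 'flate 1\.1\.3 Copyright'
}

# --- constructed demonstration data (not a real system) ---------------------
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/proc/101" "$DEMO/proc/202"
# PID 101: a daemon started before the upgrade, still mapping the replaced file
printf '%s\n' \
  '40000000-40016000 r-xp 00000000 03:01 1234 /lib/ld-2.2.5.so' \
  '4001c000-4002a000 r-xp 00000000 03:01 5678 /usr/lib/libz.so.1.1.3 (deleted)' \
  > "$DEMO/proc/101/maps"
# PID 202: started after the upgrade, mapping the new library
printf '%s\n' \
  '4001c000-4002a000 r-xp 00000000 03:01 9012 /usr/lib/libz.so.1.1.4' \
  > "$DEMO/proc/202/maps"
# Two fake binaries: one with copied zlib 1.1.3, one built against 1.1.4
printf 'ELF\001\002 inflate 1.1.3 Copyright 1995-1998 Mark Adler \003' > "$DEMO/old_static"
printf 'ELF\001\002 inflate 1.1.4 Copyright 1995-2002 Mark Adler \003' > "$DEMO/new_static"

echo "processes needing restart: $(stale_zlib_pids "$DEMO/proc")"
for f in "$DEMO/old_static" "$DEMO/new_static"; do
    if has_embedded_zlib_113 "$f"; then echo "$f: embedded zlib 1.1.3"; fi
done
```

      On a real host, run `stale_zlib_pids` with no argument and `has_embedded_zlib_113` over the binaries of packages not rebuilt by the vendor; a hit in the second check means the program needs its own rebuild rather than a restart.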
    
      Following is a list of the updated packages:
      - zlib (Upgrade: 1.1.4-1tr)
      - openssh (Rebuild: 3.1.0p1-2tr)
      - postgresql (Rebuild: 7.1.2-4tr)
      - mysql (Rebuild: 3.23.47-2tr)
      - rpm (Rebuild: 3.0.6-7tr)
      - rsync (Upgrade: 2.5.4-1tr)
      - kernel (Patch: 2.2.20-2tr)
      - sash (Upgrade: 3.5-1tr)
      - ppp (Upgrade/patch: 2.4.1-1tr)
    
      We have also included some of the updates that have been in the public
      testing directories for a while:
    
      1.5: man and procmail
      1.2: apache apache-ssl
    
    Action:
      We recommend that all systems with this package installed are upgraded.
      Please note that if you do not need the functionality provided by some of 
      these packages, you may want to remove them from your system.
    
    
    Location:
      All TSL updates are available from
      <URI:http://www.trustix.net/pub/Trustix/updates/>
      <URI:ftp://ftp.trustix.net/pub/Trustix/updates/>
    
    
    Automatic updates:
      Users of the SWUP tool can enjoy having updates automatically
      installed using 'swup --upgrade'.
    
      Get SWUP from:
      <URI:ftp://ftp.trustix.net/pub/Trustix/software/swup/>
    
    
    Public testing:
      These packages have been available for public testing for some time.
      If you want to contribute by testing the various packages in the
      testing tree, please feel free to share your findings on the
      tsl-discuss mailing list.
      The testing tree is located at
      <URI:http://www.trustix.net/pub/Trustix/testing/>
      <URI:ftp://ftp.trustix.net/pub/Trustix/testing/>
      
    
    Questions?
      Check out our mailing lists:
      <URI:http://www.trustix.net/support/>
    
    
    Verification:
      This advisory, along with all TSL packages, is signed with the TSL sign key.
      This key is available from:
      <URI:http://www.trustix.net/TSL-GPG-KEY>
    
      The advisory itself is available from the errata pages at
      <URI:http://www.trustix.net/errata/trustix-1.2/> and
      <URI:http://www.trustix.net/errata/trustix-1.5/>
      or directly at
      <URI:http://www.trustix.net/errata/misc/2002/TSL-2002-0040-zlib.asc.txt>
    
    
    MD5sums of the packages:
    - --------------------------------------------------------------------------
    - --------------------------------------------------------------------------
    
    
    Trustix Security Team
    
    