[tinysofa-announce] TSSA-2004-001 - multiple packages
tinysofa Security Team
security at tinysofa.org
Sun May 2 19:24:19 UTC 2004
--------------------------------------------------------------------------
tinysofa Security Advisory #2004-001
Package name: initscripts libpcap libpng rsync proftpd
Summary: Potential security holes, Bug fixes
Advisory ID: TSSA-2004-001
Date: 2004-05-03
Affected versions: tinysofa enterprise server 1.0
--------------------------------------------------------------------------
Package description:
initscripts:
The initscripts package contains the basic system scripts used to boot
your tinysofa, change runlevels, and shut the system down
cleanly. Initscripts also contains the scripts that activate and
deactivate most network interfaces.
libpcap:
A system-independent interface for user-level packet capture.
libpng:
A library of functions for creating and manipulating PNG
(Portable Network Graphics) image format files.
rsync:
A program for synchronizing files over a network.
proftpd:
An enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including
support for multiple 'virtual' FTP servers, anonymous FTP, and
permission-based directory visibility.
Problem description:
initscripts:
A problem in the ifup script caused the dhclient program to lose its
lease information. This update fixes Bug #2
<URI:http://www.tinysofa.org/bugs/show_bug.cgi?id=2>
libpcap:
A shared library of libpcap is now included in this package.
libpng:
Steve Grubb discovered that libpng would access memory that is out of
bounds when creating an error message. The impact of this bug is not
clear, but it could lead to a core dump in a program using libpng, or
could result in a DoS (Denial of Service) condition in a daemon that
uses libpng to process PNG images.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0421 to this issue.
rsync:
A bugfix release that mainly fixes a bug with the --relative option (-R)
in 2.6.1 that could cause files to be transferred incorrectly.
proftpd:
A portability workaround was applied in version 1.2.9 of the FTP
server ProFTPD. As a side effect, CIDR-based (aaa.bbb.ccc.ddd/NN)
ACL entries in "Allow" and "Deny" directives act like an "AllowAll"
directive, so FTP clients are granted access to files and
directories although the server configuration explicitly denies this
access.
Action:
We recommend that all systems with these packages installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.
Location:
All tinysofa updates are available from
<URI:http://http.tinysofa.org/pub/tinysofa/updates/>
<URI:ftp://ftp.tinysofa.org/pub/tinysofa/updates/>
Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.
Questions?
Check out our mailing lists:
<URI:http://www.tinysofa.org/support/>
Verification:
This advisory is signed with the tinysofa security sign key.
This key is available from:
<URI:http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAEDCBB4B>
All tinysofa packages are signed with the tinysofa stable sign key.
This key is available from:
<URI:http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0F1240A2>
The advisory is available from the tinysofa errata database at
<URI:http://www.tinysofa.org/support/errata/>
or directly at
<URI:http://www.tinysofa.org/support/errata/2004/001.html>
MD5sums of the packages:
--------------------------------------------------------------------------
ec326f225c104593723af0dd5be890f7 initscripts-7.14-19ts.i586.rpm
193cd1ea696a206a0411dd4f5b498a4b libpcap-0.8.3-2ts.i586.rpm
bfff58f6b90001f9b2059137f30fa349 libpng-1.2.5-10ts.i586.rpm
11869d580cf897c739ad9851c6f81d4c libpng-devel-1.2.5-10ts.i586.rpm
273a87d6889488b77ee566cf81f7d945 libpng-tools-1.2.5-10ts.i586.rpm
ec3806a077d7b721886fd8f0a9677c74 proftpd-1.2.9-8ts.i586.rpm
6abbb4ed7a7688a981f6706675fa1337 rsync-2.6.2-1ts.i586.rpm
0e1690d270b88fc90a2ebadd65fdd9d0 rsync-server-2.6.2-1ts.i586.rpm
--------------------------------------------------------------------------
tinysofa Security Team
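
To find which access rules on a host depended on the CIDR matching described in the proftpd entry above, the following added example (not part of the original advisory, and not tinysofa or ProFTPD code) lists every CIDR-style entry in the Allow and Deny directives of a ProFTPD configuration, with its enclosing section. The sample configuration is constructed, and find_cidr_acls is a hypothetical helper name.

```python
import ipaddress
import re

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONF = """\
<Directory /srv/ftp/private>
  <Limit ALL>
    Order allow,deny
    Allow from 192.168.10.0/24, 10.1.2.3
    Deny from all
  </Limit>
</Directory>
<Limit LOGIN>
  # Deny from 172.16.0.0/12
  Deny 172.16.0.0/12
  Allow from .example.org
</Limit>
"""

# "Allow"/"Deny" must be followed by whitespace, so AllowAll/DenyAll are skipped.
ACL_RE = re.compile(r"^\s*(Allow|Deny)\s+(?:from\s+)?(.+)$", re.IGNORECASE)
OPEN_RE = re.compile(r"^\s*<(?!/)\s*(\w+)\s*([^>]*)>")
CLOSE_RE = re.compile(r"^\s*</\s*(\w+)\s*>")


def find_cidr_acls(conf_text):
    """Return (line_no, context, directive, network) for each CIDR ACL entry."""
    findings, context = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if CLOSE_RE.match(line):
            del context[-1:]                      # leave the innermost section
            continue
        if (m := OPEN_RE.match(line)):
            context.append(f"{m.group(1)} {m.group(2)}".strip())
            continue
        m = ACL_RE.match(line)
        if not m:
            continue
        for token in re.split(r"[,\s]+", m.group(2).strip()):
            if "/" not in token:
                continue                          # plain host, domain, or "all"
            try:
                net = ipaddress.ip_network(token, strict=False)
            except ValueError:
                continue                          # not an address/prefix pair
            findings.append((line_no, " > ".join(context) or "server",
                             m.group(1).capitalize(), str(net)))
    return findings
```

Pass the text of the server's own configuration file to find_cidr_acls; each returned tuple is a rule to re-test once the updated proftpd package is installed.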