-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2006-0036

Package names:     fcron, libtiff 
Summary:           Multiple vulnerabilities
Date:              2006-06-16
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Operating System - Enterprise Server 2

- --------------------------------------------------------------------------
Package description:
  fcron
  Fcron is a scheduler. It aims at replacing Vixie Cron, so it implements
  most of its functionalities. But contrary to Vixie Cron, fcron does not
  need your system to be up 7 days a week, 24 hours a day : it also works
  well with systems which are not running neither all the time nor 
  regularly (contrary to anacrontab).

  libtiff
  The libtiff package contains a library of functions for manipulating
  TIFF (Tagged Image File Format) image format files.  TIFF is a widely
  used file format for bitmapped images.  TIFF files usually end in the
  .tif extension and they are often quite large.

Problem description:
  fcron < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - Patched to fix buffer overflow due to a bug in make_msg(), Bug #1754.

  libtiff < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - SECURITY Fix: gpe92 has discovered a vulnerability in LibTIFF caused
    due to a boundary error within tiff2pdf when handling a TIFF file with
    a "DocumentName" tag that contains UTF-8 characters. This can be
    exploited to cause a stack-based buffer overflow and may allow
    arbitrary code execution.
  - Stack-based buffer overflow in the tiffsplit command in libtiff might
    allow attackers to execute arbitrary code via a long filename.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the names CVE-2006-2193 and CVE-2006-2656 these issues. 

Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All Trustix Secure Linux updates are available from
  <URI:http://http.trustix.org/pub/trustix/updates/>
  <URI:ftp://ftp.trustix.org/pub/trustix/updates/>


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.


Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.org/support/>


Verification:
  This advisory along with all Trustix packages are signed with the
  TSL sign key.
  This key is available from:
  <URI:http://www.trustix.org/TSL-SIGN-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.org/errata/trustix-2.2/> and
  <URI:http://www.trustix.org/errata/trustix-3.0/>
  or directly at
  <URI:http://www.trustix.org/errata/2006/0036/>


MD5sums of the packages:
- --------------------------------------------------------------------------
ef9c418538fe7078fd0aef828242e94c  3.0/rpms/fcron-2.9.6-13tr.i586.rpm
8a4ecedfff22da6b1c4760a34aa519dc  3.0/rpms/libtiff-3.7.3-3tr.i586.rpm
9d1e3065f727303f684c075d1d58b582  3.0/rpms/libtiff-devel-3.7.3-3tr.i586.rpm
b1531880559bd9b9416df88f24f51b00  3.0/rpms/libtiff-docs-3.7.3-3tr.i586.rpm

b5432c9e8a0e7dc0f14d5d0ba56fae88  2.2/rpms/fcron-2.9.5.1-5tr.i586.rpm
7203c833a5d80a08ccfd240530c91e17  2.2/rpms/libtiff-3.7.3-3tr.i586.rpm
257f3daa5eb28d0567f741e7570dca6a  2.2/rpms/libtiff-devel-3.7.3-3tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEkqLEi8CEzsK9IksRAk7FAJwJuKPsOcTHMBFr8QsvZlYEm01vAQCdGD1W
/XnBafSycZESp61S8DZz1+k=
=RYEA
-----END PGP SIGNATURE-----