-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2012:129 http://www.mandriva.com/security/ _______________________________________________________________________ Package : busybox Date : August 10, 2012 Affected: 2011., Enterprise Server 5.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities was found and corrected in busybox: The decompress function in ncompress allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code, via crafted data that leads to a buffer underflow (CVE-2006-1168). A missing DHCP option checking / sanitization flaw was reported for multiple DHCP clients. This flaw may allow DHCP server to trick DHCP clients to set e.g. system hostname to a specially crafted value containing shell special characters. Various scripts assume that hostname is trusted, which may lead to code execution when hostname is specially crafted (CVE-2011-2716). Additionally for Mandriva Enterprise Server 5 various problems in the ka-deploy and uClibc packages was discovered and fixed with this advisory. The updated packages have been patched to correct these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1168 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2716 _______________________________________________________________________ Updated Packages: Mandriva Linux 2011: 7eda839ab0451b3069b4c7b462c3c7e6 2011/i586/busybox-1.18.4-3.1-mdv2011.0.i586.rpm afc5b858baba240a8daf311281982fa2 2011/i586/busybox-static-1.18.4-3.1-mdv2011.0.i586.rpm 71526f79bfe8499fea0d77dfe0a252fd 2011/SRPMS/busybox-1.18.4-3.1.src.rpm Mandriva Linux 2011/X86_64: ffe0b7192163d7c57ae0ebf639472610 2011/x86_64/busybox-1.18.4-3.1-mdv2011.0.x86_64.rpm 9a80e96e5b018373f8cc7313718993ff 2011/x86_64/busybox-static-1.18.4-3.1-mdv2011.0.x86_64.rpm 71526f79bfe8499fea0d77dfe0a252fd 2011/SRPMS/busybox-1.18.4-3.1.src.rpm Mandriva Enterprise Server 5: b934b1ea4a3507d5792fc2b98ece457b mes5/i586/busybox-1.6.1-5.1mdvmes5.2.i586.rpm b2cafe1f5d4736d8f756fed5b860954d mes5/i586/ka-deploy-server-0.94.4-0.2mdvmes5.2.i586.rpm 4cdee19ce25eff46f32867b0987808e5 mes5/i586/ka-deploy-source-node-0.94.4-0.2mdvmes5.2.i586.rpm 090681e425343f32afdcfc45ccfc38ed mes5/i586/uClibc-0.9.28.1-5.1mdvmes5.2.i586.rpm 28e514241585b879386fbca310b47b9e mes5/i586/uClibc-devel-0.9.28.1-5.1mdvmes5.2.i586.rpm b38a4038cc558b690834eb3523dcdf7e mes5/i586/uClibc-static-devel-0.9.28.1-5.1mdvmes5.2.i586.rpm d9426a5f52e3e0cc44fc020b057e26e1 mes5/SRPMS/busybox-1.6.1-5.1mdvmes5.2.src.rpm 572e853960052b860bb871e57252ad6f mes5/SRPMS/ka-deploy-0.94.4-0.2mdvmes5.2.src.rpm fa74d4032e7f3cc87ca7d75f18e11a61 mes5/SRPMS/uClibc-0.9.28.1-5.1mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: f941396521694b20340da46dfc711212 mes5/x86_64/busybox-1.6.1-5.1mdvmes5.2.x86_64.rpm 08686bc10a646f07778b4ae9b64431b8 mes5/x86_64/ka-deploy-server-0.94.4-0.2mdvmes5.2.x86_64.rpm 321dc65777647855b61afb01f24b9478 mes5/x86_64/ka-deploy-source-node-0.94.4-0.2mdvmes5.2.x86_64.rpm 000bb5e649837c746584092d7990b2ad mes5/x86_64/uClibc-0.9.28.1-5.1mdvmes5.2.x86_64.rpm 90ff537b9b6f9403fa1e75d5c2accbde mes5/x86_64/uClibc-devel-0.9.28.1-5.1mdvmes5.2.x86_64.rpm 3fcfb13393f23c67083f2406ae6ad8c5 mes5/x86_64/uClibc-static-devel-0.9.28.1-5.1mdvmes5.2.x86_64.rpm d9426a5f52e3e0cc44fc020b057e26e1 mes5/SRPMS/busybox-1.6.1-5.1mdvmes5.2.src.rpm 572e853960052b860bb871e57252ad6f mes5/SRPMS/ka-deploy-0.94.4-0.2mdvmes5.2.src.rpm fa74d4032e7f3cc87ca7d75f18e11a61 mes5/SRPMS/uClibc-0.9.28.1-5.1mdvmes5.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iD8DBQFQJSHEmqjQ0CJFipgRAiGSAJ98naeq+Y0bXviIIvDhKdipDqSQ4wCdHMBA 09ereRjH0OzNcue9Hiq8sqg= =FpbS -----END PGP SIGNATURE-----