Trustix Secure Linux Security Advisory 2006.54

Posted Oct 4, 2006
Authored by Trustix | Site http.trustix.org

Trustix Secure Linux Security Advisory #2006-0054: Multiple vulnerabilities in openssh and openssl.

tags | advisory, vulnerability
systems | linux
SHA-256 | 7d7fccf68d4f98ce4b1d6f727cef7189498e02814248bb5a5085d6f58e0dc3bd

--------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2006-0054

Package names: openssh, openssl
Summary: Multiple vulnerabilities
Date: 2006-09-29
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Operating System - Enterprise Server 2

--------------------------------------------------------------------------
Package description:
openssh
Ssh (Secure Shell) is a program for logging into a remote machine and
for executing commands in a remote machine. It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.

openssl
A C library that provides various cryptographic algorithms and
protocols, including DES, RC4, RSA, and SSL. Includes shared libraries.

Problem description:
openssh < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- New Upstream.
- SECURITY Fix: Tavis Ormandy of Google Security Team has reported a
vulnerability in OpenSSH, which can be exploited by malicious people
to cause a DoS. If ssh protocol 1 is enabled, this can be exploited
to cause a DoS due to CPU consumption by sending specially crafted
ssh packets.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2006-4924 to this issue.
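The advisory ties the OpenSSH issue to protocol 1 being enabled. As an added illustration that is not part of the Trustix advisory, the following Python check parses an sshd_config and reports whether protocol 1 is selected; the sample configs are constructed, and the parsing rules (first Protocol directive wins, comma-separated versions, Match blocks ignored) are stated assumptions.

```python
import re

# Constructed sample sshd_config fragments (not taken from the advisory).
SAMPLE_LEGACY = """# sshd_config
Port 22
Protocol 2,1
PermitRootLogin no
"""

SAMPLE_V2_ONLY = """Protocol 2
X11Forwarding no
"""

SAMPLE_UNSET = """Port 22
"""


def enabled_protocols(config_text):
    """Return the set of protocol versions named by the first
    'Protocol' directive, or None if no directive is present.

    Assumptions: sshd honours the first value given for a keyword, the
    keyword is matched case-insensitively, versions are comma-separated
    (e.g. 'Protocol 2,1'), and Match blocks are not handled."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blank and comment lines
            continue
        m = re.match(r"(?i)^protocol\s+(\S+)", line)
        if m:
            return {v.strip() for v in m.group(1).split(",") if v.strip()}
    return None


def protocol1_status(config_text):
    """Classify a config as 'enabled', 'disabled' or 'unset'.

    'unset' means the build default applies; this check deliberately does
    not assume what that default is, so confirm it against the vendor's
    sshd_config(5) manual page for the installed version."""
    versions = enabled_protocols(config_text)
    if versions is None:
        return "unset"
    return "enabled" if "1" in versions else "disabled"
```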

openssl < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- New Upstream.
- SECURITY Fix: Dr. S. N. Henson has discovered vulnerabilities in
OpenSSL which could be exploited by attackers to cause denial of
service.
- During the parsing of certain invalid ASN.1 structures an error
condition is mishandled. This can result in an infinite loop which
consumes system memory.
- Certain types of public key can take disproportionate amounts of
time to process. This could be used by an attacker in a denial of
service attack.
- Tavis Ormandy and Will Drewry of the Google Security Team have
discovered the following two vulnerabilities in OpenSSL:
- A buffer overflow in the SSL_get_shared_ciphers() utility function,
which could allow an attacker to send a list of ciphers to an
application that uses it and overrun a buffer.
- A flaw in the SSLv2 client code was discovered. When a client
application used OpenSSL to create an SSLv2 connection to a
malicious server, that server could cause the client to crash.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2006-2937, CVE-2006-2940, CVE-2006-3738
and CVE-2006-4343 to these issues.

Action:
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.


Location:
All Trustix Secure Linux updates are available from
<URI:http://http.trustix.org/pub/trustix/updates/>
<URI:ftp://ftp.trustix.org/pub/trustix/updates/>


About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers. With focus
on security and stability, the system is painlessly kept safe and up to
date from day one using swup, the automated software updater.


Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.


Questions?
Check out our mailing lists:
<URI:http://www.trustix.org/support/>


Verification:
This advisory along with all Trustix packages are signed with the
TSL sign key.
This key is available from:
<URI:http://www.trustix.org/TSL-SIGN-KEY>

The advisory itself is available from the errata pages at
<URI:http://www.trustix.org/errata/trustix-2.2/> and
<URI:http://www.trustix.org/errata/trustix-3.0/>
or directly at
<URI:http://www.trustix.org/errata/2006/0054/>


MD5sums of the packages:


Trustix Security Team

