Koozali.org: home of the SME Server

SME 6 Maintenance Updates 31st March 2006

wellsi
« on: March 31, 2006, 11:45:59 PM »
The maintenance team would like to announce that the following packages are
available from the updates repositories for SME 6.0, 6.0.1 & 6.5RC1.


These update notifications will be sent to the updatesannounce@contribs.org list and posted in the 6.x forum.
You can subscribe to the updatesannounce list from http://lists.contribs.org/mailman/listinfo/updatesannounce

To update your server see
http://no.longer.valid/phpwiki/index.php/How%20to%20update%20SME%20Server
To help this process see
http://no.longer.valid/phpwiki/index.php/Maintenance%20Process

You can also help speed up the releasing of updates by joining the
updatesteam http://lists.contribs.org/mailman/listinfo/updatesteam


Follow the steps below to update using yum. These need to be entered from
the command line.

    yum update
    /sbin/e-smith/signal-event post-upgrade
    /sbin/e-smith/signal-event reboot

==============
Common Updates
==============

apache-1.3.27-9.legacy.i386.rpm

   For all 6.x
   
   FL Note: http://www.fedoralegacy.org/updates/RH7.3/2006-02-18-FLSA-2006_175406__Updated_Apache_httpd_packages_fix_security_issues.html
   FL Bug : https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175406

   A memory leak in the worker MPM could allow remote attackers to cause a
   denial of service (memory consumption) via aborted connections, which
   prevents the memory for the transaction pool from being reused for other
   connections. The Common Vulnerabilities and Exposures project assigned
   the name CVE-2005-2970 to this issue. This vulnerability only affects
   users who are using the non-default worker MPM.

   A flaw in mod_imap when using the Referer directive with image maps was
   discovered. With certain site configurations, a remote attacker could
   perform a cross-site scripting attack if a victim can be forced to visit
   a malicious URL using certain web browsers. (CVE-2005-3352)

   A NULL pointer dereference flaw in mod_ssl was discovered affecting
   server configurations where an SSL virtual host is configured with
   access control and a custom 400 error document. A remote attacker could
   send a carefully crafted request to trigger this issue which would lead
   to a crash. This crash would only be a denial of service if using the
   non-default worker MPM. (CVE-2005-3357)

perl-5.6.1-38.0.7.3.3.legacy.i386.rpm
perl-CPAN-1.59_54-38.0.7.3.3.legacy.i386.rpm
perl-DB_File-1.75-38.0.7.3.3.legacy.i386.rpm
perl-NDBM_File-1.75-38.0.7.3.3.legacy.i386.rpm
perl-suidperl-5.6.1-38.0.7.3.3.legacy.i386.rpm

   For all 6.x
   
   FL Note: http://www.fedoralegacy.org/updates/RH7.3/2006-01-24-FLSA-2006_152845__Updated_perl_packages_fix_security_issues.html
   FL Bug : https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152845

   Updated perl packages that fix several security flaws are now available.

   An unsafe file permission bug was discovered in the rmtree() function in
   the File::Path module.  The rmtree() function removes files and
   directories in an insecure manner, which could allow a local user to
   read or delete arbitrary files.  The Common Vulnerabilities and
   Exposures project has assigned the name CVE-2004-0452 to this issue.

   Solar Designer discovered several temporary file bugs in various Perl
   modules.  A local attacker could overwrite or create files as the user
   running a Perl script that uses a vulnerable module.  The Common
   Vulnerabilities and Exposures project has assigned the name CVE-2004-0976 to
   this issue.

   Kevin Finisterre discovered a stack based buffer overflow flaw in sperl,
   the Perl setuid wrapper. A local user could create a sperl executable
   script with a carefully created path name, overflowing the buffer and
   leading to root privilege escalation.  The Common Vulnerabilities and
   Exposures project (cve.mitre.org) has assigned the name CVE-2005-0156 to
   this issue.

   Kevin Finisterre discovered a flaw in sperl which can cause debugging
   information to be logged to arbitrary files.  By setting an environment
   variable, a local user could cause sperl to create, as root, files with
   arbitrary filenames, or append the debugging information to existing
   files.  The Common Vulnerabilities and Exposures project has assigned
   the name CVE-2005-0155 to this issue.

   Paul Szabo discovered a bug in the way Perl's File::Path::rmtree module
   removed directory trees.  If a local user has write permissions to a
   subdirectory within the tree being removed by File::Path::rmtree, it is
   possible for them to create setuid binary files.  The Common
   Vulnerabilities and Exposures project has assigned the name CVE-2005-0448 to
   this issue.  (This issue updates CVE-2004-0452).


squid-2.4.STABLE7-0.73.3.legacy.i386.rpm

   For all 6.x
   
   FL Note: http://www.fedoralegacy.org/updates/RH7.3/2006-02-18-FLSA-2006_152809__Updated_squid_package_fixes_security_issues.html
   FL Bug : https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152809

   An updated Squid package that fixes several security issues is now
   available. Please read the FL Note for details.

   Squid is a full-featured Web proxy cache.


sudo-1.6.5p2-2.3.legacy.i386.rpm

   For all 6.x
   
   FL Note: http://www.fedoralegacy.org/updates/RH7.3/2006-02-23-FLSA-2006_162750__Updated_sudo_packages_fix_security_issue.html
   FL Bug : https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=162750

   A race condition bug was found in the way sudo handles pathnames. It is
   possible that a local user with limited sudo access could create
   a race condition that would allow the execution of arbitrary commands as
   the root user. The Common Vulnerabilities and Exposures project
   (cve.mitre.org) has assigned the name CVE-2005-1993 to this issue.

   The sudo (superuser do) utility allows system administrators to give
   certain users the ability to run commands as root with logging.
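
A post-update check for the packages listed above, as an added example that is not part of the original announcement or of SME Server itself. It assumes Python 3 on an admin workstation and the output of `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' <names>` captured from the server; the sample output is constructed, and the version comparison is a simplified form of RPM's ordering that ignores epochs.

```python
import re

# Package file names exactly as listed in the announcement.
FILES = """
apache-1.3.27-9.legacy.i386.rpm perl-5.6.1-38.0.7.3.3.legacy.i386.rpm
perl-CPAN-1.59_54-38.0.7.3.3.legacy.i386.rpm perl-DB_File-1.75-38.0.7.3.3.legacy.i386.rpm
perl-NDBM_File-1.75-38.0.7.3.3.legacy.i386.rpm perl-suidperl-5.6.1-38.0.7.3.3.legacy.i386.rpm
squid-2.4.STABLE7-0.73.3.legacy.i386.rpm sudo-1.6.5p2-2.3.legacy.i386.rpm
""".split()

# name -> (version, release); the name itself may contain '-', so split from the right.
FIXED = {n: (v, r) for n, v, r in
         (f[:-len(".i386.rpm")].rsplit("-", 2) for f in FILES)}

def rpmvercmp(a, b):
    """Simplified RPM ordering (no epoch, no '~'): compare digit/letter runs."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric run sorts after letters
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def audit(rpm_output):
    """Map each announced package to 'ok', 'outdated' or 'not installed'."""
    installed = {}
    for line in rpm_output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] in FIXED:
            installed[parts[0]] = (parts[1], parts[2])
    report = {}
    for name, (ver, rel) in FIXED.items():
        have = installed.get(name)
        if have is None:
            report[name] = "not installed"
        elif (rpmvercmp(have[0], ver) or rpmvercmp(have[1], rel)) < 0:
            report[name] = "outdated"     # older than the announced build
        else:
            report[name] = "ok"
    return report

# Constructed sample output (the apache release shown is made up for the example).
SAMPLE = """apache 1.3.27 8.legacy
perl 5.6.1 38.0.7.3.3.legacy
package squid is not installed
sudo 1.6.5p2 2.3.legacy
"""
```

Packages reported as "not installed" (for example perl-suidperl on a system that never had it) need no action; anything "outdated" after `yum update` means the update did not apply.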