Koozali.org: home of the SME Server

SME 6 Maintenance Updates 6th July 2006

wellsi
« on: July 06, 2006, 11:09:29 PM »
The maintenance team would like to announce that the following packages are
available from the updates repositories for SME 6.0, 6.0.1 & 6.5RC1.

Please Note: "As V7.0 has been released, all previous releases should be
considered 'legacy' releases and all users are encouraged to upgrade to the
new version."

To update your server see
http://no.longer.valid/phpwiki/index.php/How%20to%20update%20SME%20Server
To help this process see
http://no.longer.valid/phpwiki/index.php/Maintenance%20Process
You can also help speed up the releasing of updates by joining the
updatesteam http://lists.contribs.org/mailman/listinfo/updatesteam

Follow the steps below to update using yum. These need to be entered from
the command line.

yum update
/sbin/e-smith/signal-event post-upgrade
/sbin/e-smith/signal-event reboot

==============
Common Updates
==============

glibc-2.2.5-44.legacy.8.i386.rpm
glibc-2.2.5-44.legacy.8.i686.rpm
glibc-common-2.2.5-44.legacy.8.i386.rpm

For all 6.x

FL Bug : https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173091

Updated glibc packages that add daylight savings rule enhancements for
various countries are now available.

The GNU libc packages (known as glibc) contain the standard C libraries
used by applications.

This update adjusts timezone files for countries where daylight savings
rules have recently changed or are going to change in the near future.



pcre-3.9-2.1.legacy.i386.rpm

For all 6.x

FL Note:
http://www.fedoralegacy.org/updates/RH7.3/2006-03-07-FLSA-2006_168516__Updated_pcre_packages_fix_a_security_issue.html
FL Bug : https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168516

Updated pcre packages are now available to correct a security issue.

PCRE is a Perl-compatible regular expression library.

An integer overflow flaw was found in PCRE, triggered by a maliciously
crafted regular expression. On systems that accept arbitrary regular
expressions from untrusted users, this could be exploited to execute
arbitrary code with the privileges of the application using the library.
The Common Vulnerabilities and Exposures project assigned the name
CVE-2005-2491 to this issue.



perl-DBI-1.21-1.1.legacy.i386.rpm

For all 6.x

FL Note:
http://www.fedoralegacy.org/updates/RH7.3/2006-03-01-FLSA-2006_178989__Updated_perl-DBI_package_fixes_security_issue.html
FL Bug : https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178989

An updated perl-DBI package that fixes a temporary file flaw in
DBI::ProxyServer is now available.

DBI is a database access Application Programming Interface (API) for
the Perl programming language.

The Debian Security Audit Project discovered that the DBI library
creates a temporary PID file in an insecure manner. A local user could
overwrite or create files as a different user who happens to run an
application which uses DBI::ProxyServer. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2005-0077 to
this issue.



tar-1.13.25-4.7.2.legacy.i386.rpm

For all 6.x

FL Note:
http://www.fedoralegacy.org/updates/RH7.3/2006-04-04-FLSA-2006_183571-1__Updated_tar_package_fixes_security_issue.html
FL Bug : https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183571

An updated tar package that fixes a path traversal flaw is now
available. The GNU tar program saves many files together in one archive
and can restore individual files (or all of the files) from that archive.

In 2002, a path traversal flaw was found in the way GNU tar extracted
archives. A malicious user could create a tar archive that could write
to arbitrary files to which the user running GNU tar has write access
(CVE-2002-0399). A security advisory was released containing a
backported patch.

It was discovered that the backported security patch contained an
incorrect optimization and therefore was not sufficient to completely
correct this vulnerability. The Common Vulnerabilities and Exposures
project (cve.mitre.org) assigned the name CVE-2005-1918 to this issue.



unzip-5.50-31.1.legacy.i386.rpm

For all 6.x

FL Note:
http://www.fedoralegacy.org/updates/RH7.3/2006-04-04-FLSA-2006_180159__Updated_unzip_package_fixes_security_issue.html
FL Bug : https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=180159

An updated unzip package that fixes a buffer overflow vulnerability is
now available. The unzip utility is used to list, test, or extract files
from a zip archive.

A buffer overflow bug has been discovered in unzip when handling long
file names. An attacker could create a specially crafted path which
could cause unzip to crash or execute arbitrary instructions. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2005-4667 to this issue.