The maintenance team would like to announce that the following packages are
available from the updates repositories for SME 6.0, 6.0.1 & 6.5RC1.
These update notifications will be sent to the updatesannounce@contribs.org list and posted in the 6.x forum.
You can subscribe to the updatesannounce list from
http://lists.contribs.org/mailman/listinfo/updatesannounce
To update your server see
http://no.longer.valid/phpwiki/index.php/How%20to%20update%20SME%20Server
To help this process see
http://no.longer.valid/phpwiki/index.php/Maintenance%20Process
You can also help speed up the release of updates by joining the
updatesteam list:
http://lists.contribs.org/mailman/listinfo/updatesteam
Follow the steps below to update using yum. These need to be entered from
the command line.
yum update
/sbin/e-smith/signal-event post-upgrade
/sbin/e-smith/signal-event reboot
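Before and after running the steps above it is useful to know which of the advisory's packages a host still has at an older version. The following is an added example, not part of the original announcement or of SME Server: it parses the RPM filenames listed under Common Updates below, compares them against a constructed sample of `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'` output, and reports the packages that are installed but older than the update. The version comparison is an approximation of rpm's own rpmvercmp (numeric and alphabetic segments) and is an assumption of this example, not code from the project.

```python
import re
import itertools

# RPM filenames exactly as listed in this announcement (name-version-release.arch.rpm).
ADVISORY_RPMS = [
    "apache-1.3.27-9.legacy.i386.rpm",
    "perl-5.6.1-38.0.7.3.3.legacy.i386.rpm",
    "perl-suidperl-5.6.1-38.0.7.3.3.legacy.i386.rpm",
    "squid-2.4.STABLE7-0.73.3.legacy.i386.rpm",
    "sudo-1.6.5p2-2.3.legacy.i386.rpm",
]

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'` from a host that
# has applied the perl and sudo updates but still runs older apache and squid builds.
SAMPLE_RPM_QA = """\
apache 1.3.27 3.legacy
perl 5.6.1 38.0.7.3.3.legacy
perl-suidperl 5.6.1 38.0.7.3.3.legacy
squid 2.4.STABLE7 0.72.2.legacy
sudo 1.6.5p2 2.3.legacy
"""

def parse_rpm_filename(fname):
    """Split 'name-version-release.arch.rpm' into (name, version, release)."""
    stem = fname[:-len(".rpm")]
    stem, _arch = stem.rsplit(".", 1)          # drop the architecture
    name, version, release = stem.rsplit("-", 2)  # name may itself contain '-'
    return name, version, release

def rpmvercmp(a, b):
    """Approximation of rpm's version comparison: split into numeric and alphabetic
    runs; numeric runs compare as integers, alpha runs as strings, numeric beats
    alpha, and the string with more segments is newer. Returns -1, 0 or 1."""
    seg_a = re.findall(r"\d+|[A-Za-z]+", a)
    seg_b = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in itertools.zip_longest(seg_a, seg_b):
        if x is None or y is None:
            return -1 if x is None else 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        key_x, key_y = (int(x), int(y)) if x.isdigit() else (x, y)
        if key_x != key_y:
            return 1 if key_x > key_y else -1
    return 0

def outdated_packages(rpm_qa_output, advisory=ADVISORY_RPMS):
    """Names of advisory packages that are installed but older than the advisory build."""
    installed = {}
    for line in rpm_qa_output.splitlines():
        name, ver, rel = line.split()
        installed[name] = (ver, rel)
    stale = []
    for fname in advisory:
        name, ver, rel = parse_rpm_filename(fname)
        if name not in installed:
            continue  # not installed, so nothing to update
        iv, ir = installed[name]
        vcmp = rpmvercmp(iv, ver)
        if vcmp < 0 or (vcmp == 0 and rpmvercmp(ir, rel) < 0):
            stale.append(name)
    return stale
```

On a real host, feed the function the output of the `rpm -qa` query shown in the comment instead of the constructed sample.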
==============
Common Updates
==============
apache-1.3.27-9.legacy.i386.rpm
For all 6.x
FL Note:
http://www.fedoralegacy.org/updates/RH7.3/2006-02-18-FLSA-2006_175406__Updated_Apache_httpd_packages_fix_security_issues.html
FL Bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175406
A memory leak in the worker MPM could allow remote attackers to cause a
denial of service (memory consumption) via aborted connections, which
prevents the memory for the transaction pool from being reused for other
connections. The Common Vulnerabilities and Exposures project assigned
the name CVE-2005-2970 to this issue. This vulnerability only affects
users who are using the non-default worker MPM.
A flaw in mod_imap when using the Referer directive with image maps was
discovered. With certain site configurations, a remote attacker could
perform a cross-site scripting attack if a victim can be forced to visit
a malicious URL using certain web browsers. (CVE-2005-3352)
A NULL pointer dereference flaw in mod_ssl was discovered affecting
server configurations where an SSL virtual host is configured with
access control and a custom 400 error document. A remote attacker could
send a carefully crafted request to trigger this issue which would lead
to a crash. This crash would only be a denial of service if using the
non-default worker MPM. (CVE-2005-3357)
perl-5.6.1-38.0.7.3.3.legacy.i386.rpm
perl-CPAN-1.59_54-38.0.7.3.3.legacy.i386.rpm
perl-DB_File-1.75-38.0.7.3.3.legacy.i386.rpm
perl-NDBM_File-1.75-38.0.7.3.3.legacy.i386.rpm
perl-suidperl-5.6.1-38.0.7.3.3.legacy.i386.rpm
For all 6.x
FL Note:
http://www.fedoralegacy.org/updates/RH7.3/2006-01-24-FLSA-2006_152845__Updated_perl_packages_fix_security_issues.html
FL Bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152845
Updated perl packages that fix several security flaws are now available.
An unsafe file permission bug was discovered in the rmtree() function in
the File::Path module. The rmtree() function removes files and
directories in an insecure manner, which could allow a local user to
read or delete arbitrary files. The Common Vulnerabilities and
Exposures project has assigned the name CVE-2004-0452 to this issue.
Solar Designer discovered several temporary file bugs in various Perl
modules. A local attacker could overwrite or create files as the user
running a Perl script that uses a vulnerable module. The Common
Vulnerabilities and Exposures project has assigned the name CVE-2004-0976 to
this issue.
Kevin Finisterre discovered a stack based buffer overflow flaw in sperl,
the Perl setuid wrapper. A local user could create a sperl executable
script with a carefully created path name, overflowing the buffer and
leading to root privilege escalation. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2005-0156 to
this issue.
Kevin Finisterre discovered a flaw in sperl which can cause debugging
information to be logged to arbitrary files. By setting an environment
variable, a local user could cause sperl to create, as root, files with
arbitrary filenames, or append the debugging information to existing
files. The Common Vulnerabilities and Exposures project has assigned
the name CVE-2005-0155 to this issue.
Paul Szabo discovered a bug in the way Perl's File::Path::rmtree module
removed directory trees. If a local user has write permissions to a
subdirectory within the tree being removed by File::Path::rmtree, it is
possible for them to create setuid binary files. The Common
Vulnerabilities and Exposures project has assigned the name CVE-2005-0448 to
this issue. (This issue updates CVE-2004-0452).
squid-2.4.STABLE7-0.73.3.legacy.i386.rpm
For all 6.x
FL Note:
http://www.fedoralegacy.org/updates/RH7.3/2006-02-18-FLSA-2006_152809__Updated_squid_package_fixes_security_issues.html
FL Bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152809
An updated Squid package that fixes several security issues is now
available. Please read the FL Note for details.
Squid is a full-featured Web proxy cache.
sudo-1.6.5p2-2.3.legacy.i386.rpm
For all 6.x
FL Note:
http://www.fedoralegacy.org/updates/RH7.3/2006-02-23-FLSA-2006_162750__Updated_sudo_packages_fix_security_issue.html
FL Bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=162750
A race condition bug was found in the way sudo handles pathnames. It is
possible that a local user with limited sudo access could create
a race condition that would allow the execution of arbitrary commands as
the root user. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2005-1993 to this issue.
The sudo (superuser do) utility allows system administrators to give
certain users the ability to run commands as root with logging.