Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2006.0314 -- [Win][UNIX/Linux][RedHat] Dia security update 4 May 2006 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Dia Publisher: Red Hat Operating System: Red Hat Enterprise Linux AS/ES/WS 4 Red Hat Enterprise Linux Desktop 4 Red Hat Enterprise Linux AS/ES/WS 2.1 Red Hat Linux Advanced Workstation 2.1 UNIX variants (UNIX, Linux, OSX) Windows Impact: Execute Arbitrary Code/Commands Access: Remote/Unauthenticated CVE Names: CVE-2006-1550 Original Bulletin: https://rhn.redhat.com/errata/RHSA-2006-0280.html Comment: This advisory references vulnerabilities in products which run on platforms other than Red Hat. It is recommended that administrators running Dia check for an updated version of the software for their operating system at: http://www.gnome.org/projects/dia/ - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - --------------------------------------------------------------------- Red Hat Security Advisory Synopsis: Moderate: dia security update Advisory ID: RHSA-2006:0280-01 Advisory URL: https://rhn.redhat.com/errata/RHSA-2006-0280.html Issue date: 2006-05-03 Updated on: 2006-05-03 Product: Red Hat Enterprise Linux CVE Names: CVE-2006-1550 - - --------------------------------------------------------------------- 1. Summary: An updated Dia package that fixes several buffer overflow bugs are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64 Red Hat Linux Advanced Workstation 2.1 - ia64 Red Hat Enterprise Linux ES version 2.1 - i386 Red Hat Enterprise Linux WS version 2.1 - i386 Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 3. Problem description: The Dia drawing program is designed to draw various types of diagrams. infamous41md discovered three buffer overflow bugs in Dia's xfig file format importer. If an attacker is able to trick a Dia user into opening a carefully crafted xfig file, it may be possible to execute arbitrary code as the user running Dia. (CVE-2006-1550) Users of Dia should update to these erratum packages, which contain backported patches and are not vulnerable to these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via Red Hat Network. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. 5. Bug IDs fixed (http://bugzilla.redhat.com/): 187401 - CVE-2006-1550 Dia multiple buffer overflows 6. RPMs required: Red Hat Enterprise Linux AS (Advanced Server) version 2.1: SRPMS: ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/dia-0.88.1-3.3.src.rpm a2bcfd1db5b67912d03cc8377d0efa4e dia-0.88.1-3.3.src.rpm i386: 3a1e3f98594ec1039dbcc4055d2d6426 dia-0.88.1-3.3.i386.rpm ia64: f0fc2b254fcabcf6aa4e8e0ea94f02f9 dia-0.88.1-3.3.ia64.rpm Red Hat Linux Advanced Workstation 2.1: SRPMS: ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/dia-0.88.1-3.3.src.rpm a2bcfd1db5b67912d03cc8377d0efa4e dia-0.88.1-3.3.src.rpm ia64: f0fc2b254fcabcf6aa4e8e0ea94f02f9 dia-0.88.1-3.3.ia64.rpm Red Hat Enterprise Linux ES version 2.1: SRPMS: ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/dia-0.88.1-3.3.src.rpm a2bcfd1db5b67912d03cc8377d0efa4e dia-0.88.1-3.3.src.rpm i386: 3a1e3f98594ec1039dbcc4055d2d6426 dia-0.88.1-3.3.i386.rpm Red Hat Enterprise Linux WS version 2.1: SRPMS: ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/dia-0.88.1-3.3.src.rpm a2bcfd1db5b67912d03cc8377d0efa4e dia-0.88.1-3.3.src.rpm i386: 3a1e3f98594ec1039dbcc4055d2d6426 dia-0.88.1-3.3.i386.rpm Red Hat Enterprise Linux AS version 4: SRPMS: ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/dia-0.94-5.4.src.rpm 97d5aaa13d19483c21cbc329dc00001b dia-0.94-5.4.src.rpm i386: 6ee8860a0ba1fb695198f9562f422473 dia-0.94-5.4.i386.rpm 04f3ac7cb40626b4836dfd4a45135276 dia-debuginfo-0.94-5.4.i386.rpm ia64: 03205912eecd5ae3f2d65f91769593a3 dia-0.94-5.4.ia64.rpm e572ed6ba3b0d936cc38c0de14ebae88 dia-debuginfo-0.94-5.4.ia64.rpm ppc: af35c1218f2bede5aa806b8a335b2715 dia-0.94-5.4.ppc.rpm e93f1a08b58a636e8e55a538776d2d52 dia-debuginfo-0.94-5.4.ppc.rpm s390: c59cce80c5e6b5a3f0564abe61098156 dia-0.94-5.4.s390.rpm 03159e17a741914c405d88ae6b5dea43 dia-debuginfo-0.94-5.4.s390.rpm s390x: 25656c7e6ab95af3f159bd25f8002627 dia-0.94-5.4.s390x.rpm 82df44848401aa6fcb162b3a874aff55 dia-debuginfo-0.94-5.4.s390x.rpm x86_64: 3fac8491faa94d85be7b13e9d16ad1fb dia-0.94-5.4.x86_64.rpm 3e41ac343a6fcb2c589863020ecbe139 dia-debuginfo-0.94-5.4.x86_64.rpm Red Hat Enterprise Linux Desktop version 4: SRPMS: ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/dia-0.94-5.4.src.rpm 97d5aaa13d19483c21cbc329dc00001b dia-0.94-5.4.src.rpm i386: 6ee8860a0ba1fb695198f9562f422473 dia-0.94-5.4.i386.rpm 04f3ac7cb40626b4836dfd4a45135276 dia-debuginfo-0.94-5.4.i386.rpm x86_64: 3fac8491faa94d85be7b13e9d16ad1fb dia-0.94-5.4.x86_64.rpm 3e41ac343a6fcb2c589863020ecbe139 dia-debuginfo-0.94-5.4.x86_64.rpm Red Hat Enterprise Linux ES version 4: SRPMS: ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/dia-0.94-5.4.src.rpm 97d5aaa13d19483c21cbc329dc00001b dia-0.94-5.4.src.rpm i386: 6ee8860a0ba1fb695198f9562f422473 dia-0.94-5.4.i386.rpm 04f3ac7cb40626b4836dfd4a45135276 dia-debuginfo-0.94-5.4.i386.rpm ia64: 03205912eecd5ae3f2d65f91769593a3 dia-0.94-5.4.ia64.rpm e572ed6ba3b0d936cc38c0de14ebae88 dia-debuginfo-0.94-5.4.ia64.rpm x86_64: 3fac8491faa94d85be7b13e9d16ad1fb dia-0.94-5.4.x86_64.rpm 3e41ac343a6fcb2c589863020ecbe139 dia-debuginfo-0.94-5.4.x86_64.rpm Red Hat Enterprise Linux WS version 4: SRPMS: ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/dia-0.94-5.4.src.rpm 97d5aaa13d19483c21cbc329dc00001b dia-0.94-5.4.src.rpm i386: 6ee8860a0ba1fb695198f9562f422473 dia-0.94-5.4.i386.rpm 04f3ac7cb40626b4836dfd4a45135276 dia-debuginfo-0.94-5.4.i386.rpm ia64: 03205912eecd5ae3f2d65f91769593a3 dia-0.94-5.4.ia64.rpm e572ed6ba3b0d936cc38c0de14ebae88 dia-debuginfo-0.94-5.4.ia64.rpm x86_64: 3fac8491faa94d85be7b13e9d16ad1fb dia-0.94-5.4.x86_64.rpm 3e41ac343a6fcb2c589863020ecbe139 dia-debuginfo-0.94-5.4.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1550 http://www.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://www.redhat.com/security/team/contact/ Copyright 2006 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQFEWNUeXlSAg2UNWIIRAq3EAKCwMzbOQUEckglx4TnoL8HBSvlOewCgvUKF s9Jero0HmRGVDAc3Dpb9BAE= =fOgR - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBRFmItCh9+71yA2DNAQJDZQP7BLR8R28cJP+HJ0new9nFXhp81pdtNygr VJe7ZinJJprCGm+WLPwNnv6qZMhubvt3GssS7UaP0gnzoo/8S7M287MHx2Rbwjxy YslUvTJn096DqwUwGCjQ12oQH7FCK3Ex1/zhY2QpPf8isR6JK+mWg/Hpt7A5QEny nfVwNhYNjcI= =WdmK -----END PGP SIGNATURE-----