From secure@conectiva.com.br Wed Feb 11 02:13:09 2004 From: Conectiva Updates To: conectiva-updates@papaleguas.conectiva.com.br, lwn@lwn.net, bugtraq@securityfocus.com, security-alerts@linuxsecurity.com, linsec@lists.seifried.org Date: Tue, 10 Feb 2004 19:04:25 -0200 Subject: [CLA-2004:813] Conectiva Security Announcement - gaim -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - -------------------------------------------------------------------------- PACKAGE : gaim SUMMARY : Several remote vulnerabilities DATE : 2004-02-10 19:03:00 ID : CLA-2004:813 RELEVANT RELEASES : 8, 9 - ------------------------------------------------------------------------- DESCRIPTION Gaim is a multi-protocol, multi-platform instant messaging client. Stefan Esser found[1] several remote vulnerabilities in Gaim. A remote attacker can use specially crafted network packets to exploit at least one of these vulnerabilities and execute arbitrary code in the context of the user running the program or cause a denial of service condition. This update includes updated packages for Conectiva Linux 8 (Gaim 0.58.8) and Conectiva Linux 9 (Gaim 0.75). The vulnerabilities vary accordingly to the version used, but both are susceptible to remote attacks. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0005, CAN-2004-0006, CAN-2004-0007 and CAN-2004-0008 to the issues discovered[2,3,4,5]. SOLUTION All gaim users should upgrade. REFERENCES 1.http://security.e-matters.de/advisories/012004.html 2.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0005 3.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0006 4.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0007 5.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0008 UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/8/RPMS/gaim-0.59.8-1U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/SRPMS/gaim-0.59.8-1U80_1cl.src.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/gaim-0.75-27683U90_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/9/SRPMS/gaim-0.75-27683U90_1cl.src.rpm ADDITIONAL INSTRUCTIONS The apt tool can be used to perform RPM packages upgrades: - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en - ------------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en - ------------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en - ------------------------------------------------------------------------- Copyright (c) 2004 Conectiva Inc. http://www.conectiva.com - ------------------------------------------------------------------------- subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQFAKUdY42jd0JmAcZARAnIEAJ9eg454Hgf7csNapnUh2w4SxBrRUwCgzeZO TR8BxUS2KYXfdgwffUc29dU= =I9Hh -----END PGP SIGNATURE-----