[opensuse-security] Re: [security-announce] SUSE-SU-2013:0609-1: important: Security update for rubygem-json_pure
Dear Sir or Madam, because I am abroad I will probably not be able to read your message until 4.4. In urgent cases I can be reached by phone at +49 177 7902970. Kind regards, W. Lisiewicz ------------- Dear Sir or Madam, because I am abroad I will probably not be able to read your message until 4.4. In urgent cases I can be reached by phone at +49 177 7902970. Kind regards, W. Lisiewicz On 03.04.2013 at 20:08, opensuse-security@opensuse.org wrote:
SUSE Security Update: Security update for rubygem-json_pure
______________________________________________________________________________
Announcement ID: SUSE-SU-2013:0609-1
Rating: important
References: #803342
Cross-References: CVE-2013-0269
Affected Products:
WebYaST 1.2
SUSE Studio Standard Edition 1.2
SUSE Studio Extension for System z 1.2
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
The json_pure Ruby Gem has been updated to fix a Denial of Service and Unsafe Object Creation vulnerability in JSON (CVE-2013-0269).
Additional fixes:
* Entity expansion DoS vulnerability in REXML (XML bomb)
Security Issue reference:
* CVE-2013-0269 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0269>
Patch Instructions:
To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:
- WebYaST 1.2:
zypper in -t patch slewyst12-rubygem-json_pure-7486
- SUSE Studio Standard Edition 1.2:
zypper in -t patch sleslms12-rubygem-json_pure-7486
- SUSE Studio Extension for System z 1.2:
zypper in -t patch slestso12-rubygem-json_pure-7486
To bring your system up-to-date, use "zypper patch".
Package List:
- WebYaST 1.2 (i586 ia64 ppc64 s390x x86_64):
rubygem-json_pure-1.2.0-0.4.1
- SUSE Studio Standard Edition 1.2 (x86_64):
rubygem-json_pure-1.2.0-0.4.1
- SUSE Studio Extension for System z 1.2 (s390x):
rubygem-json_pure-1.2.0-0.4.1
References:
http://support.novell.com/security/cve/CVE-2013-0269.html
https://bugzilla.novell.com/803342
http://download.novell.com/patch/finder/?keywords=231bb11d5d47466d339ecd1ec5...
-- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org
* Wojciech Lisiewicz
Dear Sir or Madam,
Please, English is spoken/written here.
-- (paka)Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711 http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 http://en.opensuse.org openSUSE Community Member Registered Linux User #207535 @ http://linuxcounter.net
-- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-security+owner@opensuse.org
On Wed, Apr 03, 2013 at 02:19:37PM -0400, Patrick Shanahan wrote:
* Wojciech Lisiewicz
[04-03-13 14:12]: Dear Sir or Madam,
Please, English is spoken/written here.
Another autoreply I am afraid. Ciao, Marcus
* Marcus Meissner
On Wed, Apr 03, 2013 at 02:19:37PM -0400, Patrick Shanahan wrote:
* Wojciech Lisiewicz
[04-03-13 14:12]: Dear Sir or Madam,
Please, English is spoken/written here.
Another autoreply I am afraid.
tks, another sub that should be in the bit-bucket. Some people have *no* consideration! -- (paka)Patrick Shanahan
On Wednesday, 2013-04-03 at 16:09 -0400, Patrick Shanahan wrote:
* Marcus Meissner <> [04-03-13 15:10]:
ANother autoreply I am afraid.
tks, another sub that should be in the bit-bucket. Some people have *no* consideration!
Indeed. But I wonder if it is also not a software bug: the autoresponder should not send to bulk mail, i.e., mail lists. Are our mail list posts detectable as such? Let's look at the headers of his post:

Precedence: bulk
Mailing-List: contact opensuse-security+help@opensuse.org; run by mlmmj
X-Mailer: Apple Mail (2.1503)

So it is detectable as "bulk" mail, and the culprit is "Apple Mail". Has he been reported to the list owner yet? All lists, please.
-- Cheers, Carlos E. R. (from 12.1 x86_64 "Asparagus" at Telcontar)
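An added example of the check Carlos is describing, written for this page and not code from the thread, from mlmmj or from any openSUSE or Apple component: an autoresponder that inspects the headers of an incoming message before answering. It uses the Precedence: bulk and Mailing-List headers quoted above plus the related markers from RFC 3834 (Auto-Submitted, the List-* headers, a null Return-Path), and marks its own reply so that other autoresponders stay silent. The two sample messages, the addresses in them, the envelope sender of the list copy and the once-per-sender rule are all constructed for the example.

```python
"""Header-based autoresponder guard: added example, not code from the thread.

Decides whether an out-of-office reply may be sent by inspecting the incoming
message's headers, as the thread suggests an autoresponder should, and builds
a reply that is itself marked so other autoresponders do not answer it.
"""
from email import message_from_string
from email.message import EmailMessage
from typing import Optional, Set

# Headers that mark list traffic (RFC 2369/2919 List-* plus the Mailing-List
# header that mlmmj adds, as quoted in the thread).
LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe", "Mailing-List")


def autoreply_block_reason(raw: str) -> Optional[str]:
    """Return why an autoreply must NOT be sent for `raw`, or None if it may be."""
    msg = message_from_string(raw)
    # RFC 3834: anything already auto-generated must never be answered.
    auto = (msg.get("Auto-Submitted") or "").strip().lower()
    if auto and auto != "no":
        return "Auto-Submitted: " + auto
    # Precedence: bulk/list/junk is the classic list and bulk-mail marker.
    precedence = (msg.get("Precedence") or "").strip().lower()
    if precedence in ("bulk", "list", "junk"):
        return "Precedence: " + precedence
    for header in LIST_HEADERS:
        if msg.get(header) is not None:
            return "list header " + header
    # A null reverse path means a bounce or other notification: nowhere to reply.
    if (msg.get("Return-Path") or "").strip() == "<>":
        return "null Return-Path"
    return None


def build_autoreply(raw: str, my_addr: str, body: str,
                    already_notified: Set[str]) -> Optional[EmailMessage]:
    """Build an out-of-office reply for `raw`, or return None when none may be sent.

    The reply goes to the envelope sender (Return-Path, falling back to From),
    carries Auto-Submitted: auto-replied so other autoresponders stay quiet,
    and each sender is notified only once per absence (`already_notified`).
    """
    if autoreply_block_reason(raw) is not None:
        return None
    msg = message_from_string(raw)
    target = (msg.get("Return-Path") or msg.get("From") or "").strip().strip("<>")
    if not target or target.lower() in already_notified:
        return None
    already_notified.add(target.lower())

    reply = EmailMessage()
    reply["From"] = my_addr
    reply["To"] = target
    reply["Subject"] = "Auto: " + (msg.get("Subject") or "")
    reply["Auto-Submitted"] = "auto-replied"
    reply["Precedence"] = "bulk"
    if msg.get("Message-ID"):
        reply["In-Reply-To"] = msg.get("Message-ID")
    reply.set_content(body)
    return reply


# Constructed samples. LIST_POST mirrors the headers Carlos quotes from the
# list copy of the announcement; the envelope address and Message-ID are made up.
LIST_POST = """\
Return-Path: <opensuse-security-bounces@opensuse.org>
Precedence: bulk
Mailing-List: contact opensuse-security+help@opensuse.org; run by mlmmj
From: opensuse-security@opensuse.org
To: opensuse-security@opensuse.org
Subject: [security-announce] SUSE-SU-2013:0609-1: important: Security update for rubygem-json_pure
Message-ID: <announce-1@opensuse.org>

(announcement body)
"""

PERSONAL_MAIL = """\
Return-Path: <alice@example.org>
From: Alice <alice@example.org>
To: wl@example.net
Subject: Meeting on Thursday
Message-ID: <20130403-1@example.org>

Are you available?
"""

ME = "wl@example.net"  # constructed address of the absent user
AWAY_TEXT = "I am abroad and will read your mail after 4.4."


def run_demo():
    """Exercise the guard: (first reply, repeat to same sender, reply to list post)."""
    notified: Set[str] = set()
    first = build_autoreply(PERSONAL_MAIL, ME, AWAY_TEXT, notified)
    repeat = build_autoreply(PERSONAL_MAIL, ME, AWAY_TEXT, notified)
    to_list = build_autoreply(LIST_POST, ME, AWAY_TEXT, set())
    return first, repeat, to_list


if __name__ == "__main__":
    print("list post blocked because:", autoreply_block_reason(LIST_POST))
    first, repeat, to_list = run_demo()
    print("personal mail -> reply to", first["To"], "| repeat:", repeat, "| list:", to_list)
```

Run stand-alone, the script reports that the list copy is refused because of Precedence: bulk, that the personal mail gets exactly one reply, and that a second mail from the same sender gets none. Because the reply itself carries Auto-Submitted: auto-replied, feeding it back through autoreply_block_reason also returns a block reason, which is what prevents two such autoresponders from looping.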
* Carlos E. R.
So it is detectable as "bulk" mail, and the culprit is "Apple Mail".
Has he been reported to the list owner yet? All lists, please.
Most certainly, opensuse-security+owner@opensuse.org -- (paka)Patrick Shanahan
On Wednesday, 2013-04-03 at 21:00 -0400, Patrick Shanahan wrote:
* Carlos E. R. <> [04-03-13 20:26]: [...]
So it is detectable as "bulk" mail, and the culprit is "Apple Mail".
Has he been reported to the list owner yet? All lists, please.
Most certainly, opensuse-security+owner@opensuse.org
They are still coming... :-( -- Cheers, Carlos E. R. (from 12.1 x86_64 "Asparagus" at Telcontar)
Hello, On Friday, 5 April 2013, Carlos E. R. wrote:
On Wednesday, 2013-04-03 at 21:00 -0400, Patrick Shanahan wrote:
* Carlos E. R. <> [04-03-13 20:26]: [...]
So it is detectable as "bulk" mail, and the culprit is "Apple Mail".
Oh well. Software from the company that couldn't afford the whole fruit for their logo. What do you expect? ;-)
Has he been reported to the list owner yet? All lists, please.
Most certainly, opensuse-security+owner@opensuse.org
No, most probably opensuse-security-announce because it uses opensuse-security@ in the From:. The reason for this From: is to direct discussions about the security announcements to this mailing list, but we all know that it has the bad side effect of "inviting" broken autoresponders. See also https://bugzilla.novell.com/show_bug.cgi?id=758595 - Marcus, any news about this?
They are still coming... :-(
Just wondering - what would happen if someone sends a mail claiming to be From: opensuse-security-announce+unsubscribe@ to the spamming^W autoreply-sending mail address...? *eg* (That's of course just a theoretical question - please never do such evil stuff!) Regards, Christian Boltz -- It could be, for example, that you are by now better than 95% of the other participants here. For at least 45% of the people who believe that of themselves, however, that is not the case. :-) [Kristian Koehntopp in suse-linux]
On Saturday, 2013-04-06 at 01:35 +0200, Christian Boltz wrote:
On Friday, 5 April 2013, Carlos E. R. wrote:
Oh well. Software from the company that couldn't afford the whole fruit for their logo. What do you expect? ;-)
Not much :-) But in fairness, that software is not the only one that sends bounces. At least, there are some that only bounce once to each address.
See also https://bugzilla.novell.com/show_bug.cgi?id=758595 - Marcus, any news about this?
There is no activity on that one. Maybe the component should not be security, but infrastructure :-?
They are still coming... :-(
Just wondering - what would happen if someone sends a mail claiming to be From: opensuse-security-announce+unsubscribe@ to the spamming^W autoreply-sending mail address...? *eg* (That's of course just a theoretical question - please never do such evil stuff!)
Interesting... >:-) -- Cheers, Carlos E. R. (from 12.1 x86_64 "Asparagus" at Telcontar)
participants (5): Carlos E. R., Christian Boltz, Marcus Meissner, Patrick Shanahan, Wojciech Lisiewicz