-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID: SUSE-SR:2006:010
Date: Fri, 12 May 2006 16:00:00 +0000
Cross-References: CVE-2005-1111, CVE-2005-1229, CVE-2005-4268
CVE-2006-1546, CVE-2006-1547, CVE-2006-1548
CVE-2006-1834, CVE-2006-1932, CVE-2006-1933
CVE-2006-1934, CVE-2006-1935, CVE-2006-1936
CVE-2006-1937, CVE-2006-1938, CVE-2006-1939
CVE-2006-1940, CVE-2006-1989, CVE-2006-2069
Content of this advisory:
1) Solved Security Vulnerabilities:
- opera integer overflow in style sheet handling
- pdns remote denial of service attack
- cpio various issues
- ethereal various issues
- clamav freshclam buffer overflow
- Apache struts various problems
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
- SUSE Linux 10.1 update problems
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums
or download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- Opera integer overflow in style sheet handling
An integer signedness error in Opera before 8.54 allows remote
attackers to execute arbitrary code via long values in a style sheet
attribute, which pass a length check.
This affects all SUSE Linux versions and is tracked by the Mitre
CVE ID CVE-2006-1834.
- pdns remote denial of service attack
Remote attackers could crash the PowerDNS (pdns) server by sending
malformed packets.
This only affects SUSE Linux 10.1 and is tracked by the Mitre CVE
ID CVE-2006-2069.
- cpio various issues
CPIO has been updated to fix the following security problems:
- Very large files could cause a buffer overflow on 64bit platforms
(CVE-2005-4268)
- When extracting an archive into a directory that is writable by
other users, a user could trick cpio into changing the permissions
of files outside that directory (CVE-2005-1111).
- Relative paths in cpio archives could be used to write a file into
an arbitrary directory when extracting the archive (CVE-2005-1229).
This problem affects all SUSE Linux based products.
- ethereal various issues
Various security problems were fixed in ethereal, these could have
denial of service attacks or even arbitrary code execution as impact.
The tracking Mitre CVE IDs of the fixed issues are:
CVE-2006-1932, CVE-2006-1933, CVE-2006-1934, CVE-2006-1935,
CVE-2006-1936, CVE-2006-1937, CVE-2006-1938, CVE-2006-1939,
CVE-2006-1940
- clamav freshclam buffer overflow
Clamav was updated to version 0.88.2 fixes among other things the
following security problem:
- A buffer overflow in the freshclam program might allow remote web
servers to execute arbitrary code via long HTTP headers
(CVE-2006-1989).
All SUSE Linux based products containing clamav were affected.
- Apache struts various problems
Three security problems were fixed in Apache Struts:
1.)
Apache Software Foundation (ASF) Struts before 1.2.9 allows
remote attackers to bypass validation via a request with a
'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which
causes the action to be canceled but would not be detected from
applications that do not use the isCancelled check. (CVE-2006-1546)
2.)
ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9
with BeanUtils 1.7 allows remote attackers to cause a denial of
service via a multipart/form-data encoded form with a parameter
name that references the public getMultipartRequestHandler
method, which provides further access to elements in the
CommonsMultipartRequestHandler implementation and BeanUtils.
(CVE-2006-1547)
3.)
Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction
and possibly (2) DispatchAction and (3) ActionDispatcher in Apache
Software Foundation (ASF) Struts before 1.2.9 allows remote attackers
to inject arbitrary web script or HTML via the parameter name, which
is not filtered in the resulting error message. (CVE-2006-1548)
SUSE Linux 9.3 and 10.0 were affected by these problems.
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
- SUSE Linux 10.1 update problems
Installation of the opera and pdns updates on SUSE Linux 10.1 might
be problematic. We are aware of 2 problems:
- zen-updater is not able to install the updates.
Workaround: Use YaST Online Update directly, started via YaST2
control center.
- YaST crashes when installing packages directly from the online
update source.
The installer tries to install packages directly from the online
update source instead of your CDs (in case of security updates)
to avoid intermediate steps. This is not fully working yet so
you might experience crashes.
Workaround:
Disable the remote update source during install of this package
and re enable it afterward.
- MySQL various issues
MySQL 5.0.21 was released fixing various security problems, including
information leaks and a remote code execution.
We are currently preparing updates for these problems.
- Next Kernel Update
A kernel update for all products is in preparation and will likely
be released in the next week.
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file containing the announcement.
The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team