-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID: SUSE-SR:2008:001
Date: Wed, 09 Jan 2008 18:00:00 +0000
Cross-References: CVE-2007-4974, CVE-2007-5906, CVE-2007-5907
CVE-2007-5935, CVE-2007-5936, CVE-2007-5937
CVE-2007-6199, CVE-2007-6200, CVE-2007-6239
CVE-2007-6335, CVE-2007-6336, CVE-2007-6337
CVE-2007-6351, CVE-2007-6352, CVE-2007-6353
Content of this advisory:
1) Solved Security Vulnerabilities:
- libexiv2 integer overflow problem
- dvips buffer overflows / insecure tempfiles
- libsndfile possible buffer overflow
- squid denial of service problem
- rsync directory traversal problems
- clamav 0.92 security update
- Xen denial of service problems
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
- libexif vulnerabilities
- wireshark 0.99.7 security problems
- various MySQL security issues
- krb5 small security issues
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums
or download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- libexiv2 integer overflow problem
Meder Kydyraliev of Google found that specially crafted files could
trigger an integer overflow in the libexiv2 library, potentially leading
to code execution (CVE-2007-6353).
This problem affected openSUSE 10.2 and 10.3; updated packages were
released on December 21st.
- dvips buffer overflows / insecure tempfiles
Buffer overflows in dvips and dviljk could be triggered by specially
crafted dvi files (CVE-2007-5935, CVE-2007-5937).
dvips additionally created temporary files in an insecure manner
(CVE-2007-5936).
Updated TeX packages have been released for all affected distributions
except openSUSE 10.3. openSUSE 10.3 texlive packages are still pending
due to unrelated problems.
- libsndfile possible buffer overflow
A possible buffer overflow in libsndfile while reading decoded PCM
data from the FLAC library was fixed (CVE-2007-4974).
Updates have been released for all affected distributions containing
libsndfile on January 3rd.
- squid denial of service problem
The web proxy cache squid was updated to fix a denial-of-service bug
in cache update reply processing (CVE-2007-6239).
Squid has been updated on all SUSE Linux based products on
December 30.
- rsync directory traversal problems
A bug in the rsync daemon was fixed that allowed remote attackers to
access restricted files outside a module's hierarchy when the daemon
was run without a chroot, i.e. with "use chroot = no" in rsyncd.conf
(CVE-2007-6199).
Please also read the entry from November 28th, 2007 at
http://rsync.samba.org/security.html for more information about a
secure rsync configuration; it also covers the bug tracked as
CVE-2007-6200.
This rsync update also fixes some crashes that only affect rsync-2.6.8
on SLES10.
The update was released on December 22nd.
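The exposed combination is a module that is writable and served without a chroot. The script below is an added example (it is not part of the advisory or of the rsync project) that audits an rsyncd.conf for modules in that state. It honours rsync's rules for the two parameters involved: "use chroot" and "read only" may be set globally before the first [module] and overridden per module, both default to "yes", parameter names are compared ignoring case and whitespace, and values are rsync booleans (yes/true/1, no/false/0). The sample configuration embedded in it is constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the SUSE advisory or the rsync project: find
# rsyncd.conf modules that are writable ("read only = no") and not
# chrooted ("use chroot = no"), the exposure behind CVE-2007-6199.

# audit_rsyncd_conf [FILE]: print the name of every writable, non-chrooted
# module, one per line (reads stdin when no file is given). Empty output
# means nothing to report.
audit_rsyncd_conf() {
    awk '
        function trim(s)    { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function isfalse(v) { v = tolower(v); return v == "no" || v == "false" || v == "0" }
        # effective value of key k for module m: module setting, else global, else default d
        function eff(m, k, d) {
            if ((m, k) in mod) return mod[m, k]
            if (k in glob) return glob[k]
            return d
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }              # comments and blank lines
        /^[ \t]*\[.*\][ \t]*$/ {                          # [module] header
            sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\][ \t]*$/, "", sect)
            order[++n] = sect; next
        }
        index($0, "=") {                                  # "name = value"
            key = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", key)
            val = trim(substr($0, index($0, "=") + 1))
            if (sect == "") glob[key] = val; else mod[sect, key] = val
        }
        END {
            for (i = 1; i <= n; i++)
                if (isfalse(eff(order[i], "usechroot", "yes")) && isfalse(eff(order[i], "readonly", "yes")))
                    print order[i]
        }
    ' "$@"
}

# Constructed sample rsyncd.conf (made up for this demo): secure global
# defaults, one module that overrides both of them, and one that only
# drops "read only" but stays chrooted.
SAMPLE_RSYNCD_CONF='# global section
use chroot = yes
read only = yes

[pub]
    path = /srv/rsync/pub
    comment = mirror tree, read-only and chrooted

[incoming]
    path = /srv/rsync/incoming
    read only = no
    use chroot = no

[backup]
    path = /srv/rsync/backup
    read only = no
'

# Prints "incoming": the only module that is both writable and unchrooted.
printf '%s' "$SAMPLE_RSYNCD_CONF" | audit_rsyncd_conf
# Real use: audit_rsyncd_conf /etc/rsyncd.conf
```

Any module the script lists should either get "use chroot = yes" back (the default, and the setting the rsync security page recommends) or be made read-only; the patched rsync removes the known traversal, but a writable, unchrooted module remains the configuration with the least margin for error.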
- clamav 0.92 security update
The virus scan engine clamav was upgraded to 0.92 to fix numerous flaws,
including some security problems (CVE-2007-6335, CVE-2007-6336, CVE-2007-6337).
Please note that the version number of the clamav library has
changed. Programs linked against libclamav therefore need to be
updated as well; we released updated klamav, claws and sylpheed-claws
packages for this.
This update was released on December 20.
- Xen denial of service problems
Various Xen issues have been fixed, two of them security related:
- CVE-2007-5906: Xen allowed virtual guest system users to cause
a denial of service (hypervisor crash) by using a debug register
(DR7) to set certain breakpoints.
- CVE-2007-5907: Xen 3.1.1 does not prevent modification of the CR4
TSC from applications, which allows paravirtualized (PV) guests to
cause a denial of service (crash).
Updates have been released for SUSE Linux 10.1, openSUSE 10.3 and SUSE
Linux Enterprise Server 10. openSUSE 10.2 updates are still pending.
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
- libexif vulnerabilities
A Google security audit also found problems in libexif
(CVE-2007-6351, CVE-2007-6352). We are preparing updates for these issues.
- wireshark 0.99.7 security problems
Multiple bugs were fixed in wireshark 0.99.7; updated packages for these
problems are currently in QA.
- various MySQL security issues
We are currently testing a MySQL update to fix various recently
discovered security issues.
- krb5 small security issues
We are currently testing fixes for the reported krb5 security issues.
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file containing the announcement.
The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team
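The "Good signature" line tells you the signature is valid for some key in your keyring, not that the key is SUSE's, and the 8-hex-digit key ID 3D25D3D9 is only the low 32 bits of the key fingerprint, a value an attacker can collide by brute force. A more robust check pins the full 40-hex-digit fingerprint of the announcement key and reads gpg's machine-readable status records (--status-fd) instead of its human-readable text. The shell script below is an added example and not part of the advisory; the fingerprint, key IDs and status lines in it are constructed for the demo and are not SUSE's real values, and check_status and verify_announcement are names chosen here.

```sh
#!/bin/sh
# Added example, not from the SUSE advisory: accept an announcement only if
# the signature was made by a key whose full fingerprint is pinned.
# gpg --status-fd emits records like
#   [GNUPG:] GOODSIG <keyid> <user id>
#   [GNUPG:] VALIDSIG <40-hex fingerprint> <date> <timestamp> ... <primary fpr>
#   [GNUPG:] BADSIG / ERRSIG / NO_PUBKEY / EXPKEYSIG / REVKEYSIG ...
# The fingerprint in VALIDSIG is what we compare against.

# check_status FPR: read status records on stdin; exit 0 only if a VALIDSIG
# record names FPR and no failure record is present. FPR may contain spaces
# and lower-case hex, as copied from "gpg --fingerprint".
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }                       # ignore non-status lines
        $2 == "VALIDSIG" && toupper($3) == want { ok = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NO_PUBKEY" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { rc = (ok && !bad) ? 0 : 1; exit rc }
    '
}

# verify_announcement FILE FPR: run gpg on the saved announcement and apply
# the check above. --status-fd 1 puts the status records on stdout; the
# human-readable messages go to stderr and are discarded here.
verify_announcement() {
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null | check_status "$2"
}

# Constructed status output for the demo (fingerprints, key IDs and dates
# are made up; they are not SUSE's).
EXPECTED_FPR='DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF'
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DEADBEEFDEADBEEF SuSE Security Team
[GNUPG:] VALIDSIG DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF 2008-01-09 1199901600 0 4 0 1 2 00 DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
[GNUPG:] TRUST_UNDEFINED 0 pgp'
# A perfectly good signature, but from some other key in the keyring: gpg
# would still print "Good signature" for this one.
SAMPLE_OTHER_KEY='[GNUPG:] GOODSIG CAFEBABECAFEBABE Somebody Else
[GNUPG:] VALIDSIG CAFEBABECAFEBABECAFEBABECAFEBABECAFEBABE 2008-01-09 1199901600 0 4 0 1 2 00 CAFEBABECAFEBABECAFEBABECAFEBABECAFEBABE'

if printf '%s\n' "$SAMPLE_GOOD" | check_status "$EXPECTED_FPR"; then
    echo "sample 1: signed by the pinned key, accepted"
fi
if ! printf '%s\n' "$SAMPLE_OTHER_KEY" | check_status "$EXPECTED_FPR"; then
    echo "sample 2: good signature from the wrong key, rejected"
fi
# Real use, with the fingerprint taken from a trusted out-of-band source:
#   verify_announcement SUSE-SR-2008-001.txt "$EXPECTED_FPR"
```

Because the fingerprint is pinned, the check does not depend on the key's trust level in your keyring (TRUST_UNDEFINED is accepted), so the fingerprint itself must come from a source you trust rather than from the announcement being verified.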