Mailinglist Archive: opensuse-security (605 mails)
| < Previous | Next > |
RE: [suse-security] SuSE Security Announcement: kernel (SuSE-SA:2001:036)
- From: "Alexey N. Solofnenko" <alexeys@xxxxxxxxxxxxx>
- Date: Fri, 26 Oct 2001 19:01:18 -0700
- Message-id: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAA61S/5QbQ0hGDsgCAX/0qoIKGAAAQAAAAeLb+WEOOA0idSNCg4/vj5gEAAAAA@xxxxxxxxxxxxx>
I use SuSE 7.0 (not 7.1 as yast offers by default) distribution to
update eMail Server II. It works so far.
- Alexey.
_____
< http://members.home.com/asolofnenko/ > Alexey N. Solofnenko
< http://www.inventigo.com/ Inventigo LLC
Pleasant Hill, CA (GMT-8 usually)
-----Original Message-----
From: herman@xxxxxxxxx [mailto:herman@xxxxxxxxx]
Sent: Friday, October 26, 2001 5:48 PM
To: suse-security@xxxxxxx
Subject: Re: [suse-security] SuSE Security Announcement: kernel
(SuSE-SA:2001:036)
Are we to assume that we should use the kernel for the 7.0 distro tp
update the eMail Server II
product? Or will there be a separate update posted for it?
- Herman
Roman Drahtmueller wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
________________________________________________________________________
______
>
> SuSE Security Announcement
>
> Package: kernel
> Announcement-ID: SuSE-SA:2001:036
> Date: Friday, Oct 26th 2001 18:00 MEST
> Affected SuSE versions: 6.3, 6.4, 7.0, 7.1, 7.2, 7.3
> Vulnerability Type: local privilege escalation
> Severity (1-10): 8
> SuSE default package: yes
> Other affected systems: all Linux systems, all kernel versions
>
> Content of this advisory:
> 1) security vulnerability resolved: kernel
> problem description, discussion, solution and upgrade
information
> 2) pending vulnerabilities, solutions, workarounds
> 3) standard appendix (further information)
>
>
________________________________________________________________________
______
>
> 1) The Problem, Workaround, Recommended solution, Instructions,
Notes,
> Verification
>
> The Problem:
>
> The SuSE Linux kernel is a standard kernel, enhanced with a set of
> additional drivers and other improvements, to suit the end-user's
> demand for a great variety of drivers for all kind of hardware.
>
> Two security related problems have been found in both the 2.2 and
> 2.4 series kernels:
>
> 1) A recursive symlink structure can cause the kernel to consume
excessive
> CPU time, causing the machine to halt for an arbitrary amount of
time.
> 2) ptrace(2), the system call used to trace processes as done by
the
> strace(1) command, must not be given permissions to trace setuid
or
> setgid programs (processes with a different effective uid or gid
than
> the caller's uid/gid). A race condition in the ptrace() kernel
code
> was the reason for the kernel update in May 2001. The flaw fixed
with
> this kernel update is based on the assumption that the calling
process
> is allowed to trace a running process. The fix consists of
disallowing
> a ptrace() system call for all setuid/setgid binaries,
regardless
> of the capabilities of the calling process.
>
> Bug 1) can lead to a local DoS.
> Bug 2) can allow a local attacker to gain root privileges.
>
> Workarounds:
>
> It is possible to work around bug 2) by removing the setuid bit
from the
> programs newgrp, su, su1, sudo and possibly more programs in the
system
> that will start another program with different pivileges.
> In order to completely solve the security problems, it is
recommended to
> update the kernel to a newer version as described below.
>
> Recommended solution:
>
> We have provided update kernels for our supported distributions
> 6.3, 6.4, 7.0, 7.1, 7.2 and the freshly released 7.3. Currently,
> only kernel update packages for the Intel i386 distributions are
> available. The update should be performed with special care in
order
> to make sure that the system will properly boot after the package
> update.
>
> Step-By-Step Installation Instructions:
>
> The kernel of a Linux system is the most critical component with
respect
> to stability, reliability and security. By consequence, an update
of that
> component requires some care and full attention to succeed.
> The following paragraphs will guide you through the installation
> process in a step-by-step fashion. The character sequence "****"
> marks the beginning of a new paragraph. In some cases, you decide
> if the paragraph is needed for you or not. Please read through all
> of the steps down to the end. All of the commands that need to be
> executed are required to be run as the superuser (root). Each step
> relies on the steps before to complete successfully.
>
> **** Step 1: Determine the needed kernel version
>
> SuSE-6.3, 6.4 and 7.0 are built for kernels of version 2.2, 7.1
and
> up are also ready for a 2.4 kernel. You should use the same major
kernel
> version for the update as you are using already.
>
> Determine the kernel version that is running on your system with
the
> command
> uname -r
>
> If your running kernel is version 2.2.x, you should use a 2.2.19
kernel
> to update, if you use a 2.4 series kernel, use a 2.4 kernel to
update
> SuSE-7.3 users: See Step 3!).
> Cross-version updates _may_ work in your installation but are dis-
> recommended in order to preserve a properly running system.
>
> **** Step 2: Determine the needed kernel type
>
> After you have determined which version to install, you must
select the
> type of kernel rpm package to install. There are four types
offered:
>
> k_i386 a kernel that runs on i386 processors.
> k_smp the kernel for computers with more than one CPU
> k_psmp for dual Pentium-I processor computers
> k_deflt the default kernel for most systems, includes
support
> for APM (laptops).
>
> You can use the command
> rpm -qf `awk -F= '/image/{print $2}' < /etc/lilo.conf`
> to find the name of the kernel RPM package that is installed on
> your system. In the case of inconclusive results, pick one from
the
> four choices above: k_deflt works on most systems, k_smp is for
> multi processor computers.
>
> Step 1 and 2 will lead you to one of these possiblities:
>
> 2.2-default 2.2-smp 2.2-psmp 2.2-i386
> 2.4-default 2.4-smp 2.4-psmp 2.4-i386
>
> **** Step 3: SuSE-7.3 special: Download
>
> If you have a SuSE-7.3 system, continue to read this paragraph,
> otherwise jump to Step 4.
> SuSE Linux 7.3 comes with a kernel version 2.4.10. We have made
> a set of patched kernels of this particular version to seamlessly
> fit into a 7.3 installation. SuSE Linux releases before 7.3 should
> receive a 2.4.7 kernel update - we provide both versions for the
update.
> It should be possible though to run both 2.4 kernels on all 2.4
based
> systems.
>
> Please download your kernel rpm from the location
>
ftp://ftp.suse.com/pub/suse/i386/update/7.3/kernel/2.4.10-20011026/
> After downloading the rpm package, you might want to verify the
> authenticity of the rpm package according to Section 3 of this and
every
> SuSE Security announcement.
> Then go to Step 5, omitting Step 4.
>
> **** Step 4: Download your kernel rpm
>
> Your kernel rpm package is available for download from
>
> ftp://ftp.suse.com/pub/suse/i386/update/<dist>/kernel/
>
> where <dist> is the release version of your distribution.
> If you need to download a 2.4 series kernel, enter the directory
> called 2.4.7-20011026/ and download the kernel rpm type that you
> have selected in Step 2.
> If you need to download a 2.2 series kernel, enter the directory
> called 2.2.19-20011026/ and download the kernel rpm type that you
> have selected in Step 2.
>
> An example: For a SuSE-7.2 distribution installed on an SMP system
> that is running a 2.4 series kernel, you should download the
file
>
ftp://ftp.suse.com/pub/suse/i386/update/7.2/kernel/2.4.7-20011026/k_smp-
2.4.7-22.i386.rpm
>
> After downloading the rpm package, you might want to verify the
> authenticity of the rpm package according to Section 3 of this
> SuSE Security announcement at the bottom of this message.
>
> **** Step 5: SuSE-6.3 special: Installing your kernel rpm package
>
> If you have a SuSE-6.3 system, continue to read this paragraph,
> otherwise jump to Step 6.
> In SuSE Linux version 6.3, the kernel and the kernel modules are
> packaged in two different packages. This will change with the
success
> of this update: Both kernel images and kernel modules will be
contained
> in the same package. For the update to succeed, you will have to
either
> remove the existing kernel package from your system using the
command
> rpm -e `rpm -qf /boot/vmlinuz`
> or two kernel rpm packages will be installed on your system.
>
> **** Step 6: Installing your kernel rpm package
>
> Install the rpm package that you have downloaded in Steps 3 or 4
with
> the command
> rpm -Uhv --nodeps --force <K_FILE.RPM>
> where <K_FILE.RPM> is the name of the rpm package that you
downloaded.
>
> Notice: After performing this step, your system will likely not be
> able to boot if the following steps have not been fully
applied.
>
> **** Step 7: aic7xxx
>
> If you use an Adaptec aic7xxx SCSI host adapter, continue to read
> this paragraph, otherwise jump to Step 8.
> The new kernel comes with two versions for the Adaptec aic7xxx
driver.
> If you have such a card, you should see the driver listed in the
> output from the command
> lsmod
> or you should see the adapter in the output of the command
> lspci
> The new driver is known to work reliably. However, if you
encounter
> any problems with CDROM drives or other removeable devices (CD-RW
> drives, tapes, etc) after this kernel upgrade, then you should try
to
> use the old driver which is called aic7xxx_old instead of aic7xxx.
> If you decide to make this change, then the steps 10 and 11 are
> mandatory for the update to succeed, regardless if you get back to
> this paragraph after your first reboot or not.
> To use the old driver, please use your favourite editor to edit
> the file /etc/rc.config. Change aic7xxx into aic7xxx_old at the
line
> that starts with INITRD_MODULES. You should find it near the top
of the
> file. Do not forget to save your changes. Then go to Steps 10 and
11.
>
> If you want to use the new driver, then do not change anything.
>
> **** Step 8: LVM
>
> If you use LVM, then continue to read this paragraph,
> otherwise jump to Step 9.
> If you use LVM (Logical Volume Manager) in your installation of
SuSE
> Linux before and including SuSE-7.1, then you need the updated lvm
> package from the
> /pub/suse/i386/update/<dist>/kernel/2.2.19-20011026/
> directory for your distribution as well. The package contains the
> userspace utilities to manage the Logical Volume Manager driver.
> An update package is needed because the LVM data format/structure
on
> disk has changed with the new version of the LVM kernel driver.
> Install the package as usual using the command
> rpm -Uhv lvm-0.9.1_beta4-12.i386.rpm
> Be sure you have downloaded the package for the explicit version
> of your SuSE Linux Installation. The package names are identical
> for all distribution versions.
>
> With this kernel upgrade, the lvm driver is configured as a
module,
> it is _not_ compiled into the kernel image any more. Therefore,
you
> should use your favourite editor and edit /etc/rc.config. In this
> file, the variable INITRD_MODULES must contain the word "lvm-mod".
> Example: you have an NCR scsi hostadapter and use lvm and
reiserfs.
> The line in /etc/rc.config should look like
> INITRD_MODULES="sym53c8xx lvm-mod"
> Be careful about the double quotes!
>
> WARNING: After the first boot with the new kernel you will not be
able
> to downgrade to older versions of LVM any more.
>
> **** Step 9: reiserfs
>
> If you use reiserfs, then continue to read this paragraph,
> otherwise jump to Step 10.
>
> If you use reiserfs (find out via "grep reiserfs /proc/mounts"),
then
> make sure that the variable INITRD_MODULES from /etc/rc.config
contains
> the word "reiserfs", like in the example in Step 8.
>
> **** Step 10: configuring and creating the initrd
>
> Upon kernel boot (after lilo runs), the kernel needs to use the
> drivers for the device (disk/raid) where the root filesystem
> is located in order to access it for mounting. If this driver is
> not compiled into the kernel, it is supplied as a kernel module
> that must be loaded _before_ the root filesystem is mounted. This
> is done using a ramdisk that is loaded along with the kernel by
lilo
> (which is subject to the next Step).
>
> The modules that will be packed into this initial ramdisk (initrd)
> must be listed in the variable INITRD_MODULES in the file
> /etc/rc.config . This ramdisk, called "initrd", must be generated
> using the command
> mk_initrd
> If the driver for the device containing your root device is not
> compiled directly into the kernel, then your system will most
likely
> not boot any more. If you have followed the above steps, you
should be
> safe. Special care should be taken with scsi hostadapters, logical
volume
> manager (lvm) and reiserfs.
>
> **** Step 11: lilo
>
> lilo is responsible for loading the kernel image and the initrd
> ramdisk image into the system and for transferring control of the
> system to the kernel. Therefore, a proper installation of the
> bootloader (by calling the program lilo) is essential for the
> system to boot (!).
> Manually changed settings in /etc/lilo.conf require the admin to
make
> sure that /boot/vmlinuz is listed in the first "image" line in
that
> file. Verify that the line starting with initrd= is set to
> initrd=/boot/initrd
> Execute
> lilo
> and you should see your label(s) in an output like
> Added linux *
> Every other output should be considered an error and requires
> attention. If your system managed to reboot before the upgrade,
you
> should not see any additional output from lilo at this stage.
>
> **** Step 12: SuSE-7.0 special
>
> If you have a SuSE Linux 7.0 distribution, then continue to read
this
> paragraph, otherwise jump to Step 13.
> If you have performed the kernel upgrade as described in the last
kernel
> SuSE Security announcement SuSE-SA:2001:18 and if you have
performed
> the upgrade of the glibc as described in Step 8 of
SuSE-SA:2001:18, then
> you are done and you should go to Step 13. Otherwise, please read
> SuSE-SA:2001:18 (from
> http://www.suse.de/de/support/security/2001_018_kernel_txt.txt)
and
> return to the Step 13 in this announcement.
>
> **** Step 13: reboot
>
> If all of the steps above have been successfully applied to your
> system, then the new kernel including the kernel modules and the
> initrd should be ready to boot. The system needs to be rebooted
for
> the changes to become active. Please make sure that all steps are
> complete, then reboot using the command
> shutdown -r now
> or
> init 6
>
>
________________________________________________________________________
______
>
> 2) Pending vulnerabilities in SuSE Distributions and Workarounds:
>
> - openssh
> After stabilizing the openssh package, updates for the
distributions
> 6.4-7.2 are currently being prepared. The update packages fix a
security
> problem related to the recently discovered problems with source ip
> based access restrictions in a user's ~/.ssh/authorized_keys2
file.
> The packages will appear shortly on our ftp servers. Please note
that
> packages for the distributions 6.3 and up including 7.0 containing
> cryptographic software are located on the German ftp server
ftp.suse.de,
> all other packages can be found on ftp.suse.com at the usual
location.
>
> - squid
> A squid server can be brought to a crash upon receipt of certain
> requests. The attacker must have request access to the running
squid
> proxy to be able to take advantage of this weakness. The only
effect
> of an attack is the Denial of Service (DoS). After an attack, the
> squid proxy must be restarted.
> Update packages are available on our ftp server that eliminate the
> problem. The security announcement for this issue will follow
soon.
>
>
________________________________________________________________________
______
>
> 3) standard appendix: authenticity verification, additional
information
>
> - Package authenticity verification:
>
> SuSE update packages are available on many mirror ftp servers all
over
> the world. While this service is being considered valuable and
important
> to the free and open source software community, many users wish to
be
> sure about the origin of the package and its content before
installing
> the package. There are two verification methods that can be used
> independently from each other to prove the authenticity of a
downloaded
> file or rpm package:
> 1) md5sums as provided in the (cryptographically signed)
announcement.
> 2) using the internal gpg signatures of the rpm package.
>
> 1) execute the command
> md5sum <name-of-the-file.rpm>
> after you downloaded the file from a SuSE ftp server or its
mirrors.
> Then, compare the resulting md5sum with the one that is listed
in the
> announcement. Since the announcement containing the checksums
is
> cryptographically signed (usually using the key
security@xxxxxxx),
> the checksums show proof of the authenticity of the package.
> We disrecommend to subscribe to security lists which cause the
> email message containing the announcement to be modified so
that
> the signature does not match after transport through the
mailing
> list software.
> Downsides: You must be able to verify the authenticity of the
> announcement in the first place. If RPM packages are being
rebuilt
> and a new version of a package is published on the ftp server,
all
> md5 sums for the files are useless.
>
> 2) rpm package signatures provide an easy way to verify the
authenticity
> of an rpm package. Use the command
> rpm -v --checksig <file.rpm>
> to verify the signature of the package, where <file.rpm> is the
> filename of the rpm package that you have downloaded. Of
course,
> package authenticity verification can only target an
uninstalled rpm
> package file.
> Prerequisites:
> a) gpg is installed
> b) The package is signed using a certain key. The public part
of this
> key must be installed by the gpg program in the directory
> ~/.gnupg/ under the user's home directory who performs the
> signature verification (usually root). You can import the
key
> that is used by SuSE in rpm packages for SuSE Linux by
saving
> this announcement to a file ("announcement.txt") and
> running the command (do "su -" to be root):
> gpg --batch; gpg < announcement.txt | gpg --import
> SuSE Linux distributions version 7.1 and thereafter install
the
> key "build@xxxxxxx" upon installation or upgrade, provided
that
> the package gpg is installed. The file containing the
public key
> is placed at the toplevel directory of the first CD
(pubring.gpg)
> and at
ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
>
> - SuSE runs two security mailing lists to which any interested party
may
> subscribe:
>
> suse-security@xxxxxxxx
> - general/linux/SuSE security discussion.
> All SuSE security announcements are sent to this list.
> To subscribe, send an email to
> <suse-security-subscribe@xxxxxxxx>.
>
> suse-security-announce@xxxxxxxx
> - SuSE's announce-only mailing list.
> Only SuSE's security annoucements are sent to this list.
> To subscribe, send an email to
> <suse-security-announce-subscribe@xxxxxxxx>.
>
> For general information or the frequently asked questions (faq)
> send mail to:
> <suse-security-info@xxxxxxxx> or
> <suse-security-faq@xxxxxxxx> respectively.
>
> ===================================================
> SuSE's security contact is <security@xxxxxxxx>.
> The <security@xxxxxxxx> public key is listed below.
> ===================================================
>
________________________________________________________________________
______
>
> The information in this advisory may be distributed or reproduced,
> provided that the advisory is not modified in any way. In
particular,
> it is desired that the cleartext signature shows proof of the
> authenticity of the text.
> SuSE GmbH makes no warranties of any kind whatsoever with respect
> to the information contained in this security advisory.
>
> Type Bits/KeyID Date User ID
> pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@xxxxxxx>
> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key
<build@xxxxxxx>
>
> - -----BEGIN PGP PUBLIC KEY BLOCK-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
> BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
> JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
> 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
> P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
> cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
> VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
> yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
> tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
> xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
> Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
> choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
> BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
> v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
> x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
> Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
> MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
> saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
> L0oixF12CpkBogQ57vSBEQQAk/GN+ftr7+DBlSoixDDpfRnUk+jApGEt8hCnrnjV
> nPs/9Cr33+CXLQbILOO7Y5oiPbJdHh45t4E0fKyLVzDerCRFB1swz/mNDxT26DLy
> sdBV5fwNHTPhxa67goAZVrehQPqJEckkIpYriOaYcKpF3n5fQIZMEfMaHEElQhcX
> ML8AoJVXDkJYh7vI8EUB8ZURNLZMEECNA/sH0MCnb4Q6ZcRyeZ3+1PHP8hP73b6T
> epRdLZhaylwVF/iu7uIn62ZUL4//NTOCDY7V63qg4iba/fUbOsWtEnGaiE7mQuAl
> sSWvRspwRA9/g9rdVf3/JdLJrLmKBTheyG+PSJE3W7cAE4ZWafGxIRCwXhmj3TQn
> Jn2euqylHRubEQP/aL53NZK0kBdvrKgff6O8Of6tqoss8Dkk55I7QVFSp+My1Dn+
> mngQKFejTAgtyo/WmR3wPjQ9HoT2lRiYI2lTRYT4uMdHuwVC3b4DqAKmoy375FER
> wHkrMVyKBJslv8QtbAWw5A1CAUseaHo+91wmYJ4/4p6YUahqbG/tZyhbxfq0KFN1
> U0UgUGFja2FnZSBTaWduaW5nIEtleSA8YnVpbGRAc3VzZS5kZT6IXAQTEQIAHAUC
> Oe70gQUJA8JnAAQLCgMEAxUDAgMWAgECF4AACgkQqE7a6JyACspfLACffAYA+NM8
> NBhyRyH+nTX58CNjwLIAoIx9fj52BJe0xY7WbKoXs1+72b2AiEYEEBECAAYFAjpw
> XlIACgkQnkDjEAAKq6TczgCgi+ddhWb7+FWcfeE6WwPZccqAHowAnjjtRyGwHLQH
> r5OTFAYTXi2Wv6jNiQEVAwUQOnBgb3ey5gA9JdPZAQE1pwf/QJ+b34lFBNVUJ7fk
> /xGJJREt7V12iSafaRzGuH8xWvIz1bb+VARxnnt16FDQ1cDNjoEhCEmcW83Vxp6i
> JXE9PE8wVA/Yue/bon5JS7J69+UiQ2eq2pudfwljp52lYVM53jgPYEz0q/v3091n
> lZ8CYkAkN9JDS1lV1gEzJ7J0+POngDpU+lDQT2EC6VKaxeWK8pNt6UFDwICRDQxK
> nlOoiDvTrdWT7QdJZ4sPv8Qotdw9+tKNbWQ2DqdIRxyTdw9xDfAtcj6mXeQr7852
> Lwem1gSKVnEYHZ9g1FTJqVOutY8KhpUc9RfOCRv8XuIxrs4KSbfSF0s8qIRCQelx
> ufg9AbkCDQQ57vSSEAgAhJHQTejMX+Vr6g1pHDEcusJ63fQ2CfFFE5iE9okH9O7U
> VCiSfb9CV38dmeHdPCEEjDUWquFYEnvj3WICMtH249t1Ymuf4Du3yRKQ9oXdn/qT
> Jzlrx9qzjiG3mH7ocwHOgUIwCrZoEdBEVE2n0zPVm+hddwjWWTWXw6pxQz+i9dsN
> 89xexRV5M9O0bNwCLaNWX2GXeLAkqTK/9EuZy6x2yLxi6du9YYUAXkZpqBhCjtiU
> XpRoFCdglMznbcAyCk9C2wqb2j/D1Z2BeSBaGCSFkR6pRLebnE17LWcu72Iy+r0z
> +JecbPiyDpDZj4apn7IC81aNFGi7fNITsHODbwwjiwADBgf/YPvVdzkc8OC7ztac
> EWCanwylKvxCdKzTDA+DfES6WUYShyiVJvZzRy25LJ5WcK20kzOS6Qv1OrIXiz/p
> dGy1aKtJZrAnFEsofpmOj8VoqyyFgp/yAGQBp12+mXek7SCZRhuqalDfEMRiWEJ6
> J5dLkyShyRDWyPbFh0HXE7QTHN+IKKxxQqNQXL6Z3NSxS61p+5n6BseiDUI39xxk
> KTFwFrkgUIc5Gs2Or2lhaWvGwSfoCmwbsklszZt6xbU+R0SjFqTvjPWx6eHfqbmN
> C9WMDdTjGrXDDKXFp2aYlokfN6It9vsbVlGNlOwHt/JjGoPMxW6Xqj0FLA7/Vewg
> CdXW64hMBBgRAgAMBQI57vSSBQkDwmcAAAoJEKhO2uicgArKSyIAmwUHf/vtKQfc
> mVg4asR7U6XQl0bAAJ4pO22B5U8UH6IYl2LBCXFqw5+5fA==
> =rVRn
> - -----END PGP PUBLIC KEY BLOCK-----
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3i
> Charset: noconv
>
> iQEVAwUBO9mMI3ey5gA9JdPZAQGH8Qf9Fw4zJCYTXHQxQrfEVV2abEoCaPL+K6U2
> p4GlZyZs9Ggt0kXQWPrRgLzsgQB97upJBgbNfJ5xV9mYbCyLbkP4uZ/e/8CGnsca
> /qTf+cOkW/DLFCsPa2utbdFm5BhXlrrKyohlCRIHIab1fSQoy0GKhRHq2jTTdmkO
> h48uwo9g2DWJJ8t00lQR2h3Z9Pd0PvZpWiceQktcmy2NAEnhCa4o+wyQctTJwiez
> s9bO1DfK3MN5cgJjO63+n/zLXRMwfAIXqr+/HB4ggs1VOf7lvmonlwVfI171YkDF
> bmiWx6grq2vfqOtSOJZRtvwKxm8t/ayJFEaRHg2mqIWD+TmFVSY8uw==
> =xhBs
> -----END PGP SIGNATURE-----
>
> --
> To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
> For additional commands, e-mail: suse-security-help@xxxxxxxx
update eMail Server II. It works so far.
- Alexey.
_____
< http://members.home.com/asolofnenko/ > Alexey N. Solofnenko
< http://www.inventigo.com/ Inventigo LLC
Pleasant Hill, CA (GMT-8 usually)
-----Original Message-----
From: herman@xxxxxxxxx [mailto:herman@xxxxxxxxx]
Sent: Friday, October 26, 2001 5:48 PM
To: suse-security@xxxxxxx
Subject: Re: [suse-security] SuSE Security Announcement: kernel
(SuSE-SA:2001:036)
Are we to assume that we should use the kernel for the 7.0 distro tp
update the eMail Server II
product? Or will there be a separate update posted for it?
- Herman
Roman Drahtmueller wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
________________________________________________________________________
______
>
> SuSE Security Announcement
>
> Package: kernel
> Announcement-ID: SuSE-SA:2001:036
> Date: Friday, Oct 26th 2001 18:00 MEST
> Affected SuSE versions: 6.3, 6.4, 7.0, 7.1, 7.2, 7.3
> Vulnerability Type: local privilege escalation
> Severity (1-10): 8
> SuSE default package: yes
> Other affected systems: all Linux systems, all kernel versions
>
> Content of this advisory:
> 1) security vulnerability resolved: kernel
> problem description, discussion, solution and upgrade
information
> 2) pending vulnerabilities, solutions, workarounds
> 3) standard appendix (further information)
>
>
________________________________________________________________________
______
>
> 1) The Problem, Workaround, Recommended solution, Instructions,
Notes,
> Verification
>
> The Problem:
>
> The SuSE Linux kernel is a standard kernel, enhanced with a set of
> additional drivers and other improvements, to suit the end-user's
> demand for a great variety of drivers for all kind of hardware.
>
> Two security related problems have been found in both the 2.2 and
> 2.4 series kernels:
>
> 1) A recursive symlink structure can cause the kernel to consume
excessive
> CPU time, causing the machine to halt for an arbitrary amount of
time.
> 2) ptrace(2), the system call used to trace processes as done by
the
> strace(1) command, must not be given permissions to trace setuid
or
> setgid programs (processes with a different effective uid or gid
than
> the caller's uid/gid). A race condition in the ptrace() kernel
code
> was the reason for the kernel update in May 2001. The flaw fixed
with
> this kernel update is based on the assumption that the calling
process
> is allowed to trace a running process. The fix consists of
disallowing
> a ptrace() system call for all setuid/setgid binaries,
regardless
> of the capabilities of the calling process.
>
> Bug 1) can lead to a local DoS.
> Bug 2) can allow a local attacker to gain root privileges.
>
> Workarounds:
>
> It is possible to work around bug 2) by removing the setuid bit
from the
> programs newgrp, su, su1, sudo and possibly more programs in the
system
> that will start another program with different pivileges.
> In order to completely solve the security problems, it is
recommended to
> update the kernel to a newer version as described below.
>
> Recommended solution:
>
> We have provided update kernels for our supported distributions
> 6.3, 6.4, 7.0, 7.1, 7.2 and the freshly released 7.3. Currently,
> only kernel update packages for the Intel i386 distributions are
> available. The update should be performed with special care in
order
> to make sure that the system will properly boot after the package
> update.
>
> Step-By-Step Installation Instructions:
>
> The kernel of a Linux system is the most critical component with
respect
> to stability, reliability and security. By consequence, an update
of that
> component requires some care and full attention to succeed.
> The following paragraphs will guide you through the installation
> process in a step-by-step fashion. The character sequence "****"
> marks the beginning of a new paragraph. In some cases, you decide
> if the paragraph is needed for you or not. Please read through all
> of the steps down to the end. All of the commands that need to be
> executed are required to be run as the superuser (root). Each step
> relies on the steps before to complete successfully.
>
> **** Step 1: Determine the needed kernel version
>
> SuSE-6.3, 6.4 and 7.0 are built for kernels of version 2.2, 7.1
and
> up are also ready for a 2.4 kernel. You should use the same major
kernel
> version for the update as you are using already.
>
> Determine the kernel version that is running on your system with
the
> command
> uname -r
>
> If your running kernel is version 2.2.x, you should use a 2.2.19
kernel
> to update, if you use a 2.4 series kernel, use a 2.4 kernel to
update
> SuSE-7.3 users: See Step 3!).
> Cross-version updates _may_ work in your installation but are dis-
> recommended in order to preserve a properly running system.
>
> **** Step 2: Determine the needed kernel type
>
> After you have determined which version to install, you must
select the
> type of kernel rpm package to install. There are four types
offered:
>
> k_i386 a kernel that runs on i386 processors.
> k_smp the kernel for computers with more than one CPU
> k_psmp for dual Pentium-I processor computers
> k_deflt the default kernel for most systems, includes
support
> for APM (laptops).
>
> You can use the command
> rpm -qf `awk -F= '/image/{print $2}' < /etc/lilo.conf`
> to find the name of the kernel RPM package that is installed on
> your system. In the case of inconclusive results, pick one from
the
> four choices above: k_deflt works on most systems, k_smp is for
> multi processor computers.
>
> Step 1 and 2 will lead you to one of these possiblities:
>
> 2.2-default 2.2-smp 2.2-psmp 2.2-i386
> 2.4-default 2.4-smp 2.4-psmp 2.4-i386
>
> **** Step 3: SuSE-7.3 special: Download
>
> If you have a SuSE-7.3 system, continue to read this paragraph,
> otherwise jump to Step 4.
> SuSE Linux 7.3 comes with a kernel version 2.4.10. We have made
> a set of patched kernels of this particular version to seamlessly
> fit into a 7.3 installation. SuSE Linux releases before 7.3 should
> receive a 2.4.7 kernel update - we provide both versions for the
update.
> It should be possible though to run both 2.4 kernels on all 2.4
based
> systems.
>
> Please download your kernel rpm from the location
>
ftp://ftp.suse.com/pub/suse/i386/update/7.3/kernel/2.4.10-20011026/
> After downloading the rpm package, you might want to verify the
> authenticity of the rpm package according to Section 3 of this and
every
> SuSE Security announcement.
> Then go to Step 5, omitting Step 4.
>
> **** Step 4: Download your kernel rpm
>
> Your kernel rpm package is available for download from
>
> ftp://ftp.suse.com/pub/suse/i386/update/<dist>/kernel/
>
> where <dist> is the release version of your distribution.
> If you need to download a 2.4 series kernel, enter the directory
> called 2.4.7-20011026/ and download the kernel rpm type that you
> have selected in Step 2.
> If you need to download a 2.2 series kernel, enter the directory
> called 2.2.19-20011026/ and download the kernel rpm type that you
> have selected in Step 2.
>
> An example: For a SuSE-7.2 distribution installed on an SMP system
> that is running a 2.4 series kernel, you should download the
file
>
ftp://ftp.suse.com/pub/suse/i386/update/7.2/kernel/2.4.7-20011026/k_smp-
2.4.7-22.i386.rpm
>
> After downloading the rpm package, you might want to verify the
> authenticity of the rpm package according to Section 3 of this
> SuSE Security announcement at the bottom of this message.
>
> **** Step 5: SuSE-6.3 special: Installing your kernel rpm package
>
> If you have a SuSE-6.3 system, continue to read this paragraph,
> otherwise jump to Step 6.
> In SuSE Linux version 6.3, the kernel and the kernel modules are
> packaged in two different packages. This will change with the
success
> of this update: Both kernel images and kernel modules will be
contained
> in the same package. For the update to succeed, you will have to
either
> remove the existing kernel package from your system using the
command
> rpm -e `rpm -qf /boot/vmlinuz`
> or two kernel rpm packages will be installed on your system.
>
> **** Step 6: Installing your kernel rpm package
>
> Install the rpm package that you have downloaded in Steps 3 or 4
with
> the command
> rpm -Uhv --nodeps --force <K_FILE.RPM>
> where <K_FILE.RPM> is the name of the rpm package that you
downloaded.
>
> Notice: After performing this step, your system will likely not be
> able to boot if the following steps have not been fully
applied.
>
> **** Step 7: aic7xxx
>
> If you use an Adaptec aic7xxx SCSI host adapter, continue to read
> this paragraph, otherwise jump to Step 8.
> The new kernel comes with two versions for the Adaptec aic7xxx
driver.
> If you have such a card, you should see the driver listed in the
> output from the command
> lsmod
> or you should see the adapter in the output of the command
> lspci
> The new driver is known to work reliably. However, if you
encounter
> any problems with CDROM drives or other removeable devices (CD-RW
> drives, tapes, etc) after this kernel upgrade, then you should try
to
> use the old driver which is called aic7xxx_old instead of aic7xxx.
> If you decide to make this change, then the steps 10 and 11 are
> mandatory for the update to succeed, regardless if you get back to
> this paragraph after your first reboot or not.
> To use the old driver, please use your favourite editor to edit
> the file /etc/rc.config. Change aic7xxx into aic7xxx_old at the
line
> that starts with INITRD_MODULES. You should find it near the top
of the
> file. Do not forget to save your changes. Then go to Steps 10 and
11.
>
> If you want to use the new driver, then do not change anything.
>
> **** Step 8: LVM
>
> If you use LVM, then continue to read this paragraph,
> otherwise jump to Step 9.
> If you use LVM (Logical Volume Manager) in your installation of
SuSE
> Linux before and including SuSE-7.1, then you need the updated lvm
> package from the
> /pub/suse/i386/update/<dist>/kernel/2.2.19-20011026/
> directory for your distribution as well. The package contains the
> userspace utilities to manage the Logical Volume Manager driver.
> An update package is needed because the LVM data format/structure
on
> disk has changed with the new version of the LVM kernel driver.
> Install the package as usual using the command
> rpm -Uhv lvm-0.9.1_beta4-12.i386.rpm
> Be sure you have downloaded the package for the explicit version
> of your SuSE Linux Installation. The package names are identical
> for all distribution versions.
>
> With this kernel upgrade, the lvm driver is configured as a
module,
> it is _not_ compiled into the kernel image any more. Therefore,
you
> should use your favourite editor and edit /etc/rc.config. In this
> file, the variable INITRD_MODULES must contain the word "lvm-mod".
> Example: you have an NCR scsi hostadapter and use lvm and
reiserfs.
> The line in /etc/rc.config should look like
> INITRD_MODULES="sym53c8xx lvm-mod"
> Be careful about the double quotes!
>
> WARNING: After the first boot with the new kernel you will not be
able
> to downgrade to older versions of LVM any more.
>
> **** Step 9: reiserfs
>
> If you use reiserfs, then continue to read this paragraph,
> otherwise jump to Step 10.
>
> If you use reiserfs (find out via "grep reiserfs /proc/mounts"),
then
> make sure that the variable INITRD_MODULES from /etc/rc.config
contains
> the word "reiserfs", like in the example in Step 8.
>
> **** Step 10: configuring and creating the initrd
>
> Upon kernel boot (after lilo runs), the kernel needs to use the
> drivers for the device (disk/raid) where the root filesystem
> is located in order to access it for mounting. If this driver is
> not compiled into the kernel, it is supplied as a kernel module
> that must be loaded _before_ the root filesystem is mounted. This
> is done using a ramdisk that is loaded along with the kernel by
lilo
> (which is subject to the next Step).
>
> The modules that will be packed into this initial ramdisk (initrd)
> must be listed in the variable INITRD_MODULES in the file
> /etc/rc.config . This ramdisk, called "initrd", must be generated
> using the command
> mk_initrd
> If the driver for the device containing your root device is not
> compiled directly into the kernel, then your system will most
likely
> not boot any more. If you have followed the above steps, you
should be
> safe. Special care should be taken with scsi hostadapters, logical
volume
> manager (lvm) and reiserfs.
>
> **** Step 11: lilo
>
> lilo is responsible for loading the kernel image and the initrd
> ramdisk image into the system and for transferring control of the
> system to the kernel. Therefore, a proper installation of the
> bootloader (by calling the program lilo) is essential for the
> system to boot (!).
> Manually changed settings in /etc/lilo.conf require the admin to
make
> sure that /boot/vmlinuz is listed in the first "image" line in
that
> file. Verify that the line starting with initrd= is set to
> initrd=/boot/initrd
> Execute
> lilo
> and you should see your label(s) in an output like
> Added linux *
> Every other output should be considered an error and requires
> attention. If your system managed to reboot before the upgrade,
you
> should not see any additional output from lilo at this stage.
>
> **** Step 12: SuSE-7.0 special
>
> If you have a SuSE Linux 7.0 distribution, then continue to read
this
> paragraph, otherwise jump to Step 13.
> If you have performed the kernel upgrade as described in the last
kernel
> SuSE Security announcement SuSE-SA:2001:18 and if you have
performed
> the upgrade of the glibc as described in Step 8 of
SuSE-SA:2001:18, then
> you are done and you should go to Step 13. Otherwise, please read
> SuSE-SA:2001:18 (from
> http://www.suse.de/de/support/security/2001_018_kernel_txt.txt)
and
> return to the Step 13 in this announcement.
>
> **** Step 13: reboot
>
> If all of the steps above have been successfully applied to your
> system, then the new kernel including the kernel modules and the
> initrd should be ready to boot. The system needs to be rebooted
for
> the changes to become active. Please make sure that all steps are
> complete, then reboot using the command
> shutdown -r now
> or
> init 6
>
>
________________________________________________________________________
______
>
> 2) Pending vulnerabilities in SuSE Distributions and Workarounds:
>
> - openssh
> After stabilizing the openssh package, updates for the
distributions
> 6.4-7.2 are currently being prepared. The update packages fix a
security
> problem related to the recently discovered problems with source ip
> based access restrictions in a user's ~/.ssh/authorized_keys2
file.
> The packages will appear shortly on our ftp servers. Please note
that
> packages for the distributions 6.3 and up including 7.0 containing
> cryptographic software are located on the German ftp server
ftp.suse.de,
> all other packages can be found on ftp.suse.com at the usual
location.
>
> - squid
> A squid server can be brought to a crash upon receipt of certain
> requests. The attacker must have request access to the running
squid
> proxy to be able to take advantage of this weakness. The only
effect
> of an attack is the Denial of Service (DoS). After an attack, the
> squid proxy must be restarted.
> Update packages are available on our ftp server that eliminate the
> problem. The security announcement for this issue will follow
soon.
>
>
________________________________________________________________________
______
>
> 3) standard appendix: authenticity verification, additional
information
>
> - Package authenticity verification:
>
> SuSE update packages are available on many mirror ftp servers all
over
> the world. While this service is being considered valuable and
important
> to the free and open source software community, many users wish to
be
> sure about the origin of the package and its content before
installing
> the package. There are two verification methods that can be used
> independently from each other to prove the authenticity of a
downloaded
> file or rpm package:
> 1) md5sums as provided in the (cryptographically signed)
announcement.
> 2) using the internal gpg signatures of the rpm package.
>
> 1) execute the command
> md5sum <name-of-the-file.rpm>
> after you downloaded the file from a SuSE ftp server or its
mirrors.
> Then, compare the resulting md5sum with the one that is listed
in the
> announcement. Since the announcement containing the checksums
is
> cryptographically signed (usually using the key
security@xxxxxxx),
> the checksums show proof of the authenticity of the package.
> We disrecommend to subscribe to security lists which cause the
> email message containing the announcement to be modified so
that
> the signature does not match after transport through the
mailing
> list software.
> Downsides: You must be able to verify the authenticity of the
> announcement in the first place. If RPM packages are being
rebuilt
> and a new version of a package is published on the ftp server,
all
> md5 sums for the files are useless.
>
> 2) rpm package signatures provide an easy way to verify the
authenticity
> of an rpm package. Use the command
> rpm -v --checksig <file.rpm>
> to verify the signature of the package, where <file.rpm> is the
> filename of the rpm package that you have downloaded. Of
course,
> package authenticity verification can only target an
uninstalled rpm
> package file.
> Prerequisites:
> a) gpg is installed
> b) The package is signed using a certain key. The public part
of this
> key must be installed by the gpg program in the directory
> ~/.gnupg/ under the user's home directory who performs the
> signature verification (usually root). You can import the
key
> that is used by SuSE in rpm packages for SuSE Linux by
saving
> this announcement to a file ("announcement.txt") and
> running the command (do "su -" to be root):
> gpg --batch; gpg < announcement.txt | gpg --import
> SuSE Linux distributions version 7.1 and thereafter install
the
> key "build@xxxxxxx" upon installation or upgrade, provided
that
> the package gpg is installed. The file containing the
public key
> is placed at the toplevel directory of the first CD
(pubring.gpg)
> and at
ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
>
> - SuSE runs two security mailing lists to which any interested party
may
> subscribe:
>
> suse-security@xxxxxxxx
> - general/linux/SuSE security discussion.
> All SuSE security announcements are sent to this list.
> To subscribe, send an email to
> <suse-security-subscribe@xxxxxxxx>.
>
> suse-security-announce@xxxxxxxx
> - SuSE's announce-only mailing list.
> Only SuSE's security annoucements are sent to this list.
> To subscribe, send an email to
> <suse-security-announce-subscribe@xxxxxxxx>.
>
> For general information or the frequently asked questions (faq)
> send mail to:
> <suse-security-info@xxxxxxxx> or
> <suse-security-faq@xxxxxxxx> respectively.
>
> ===================================================
> SuSE's security contact is <security@xxxxxxxx>.
> The <security@xxxxxxxx> public key is listed below.
> ===================================================
>
________________________________________________________________________
______
>
> The information in this advisory may be distributed or reproduced,
> provided that the advisory is not modified in any way. In
particular,
> it is desired that the cleartext signature shows proof of the
> authenticity of the text.
> SuSE GmbH makes no warranties of any kind whatsoever with respect
> to the information contained in this security advisory.
>
> Type Bits/KeyID Date User ID
> pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@xxxxxxx>
> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key
<build@xxxxxxx>
>
> - -----BEGIN PGP PUBLIC KEY BLOCK-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
> BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
> JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
> 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
> P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
> cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
> VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
> yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
> tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
> xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
> Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
> choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
> BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
> v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
> x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
> Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
> MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
> saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
> L0oixF12CpkBogQ57vSBEQQAk/GN+ftr7+DBlSoixDDpfRnUk+jApGEt8hCnrnjV
> nPs/9Cr33+CXLQbILOO7Y5oiPbJdHh45t4E0fKyLVzDerCRFB1swz/mNDxT26DLy
> sdBV5fwNHTPhxa67goAZVrehQPqJEckkIpYriOaYcKpF3n5fQIZMEfMaHEElQhcX
> ML8AoJVXDkJYh7vI8EUB8ZURNLZMEECNA/sH0MCnb4Q6ZcRyeZ3+1PHP8hP73b6T
> epRdLZhaylwVF/iu7uIn62ZUL4//NTOCDY7V63qg4iba/fUbOsWtEnGaiE7mQuAl
> sSWvRspwRA9/g9rdVf3/JdLJrLmKBTheyG+PSJE3W7cAE4ZWafGxIRCwXhmj3TQn
> Jn2euqylHRubEQP/aL53NZK0kBdvrKgff6O8Of6tqoss8Dkk55I7QVFSp+My1Dn+
> mngQKFejTAgtyo/WmR3wPjQ9HoT2lRiYI2lTRYT4uMdHuwVC3b4DqAKmoy375FER
> wHkrMVyKBJslv8QtbAWw5A1CAUseaHo+91wmYJ4/4p6YUahqbG/tZyhbxfq0KFN1
> U0UgUGFja2FnZSBTaWduaW5nIEtleSA8YnVpbGRAc3VzZS5kZT6IXAQTEQIAHAUC
> Oe70gQUJA8JnAAQLCgMEAxUDAgMWAgECF4AACgkQqE7a6JyACspfLACffAYA+NM8
> NBhyRyH+nTX58CNjwLIAoIx9fj52BJe0xY7WbKoXs1+72b2AiEYEEBECAAYFAjpw
> XlIACgkQnkDjEAAKq6TczgCgi+ddhWb7+FWcfeE6WwPZccqAHowAnjjtRyGwHLQH
> r5OTFAYTXi2Wv6jNiQEVAwUQOnBgb3ey5gA9JdPZAQE1pwf/QJ+b34lFBNVUJ7fk
> /xGJJREt7V12iSafaRzGuH8xWvIz1bb+VARxnnt16FDQ1cDNjoEhCEmcW83Vxp6i
> JXE9PE8wVA/Yue/bon5JS7J69+UiQ2eq2pudfwljp52lYVM53jgPYEz0q/v3091n
> lZ8CYkAkN9JDS1lV1gEzJ7J0+POngDpU+lDQT2EC6VKaxeWK8pNt6UFDwICRDQxK
> nlOoiDvTrdWT7QdJZ4sPv8Qotdw9+tKNbWQ2DqdIRxyTdw9xDfAtcj6mXeQr7852
> Lwem1gSKVnEYHZ9g1FTJqVOutY8KhpUc9RfOCRv8XuIxrs4KSbfSF0s8qIRCQelx
> ufg9AbkCDQQ57vSSEAgAhJHQTejMX+Vr6g1pHDEcusJ63fQ2CfFFE5iE9okH9O7U
> VCiSfb9CV38dmeHdPCEEjDUWquFYEnvj3WICMtH249t1Ymuf4Du3yRKQ9oXdn/qT
> Jzlrx9qzjiG3mH7ocwHOgUIwCrZoEdBEVE2n0zPVm+hddwjWWTWXw6pxQz+i9dsN
> 89xexRV5M9O0bNwCLaNWX2GXeLAkqTK/9EuZy6x2yLxi6du9YYUAXkZpqBhCjtiU
> XpRoFCdglMznbcAyCk9C2wqb2j/D1Z2BeSBaGCSFkR6pRLebnE17LWcu72Iy+r0z
> +JecbPiyDpDZj4apn7IC81aNFGi7fNITsHODbwwjiwADBgf/YPvVdzkc8OC7ztac
> EWCanwylKvxCdKzTDA+DfES6WUYShyiVJvZzRy25LJ5WcK20kzOS6Qv1OrIXiz/p
> dGy1aKtJZrAnFEsofpmOj8VoqyyFgp/yAGQBp12+mXek7SCZRhuqalDfEMRiWEJ6
> J5dLkyShyRDWyPbFh0HXE7QTHN+IKKxxQqNQXL6Z3NSxS61p+5n6BseiDUI39xxk
> KTFwFrkgUIc5Gs2Or2lhaWvGwSfoCmwbsklszZt6xbU+R0SjFqTvjPWx6eHfqbmN
> C9WMDdTjGrXDDKXFp2aYlokfN6It9vsbVlGNlOwHt/JjGoPMxW6Xqj0FLA7/Vewg
> CdXW64hMBBgRAgAMBQI57vSSBQkDwmcAAAoJEKhO2uicgArKSyIAmwUHf/vtKQfc
> mVg4asR7U6XQl0bAAJ4pO22B5U8UH6IYl2LBCXFqw5+5fA==
> =rVRn
> - -----END PGP PUBLIC KEY BLOCK-----
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3i
> Charset: noconv
>
> iQEVAwUBO9mMI3ey5gA9JdPZAQGH8Qf9Fw4zJCYTXHQxQrfEVV2abEoCaPL+K6U2
> p4GlZyZs9Ggt0kXQWPrRgLzsgQB97upJBgbNfJ5xV9mYbCyLbkP4uZ/e/8CGnsca
> /qTf+cOkW/DLFCsPa2utbdFm5BhXlrrKyohlCRIHIab1fSQoy0GKhRHq2jTTdmkO
> h48uwo9g2DWJJ8t00lQR2h3Z9Pd0PvZpWiceQktcmy2NAEnhCa4o+wyQctTJwiez
> s9bO1DfK3MN5cgJjO63+n/zLXRMwfAIXqr+/HB4ggs1VOf7lvmonlwVfI171YkDF
> bmiWx6grq2vfqOtSOJZRtvwKxm8t/ayJFEaRHg2mqIWD+TmFVSY8uw==
> =xhBs
> -----END PGP SIGNATURE-----
>
> --
> To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
> For additional commands, e-mail: suse-security-help@xxxxxxxx
| < Previous | Next > |