November 2001 - openSUSE Security Announce

SuSE Security Announcement: wuftpd (SuSE-SA:2001:043)
by Roman Drahtmueller 28 Nov '01

28 Nov '01

-----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SuSE Security Announcement Package: wuftpd Announcement-ID: SuSE-SA:2001:043 Date: Wednesday, Nov. 28th, 2001 23:45 MET Affected SuSE versions: 6.3, 6.4, 7.0, 7.1, 7.2, 7.3 Vulnerability Type: remote root compromise Severity (1-10): 7 SuSE default package: no Other affected systems: all liunx-like systems using wu-ftpd 2.4.x / 2.6.0 / 2.6.1 Content of this advisory: 1) security vulnerability resolved: wuftpd problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds 3) standard appendix (further information) ______________________________________________________________________________ 1) problem description, brief discussion, solution, upgrade information The wuftpd package as shipped with SuSE Linux distributions comes with two versions of wuftpd: wuftpd-2.4.2, installed as /usr/sbin/wuftpd, and wuftpd-2.6.0, installed as /usr/sbin/wuftpd-2.6. The admin decides which version to use by the inetd/xinetd configuration. The CORE ST Team had found an exploitable bug in all versions of wuftpd's ftpglob() function. The glob function overwrites buffer bounds while matching open and closed brackets. Due to a missing \0 at the end of the buffer a later call to a function that frees allocated memory will feed free(3) with userdefined data. This bug could be exploited depending on the implementation of the dynmaic allocateable memory API (malloc(3), free(3)) in the libc library. Linux and other system are exploitable! Some weeks ago, an internal source code audit of wu-ftpd 2.6.0 performed by Thomas Biege, SuSE Security, revealed some other security related bugs that are fixed in the new RPM packages. Additionally, code from wu-ftpd 2.6.1 were backported to version 2.6.0 to make it more stable. A temporary fix other than using a different server implementation of the ftp protocol is not available. We recommend to update the wuftpd package on your system. We thank the wuftpd team for their work on the bug, particularly because the coordination between the vendors and the wuftpd developers lacked the necessary discipline for the timely release of the information about the problem. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Uhv file.rpm" to apply the update. i386 Intel Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/wuftpd-2.6.0-344.i386.rpm d1b549b8c2d91d66a8b35fe17a1943b3 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/wuftpd-2.6.0-344.src.rpm 9ef0e6ac850499dc0150939c62bc146f SuSE-7.2 ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/wuftpd-2.6.0-344.i386.rpm 4583443a993107b26529331fb1e6254d source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/wuftpd-2.6.0-344.src.rpm aaee0343670feae70ccc9217a8e22211 SuSE-7.1 ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/wuftpd-2.6.0-346.i386.rpm 347a030a85cb5fcbe32d3d79d382e19e source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/wuftpd-2.6.0-346.src.rpm aa3e53641f6ce0263196e6f1cb0447c3 SuSE-7.0 ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/wuftpd-2.6.0-344.i386.rpm e34eec18ecc10f187f6aa1aa3b24b75b source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/wuftpd-2.6.0-344.src.rpm fafc8c2bbd68dd5ca3d04228433c359a SuSE-6.4 ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/wuftpd-2.6.0-344.i386.rpm 2354abe95b056762c7f6584449291ff2 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/wuftpd-2.6.0-344.src.rpm 507b8d484b13737c9d2b6a68fda0cc26 SuSE-6.3 ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/wuftpd-2.6.0-347.i386.rpm 9851ad02e656bba8b5e02ed2ddb46845 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/wuftpd-2.6.0-347.src.rpm 5d7c4b6824836ca28b228cc5dcfc4fd6 Sparc Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/wuftpd-2.6.0-240.sparc.rpm 2d19e4ead17396a1e28fca8745f9629d source rpm: ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/wuftpd-2.6.0-240.src.rpm bdb0b5ddd72f8563db3c8e444a0df7f5 SuSE-7.1 ftp://ftp.suse.com/pub/suse/sparc/update/7.1/n2/wuftpd-2.6.0-242.sparc.rpm f6b04f284bece6bf3700facccc015ffe source rpm: ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/wuftpd-2.6.0-242.src.rpm 1660547ac9a5a3b32a4070d69803cf18 SuSE-7.0 ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/wuftpd-2.6.0-241.sparc.rpm 1bd905b095b9a4bb354fc190b6e54a01 source rpm: ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/wuftpd-2.6.0-241.src.rpm 597263eb7d0fbbf242d519d3c126a441 AXP Alpha Platform: SuSE-7.1 ftp://ftp.suse.com/pub/suse/axp/update/7.1/n2/wuftpd-2.6.0-252.alpha.rpm e608bfd2cc9e511c6eb6932c33c68789 source rpm: ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/wuftpd-2.6.0-252.src.rpm 34915af1ca79b27bad8bc2fd3a5cab05 SuSE-7.0 ftp://ftp.suse.com/pub/suse/axp/update/7.0/n1/wuftpd-2.6.0-251.alpha.rpm 86a7d8f60d76a053873bcc13860b0bbb source rpm: ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/wuftpd-2.6.0-251.src.rpm 9674f9f1630b3107ac22d275705da76e SuSE-6.4 ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/wuftpd-2.6.0-251.alpha.rpm 2501444a1e4241e8f6f4cdcc6fd133b0 source rpm: ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/wuftpd-2.6.0-251.src.rpm 34812d943900bdb902ad7edd40e1943f SuSE-6.3 ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/wuftpd-2.6.0-250.alpha.rpm 429a49ef9d4d0865fbb443c212b8a8c7 source rpm: ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/wuftpd-2.6.0-250.src.rpm 76467dae0f460677ba80ec907eefca28 PPC Power PC Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/wuftpd-2.6.0-277.ppc.rpm a381269b3e2fc43fda59e4d08aef57ae source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/wuftpd-2.6.0-277.src.rpm 7cacb696a88e57a843402a796212aee6 SuSE-7.1 ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n2/wuftpd-2.6.0-277.ppc.rpm bfc39be2c09323d96f974fdd0c73fda1 source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/wuftpd-2.6.0-277.src.rpm e2681b2ed4801ce14b5dfb926480ac51 SuSE-7.0 ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n1/wuftpd-2.6.0-279.ppc.rpm 19f989e637fd9b6fa652f8a4014bb7b1 source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/wuftpd-2.6.0-279.src.rpm 76c493a915691c51a2481f0925e8ce39 SuSE-6.4 ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/wuftpd-2.6.0-278.ppc.rpm ad29cf172bbd03a5e1f301cf6b9404e5 source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/wuftpd-2.6.0-278.src.rpm 82338702692eba599d8c3d242aff3d1a ______________________________________________________________________________ 2) Pending vulnerabilities in SuSE Distributions and Workarounds: - ssh/openssh exploits The wrong fix for the crc32-compensation attack is currently actively exploited in the internet for both the ssh and the openssh implementation of the ssh-1 protocol. We urge our users to upgrade their ssh or openssh packages to the latest versions that are located on our ftp server at the usual directories, referred to via http://www.suse.de/de/support/security/adv004_ssh.txt from February earlier this year. Please note, the packages for the SuSE Linux distributions 7.0 and older containing cryptographic code are located on the German ftp server ftp.suse.de, the distributions 7.1 and newer have their crypto updates on ftp.suse.com. There are legal constraints beyond our control that lead to this situation. Openssh packages of the version 2.9.9p2 ready to download on the ftp server ftp.suse.com. They fix the security problems mentioned above, along with a set of less serious security problems. The announcement is still pending while investigations about the status of the package are in progress. - libgtop_daemon The libgtop_daemon, part of the libgtop package for gathering and monitoring process and system information, has been found vulnerable to a format string error. We are in the process of providing fixes for the affected distributions 6.4-7.3. In the meanwhile, we recommend to disable the libgtop_daemon on systems where it is running. This daemon is neither installed nor started (if installed) by default on SuSE Systems. - kernel updates A bug in the elf loader of the linux kernels version 2.4 from our announcement SSA:2001:036 can cause a system to crash if a user executes a vmlinux kernel image. We are preparing another update series to workaround this problem and will re-issue the kernel announcement as soon as possible. ______________________________________________________________________________ 3) standard appendix: SuSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SuSE's announce-only mailing list. Only SuSE's security annoucements are sent to this list. To subscribe, send an email to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (faq) send mail to: <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com> respectively. =============================================== SuSE's security contact is <security(a)suse.com>. =============================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. SuSE GmbH makes no warranties of any kind whatsoever with respect to the information contained in this security advisory. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQEVAwUBPAVrBHey5gA9JdPZAQFhHwf/Vw7FQu1H4TXqi3qHVaTK9S1o8lCFSvko SS8aDJbmWSS0KXTF8iEI/tASxfk7sAE55QrBASjVC8drmAowhO1Xhw52esDdYeZX 2ygNhzVj0XRZ30e/ZjjBBhWXT91EP9F9h3R5T56BKJH1WVb5dmgVrLoiTqK1rafk mXezFnhDqRzvMZWfJGlO4peuum8tBO8Eh8wXMhx6nXFOS71Cv0I4Em1tKeFrujjQ kGf8CRexJZC3lr8PnAuyctdkdFInIC/KyroALmAsC/sQ0TR/YONi50BhYaeTV5Sc jM4ENMmnF2VZ2C+iH1tJpUYHxgM6WoRHpE1aSFRDUMSxhiU1ifo6TQ== =fm+e -----END PGP SIGNATURE-----

1 0

SuSE Security Announcement: cyrus-sasl (SuSE-SA:2001:042)
by Thomas Biege 23 Nov '01

23 Nov '01

-----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SuSE Security Announcement Package: cyrus-sasl Announcement-ID: SuSE-SA:2001:042 Date: Friday, Nov 23th, 2001 12.00 MET Affected SuSE versions: 7.0, 7.1, 7.2, 7.3 Vulnerability Type: possible local/remote privilege escalation Severity (1-10): 4 SuSE default package: no Other affected systems: all linux-like systems using this version of cyrus-sasl Content of this advisory: 1) security vulnerability resolved: cyrus-sasl problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds 3) standard appendix (further information) ______________________________________________________________________________ 1) problem description, brief discussion, solution, upgrade information The Cyrus SASL library provides an authentication API for mail clients and servers. A format bug was found in one of the logging functions, that could be used by an attacker to gain access to a machine or to acquire higher privileges. There is no known temporary fix, so please update your system with the new RPMs from our FTP server. Download the update package from locations described below and install the package with the command: rpm -Uhv file.rpm The md5sum for each file is in the line below. You can verify the integrity of the rpm files using the command: rpm --checksig --nogpg file.rpm independently from the md5 signatures below. i386 Intel Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/i386/update/7.3/sec1/cyrus-sasl-1.5.24-157.i386… e45171d1a76c91a0bfa3d086d9d599e5 ftp://ftp.suse.com/pub/suse/i386/update/7.3/sec2/cyrus-sasl-devel-1.5.24-15… b03e76641050495d4ec44ac0d9f95e40 ftp://ftp.suse.com/pub/suse/i386/update/7.3/sec2/cyrus-sasl-gssapi-1.5.24-1… acad2f6e40fd4de5d8729b24f1cb982d source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/cyrus-sasl-1.5.24-157.src.r… b33d52a12efd4222b5f1886ff3b50eb8 SuSE-7.2 ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec1/cyrus-sasl-1.5.24-158.i386… b6c6eacbb748b10077273e17c4530d70 ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec2/cyrus-sasl-devel-1.5.24-15… 6bc208c1626367b5dce2637c533d46a4 ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec2/cyrus-sasl-gssapi-1.5.24-1… fed016e9eeb13fe2d1d8b43d5a7eb2a2 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/cyrus-sasl-1.5.24-158.src.r… 6dd7b8b037f12a8a5adef3abbb45f107 SuSE-7.1 ftp://ftp.suse.com/pub/suse/i386/update/7.1/sec1/cyrus-sasl-1.5.24-157.i386… 5ae7eb3805130a03d8f27f89b1cee7b9 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/cyrus-sasl-1.5.24-157.src.r… 7b54ce2a549ab26a4cc7af2317c31114 SuSE-7.0 ftp://ftp.suse.com/pub/suse/i386/update/7.0/zima1/sasl-1.5.21-79.i386.rpm f9d4b6cd6fa27028fba8da6e50368b11 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/sasl-1.5.21-79.src.rpm 8edbdbd49ad826da014a60cbe0ecd4fb Sparc Platform: SuSE-7.1 ftp://ftp.suse.com/pub/suse/sparc/update/7.1/sec1/cyrus-sasl-1.5.24-70.spar… 464d4d9ab8a46e104039e8811e3f4651 source rpm: ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/cyrus-sasl-1.5.24-70.src.r… 753b3e27311760372e7da9f52de3dcbf SuSE-7.0 ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zima1/sasl-1.5.21-30.sparc.rpm 01b229e0fb42f48c24fef34462dbccbb source rpm: ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/sasl-1.5.21-30.src.rpm df8d848c7998f3675fbb4755bd83a742 AXP Alpha Platform: SuSE-7.1 ftp://ftp.suse.com/pub/suse/axp/update/7.1/sec1/cyrus-sasl-1.5.24-62.alpha.… ea80bba65ae8cf22ea587e38aae7a2ee source rpm: ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/cyrus-sasl-1.5.24-62.src.rpm b363227f99290c7866e5ac4fc7f7b6dc SuSE-7.0 ftp://ftp.suse.com/pub/suse/axp/update/7.0/zima1/sasl-1.5.21-82.alpha.rpm 22a48ae6c7963df620a76e22899888e5 source rpm: ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/sasl-1.5.21-82.src.rpm c39df74ca8900ac203360151f6e25d6b PPC Power PC Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec1/cyrus-sasl-1.5.24-92.ppc.rpm baddf572ea5dd550ffe952ec19315bef ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec2/cyrus-sasl-devel-1.5.24-92.… 4fce4a7aaf74f3b42538916a14abaea0 ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec2/cyrus-sasl-gssapi-1.5.24-92… fb4fe578f47d2f4b7abc697301330aef source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/cyrus-sasl-1.5.24-92.src.rpm 94a5288432b1957a6c3b8676049e1199 SuSE-7.1 ftp://ftp.suse.com/pub/suse/ppc/update/7.1/sec1/cyrus-sasl-1.5.24-92.ppc.rpm 8b5245304196e6b935c420394e14ae18 source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/cyrus-sasl-1.5.24-92.src.rpm 10a5d72a03041fafb06d97d2730eb054 SuSE-7.0 ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zima1/sasl-1.5.21-30.ppc.rpm ff3cdc2a4bd110632a8e9aa06794f3ec source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/sasl-1.5.21-30.src.rpm aeedefa1eb86cca0cb7d80e3fc0f76f9 ______________________________________________________________________________ 2) Pending vulnerabilities in SuSE Distributions and Workarounds: - openssh After stabilizing the openssh package, updates for the distributions 6.4-7.2 are currently being prepared. The update packages fix a security problem related to the recently discovered problems with source ip based access restrictions in a user's ~/.ssh/authorized_keys2 file. The packages will appear shortly on our ftp servers. Please note that packages for the distributions 6.3 and up including 7.0 containing cryptographic software are located on the German ftp server ftp.suse.de, all other packages can be found on ftp.suse.com at the usual location. We will issue a dedicated Security announcement for the openssh package. - The ziptool program runs setuid root in the easy permission mode and contains an overflow which allows local attackers to gain root privileges. A zipdrive must be configured and a zipdisk being inserted in order to exploit the bug. The overflow has been fixed. Please update your packages. - The ncpfs package containing the setuid root programs ncpmount and ncpumount was vulnerable to local bufferoverflow attacks. The package has been fixed. ______________________________________________________________________________ 3) standard appendix: SuSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SuSE's announce-only mailing list. Only SuSE's security annoucements are sent to this list. To subscribe, send an email to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (faq) send mail to: <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com> respectively. =============================================== SuSE's security contact is <security(a)suse.com>. =============================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. SuSE GmbH makes no warranties of any kind whatsoever with respect to the information contained in this security advisory. -----BEGIN PGP SIGNATURE----- Version: 2.6.3in Charset: noconv iQEVAwUBO/5MiXey5gA9JdPZAQHnGQf9ElADckRy8toxiy7qOOXwUFeB999Ttrsi gPrBR7OTLH/cCul4Pm4YMPGvfsLZ2z/eseOeA4XUAkY/acThlT0wClnLktmZ1mvI +e/m6lMuhbdIAXXr3LBpKvHiZnmhjAkoNsUecikE1N1qnqvi7JMleqO9Fm/J19T7 E2w80Rzo4A7cq8x6l0J3Ie+32ywPwpQKsE4/vMReGrM76K/56OE1b3hW7KnaJwzr /PGVN7i3b/H1S21OGJmKz8VKXweg3GS2NNdwMJLyKfZd1n8JOSxbvhUo+8q5meBf wGzo9T8uyM0aEYXOzEwoaxmumFEUdNOVnEJaJp6ngXPl+kDUWFbepQ== =ciYt -----END PGP SIGNATURE----- Bye, Thomas -- Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: thomas(a)suse.de Function: Security Support & Auditing "lynx -source http://www.suse.de/~thomas/contact/thomas.asc | pgp -fka" Key fingerprint = 51 AD B9 C7 34 FC F2 54 01 4A 1C D4 66 64 09 83 -- Trete durch die Form ein, und trete aus der Form heraus.

1 0

SuSE Security Announcement: susehelp
by Sebastian Krahmer 22 Nov '01

22 Nov '01

-----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SuSE Security Announcement Package: susehelp Announcement-ID: SuSE-SA:2001:041 Date: Thu Nov 22 11:36:00 MET 2001 Affected SuSE versions: 7.2, 7.3 Vulnerability Type: remote command execution Severity (1-10): 8 SuSE default package: yes Other affected systems: no Content of this advisory: 1) security vulnerability resolved: CGI vulnerability in susehelp. problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds 3) standard appendix (further information) ______________________________________________________________________________ 1) problem description, brief discussion, solution, upgrade information The susehelp package contains several CGI-scripts to provide a flexible help-system to the user. Some of these scripts open files in an insecure manner, thus allowing remote attackers to execute arbitrary commands as wwwrun-user on the server running susehelp package. These bugs have been fixed in the newly available packages. Please update your susehelp package immediately if present on your system. SuSE-7.3: ftp://ftp.suse.com/pub/suse/i386/update/7.3/doc1/susehelp-2001.09.06-110.no… 8b441a44bda65f5e162d326d1e6ed1df source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/susehelp-2001.09.06-110.src… 9e38fa3bbc650974c8138981754610b6 SuSE-7.2: ftp://ftp.suse.com/pub/suse/i386/update/7.2/doc1/susehelp-2001.05.14-41.noa… 27789618aeb317225c8262016afb65b9 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/susehelp-2001.05.14-41.src.… fd5a85ebada13eb6de95067b066746c0 ______________________________________________________________________________ 2) Pending vulnerabilities in SuSE Distributions and Workarounds: - The ziptool program runs setuid root in the easy permission mode and contains an overflow which allows local attackers to gain root privileges. A zipdrive must be configured and a zipdisk being inserted in order to exploit the bug. The overflow has been fixed. Please update your packages. - The ncpfs package containing the setuid root programs ncpmount and ncpumount was vulnerable to local bufferoverflow attacks. The package has been fixed. ______________________________________________________________________________ 3) standard appendix: authenticity verification, additional information - Package authenticity verification: SuSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package: 1) md5sums as provided in the (cryptographically signed) announcement. 2) using the internal gpg signatures of the rpm package. 1) execute the command md5sum <name-of-the-file.rpm> after you downloaded the file from a SuSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security(a)suse.de) the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless. 2) rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, where <file.rpm> is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an uninstalled rpm package file. Prerequisites: a) gpg is installed b) The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SuSE in rpm packages for SuSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SuSE Linux distributions version 7.1 and thereafter install the key "build(a)suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the toplevel directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de . - SuSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SuSE's announce-only mailing list. Only SuSE's security annoucements are sent to this list. To subscribe, send an email to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (faq) send mail to: <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com> respectively. =================================================== SuSE's security contact is <security(a)suse.com>. The <security(a)suse.com> public key is listed below. =================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the cleartext signature shows proof of the authenticity of the text. SuSE GmbH makes no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GZkBogQ57vSBEQQAk/GN+ftr 7+DBlSoixDDpfRnUk+jApGEt8hCnrnjVnPs/9Cr33+CXLQbILOO7Y5oiPbJdHh45 t4E0fKyLVzDerCRFB1swz/mNDxT26DLysdBV5fwNHTPhxa67goAZVrehQPqJEckk IpYriOaYcKpF3n5fQIZMEfMaHEElQhcXML8AoJVXDkJYh7vI8EUB8ZURNLZMEECN A/sH0MCnb4Q6ZcRyeZ3+1PHP8hP73b6TepRdLZhaylwVF/iu7uIn62ZUL4//NTOC DY7V63qg4iba/fUbOsWtEnGaiE7mQuAlsSWvRspwRA9/g9rdVf3/JdLJrLmKBThe yG+PSJE3W7cAE4ZWafGxIRCwXhmj3TQnJn2euqylHRubEQP/aL53NZK0kBdvrKgf f6O8Of6tqoss8Dkk55I7QVFSp+My1Dn+mngQKFejTAgtyo/WmR3wPjQ9HoT2lRiY I2lTRYT4uMdHuwVC3b4DqAKmoy375FERwHkrMVyKBJslv8QtbAWw5A1CAUseaHo+ 91wmYJ4/4p6YUahqbG/tZyhbxfq0KFN1U0UgUGFja2FnZSBTaWduaW5nIEtleSA8 YnVpbGRAc3VzZS5kZT6IXAQTEQIAHAUCOe70gQUJA8JnAAQLCgMEAxUDAgMWAgEC F4AACgkQqE7a6JyACspfLACffAYA+NM8NBhyRyH+nTX58CNjwLIAoIx9fj52BJe0 xY7WbKoXs1+72b2AiEYEEBECAAYFAjpwXlIACgkQnkDjEAAKq6TczgCgi+ddhWb7 +FWcfeE6WwPZccqAHowAnjjtRyGwHLQHr5OTFAYTXi2Wv6jNiQEVAwUQOnBgb3ey 5gA9JdPZAQE1pwf/QJ+b34lFBNVUJ7fk/xGJJREt7V12iSafaRzGuH8xWvIz1bb+ VARxnnt16FDQ1cDNjoEhCEmcW83Vxp6iJXE9PE8wVA/Yue/bon5JS7J69+UiQ2eq 2pudfwljp52lYVM53jgPYEz0q/v3091nlZ8CYkAkN9JDS1lV1gEzJ7J0+POngDpU +lDQT2EC6VKaxeWK8pNt6UFDwICRDQxKnlOoiDvTrdWT7QdJZ4sPv8Qotdw9+tKN bWQ2DqdIRxyTdw9xDfAtcj6mXeQr7852Lwem1gSKVnEYHZ9g1FTJqVOutY8KhpUc 9RfOCRv8XuIxrs4KSbfSF0s8qIRCQelxufg9AbkCDQQ57vSSEAgAhJHQTejMX+Vr 6g1pHDEcusJ63fQ2CfFFE5iE9okH9O7UVCiSfb9CV38dmeHdPCEEjDUWquFYEnvj 3WICMtH249t1Ymuf4Du3yRKQ9oXdn/qTJzlrx9qzjiG3mH7ocwHOgUIwCrZoEdBE VE2n0zPVm+hddwjWWTWXw6pxQz+i9dsN89xexRV5M9O0bNwCLaNWX2GXeLAkqTK/ 9EuZy6x2yLxi6du9YYUAXkZpqBhCjtiUXpRoFCdglMznbcAyCk9C2wqb2j/D1Z2B eSBaGCSFkR6pRLebnE17LWcu72Iy+r0z+JecbPiyDpDZj4apn7IC81aNFGi7fNIT sHODbwwjiwADBgf/YPvVdzkc8OC7ztacEWCanwylKvxCdKzTDA+DfES6WUYShyiV JvZzRy25LJ5WcK20kzOS6Qv1OrIXiz/pdGy1aKtJZrAnFEsofpmOj8VoqyyFgp/y AGQBp12+mXek7SCZRhuqalDfEMRiWEJ6J5dLkyShyRDWyPbFh0HXE7QTHN+IKKxx QqNQXL6Z3NSxS61p+5n6BseiDUI39xxkKTFwFrkgUIc5Gs2Or2lhaWvGwSfoCmwb sklszZt6xbU+R0SjFqTvjPWx6eHfqbmNC9WMDdTjGrXDDKXFp2aYlokfN6It9vsb VlGNlOwHt/JjGoPMxW6Xqj0FLA7/VewgCdXW64hMBBgRAgAMBQI57vSSBQkDwmcA AAoJEKhO2uicgArKSyIAmwUHf/vtKQfcmVg4asR7U6XQl0bAAJ4pO22B5U8UH6IY l2LBCXFqw5+5fA== =Jnnf - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQEVAwUBO/zWkney5gA9JdPZAQHHpwgAmJnvbDtdFiREznL1+rjN9lCOgD5Gej4C P97rf7ArDg+uSGeHqZM4zDBGFukuZNzGPJWla8JwNk1BL1pgoXcDPlvtKXpxwLTW fbQteH/Zul0aFPBLSekexpjAa9q1yKU9UWv58kVJNwtrp6+KDGc65zlMdzgM4pCt hkZPwYNDpUhvsF9LdghOvj1NIZ7d7cfk46yO560tGkd9LxHHcMO7xvREmVg/guiT Y1RSKlQirSXHQBLIb6NJSrFImBy/dUBV5SPlT/cZkINDWAjlV4WbcX5elHn7qD9m Er9iXW2BO/UunKwoTMVedYlKd9K95pcmPeB1F/97AS/HqXw6KHWhCw== =lznL -----END PGP SIGNATURE----- -- ~ ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer(a)suse.de - SuSE Security Team ~

1 0

Supported Distributions
by Roman Drahtmueller 14 Nov '01

14 Nov '01

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Effective Monday, December 10th 2001, after a lifespan of two years, SuSE will discontinue support for the successful SuSE Linux distribution SuSE Linux 6.3. SuSE puts much effort into adding security improvements (patches) to the software instead of publishing a new version; the same program with a fix for a specific problem promises to work just as reliable as the original version from the distribution, whereas new versions introduce new functionality which changes the behaviour. In some cases however, especially if the security leak is based on problematic design decisions or when the fix(es) are fairly large, the only reasonable fix for a security problem is to update to a newer version of the software. These newer versions tend to become incompatible with our older distribution releases because of missing features in the operating system environment. This forces us to focus on the distributions of a newer release date. The remaining distributions SuSE Linux 6.4 SuSE Linux 7.0 SuSE Linux 7.1 SuSE Linux 7.2 SuSE Linux 7.3 for the IA-32, IA-64, AXP Alpha, SPARC, S/390 as well as the PowerPC platforms will continue to be supported for a two-year period after the release of the respective product. Due to different maintenance terms, the SuSE Linux Enterprise Server and other products based on the Enterprise Server Edition are not affected by this notice. The freshly released SuSE Linux 7.3 distribution is a stable, robust and secure product that sets new standards in the Free and Open Source Software world. We encourage our usership to make the transition to a newer version of the SuSE Linux distribution. Regards, Roman Drahtmüller, SuSE Security. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: http://www.suse.de/ iEYEARECAAYFAjvyxWUACgkQnkDjEAAKq6SfxACeL86Gc8Fe9W7NFGqlXSQH9MmN +1kAoJFvvm6pERQ+YsPzsCJUq9k+5KH6 =f6Vw -----END PGP SIGNATURE-----

1 0

SuSE Security Announcement: webalizer (SuSE-SA:2001:040)
by Thomas Biege 06 Nov '01

06 Nov '01

-----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SuSE Security Announcement Package: webalizer Announcement-ID: SuSE-SA:2001:040 Date: Tuesday, Nov 06th, 2001 12.00 MET Affected SuSE versions: 7.1, 7.2, 7.3 Vulnerability Type: remote privilege escalation (cross-site scripting) Severity (1-10): 5 SuSE default package: no Other affected systems: all linux-like systems using this version of webalizer Content of this advisory: 1) security vulnerability resolved: webalizer problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds 3) standard appendix (further information) ______________________________________________________________________________ 1) problem description, brief discussion, solution, upgrade information The webalizer is a widely used tool for analyzing web server logs and produce statistics in HTML format. An exploitable bug was found in webalizer which allows a remote attacker to execute commands on other client machines or revealing sensitive information by placing HTML tags in the right place. This is possible due to missing sanity checks on untrusted data - hostnames and search keywords in this case - that are received by webalizer. This kind of attack is also known as "Cross-Site Scripting Vulnerability". Additionally the untrusted data will be written to files on the server running webalizer; this may lead to further problems when using this data as input for third-party software/scripts. There is no known temporary fix, so please update your system with the new RPMs from our FTP server. Download the update package from locations described below and install the package with the command: rpm -Uhv file.rpm The md5sum for each file is in the line below. You can verify the integrity of the rpm files using the command: rpm --checksig --nogpg file.rpm independently from the md5 signatures below. i386 Intel Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/webalizer-2.01.06-140.i386.r… 3525fd6ab9c27be34edad9bef05ff061 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/webalizer-2.01.06-140.src.r… 898d975f34991a02f02da603b6bcd529 SuSE-7.2 ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/webalizer-2.01.06-139.i386.r… 593a7f033158f57bac47cf2fa9cb83bc source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/webalizer-2.01.06-139.src.r… 70ceb86a0373070a06f6d39ec0bc4377 SuSE-7.1 ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/webalizer-2.01.06-139.i386.r… 74288622703dec120b18c0fbb5003917 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/webalizer-2.01.06-139.src.r… 213f7a394052dc193be05a882768054a Sparc Platform: SuSE-7.1 ftp://ftp.suse.com/pub/suse/sparc/update/7.1/n2/webalizer-2.01.06-54.sparc.… 5aa3b7511d704415498fbec3bfc2ccd5 source rpm: ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/webalizer-2.01.06-54.src.r… 792efab485712286fc848234b1aa249d AXP Alpha Platform: SuSE-7.1 ftp://ftp.suse.com/pub/suse/axp/update/7.1/n2/webalizer-2.01.06-49.alpha.rpm aa93070e8358b1cfd91b7fabffbfa985 source rpm: ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/webalizer-2.01.06-49.src.rpm 2065dd78c3f8147a94f97994fb37e6ce PPC Power PC Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/webalizer-2.01.06-72.ppc.rpm cc28460b1d6fac8f87cc4658fae45d3e source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/webalizer-2.01.06-72.src.rpm 7d7cec18f488f97187338723b0151426 SuSE-7.1 ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n2/webalizer-2.01.06-70.ppc.rpm 3630f538b0445ee462b73475b488b146 source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/webalizer-2.01.06-70.src.rpm 4c998066d5eb545bb1551e246f2724c1 ______________________________________________________________________________ 2) Pending vulnerabilities in SuSE Distributions and Workarounds: - openssh After stabilizing the openssh package, updates for the distributions 6.4-7.2 are currently being prepared. The update packages fix a security problem related to the recently discovered problems with source ip based access restrictions in a user's ~/.ssh/authorized_keys2 file. The packages will appear shortly on our ftp servers. Please note that packages for the distributions 6.3 and up including 7.0 containing cryptographic software are located on the German ftp server ftp.suse.de, all other packages can be found on ftp.suse.com at the usual location. We will issue a dedicated Security announcement for the openssh package. - nvi Takeshi Uno found a format tag vulnerability in all versions of nvi. The bug will be fixed in future version of SuSE Linux. - Please watch out for more announcements that are currently in our queue. ______________________________________________________________________________ 3) standard appendix: SuSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SuSE's announce-only mailing list. Only SuSE's security annoucements are sent to this list. To subscribe, send an email to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (faq) send mail to: <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com> respectively. =============================================== SuSE's security contact is <security(a)suse.com>. =============================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. SuSE GmbH makes no warranties of any kind whatsoever with respect to the information contained in this security advisory. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQEVAwUBO+e7oney5gA9JdPZAQEOhgf/YYGOy0R1hVScGRcrMR1jNNNzKSe/xtqS SC5SO8qFKnSIT5aFhDbc1BMdmPIGiJp8c0CS9M9mPyRop6LT55uPPdtRoLMgZkp0 TQVWVldz1F8Ou6fIjDXcv5blHR94ZRLi2is6Tzn+x1GC5srMJA6FDNMmwVWWdtjp nJGulyqBrTdNMb6GkFKdCstc55WCa4/GExKbb0bMaJz3JR8EFD6PlBltYbf8Zk3g PUeBMEkP7BeuzNci9I5SfD76/zbC3tta7i6h6SsjPFS8TE0GOojWWrBcc2yHOCZQ i7PiWXqvSD/GnfCRIn/BuUlqEw4sTf412l4Ls7V+ubWniK6tZRrjcA== =n24I -----END PGP SIGNATURE----- Bye, Thomas -- Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: thomas(a)suse.de Function: Security Support & Auditing "lynx -source http://www.suse.de/~thomas/contact/thomas.asc | pgp -fka" Key fingerprint = 51 AD B9 C7 34 FC F2 54 01 4A 1C D4 66 64 09 83 -- Trete durch die Form ein, und trete aus der Form heraus.

1 0

SuSE Security Announcement: kernel (update) (SuSE-SA:2001:039)
by Roman Drahtmueller 02 Nov '01

02 Nov '01

-----BEGIN PGP SIGNED MESSAGE----- Information about the security problems fixed with the new kernel rpm packages from SuSE Security Announcement: kernel (SuSE-SA:2001:036) has been withheld in coordination with other Linux distributors/vendors. We hereby re-release SuSE-SA:2001:036 with the new announcement ID SuSE-SA:2001:039, now including additional information about the bugs fixed. During testing of our kernel update packages, an additional kernel security problem has been reported to SuSE kernel developer Andi Kleen. Since his fix to this additional problem would have required another public kernel update, we have decided to delay the release of the announcement until this additional problem was sufficiently analyzed and fixed. By consequence, administrators who have applied the kernel update packages from SuSE-SA:2001:036, dated Friday, Oct 26th 2001, already have the complete fix and do not need to update again. The information about this problem was withheld from the public in coordination with other Linux vendors/distributors in order to give the distributors enough time to update their kernel packages. We find that this coordination is beneficial for the community, while we regret that the bug could not be fixed in time before the other distributor's kernel updates. Specifics about the problem: syncookies are a countermeasure against a SYN-flood attack, a remote denial-of-service attack method where the remote attacker floods the target host with packets that request a TCP connection (SYN-Bit set, no other TCP flag set) from possibly numerous forged source IP addresses. As a result, the attacked host is running out of resources, denying legitimate connection attempts. If syncookies are enabled, a host requesting a connection must answer a 24-bit cookie to be able to connect to an open tcp socket while a SYN-flood is in progress and detected by the syncookie mechanism. If an attacker can guess the 24 bit cookie, he will be able to bypass netfilter rules that match a TCP connection request (-y option to ipchains/ipfwadm, --syn to iptables). All 2.0, 2.2 and 2.4 series kernels are known to be affected. Summary of conditions that need to be satisfied for the weakness to impose a risk to a running system: * The attacker must be able to connect to at least one open (unfiltered) tcp port. * The syncookie protection mechanism must be enabled in the kernel. * netfilter rules protect one or more open tcp sockets, the attack targets. Workaround: A quick workaround against the problem is to disable syncookies using the following command: echo 0 > /proc/sys/net/ipv4/tcp_syncookies Please also change the value of IP_TCP_SYNCOOKIES in /etc/rc.config of a SuSE installation to not automatically turn on the syncookie protection during a reboot of the system. The value of IP_TCP_SYNCOOKIES defaults to "yes" in all SuSE Linux distributions. A permanent countermeasure is to update the kernel according to SuSE-SA:2001:036. If you already have updated your kernel as described in Announcement SuSE-SA:2001:036, then your system already has the necessary fix for the bug that is subject of this updated announcement. We thank Manfred Spraul who reported a randomness weakness problem to Andi Kleen <ak(a)suse.de>, and Andi Kleen for fixing this problem and recognizing the effect of the fix for the netfilter code (bypassing SYN filter rules). Now follows a repost of our original Security Announcement about the Linux kernel dated Friday, Oct 26th 2001, enhanced with more details about the fixed problems. This announcement is released as announcement ID SuSE-SA:2001:039. ______________________________________________________________________________ SuSE Security Announcement Package: kernel Announcement-ID: SuSE-SA:2001:036, SuSE-SA:2001:039 (update) Date: Friday, Oct 26th 2001 18:00 MEST Date: Friday, Nov 2nd 2001 19:50 MET (update) Affected SuSE versions: 6.3, 6.4, 7.0, 7.1, 7.2, 7.3 Vulnerability Type: local privilege escalation, remote netfilter bypass Severity (1-10): 8 SuSE default package: yes Other affected systems: all Linux systems, all kernel versions Content of this advisory: 1) security vulnerability resolved: kernel problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds 3) standard appendix (further information) ______________________________________________________________________________ 1) The Problem, Workaround, Recommended solution, Instructions, Notes, Verification The Problems The SuSE Linux kernel is a standard kernel, enhanced with a set of additional drivers and other improvements, to suit the end-user's demand for a great variety of drivers for all kind of hardware. Two security related problems have been found in both the 2.2 and 2.4 series kernels, a third problem additionally affects linux kernels of version 2.0: 1) A recursive symlink structure can cause the kernel to consume excessive CPU time, causing the machine to halt for an arbitrary amount of time. 2) ptrace(2), the system call used to trace processes as done by the strace(1) command, must not be given permissions to trace setuid or setgid programs (processes with a different effective uid or gid than the caller's uid/gid). A race condition in the ptrace() kernel code was the reason for the kernel update in May 2001. The flaw fixed with this kernel update is based on the assumption that the calling process is allowed to trace a running process. The fix consists of disallowing a ptrace() system call for all setuid/setgid binaries, regardless of the capabilities of the calling process. 3) syncookies are a countermeasure against a SYN-flood attack, a remote denial-of-service attack method where the remote attacker floods the target host with packets that request a TCP connection (SYN-Bit set, no other TCP flag set) from possibly numerous forged source IP addresses. As a result, the attacked host is running out of resources, denying legitimate connection attempts. If syncookies are enabled, a host requesting a connection must answer a 24-bit cookie to be able to connect to an open tcp socket while a SYN-flood is in progress and detected by the syncookie mechanism. If an attacker can guess the 24 bit cookie, he will be able to bypass netfilter rules that match a TCP connection request (-y option to ipchains/ipfwadm, --syn to iptables). Bug 1) can lead to a local DoS. Bug 2) can allow a local attacker to gain root privileges. Bug 3) can allow a remote attacker to bypass netfilter rules that match TCP connection attempts, provided that a) syncookies are enabled in the kernel b) the attacker can connect to an open, unprotected tcp socket c) netfilter rules protect one or more open tcp sockets, the attack targets. Workarounds: It is possible to work around bug 2) by removing the setuid bit from the programs newgrp, su, su1, sudo and possibly more programs in the system that will start another program with different pivileges. Workaround for bug 3) is to disable syncookies in the kernel using the command echo 0 > /proc/sys/net/ipv4/tcp_syncookies in addition to changing the value of IP_TCP_SYNCOOKIES in /etc/rc.config of a SuSE installation to not automatically turn on the syncookie protection during a reboot of the system. The value of IP_TCP_SYNCOOKIES defaults to "yes" in all SuSE Linux distributions. In order to completely solve the security problems, it is recommended to update the kernel to a newer version as described below. Recommended solution: We have provided update kernels for our supported distributions 6.3, 6.4, 7.0, 7.1, 7.2 and the freshly released 7.3. In addition to the update packages for the Intel i386 distributions, packages for the sparc architecture are available. The update should be performed with special care in order to make sure that the system will properly boot after the package update. Step-By-Step Installation Instructions: The kernel of a Linux system is the most critical component with respect to stability, reliability and security. By consequence, an update of that component requires some care and full attention to succeed. The following paragraphs will guide you through the installation process in a step-by-step fashion. The character sequence "****" marks the beginning of a new paragraph. In some cases, you decide if the paragraph is needed for you or not. Please read through all of the steps down to the end. All of the commands that need to be executed are required to be run as the superuser (root). Each step relies on the steps before to complete successfully. **** Step 1: Determine the needed kernel version SuSE-6.3, 6.4 and 7.0 are built for kernels of version 2.2, 7.1 and up are also ready for a 2.4 kernel. You should use the same major kernel version for the update as you are using already. Determine the kernel version that is running on your system with the command uname -r If your running kernel is version 2.2.x, you should use a 2.2.19 kernel to update, if you use a 2.4 series kernel, use a 2.4 kernel to update SuSE-7.3 users: See Step 3!). Cross-version updates _may_ work in your installation but are dis- recommended in order to preserve a properly running system. **** Step 2: Determine the needed kernel type After you have determined which version to install, you must select the type of kernel rpm package to install. There are four types offered: k_i386 a kernel that runs on i386 processors. k_smp the kernel for computers with more than one CPU k_psmp for dual Pentium-I processor computers, not configured for 64GB memory support. k_deflt the default kernel for most systems, includes support for APM (laptops). You can use the command rpm -qf `awk -F= '/image/{print $2}' < /etc/lilo.conf` to find the name of the kernel RPM package that is installed on your system. In the case of inconclusive results, pick one from the four choices above: k_deflt works on most systems, k_smp is for multi processor computers. Step 1 and 2 will lead you to one of these possiblities: 2.2-default 2.2-smp 2.2-psmp 2.2-i386 2.4-default 2.4-smp 2.4-psmp 2.4-i386 **** Step 3: SuSE-7.3 special: Download If you have a SuSE-7.3 system, continue to read this paragraph, otherwise jump to Step 4. SuSE Linux 7.3 comes with a kernel version 2.4.10. We have made a set of patched kernels of this particular version to seamlessly fit into a 7.3 installation. SuSE Linux releases before 7.3 should receive a 2.4.7 kernel update - we provide both versions for the update. It should be possible though to run both 2.4 kernels on all 2.4 based systems. Please download your kernel rpm from the location ftp://ftp.suse.com/pub/suse/i386/update/7.3/kernel/2.4.10-20011026/ After downloading the rpm package, you might want to verify the authenticity of the rpm package according to Section 3 of this and every SuSE Security announcement. Then go to Step 5, omitting Step 4. **** Step 4: Download your kernel rpm Your kernel rpm package is available for download from ftp://ftp.suse.com/pub/suse/i386/update/<dist>/kernel/ where <dist> is the release version of your distribution. Sparc users please go to ftp://ftp.suse.com/pub/suse/sparc/update/<dist>/kernel/. If you need to download a 2.4 series kernel, enter the directory called 2.4.7-20011026/ and download the kernel rpm type that you have selected in Step 2. If you need to download a 2.2 series kernel, enter the directory called 2.2.19-20011026/ and download the kernel rpm type that you have selected in Step 2. An example: For a SuSE-7.2 distribution installed on an i386 SMP system that is running a 2.4 series kernel, you should download the file ftp://ftp.suse.com/pub/suse/i386/update/7.2/kernel/2.4.7-20011026/k_smp-2.4… After downloading the rpm package, you might want to verify the authenticity of the rpm package according to Section 3 of this SuSE Security announcement at the bottom of this message. **** Step 5: SuSE-6.3 special: Installing your kernel rpm package If you have a SuSE-6.3 system, continue to read this paragraph, otherwise jump to Step 6. In SuSE Linux version 6.3, the kernel and the kernel modules are packaged in two different packages. This will change with the success of this update: Both kernel images and kernel modules will be contained in the same package. For the update to succeed, you will have to either remove the existing kernel package from your system using the command rpm -e `rpm -qf /boot/vmlinuz` or two kernel rpm packages will be installed on your system. **** Step 6: Installing your kernel rpm package Install the rpm package that you have downloaded in Steps 3 or 4 with the command rpm -Uhv --nodeps --force <K_FILE.RPM> where <K_FILE.RPM> is the name of the rpm package that you downloaded. Notice: After performing this step, your system will likely not be able to boot if the following steps have not been fully applied. **** Step 7: aic7xxx If you use an Adaptec aic7xxx SCSI host adapter, continue to read this paragraph, otherwise jump to Step 8. The new kernel comes with two versions for the Adaptec aic7xxx driver. If you have such a card, you should see the driver listed in the output from the command lsmod or you should see the adapter in the output of the command lspci The new driver is known to work reliably. However, if you encounter any problems with CDROM drives or other removeable devices (CD-RW drives, tapes, etc) after this kernel upgrade, then you should try to use the old driver which is called aic7xxx_old instead of aic7xxx. If you decide to make this change, then the steps 10 and 11 are mandatory for the update to succeed, regardless if you get back to this paragraph after your first reboot or not. To use the old driver, please use your favourite editor to edit the file /etc/rc.config. Change aic7xxx into aic7xxx_old at the line that starts with INITRD_MODULES. You should find it near the top of the file. Do not forget to save your changes. Then go to Steps 10 and 11. If you want to use the new driver, then do not change anything. **** Step 8: LVM If you use LVM, then continue to read this paragraph, otherwise jump to Step 9. If you use LVM (Logical Volume Manager) in your installation of SuSE Linux before and including SuSE-7.1, then you need the updated lvm package from the /pub/suse/i386/update/<dist>/kernel/2.2.19-20011026/ directory for your distribution as well. The package contains the userspace utilities to manage the Logical Volume Manager driver. An update package is needed because the LVM data format/structure on disk has changed with the new version of the LVM kernel driver. Install the package as usual using the command rpm -Uhv lvm-0.9.1_beta4-12.i386.rpm Be sure you have downloaded the package for the explicit version of your SuSE Linux Installation. The package names are identical for all distribution versions. With this kernel upgrade, the lvm driver is configured as a module, it is _not_ compiled into the kernel image any more. Therefore, you should use your favourite editor and edit /etc/rc.config. In this file, the variable INITRD_MODULES must contain the word "lvm-mod". Example: you have an NCR scsi hostadapter and use lvm and reiserfs. The line in /etc/rc.config should look like INITRD_MODULES="sym53c8xx lvm-mod" Be careful about the double quotes! WARNING: After the first boot with the new kernel you will not be able to downgrade to older versions of LVM any more. **** Step 9: reiserfs If you use reiserfs, then continue to read this paragraph, otherwise jump to Step 10. If you use reiserfs (find out via "grep reiserfs /proc/mounts"), then make sure that the variable INITRD_MODULES from /etc/rc.config contains the word "reiserfs", like in the example in Step 8. **** Step 10: configuring and creating the initrd Upon kernel boot (after lilo runs), the kernel needs to use the drivers for the device (disk/raid) where the root filesystem is located in order to access it for mounting. If this driver is not compiled into the kernel, it is supplied as a kernel module that must be loaded _before_ the root filesystem is mounted. This is done using a ramdisk that is loaded along with the kernel by lilo (which is subject to the next Step). The modules that will be packed into this initial ramdisk (initrd) must be listed in the variable INITRD_MODULES in the file /etc/rc.config . This ramdisk, called "initrd", must be generated using the command mk_initrd If the driver for the device containing your root device is not compiled directly into the kernel, then your system will most likely not boot any more. If you have followed the above steps, you should be safe. Special care should be taken with scsi hostadapters, logical volume manager (lvm) and reiserfs. **** Step 11: lilo lilo is responsible for loading the kernel image and the initrd ramdisk image into the system and for transferring control of the system to the kernel. Therefore, a proper installation of the bootloader (by calling the program lilo) is essential for the system to boot (!). Manually changed settings in /etc/lilo.conf require the admin to make sure that /boot/vmlinuz is listed in the first "image" line in that file. Verify that the line starting with initrd= is set to initrd=/boot/initrd Execute lilo and you should see your label(s) in an output like Added linux * Every other output should be considered an error and requires attention. If your system managed to reboot before the upgrade, you should not see any additional output from lilo at this stage. **** Step 12: SuSE-7.0 special If you have a SuSE Linux 7.0 distribution, then continue to read this paragraph, otherwise jump to Step 13. If you have performed the kernel upgrade as described in the last kernel SuSE Security announcement SuSE-SA:2001:18 and if you have performed the upgrade of the glibc as described in Step 8 of SuSE-SA:2001:18, then you are done and you should go to Step 13. Otherwise, please read SuSE-SA:2001:18 (from http://www.suse.de/de/support/security/2001_018_kernel_txt.txt) and return to the Step 13 in this announcement. **** Step 13: reboot If all of the steps above have been successfully applied to your system, then the new kernel including the kernel modules and the initrd should be ready to boot. The system needs to be rebooted for the changes to become active. Please make sure that all steps are complete, then reboot using the command shutdown -r now or init 6 ______________________________________________________________________________ 2) Pending vulnerabilities in SuSE Distributions and Workarounds: - openssh After stabilizing the openssh package, updates for the distributions 6.4-7.2 are currently being prepared. The update packages fix a security problem related to the recently discovered problems with source ip based access restrictions in a user's ~/.ssh/authorized_keys2 file. The packages will appear shortly on our ftp servers. Please note that packages for the distributions 6.3 and up including 7.0 containing cryptographic software are located on the German ftp server ftp.suse.de, all other packages can be found on ftp.suse.com at the usual location. ______________________________________________________________________________ 3) standard appendix: authenticity verification, additional information - Package authenticity verification: SuSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package: 1) md5sums as provided in the (cryptographically signed) announcement. 2) using the internal gpg signatures of the rpm package. 1) execute the command md5sum <name-of-the-file.rpm> after you downloaded the file from a SuSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security(a)suse.de) the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless. 2) rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, where <file.rpm> is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an uninstalled rpm package file. Prerequisites: a) gpg is installed b) The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SuSE in rpm packages for SuSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SuSE Linux distributions version 7.1 and thereafter install the key "build(a)suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the toplevel directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de . - SuSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SuSE's announce-only mailing list. Only SuSE's security annoucements are sent to this list. To subscribe, send an email to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (faq) send mail to: <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com> respectively. =================================================== SuSE's security contact is <security(a)suse.com>. The <security(a)suse.com> public key is listed below. =================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the cleartext signature shows proof of the authenticity of the text. SuSE GmbH makes no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CpkBogQ57vSBEQQAk/GN+ftr7+DBlSoixDDpfRnUk+jApGEt8hCnrnjV nPs/9Cr33+CXLQbILOO7Y5oiPbJdHh45t4E0fKyLVzDerCRFB1swz/mNDxT26DLy sdBV5fwNHTPhxa67goAZVrehQPqJEckkIpYriOaYcKpF3n5fQIZMEfMaHEElQhcX ML8AoJVXDkJYh7vI8EUB8ZURNLZMEECNA/sH0MCnb4Q6ZcRyeZ3+1PHP8hP73b6T epRdLZhaylwVF/iu7uIn62ZUL4//NTOCDY7V63qg4iba/fUbOsWtEnGaiE7mQuAl sSWvRspwRA9/g9rdVf3/JdLJrLmKBTheyG+PSJE3W7cAE4ZWafGxIRCwXhmj3TQn Jn2euqylHRubEQP/aL53NZK0kBdvrKgff6O8Of6tqoss8Dkk55I7QVFSp+My1Dn+ mngQKFejTAgtyo/WmR3wPjQ9HoT2lRiYI2lTRYT4uMdHuwVC3b4DqAKmoy375FER wHkrMVyKBJslv8QtbAWw5A1CAUseaHo+91wmYJ4/4p6YUahqbG/tZyhbxfq0KFN1 U0UgUGFja2FnZSBTaWduaW5nIEtleSA8YnVpbGRAc3VzZS5kZT6IXAQTEQIAHAUC Oe70gQUJA8JnAAQLCgMEAxUDAgMWAgECF4AACgkQqE7a6JyACspfLACffAYA+NM8 NBhyRyH+nTX58CNjwLIAoIx9fj52BJe0xY7WbKoXs1+72b2AiEYEEBECAAYFAjpw XlIACgkQnkDjEAAKq6TczgCgi+ddhWb7+FWcfeE6WwPZccqAHowAnjjtRyGwHLQH r5OTFAYTXi2Wv6jNiQEVAwUQOnBgb3ey5gA9JdPZAQE1pwf/QJ+b34lFBNVUJ7fk /xGJJREt7V12iSafaRzGuH8xWvIz1bb+VARxnnt16FDQ1cDNjoEhCEmcW83Vxp6i JXE9PE8wVA/Yue/bon5JS7J69+UiQ2eq2pudfwljp52lYVM53jgPYEz0q/v3091n lZ8CYkAkN9JDS1lV1gEzJ7J0+POngDpU+lDQT2EC6VKaxeWK8pNt6UFDwICRDQxK nlOoiDvTrdWT7QdJZ4sPv8Qotdw9+tKNbWQ2DqdIRxyTdw9xDfAtcj6mXeQr7852 Lwem1gSKVnEYHZ9g1FTJqVOutY8KhpUc9RfOCRv8XuIxrs4KSbfSF0s8qIRCQelx ufg9AbkCDQQ57vSSEAgAhJHQTejMX+Vr6g1pHDEcusJ63fQ2CfFFE5iE9okH9O7U VCiSfb9CV38dmeHdPCEEjDUWquFYEnvj3WICMtH249t1Ymuf4Du3yRKQ9oXdn/qT Jzlrx9qzjiG3mH7ocwHOgUIwCrZoEdBEVE2n0zPVm+hddwjWWTWXw6pxQz+i9dsN 89xexRV5M9O0bNwCLaNWX2GXeLAkqTK/9EuZy6x2yLxi6du9YYUAXkZpqBhCjtiU XpRoFCdglMznbcAyCk9C2wqb2j/D1Z2BeSBaGCSFkR6pRLebnE17LWcu72Iy+r0z +JecbPiyDpDZj4apn7IC81aNFGi7fNITsHODbwwjiwADBgf/YPvVdzkc8OC7ztac EWCanwylKvxCdKzTDA+DfES6WUYShyiVJvZzRy25LJ5WcK20kzOS6Qv1OrIXiz/p dGy1aKtJZrAnFEsofpmOj8VoqyyFgp/yAGQBp12+mXek7SCZRhuqalDfEMRiWEJ6 J5dLkyShyRDWyPbFh0HXE7QTHN+IKKxxQqNQXL6Z3NSxS61p+5n6BseiDUI39xxk KTFwFrkgUIc5Gs2Or2lhaWvGwSfoCmwbsklszZt6xbU+R0SjFqTvjPWx6eHfqbmN C9WMDdTjGrXDDKXFp2aYlokfN6It9vsbVlGNlOwHt/JjGoPMxW6Xqj0FLA7/Vewg CdXW64hMBBgRAgAMBQI57vSSBQkDwmcAAAoJEKhO2uicgArKSyIAmwUHf/vtKQfc mVg4asR7U6XQl0bAAJ4pO22B5U8UH6IYl2LBCXFqw5+5fA== =rVRn - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQEVAwUBO+Ltnney5gA9JdPZAQGERAf/cLtwc9GCpyRtoUQQ3vfMWzj+6QFRhSet 4dRHyHiRs8T/nZNMkSzqc2mSfV5dp42cCdMEcvlqsK+FwJOIjqmaRhGk1O3faPT6 h2rhozRvrzeypqZ1bP20v6fKbG+D1nCm73K4+KqhtbZSUqahl6YNH9MtJuMe6PSa szagS6OHa8kgYl1kzCU8h7+a9gkZ9ZWxgcvWMJh0WQ1m/c0jnbznRfGPChAAZbeG dBIvMXKMPdQ5aLc2bUQkxrVKA87EIeZTeWgJeE8VKekZxar8wnmNNvNnZbvnfWvo 1pxzNYUWNfYZprEfi44IDcTzfogJ/20XtjWuEtdmUGx8ra3/TYMc3g== =IR07 -----END PGP SIGNATURE-----

1 0