openSUSE Security Announce
November 2001
- 3 participants
- 6 discussions
______________________________________________________________________________
SuSE Security Announcement
Package: wuftpd
Announcement-ID: SuSE-SA:2001:043
Date: Wednesday, Nov. 28th, 2001 23:45 MET
Affected SuSE versions: 6.3, 6.4, 7.0, 7.1, 7.2, 7.3
Vulnerability Type: remote root compromise
Severity (1-10): 7
SuSE default package: no
Other affected systems: all Linux-like systems using wu-ftpd 2.4.x / 2.6.0 / 2.6.1
Content of this advisory:
1) security vulnerability resolved: wuftpd
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
The wuftpd package as shipped with SuSE Linux distributions comes with
two versions of wuftpd: wuftpd-2.4.2, installed as /usr/sbin/wuftpd,
and wuftpd-2.6.0, installed as /usr/sbin/wuftpd-2.6.
The admin decides which version to use by the inetd/xinetd
configuration.
The CORE ST team has found an exploitable bug in the ftpglob() function
of all versions of wuftpd.
The glob function overwrites buffer bounds while matching opening and
closing brackets. Due to a missing \0 at the end of the buffer, a later
call to a function that frees allocated memory will feed free(3) with
user-defined data. Whether this bug can be exploited depends on the
implementation of the dynamic memory allocation API (malloc(3), free(3))
in the libc library. Linux and other systems are exploitable!
Some weeks ago, an internal source code audit of wu-ftpd 2.6.0 performed
by Thomas Biege, SuSE Security, revealed some other security-related bugs
that are fixed in the new RPM packages. Additionally, code from wu-ftpd
2.6.1 was backported to version 2.6.0 to make it more stable.
A temporary fix other than using a different server implementation of
the ftp protocol is not available. We recommend updating the wuftpd
package on your system.
We thank the wuftpd team for their work on the bug, particularly because
the coordination between the vendors and the wuftpd developers lacked
the necessary discipline for the timely release of the information
about the problem.
Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Uhv file.rpm" to apply
the update.
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
- ssh/openssh exploits
The wrong fix for the crc32-compensation attack is currently being
actively exploited on the internet for both the ssh and the openssh
implementations of the ssh-1 protocol.
We urge our users to upgrade their ssh or openssh packages to the
latest versions, which are located on our ftp server in the usual
directories, as referred to in
http://www.suse.de/de/support/security/adv004_ssh.txt from February
earlier this year.
Please note that the packages for the SuSE Linux distributions 7.0 and
older containing cryptographic code are located on the German ftp
server ftp.suse.de; the distributions 7.1 and newer have their crypto
updates on ftp.suse.com. There are legal constraints beyond our
control that lead to this situation.
Openssh packages of version 2.9.9p2 are ready to download on the ftp
server ftp.suse.com. They fix the security problems mentioned above,
along with a set of less serious security problems.
The announcement is still pending while investigations about the
status of the package are in progress.
- libgtop_daemon
The libgtop_daemon, part of the libgtop package for gathering and
monitoring process and system information, has been found vulnerable
to a format string error. We are in the process of providing fixes for
the affected distributions 6.4-7.3. In the meantime, we recommend
disabling the libgtop_daemon on systems where it is running. This daemon
is neither installed nor started (if installed) by default on SuSE
systems.
- kernel updates
A bug in the ELF loader of the Linux 2.4 kernels from our announcement
SSA:2001:036 can cause a system to crash if a user executes a vmlinux
kernel image. We are preparing another update series to work around
this problem and will re-issue the kernel announcement as soon as
possible.
______________________________________________________________________________
3) standard appendix:
SuSE runs two security mailing lists to which any interested party may
subscribe:
suse-security@suse.com
- general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe@suse.com>.
suse-security-announce@suse.com
- SuSE's announce-only mailing list.
Only SuSE's security announcements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe@suse.com>.
For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info@suse.com> or
<suse-security-faq@suse.com> respectively.
===============================================
SuSE's security contact is <security@suse.com>.
===============================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way.
SuSE GmbH makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
______________________________________________________________________________
SuSE Security Announcement
Package: cyrus-sasl
Announcement-ID: SuSE-SA:2001:042
Date: Friday, Nov 23rd, 2001 12.00 MET
Affected SuSE versions: 7.0, 7.1, 7.2, 7.3
Vulnerability Type: possible local/remote privilege escalation
Severity (1-10): 4
SuSE default package: no
Other affected systems: all linux-like systems using this version
of cyrus-sasl
Content of this advisory:
1) security vulnerability resolved: cyrus-sasl
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
The Cyrus SASL library provides an authentication API for mail clients
and servers.
A format string bug was found in one of the logging functions that could
be used by an attacker to gain access to a machine or to acquire higher
privileges.
There is no known temporary fix, so please update your system with
the new RPMs from our FTP server.
Download the update package from locations described below and install
the package with the command:
rpm -Uhv file.rpm
The md5sum for each file is in the line below it. You can verify the
integrity of the rpm files using the command:
rpm --checksig --nogpg file.rpm
independently of the md5 sums below.
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
- openssh
After stabilizing the openssh package, updates for the distributions
6.4-7.2 are currently being prepared. The update packages fix a security
problem related to the recently discovered problems with source ip
based access restrictions in a user's ~/.ssh/authorized_keys2 file.
The packages will appear shortly on our ftp servers. Please note that
packages for the distributions 6.3 and up including 7.0 containing
cryptographic software are located on the German ftp server ftp.suse.de,
all other packages can be found on ftp.suse.com at the usual location.
We will issue a dedicated Security announcement for the openssh package.
- The ziptool program runs setuid root in the easy permission mode and
contains an overflow which allows local attackers to gain root
privileges. A zip drive must be configured and a zip disk inserted
for the bug to be exploitable. The overflow has been fixed. Please update
your packages.
- The ncpfs package containing the setuid root programs ncpmount and
ncpumount was vulnerable to local buffer overflow attacks. The package
has been fixed.
Bye,
Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/contact/thomas.asc | pgp -fka"
Key fingerprint = 51 AD B9 C7 34 FC F2 54 01 4A 1C D4 66 64 09 83
--
Enter through the form, and step out of the form.
______________________________________________________________________________
SuSE Security Announcement
Package: susehelp
Announcement-ID: SuSE-SA:2001:041
Date: Thu Nov 22 11:36:00 MET 2001
Affected SuSE versions: 7.2, 7.3
Vulnerability Type: remote command execution
Severity (1-10): 8
SuSE default package: yes
Other affected systems: no
Content of this advisory:
1) security vulnerability resolved: CGI vulnerability in susehelp.
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
The susehelp package contains several CGI scripts that provide a flexible
help system to the user. Some of these scripts open files in an insecure
manner, allowing remote attackers to execute arbitrary commands as the
wwwrun user on a server running the susehelp package. These bugs have been
fixed in the newly available packages. Please update your susehelp package
immediately if it is present on your system.
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
- The ziptool program runs setuid root in the easy permission mode and
contains an overflow which allows local attackers to gain root
privileges. A zip drive must be configured and a zip disk inserted
for the bug to be exploitable. The overflow has been fixed. Please update
your packages.
- The ncpfs package containing the setuid root programs ncpmount and
ncpumount was vulnerable to local buffer overflow attacks. The package
has been fixed.
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SuSE update packages are available on many mirror ftp servers all over
the world. While this service is considered valuable and important to
the free and open source software community, many users wish to be sure
about the origin of the package and its content before installing it.
There are two verification methods that can be used independently of
each other to prove the authenticity of a downloaded file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum <name-of-the-file.rpm>
after you have downloaded the file from a SuSE ftp server or one of its
mirrors. Then, compare the resulting md5sum with the one listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security@suse.de),
the checksums prove the authenticity of the package.
We advise against subscribing through security lists that modify the
email message containing the announcement, so that the signature no
longer matches after transport through the mailing list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are rebuilt and a new
version of a package is published on the ftp server, the md5 sums in
the announcement no longer apply to the new files.
2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an uninstalled rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must have been imported into the gpg keyring (~/.gnupg/) of the
user who performs the signature verification (usually root). You can
import the key that SuSE uses to sign rpm packages for SuSE Linux by
saving this announcement to a file ("announcement.txt") and running
the command (do "su -" to become root):
gpg --batch; gpg < announcement.txt | gpg --import
SuSE Linux distributions version 7.1 and later install the key
"build@suse.de" upon installation or upgrade, provided that the gpg
package is installed. The file containing the public key is placed in
the toplevel directory of the first CD (pubring.gpg) and at
ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
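Added example, not from the advisory or from SuSE: a POSIX sh script that automates the md5 check from step 1 above (the same check the cyrus-sasl advisory describes), parsing the announcements' own layout of a package URL line followed by its md5sum line and comparing against the downloaded files, with the rpm --checksig step kept as a separate function. The announcement file, download directory and file names it is run with are assumptions.

```shell
#!/bin/sh
# Added example, not part of the SuSE advisories: automates the md5 check
# described in the appendix. It reads the layout the announcements use
# (a line with the ftp:// URL of a package, immediately followed by a line
# with its md5sum), compares each downloaded file, and leaves the second,
# independent check (rpm --checksig) to a separate function. Paths and
# file names used with it are assumptions, not SuSE's.

# Print "basename md5sum" pairs found in a saved announcement text.
extract_checksums() {
    awk '
        /^ftp:\/\/.*\.rpm$/ { url = $1; next }
        url != "" && length($1) == 32 && $1 ~ /^[0-9a-f]+$/ {
            n = split(url, parts, "/")
            print parts[n], $1
            url = ""
            next
        }
        { url = "" }
    ' "$1"
}

# md5 of one file; works with GNU md5sum and BSD md5.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        md5 -q "$1"
    fi
}

# Compare every package listed in announcement $1 against its copy in
# download directory $2. Returns 0 only if every downloaded package
# matches its listed md5sum, 1 on any mismatch. Listed packages that were
# not downloaded are reported and skipped, since an admin fetches only the
# build for the installed SuSE version and platform.
verify_downloads() {
    announcement=$1
    dir=$2
    status=0
    pairs=$(extract_checksums "$announcement")
    while read -r name expected; do
        [ -z "$name" ] && continue
        file="$dir/$name"
        if [ ! -f "$file" ]; then
            echo "not downloaded, skipped: $name"
            continue
        fi
        actual=$(file_md5 "$file")
        if [ "$actual" = "$expected" ]; then
            echo "md5 OK: $name"
        else
            echo "md5 MISMATCH: $name (expected $expected, got $actual)"
            status=1
        fi
    done <<EOF
$pairs
EOF
    return "$status"
}

# The advisory's second, independent check: the gpg signature embedded in
# the rpm itself. Needs rpm and the build@suse.de key in the verifier's
# keyring, so it is kept separate from the md5 comparison above.
check_rpm_signature() {
    rpm -v --checksig "$@"
}

# Usage: sh verify-update.sh announcement.txt /path/to/downloads
if [ "$#" -eq 2 ]; then
    verify_downloads "$1" "$2"
fi
```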
- SuSE runs two security mailing lists to which any interested party may
subscribe:
suse-security@suse.com
- general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe@suse.com>.
suse-security-announce@suse.com
- SuSE's announce-only mailing list.
Only SuSE's security announcements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe@suse.com>.
For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info@suse.com> or
<suse-security-faq@suse.com> respectively.
===================================================
SuSE's security contact is <security@suse.com>.
The <security@suse.com> public key is listed below.
===================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the cleartext signature shows proof of the
authenticity of the text.
SuSE GmbH makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer(a)suse.de - SuSE Security Team
~
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Effective Monday, December 10th 2001, after a lifespan of two years, SuSE
will discontinue support for the successful SuSE Linux distribution
SuSE Linux 6.3.
SuSE puts much effort into adding security improvements (patches) to the
software instead of publishing a new version; the same program with a fix
for a specific problem promises to work just as reliably as the original
version from the distribution, whereas new versions introduce new
functionality which changes the behaviour.
In some cases however, especially if the security leak is based on
problematic design decisions or when the fix(es) are fairly large, the
only reasonable fix for a security problem is to update to a newer version
of the software. These newer versions tend to become incompatible with our
older distribution releases because of missing features in the operating
system environment. This forces us to focus on the distributions of a
newer release date.
The remaining distributions
SuSE Linux 6.4
SuSE Linux 7.0
SuSE Linux 7.1
SuSE Linux 7.2
SuSE Linux 7.3
for the IA-32, IA-64, AXP Alpha, SPARC, S/390 as well as the PowerPC
platforms will continue to be supported for a two-year period after the
release of the respective product. Due to different maintenance terms, the
SuSE Linux Enterprise Server and other products based on the Enterprise
Server Edition are not affected by this notice.
The freshly released SuSE Linux 7.3 distribution is a stable, robust and
secure product that sets new standards in the Free and Open Source
Software world. We encourage our usership to make the transition to a
newer version of the SuSE Linux distribution.
Regards,
Roman Drahtmüller,
SuSE Security.
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SuSE Security Announcement
Package: webalizer
Announcement-ID: SuSE-SA:2001:040
Date: Tuesday, Nov 06th, 2001 12.00 MET
Affected SuSE versions: 7.1, 7.2, 7.3
Vulnerability Type: remote privilege escalation
(cross-site scripting)
Severity (1-10): 5
SuSE default package: no
Other affected systems: all linux-like systems using this version
of webalizer
Content of this advisory:
1) security vulnerability resolved: webalizer
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
The webalizer is a widely used tool for analyzing web server logs and
producing statistics in HTML format.
An exploitable bug was found in webalizer which allows a remote attacker
to execute commands on other client machines or reveal sensitive
information by placing HTML tags in the right place. This is possible
due to missing sanity checks on untrusted data - hostnames and search
keywords in this case - that are received by webalizer. This kind of attack
is also known as "Cross-Site Scripting Vulnerability".
Additionally the untrusted data will be written to files on the server
running webalizer; this may lead to further problems when using this
data as input for third-party software/scripts.
There is no known temporary fix, so please update your system with
the new RPMs from our FTP server.
Download the update package from locations described below and install
the package with the command:
rpm -Uhv file.rpm
The md5sum for each file is in the line below. You can verify the
integrity of the rpm files using the command:
rpm --checksig --nogpg file.rpm
independently from the md5 signatures below.
i386 Intel Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/webalizer-2.01.06-140.i386.r…
3525fd6ab9c27be34edad9bef05ff061
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/webalizer-2.01.06-140.src.r…
898d975f34991a02f02da603b6bcd529
SuSE-7.2
ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/webalizer-2.01.06-139.i386.r…
593a7f033158f57bac47cf2fa9cb83bc
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/webalizer-2.01.06-139.src.r…
70ceb86a0373070a06f6d39ec0bc4377
SuSE-7.1
ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/webalizer-2.01.06-139.i386.r…
74288622703dec120b18c0fbb5003917
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/webalizer-2.01.06-139.src.r…
213f7a394052dc193be05a882768054a
Sparc Platform:
SuSE-7.1
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/n2/webalizer-2.01.06-54.sparc.…
5aa3b7511d704415498fbec3bfc2ccd5
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/webalizer-2.01.06-54.src.r…
792efab485712286fc848234b1aa249d
AXP Alpha Platform:
SuSE-7.1
ftp://ftp.suse.com/pub/suse/axp/update/7.1/n2/webalizer-2.01.06-49.alpha.rpm
aa93070e8358b1cfd91b7fabffbfa985
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/webalizer-2.01.06-49.src.rpm
2065dd78c3f8147a94f97994fb37e6ce
PPC Power PC Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/webalizer-2.01.06-72.ppc.rpm
cc28460b1d6fac8f87cc4658fae45d3e
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/webalizer-2.01.06-72.src.rpm
7d7cec18f488f97187338723b0151426
SuSE-7.1
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n2/webalizer-2.01.06-70.ppc.rpm
3630f538b0445ee462b73475b488b146
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/webalizer-2.01.06-70.src.rpm
4c998066d5eb545bb1551e246f2724c1
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
- openssh
After stabilizing the openssh package, updates for the distributions
6.4-7.2 are currently being prepared. The update packages fix a security
problem related to the recently discovered problems with source ip
based access restrictions in a user's ~/.ssh/authorized_keys2 file.
The packages will appear shortly on our ftp servers. Please note that
packages for the distributions 6.3 and up including 7.0 containing
cryptographic software are located on the German ftp server ftp.suse.de,
all other packages can be found on ftp.suse.com at the usual location.
We will issue a dedicated Security announcement for the openssh package.
- nvi
Takeshi Uno found a format tag vulnerability in all versions of nvi.
The bug will be fixed in future version of SuSE Linux.
- Please watch out for more announcements that are currently in our queue.
______________________________________________________________________________
3) standard appendix:
SuSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SuSE's announce-only mailing list.
Only SuSE's security announcements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com> respectively.
===============================================
SuSE's security contact is <security(a)suse.com>.
===============================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way.
SuSE GmbH makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Bye,
Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas(a)suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/contact/thomas.asc | pgp -fka"
Key fingerprint = 51 AD B9 C7 34 FC F2 54 01 4A 1C D4 66 64 09 83
--
Trete durch die Form ein, und trete aus der Form heraus.
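The webalizer advisory above describes report fields (client hostnames, search keywords taken from referrers) that reach an HTML report unescaped. The following is an added example, not webalizer's own code, showing the defensive pattern: every untrusted log field is HTML-escaped before it is written into a report row. The Combined Log Format sample line and all function names are my own.

```shell
#!/bin/sh
# Added example (not webalizer code): HTML-escape untrusted log fields before
# they are written into a generated report. Input is constructed Combined Log
# Format lines; function names are my own.

# Escape the five characters that let a field break out of HTML text or
# attribute context. '&' must be handled first so later entities survive.
html_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g; s/'"'"'/\&#39;/g'
}

# Pull the search keywords (the "q=" parameter) out of a referrer URL,
# turning '+' back into spaces; prints nothing when there is no q= parameter.
search_keywords() {
    printf '%s' "$1" | sed -n 's/.*[?&]q=\([^&]*\).*/\1/p' | sed 's/+/ /g'
}

# Build one report row from a hostname and a referrer. Both values come from
# the remote side (reverse DNS, Referer header), so both are escaped and the
# raw strings never reach the HTML.
report_row() {
    host=$(html_escape "$1")
    kw=$(html_escape "$(search_keywords "$2")")
    printf '<tr><td>%s</td><td>%s</td></tr>\n' "$host" "$kw"
}

# Turn Combined Log Format lines on stdin into report rows: field 1 is the
# client host, the referrer is the second double-quoted string on the line.
log_to_rows() {
    while IFS= read -r line; do
        host=${line%% *}
        ref=$(printf '%s' "$line" | sed -n 's/^[^"]*"[^"]*"[^"]*"\([^"]*\)".*/\1/p')
        report_row "$host" "$ref"
    done
}
```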
02 Nov '01
-----BEGIN PGP SIGNED MESSAGE-----
Information about the security problems fixed with the new kernel rpm
packages from SuSE Security Announcement: kernel (SuSE-SA:2001:036)
has been withheld in coordination with other Linux distributors/vendors.
We hereby re-release SuSE-SA:2001:036 with the new announcement ID
SuSE-SA:2001:039, now including additional information about the bugs
fixed.
During testing of our kernel update packages, an additional kernel
security problem has been reported to SuSE kernel developer Andi
Kleen. Since his fix to this additional problem would have required
another public kernel update, we have decided to delay the release
of the announcement until this additional problem was sufficiently
analyzed and fixed.
By consequence, administrators who have applied the kernel update
packages from SuSE-SA:2001:036, dated Friday, Oct 26th 2001, already
have the complete fix and do not need to update again.
The information about this problem was withheld from the public
in coordination with other Linux vendors/distributors in order to
give the distributors enough time to update their kernel packages.
We find that this coordination is beneficial for the community,
while we regret that the bug could not be fixed in time before the
other distributors' kernel updates.
Specifics about the problem:
syncookies are a countermeasure against a SYN-flood attack, a remote
denial-of-service attack method where the remote attacker floods the
target host with packets that request a TCP connection (SYN-Bit set,
no other TCP flag set) from possibly numerous forged source IP
addresses. As a result, the attacked host is running out of resources,
denying legitimate connection attempts. If syncookies are enabled,
a host requesting a connection must answer a 24-bit cookie to be able
to connect to an open tcp socket while a SYN-flood is in progress and
detected by the syncookie mechanism.
If an attacker can guess the 24 bit cookie, he will be able to bypass
netfilter rules that match a TCP connection request (-y option to
ipchains/ipfwadm, --syn to iptables). All 2.0, 2.2 and 2.4 series
kernels are known to be affected.
Summary of conditions that need to be satisfied for the weakness to
impose a risk to a running system:
* The attacker must be able to connect to at least one open
(unfiltered) tcp port.
* The syncookie protection mechanism must be enabled in the kernel.
* netfilter rules protect one or more open tcp sockets, the attack
targets.
Workaround:
A quick workaround against the problem is to disable syncookies using
the following command:
echo 0 > /proc/sys/net/ipv4/tcp_syncookies
Please also change the value of IP_TCP_SYNCOOKIES in /etc/rc.config
of a SuSE installation to not automatically turn on the syncookie
protection during a reboot of the system. The value of IP_TCP_SYNCOOKIES
defaults to "yes" in all SuSE Linux distributions.
A permanent countermeasure is to update the kernel according to
SuSE-SA:2001:036. If you already have updated your kernel as described
in Announcement SuSE-SA:2001:036, then your system already has the
necessary fix for the bug that is subject of this updated announcement.
We thank Manfred Spraul who reported a randomness weakness problem to
Andi Kleen <ak(a)suse.de>, and Andi Kleen for fixing this problem and
recognizing the effect of the fix for the netfilter code (bypassing
SYN filter rules).
Now follows a repost of our original Security Announcement about the
Linux kernel dated Friday, Oct 26th 2001, enhanced with more details
about the fixed problems.
This announcement is released as announcement ID SuSE-SA:2001:039.
______________________________________________________________________________
SuSE Security Announcement
Package: kernel
Announcement-ID: SuSE-SA:2001:036, SuSE-SA:2001:039 (update)
Date: Friday, Oct 26th 2001 18:00 MEST
Date: Friday, Nov 2nd 2001 19:50 MET (update)
Affected SuSE versions: 6.3, 6.4, 7.0, 7.1, 7.2, 7.3
Vulnerability Type: local privilege escalation,
remote netfilter bypass
Severity (1-10): 8
SuSE default package: yes
Other affected systems: all Linux systems, all kernel versions
Content of this advisory:
1) security vulnerability resolved: kernel
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
______________________________________________________________________________
1) The Problem, Workaround, Recommended solution, Instructions, Notes,
Verification
The Problems
The SuSE Linux kernel is a standard kernel, enhanced with a set of
additional drivers and other improvements, to suit the end-user's
demand for a great variety of drivers for all kind of hardware.
Two security related problems have been found in both the 2.2 and
2.4 series kernels, a third problem additionally affects linux
kernels of version 2.0:
1) A recursive symlink structure can cause the kernel to consume excessive
CPU time, causing the machine to halt for an arbitrary amount of time.
2) ptrace(2), the system call used to trace processes as done by the
strace(1) command, must not be given permissions to trace setuid or
setgid programs (processes with a different effective uid or gid than
the caller's uid/gid). A race condition in the ptrace() kernel code
was the reason for the kernel update in May 2001. The flaw fixed with
this kernel update is based on the assumption that the calling process
is allowed to trace a running process. The fix consists of disallowing
a ptrace() system call for all setuid/setgid binaries, regardless
of the capabilities of the calling process.
3) syncookies are a countermeasure against a SYN-flood attack, a remote
denial-of-service attack method where the remote attacker floods the
target host with packets that request a TCP connection (SYN-Bit set,
no other TCP flag set) from possibly numerous forged source IP
addresses. As a result, the attacked host is running out of resources,
denying legitimate connection attempts. If syncookies are enabled,
a host requesting a connection must answer a 24-bit cookie to be able
to connect to an open tcp socket while a SYN-flood is in progress and
detected by the syncookie mechanism.
If an attacker can guess the 24 bit cookie, he will be able to bypass
netfilter rules that match a TCP connection request (-y option to
ipchains/ipfwadm, --syn to iptables).
Bug 1) can lead to a local DoS.
Bug 2) can allow a local attacker to gain root privileges.
Bug 3) can allow a remote attacker to bypass netfilter rules that
match TCP connection attempts, provided that
a) syncookies are enabled in the kernel
b) the attacker can connect to an open, unprotected tcp socket
c) netfilter rules protect one or more open tcp sockets, the
attack targets.
Workarounds:
It is possible to work around bug 2) by removing the setuid bit from the
programs newgrp, su, su1, sudo and possibly more programs in the system
that will start another program with different privileges.
Workaround for bug 3) is to disable syncookies in the kernel using
the command
echo 0 > /proc/sys/net/ipv4/tcp_syncookies
in addition to changing the value of IP_TCP_SYNCOOKIES in /etc/rc.config
of a SuSE installation to not automatically turn on the syncookie
protection during a reboot of the system. The value of IP_TCP_SYNCOOKIES
defaults to "yes" in all SuSE Linux distributions.
In order to completely solve the security problems, it is recommended to
update the kernel to a newer version as described below.
Recommended solution:
We have provided update kernels for our supported distributions
6.3, 6.4, 7.0, 7.1, 7.2 and the freshly released 7.3.
In addition to the update packages for the Intel i386 distributions,
packages for the sparc architecture are available. The update should be
performed with special care in order to make sure that the system will
properly boot after the package update.
Step-By-Step Installation Instructions:
The kernel of a Linux system is the most critical component with respect
to stability, reliability and security. By consequence, an update of that
component requires some care and full attention to succeed.
The following paragraphs will guide you through the installation
process in a step-by-step fashion. The character sequence "****"
marks the beginning of a new paragraph. In some cases, you decide
if the paragraph is needed for you or not. Please read through all
of the steps down to the end. All of the commands that need to be
executed are required to be run as the superuser (root). Each step
relies on the steps before to complete successfully.
**** Step 1: Determine the needed kernel version
SuSE-6.3, 6.4 and 7.0 are built for kernels of version 2.2, 7.1 and
up are also ready for a 2.4 kernel. You should use the same major kernel
version for the update as you are using already.
Determine the kernel version that is running on your system with the
command
uname -r
If your running kernel is version 2.2.x, you should use a 2.2.19 kernel
to update, if you use a 2.4 series kernel, use a 2.4 kernel to update
(SuSE-7.3 users: See Step 3!).
Cross-version updates _may_ work in your installation but are
disrecommended in order to preserve a properly running system.
**** Step 2: Determine the needed kernel type
After you have determined which version to install, you must select the
type of kernel rpm package to install. There are four types offered:
k_i386 a kernel that runs on i386 processors.
k_smp the kernel for computers with more than one CPU
k_psmp for dual Pentium-I processor computers, not configured
for 64GB memory support.
k_deflt the default kernel for most systems, includes support
for APM (laptops).
You can use the command
rpm -qf `awk -F= '/image/{print $2}' < /etc/lilo.conf`
to find the name of the kernel RPM package that is installed on
your system. In the case of inconclusive results, pick one from the
four choices above: k_deflt works on most systems, k_smp is for
multi processor computers.
Step 1 and 2 will lead you to one of these possibilities:
2.2-default 2.2-smp 2.2-psmp 2.2-i386
2.4-default 2.4-smp 2.4-psmp 2.4-i386
**** Step 3: SuSE-7.3 special: Download
If you have a SuSE-7.3 system, continue to read this paragraph,
otherwise jump to Step 4.
SuSE Linux 7.3 comes with a kernel version 2.4.10. We have made
a set of patched kernels of this particular version to seamlessly
fit into a 7.3 installation. SuSE Linux releases before 7.3 should
receive a 2.4.7 kernel update - we provide both versions for the update.
It should be possible though to run both 2.4 kernels on all 2.4 based
systems.
Please download your kernel rpm from the location
ftp://ftp.suse.com/pub/suse/i386/update/7.3/kernel/2.4.10-20011026/
After downloading the rpm package, you might want to verify the
authenticity of the rpm package according to Section 3 of this and every
SuSE Security announcement.
Then go to Step 5, omitting Step 4.
**** Step 4: Download your kernel rpm
Your kernel rpm package is available for download from
ftp://ftp.suse.com/pub/suse/i386/update/<dist>/kernel/
where <dist> is the release version of your distribution.
Sparc users please go to
ftp://ftp.suse.com/pub/suse/sparc/update/<dist>/kernel/.
If you need to download a 2.4 series kernel, enter the directory
called 2.4.7-20011026/ and download the kernel rpm type that you
have selected in Step 2.
If you need to download a 2.2 series kernel, enter the directory
called 2.2.19-20011026/ and download the kernel rpm type that you
have selected in Step 2.
An example: For a SuSE-7.2 distribution installed on an i386 SMP system
that is running a 2.4 series kernel, you should download the file
ftp://ftp.suse.com/pub/suse/i386/update/7.2/kernel/2.4.7-20011026/k_smp-2.4…
After downloading the rpm package, you might want to verify the
authenticity of the rpm package according to Section 3 of this
SuSE Security announcement at the bottom of this message.
**** Step 5: SuSE-6.3 special: Installing your kernel rpm package
If you have a SuSE-6.3 system, continue to read this paragraph,
otherwise jump to Step 6.
In SuSE Linux version 6.3, the kernel and the kernel modules are
packaged in two different packages. This will change with the success
of this update: Both kernel images and kernel modules will be contained
in the same package. For the update to succeed, you will have to either
remove the existing kernel package from your system using the command
rpm -e `rpm -qf /boot/vmlinuz`
or two kernel rpm packages will be installed on your system.
**** Step 6: Installing your kernel rpm package
Install the rpm package that you have downloaded in Steps 3 or 4 with
the command
rpm -Uhv --nodeps --force <K_FILE.RPM>
where <K_FILE.RPM> is the name of the rpm package that you downloaded.
Notice: After performing this step, your system will likely not be
able to boot if the following steps have not been fully applied.
**** Step 7: aic7xxx
If you use an Adaptec aic7xxx SCSI host adapter, continue to read
this paragraph, otherwise jump to Step 8.
The new kernel comes with two versions for the Adaptec aic7xxx driver.
If you have such a card, you should see the driver listed in the
output from the command
lsmod
or you should see the adapter in the output of the command
lspci
The new driver is known to work reliably. However, if you encounter
any problems with CDROM drives or other removable devices (CD-RW
drives, tapes, etc) after this kernel upgrade, then you should try to
use the old driver which is called aic7xxx_old instead of aic7xxx.
If you decide to make this change, then the steps 10 and 11 are
mandatory for the update to succeed, regardless if you get back to
this paragraph after your first reboot or not.
To use the old driver, please use your favourite editor to edit
the file /etc/rc.config. Change aic7xxx into aic7xxx_old at the line
that starts with INITRD_MODULES. You should find it near the top of the
file. Do not forget to save your changes. Then go to Steps 10 and 11.
If you want to use the new driver, then do not change anything.
**** Step 8: LVM
If you use LVM, then continue to read this paragraph,
otherwise jump to Step 9.
If you use LVM (Logical Volume Manager) in your installation of SuSE
Linux before and including SuSE-7.1, then you need the updated lvm
package from the
/pub/suse/i386/update/<dist>/kernel/2.2.19-20011026/
directory for your distribution as well. The package contains the
userspace utilities to manage the Logical Volume Manager driver.
An update package is needed because the LVM data format/structure on
disk has changed with the new version of the LVM kernel driver.
Install the package as usual using the command
rpm -Uhv lvm-0.9.1_beta4-12.i386.rpm
Be sure you have downloaded the package for the explicit version
of your SuSE Linux Installation. The package names are identical
for all distribution versions.
With this kernel upgrade, the lvm driver is configured as a module,
it is _not_ compiled into the kernel image any more. Therefore, you
should use your favourite editor and edit /etc/rc.config. In this
file, the variable INITRD_MODULES must contain the word "lvm-mod".
Example: you have an NCR scsi hostadapter and use lvm and reiserfs.
The line in /etc/rc.config should look like
INITRD_MODULES="sym53c8xx lvm-mod"
Be careful about the double quotes!
WARNING: After the first boot with the new kernel you will not be able
to downgrade to older versions of LVM any more.
**** Step 9: reiserfs
If you use reiserfs, then continue to read this paragraph,
otherwise jump to Step 10.
If you use reiserfs (find out via "grep reiserfs /proc/mounts"), then
make sure that the variable INITRD_MODULES from /etc/rc.config contains
the word "reiserfs", like in the example in Step 8.
**** Step 10: configuring and creating the initrd
Upon kernel boot (after lilo runs), the kernel needs to use the
drivers for the device (disk/raid) where the root filesystem
is located in order to access it for mounting. If this driver is
not compiled into the kernel, it is supplied as a kernel module
that must be loaded _before_ the root filesystem is mounted. This
is done using a ramdisk that is loaded along with the kernel by lilo
(which is subject to the next Step).
The modules that will be packed into this initial ramdisk (initrd)
must be listed in the variable INITRD_MODULES in the file
/etc/rc.config . This ramdisk, called "initrd", must be generated
using the command
mk_initrd
If the driver for the device containing your root device is not
compiled directly into the kernel, then your system will most likely
not boot any more. If you have followed the above steps, you should be
safe. Special care should be taken with scsi hostadapters, logical volume
manager (lvm) and reiserfs.
**** Step 11: lilo
lilo is responsible for loading the kernel image and the initrd
ramdisk image into the system and for transferring control of the
system to the kernel. Therefore, a proper installation of the
bootloader (by calling the program lilo) is essential for the
system to boot (!).
Manually changed settings in /etc/lilo.conf require the admin to make
sure that /boot/vmlinuz is listed in the first "image" line in that
file. Verify that the line starting with initrd= is set to
initrd=/boot/initrd
Execute
lilo
and you should see your label(s) in an output like
Added linux *
Every other output should be considered an error and requires
attention. If your system managed to reboot before the upgrade, you
should not see any additional output from lilo at this stage.
**** Step 12: SuSE-7.0 special
If you have a SuSE Linux 7.0 distribution, then continue to read this
paragraph, otherwise jump to Step 13.
If you have performed the kernel upgrade as described in the last kernel
SuSE Security announcement SuSE-SA:2001:18 and if you have performed
the upgrade of the glibc as described in Step 8 of SuSE-SA:2001:18, then
you are done and you should go to Step 13. Otherwise, please read
SuSE-SA:2001:18 (from
http://www.suse.de/de/support/security/2001_018_kernel_txt.txt) and
return to the Step 13 in this announcement.
**** Step 13: reboot
If all of the steps above have been successfully applied to your
system, then the new kernel including the kernel modules and the
initrd should be ready to boot. The system needs to be rebooted for
the changes to become active. Please make sure that all steps are
complete, then reboot using the command
shutdown -r now
or
init 6
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
- openssh
After stabilizing the openssh package, updates for the distributions
6.4-7.2 are currently being prepared. The update packages fix a security
problem related to the recently discovered problems with source ip
based access restrictions in a user's ~/.ssh/authorized_keys2 file.
The packages will appear shortly on our ftp servers. Please note that
packages for the distributions 6.3 and up including 7.0 containing
cryptographic software are located on the German ftp server ftp.suse.de,
all other packages can be found on ftp.suse.com at the usual location.
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SuSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum <name-of-the-file.rpm>
after you downloaded the file from a SuSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security(a)suse.de)
the checksums show proof of the authenticity of the package.
We disrecommend to subscribe to security lists which cause the
email message containing the announcement to be modified so that
the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.
2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an uninstalled rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SuSE in rpm packages for SuSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SuSE Linux distributions version 7.1 and thereafter install the
key "build(a)suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the toplevel directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
- SuSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SuSE's announce-only mailing list.
Only SuSE's security announcements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com> respectively.
===================================================
SuSE's security contact is <security(a)suse.com>.
The <security(a)suse.com> public key is listed below.
===================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the cleartext signature shows proof of the
authenticity of the text.
SuSE GmbH makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
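A pre-flight check for the Step-By-Step Installation Instructions of SuSE-SA:2001:039 above (Steps 1, 8/9 and 11), added here as an example and not part of the advisory: it maps the running kernel version to the update directory to download from, checks that INITRD_MODULES in rc.config lists the modules the root filesystem needs, and checks the image and initrd lines of lilo.conf that Step 11 asks for. The function names are my own, and the file paths are parameters so the checks can be run against copies of rc.config, /proc/mounts and lilo.conf.

```shell
#!/bin/sh
# Added example, not part of the advisory: pre-flight checks for Steps 1, 8/9
# and 11 of the SuSE-SA:2001:039 kernel update procedure. File paths are
# parameters so the checks run against copies of the real files; all function
# names are my own.

# Step 1: map the output of "uname -r" to the update directory to download
# from. Prints the directory name, or "unsupported" with a non-zero status.
kernel_series() {
    case "$1" in
        2.2.*) echo "2.2.19-20011026" ;;
        2.4.*) echo "2.4.7-20011026" ;;
        *)     echo "unsupported"; return 1 ;;
    esac
}

# Steps 8 and 9: print the modules (given as arguments after the rc.config
# path) that are missing from the INITRD_MODULES="..." line.
initrd_missing_modules() {
    rcfile=$1; shift
    current=$(sed -n 's/^INITRD_MODULES="\(.*\)"$/\1/p' "$rcfile")
    missing=""
    for mod in "$@"; do
        found=0
        for have in $current; do
            if [ "$have" = "$mod" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then missing="$missing $mod"; fi
    done
    echo "${missing# }"
}

# Step 9: the advisory's own test, "grep reiserfs /proc/mounts", run against
# a mounts file given as argument.
uses_reiserfs() {
    grep -q ' reiserfs ' "$1"
}

# Step 11: the first "image" line must name /boot/vmlinuz and the initrd line
# must be initrd=/boot/initrd, otherwise running lilo will not produce a
# bootable system.
lilo_conf_ok() {
    first_image=$(sed -n 's/^[[:space:]]*image[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    if [ "$first_image" != "/boot/vmlinuz" ]; then return 1; fi
    grep -q '^[[:space:]]*initrd[[:space:]]*=[[:space:]]*/boot/initrd[[:space:]]*$' "$1"
}

# Run every check; print one line per finding and return non-zero if any fails.
# Arguments: "uname -r" string, rc.config path, mounts file path, lilo.conf path.
preflight() {
    rc=0
    if series=$(kernel_series "$1"); then
        echo "OK: download the kernel rpm from the $series directory"
    else
        echo "FAIL: kernel $1 is not a 2.2 or 2.4 series kernel"; rc=1
    fi
    required=""
    if uses_reiserfs "$3"; then required="reiserfs"; fi
    missing=$(initrd_missing_modules "$2" $required)
    if [ -n "$missing" ]; then
        echo "FAIL: INITRD_MODULES lacks: $missing"; rc=1
    else
        echo "OK: INITRD_MODULES covers the root filesystem"
    fi
    if lilo_conf_ok "$4"; then
        echo "OK: lilo.conf points at /boot/vmlinuz and /boot/initrd"
    else
        echo "FAIL: fix the image/initrd lines in lilo.conf before running lilo"; rc=1
    fi
    return $rc
}
```

On a live system the call is `preflight "$(uname -r)" /etc/rc.config /proc/mounts /etc/lilo.conf`, run as root before Step 10 (mk_initrd) and Step 11 (lilo).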