March 2002 - openSUSE Security Announce

SuSE Security Announcement: packages containing libz/zlib (SuSE-SA:2002:011) (tandem-announcement, second part)
by Roman Drahtmueller 11 Mar '02

11 Mar '02

-----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SuSE Security Announcement Package: packages containing libz/zlib Announcement-ID: SuSE-SA:2002:011 Date: Monday, Mar 11th 2002 20:50 MET Affected SuSE versions: 6.4, 7.0, 7.1, 7.2, 7.3 SuSE Linux Database Server SuSE eMail Server III SuSE Firewall SuSE Linux Connectivity Server SuSE Linux Enterprise Server 7 Vulnerability Type: possible remote command execution Severity (1-10): 8 SuSE default package: yes Other affected systems: systems with these packages compiled with default compile time options Content of this advisory: 1) security vulnerability resolved: packages containing libz/zlib problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds 3) standard appendix (further information) ______________________________________________________________________________ 1) problem description, brief discussion, solution, upgrade information This is the second announcement in the tandem-announcement about libz/zlib. SuSE Security Announcement SuSE-SA:2002:010 (libz/zlib) has been released prior to this announcement (SuSE-SA:2002:011). Please see SuSE-SA:2002:010 for details on the libz weakness. The two announcements SuSE-SA:2002:010 and SuSE-SA:2002:011 are being published in quick succession. The packages affected by the double-free() libz bug can be devided into two categories: 1) packages that link dynamically against the system-provided compression library. These packages get fixed automatically with the update of the libz package as described in SuSE-SA:2002:010. Please note that the processes will continue to use the old version of the libz.so shared library if the have not been restarted after the libz package upgrade. 2) packages that contain the compression library in their own source distribution. These packages need an individual bugfix. We have prepared update packages for this software that can be downloaded from the locations as shown below. The following is a list of the packages in category 2): gpg rsync cvs rrdtool freeamp netscape vnc kernel In detail: gpg: gpg brings its own libz/zlib source. The fixed update packages are available on the ftp server. The packages for SuSE Linux 6.4 and 7.0 are located on ftp.suse.de, all other packages can be found on ftp.suse.com. The package for SuSE Linux 7.3, Intel i386 platform, is currently building and will be available shortly. rsync: The rsync package brings its own libz/zlib source. In addition to the libz/zlib fixes, the rsync package has a number of other security related problems fixed: The rsync daemon now properly initializes group memberships when it changes to another userID. The last security fix in the rsync packages has been corrected to improve the reliability of the program. The fixed update packages are available on the ftp server. cvs: The cvs package brings its own libz/zlib source. In addition to the libz/zlib fixes, the cvs packages in SuSE Linux 6.4 and 7.0 contain a fix for a buffer overflow that may be remotely exploitable. Versions of the cvs packages later than 7.0 do not contain this flaw. rrdtool: SuSE Linux 7.2 and newer contain the package rrdtool. It brings its own source of the libz/zlib compression library. Fixed packages are available for download on the ftp server. freeamp: The freeamp package brings its own libz/zlib source. Fixed packages for SuSE Linux 7.1 and 7.0 are available for download. The update packages for the newer distributions will follow soon without any further announcement. netscape: New netscape binary packages are expected from netscape.com soon. Due to the closed source nature of the software, we depend on netscape to fix the package. vnc: The vnc package brings its own libz/zlib source. We will provide fixed packages for our supported products shortly. The availiability of these packages will be announced in section 2) of the next SuSE Security Announcement. kernel: The kernel of Linux systems is affected by the libz/zlib double- free() problem as well. The routines from the compression library are being used by functions that uncompress filesystems loaded into ramdisks and other non-security-critical occasions. However, the kernel uses the compression library in the ppp layer as well as in the freeswan IPSec kernel module. We are currently in the process of preparing update packages that fix numerous other problems (some of them security related) in both the 2.2 and the 2.4 series kernel. The availiability of these kernel RPM packages will be announced in a seperate SuSE Security Announcement soon. Note: The openssh package contains binaries that are linked dynamically against libz.so. The ssh package, however, links statically against its own version of the compression library. This version of libz/zlib is not vulnerable to the double-free() problem. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web. i386 Intel Platform: SuSE-7.3 The gpg packages are currently building and will be available on the ftp server shortly. ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/rsync-2.4.6-361.i386.rpm d93679eb6200bc549966b03e3ef5b713 ftp://ftp.suse.com/pub/suse/i386/update/7.3/d2/cvs-1.11-216.i386.rpm dfc4ef94db20ade5dec95d7ffeeea5c3 ftp://ftp.suse.com/pub/suse/i386/update/7.3/ap3/rrdtool-1.0.33-186.i386.rpm 3f74c8ad1a12a20b1500ba2b316a6096 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/rsync-2.4.6-361.src.rpm a3159d325cd2e61ffabbb7bc29d6612d ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/cvs-1.11-216.src.rpm 890df2775fa65847f294048bf002ab86 ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/rrdtool-1.0.33-186.src.rpm 7079579c4d60e5d9cf324f544475d6e2 SuSE-7.2 ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec1/gpg-1.0.6-193.i386.rpm 18aaed31374c7d25950f9c329db2b3da ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/rsync-2.4.6-362.i386.rpm 16b2209c444bfe197b90b53913bea10f ftp://ftp.suse.com/pub/suse/i386/update/7.2/d2/cvs-1.11-216.i386.rpm 82b197d54348aaa266a30870fa9c7333 ftp://ftp.suse.com/pub/suse/i386/update/7.2/ap3/rrdtool-1.0.33-186.i386.rpm 85c086395eb5092468b9c368214d0f55 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/gpg-1.0.6-193.src.rpm 69313e9586549babb354348aeca613e4 ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/rsync-2.4.6-362.src.rpm 4289b7727bd48da50948d228699f27bc ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/cvs-1.11-216.src.rpm a4ddfb02d6c1ef9340ad05019eebb725 ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/rrdtool-1.0.33-186.src.rpm ca694bf598759e07d58d15750f436827 SuSE-7.1 ftp://ftp.suse.com/pub/suse/i386/update/7.1/sec1/gpg-1.0.6-192.i386.rpm b4d7d22864a78d36b61bf6151861acc7 ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/rsync-2.4.6-361.i386.rpm f9bb2a436ab97972d32fd998909ed289 ftp://ftp.suse.com/pub/suse/i386/update/7.1/d2/cvs-1.11-216.i386.rpm 2b4c10d95d29e02c2ffc1ed89872d5d3 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/gpg-1.0.6-192.src.rpm 3648286b5847f2203a6debca039bfe09 ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/rsync-2.4.6-361.src.rpm 56fc72c1c1e2780ab50944ac65148af3 ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/cvs-1.11-216.src.rpm c2fe82d14f8d98e33da59440872e1abf SuSE-7.0 ftp://ftp.suse.de/pub/suse/i386/update/7.0/sec1/gpg-1.0.6-192.i386.rpm 1030cfbfaa661692f40c8779bcfe7ebe ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/rsync-2.3.2-130.i386.rpm 889cbb6f76b3eb0777894c25558a5ccf ftp://ftp.suse.com/pub/suse/i386/update/7.0/d1/cvs-1.10.7-160.i386.rpm 6376028606f9e9fd5093fd3557ebceb1 source rpm: ftp://ftp.suse.de/pub/suse/i386/update/7.0/zq1/gpg-1.0.6-192.src.rpm c685b31952d90d701a96feaad51b50a6 ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/rsync-2.3.2-130.src.rpm 6689e22925836a854b955f68306c57ae ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/cvs-1.10.7-160.src.rpm b5864834aa05ba53873b5810af8c11fe SuSE-6.4 ftp://ftp.suse.de/pub/suse/i386/update/6.4/sec1/gpg-1.0.6-191.i386.rpm 73e1bd61d721a40dc72845bcd540572a ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/rsync-2.3.2-130.i386.rpm 16746c5c506f743120f947d422432376 ftp://ftp.suse.com/pub/suse/i386/update/6.4/d1/cvs-1.10.7-159.i386.rpm d31b782a1d85795862acae8f0c89baf0 source rpm: ftp://ftp.suse.de/pub/suse/i386/update/6.4/zq1/gpg-1.0.6-191.src.rpm 6b39ca4bb7297ad71d10fd79558480b7 ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/rsync-2.3.2-130.src.rpm 5c23fc8d7c51ba8b2f9e255f65f8e612 ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/cvs-1.10.7-159.src.rpm 554ca35e9f536d82e042aebe847df28e Sparc Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/sparc/update/7.3/sec1/gpg-1.0.6-67.sparc.rpm 7bc6e19142f339667b40d4c6bbcda871 ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/rsync-2.4.6-149.sparc.rpm f0f4339f9bb20fa27be5710c1491dbf8 ftp://ftp.suse.com/pub/suse/sparc/update/7.3/d2/cvs-1.11-98.sparc.rpm 79ffbab2594865c3ce52de7227e3e501 ftp://ftp.suse.com/pub/suse/sparc/update/7.3/ap3/rrdtool-1.0.33-49.sparc.rpm 2fae8f0fa23735fbe99c1d4d48d278c3 source rpm: ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/gpg-1.0.6-67.src.rpm f78fa7647eed1fddfb3131254cbec4a9 ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/rsync-2.4.6-149.src.rpm 3eb6724d9327254325870e23d5ee76c5 ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/cvs-1.11-98.src.rpm 6ee4505a182e7684c60607451ef019fb ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/rrdtool-1.0.33-49.src.rpm c4a683e01dfe459f5342ddc4fc6865bd SuSE-7.1 ftp://ftp.suse.com/pub/suse/sparc/update/7.1/sec1/gpg-1.0.6-67.sparc.rpm b42f276176ed6a3d42e6471168e5dc15 ftp://ftp.suse.com/pub/suse/sparc/update/7.1/n2/rsync-2.4.6-149.sparc.rpm d3d47231dffdbf303031c0395b7cf6e3 ftp://ftp.suse.com/pub/suse/sparc/update/7.1/d2/cvs-1.11-98.sparc.rpm 8a305786bbfee100b6c261e8b3a0be8f source rpm: ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/gpg-1.0.6-67.src.rpm 59b434ba4d31264a55f602d3b66fa0f0 ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/rsync-2.4.6-149.src.rpm 49f929cbe50425512d29948e26220089 ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/cvs-1.11-98.src.rpm c4eaa2c573904ffd6ffaf3db2efebcfe SuSE-7.0 ftp://ftp.suse.de/pub/suse/sparc/update/7.0/sec1/gpg-1.0.6-67.sparc.rpm 286642b0d5c7491c47c5570bad05a391 ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/rsync-2.3.2-8.sparc.rpm 030c775ec89eb227b2d34a80c993f2dc ftp://ftp.suse.com/pub/suse/sparc/update/7.0/d1/cvs-1.10.7-4.sparc.rpm f0a734e3996bbb7a740c4bbb8d620218 source rpm: ftp://ftp.suse.de/pub/suse/sparc/update/7.0/zq1/gpg-1.0.6-67.src.rpm 14d52437ea98dfc47b7e5266aa7c675d ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/rsync-2.3.2-8.src.rpm a42e3a8ad3852b58c80f3f25bd4a7873 ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/cvs-1.10.7-4.src.rpm c200f16ee87e6a559297795877260990 AXP Alpha Platform: SuSE-7.1 ftp://ftp.suse.com/pub/suse/axp/update/7.1/sec1/gpg-1.0.6-91.alpha.rpm d2b3f32faad4930aebd83448f8cfe52e ftp://ftp.suse.com/pub/suse/axp/update/7.1/n2/rsync-2.4.6-160.alpha.rpm 75a09942d7abbb5faee6c57d25075ec2 ftp://ftp.suse.com/pub/suse/axp/update/7.1/d2/cvs-1.11-101.alpha.rpm 90ebabcec70121d6b4e578ed47e10475 source rpm: ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/gpg-1.0.6-91.src.rpm d37f206d6627367af4173f16601f5f19 ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/rsync-2.4.6-160.src.rpm df8ab3b91f26d67484f773dec6227e80 ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/cvs-1.11-101.src.rpm 348ec5ea873749a7de17efae7d32c6af SuSE-7.0 ftp://ftp.suse.de/pub/suse/axp/update/7.0/sec1/gpg-1.0.6-91.alpha.rpm 385bbe68eab422ba8c06d6182acf3df0 ftp://ftp.suse.com/pub/suse/axp/update/7.0/n1/rsync-2.3.2-35.alpha.rpm b0fd243d894fcdc354f092d7c171f776 ftp://ftp.suse.com/pub/suse/axp/update/7.0/d1/cvs-1.10.7-69.alpha.rpm d5471a53f6f2b93cceb8e7ad8a2bde39 source rpm: ftp://ftp.suse.de/pub/suse/axp/update/7.0/zq1/gpg-1.0.6-91.src.rpm d2db252aeb9a231fe2ea9d42a1b40472 ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/rsync-2.3.2-35.src.rpm 634bc1087e905ed1889400a82306957c ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/cvs-1.10.7-69.src.rpm f5eda7e32648f0631772da3247f70245 SuSE-6.4 ftp://ftp.suse.de/pub/suse/axp/update/6.4/sec1/gpg-1.0.6-91.alpha.rpm c1b82fda096a50de75f5d5b4851dd2b9 ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/rsync-2.3.2-36.alpha.rpm 567602c9a262398599d401db44469660 ftp://ftp.suse.com/pub/suse/axp/update/6.4/d1/cvs-1.10.7-69.alpha.rpm 56a7b8a0c5a122ddc5796a4445b4db71 source rpm: ftp://ftp.suse.de/pub/suse/axp/update/6.4/zq1/gpg-1.0.6-91.src.rpm 28f3d6398d8cc232bf96247ca0cb895d ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/rsync-2.3.2-36.src.rpm 681e675e376481201e6d2be524eafbd7 ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/cvs-1.10.7-69.src.rpm 65aca598906f07fe8ac6633c80ec0804 PPC Power PC Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec1/gpg-1.0.6-139.ppc.rpm 06986ca3c85c9211dd16bb7eb2142867 ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/rsync-2.4.6-212.ppc.rpm b40a7114913eaffe54674a102ca92237 ftp://ftp.suse.com/pub/suse/ppc/update/7.3/d2/cvs-1.11-104.ppc.rpm ff7d174babb5d1213e8f90930243ce9c ftp://ftp.suse.com/pub/suse/ppc/update/7.3/ap3/rrdtool-1.0.33-124.ppc.rpm 1edd2d5d460a897d5ce563b8739a3deb source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/gpg-1.0.6-139.src.rpm 449dc67ed777e1587bf112f3a38459dc ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/rsync-2.4.6-212.src.rpm 586e78e122109e482d58dcdd87e13dee ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/cvs-1.11-104.src.rpm a67270b4c932b5f83e593549c22b06a7 ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/rrdtool-1.0.33-124.src.rpm aa1dbd6e3ca7464508dce8cbe8c3904f SuSE-7.1 ftp://ftp.suse.com/pub/suse/ppc/update/7.1/sec1/gpg-1.0.6-139.ppc.rpm 2cd31ab33813c5747eb23a9f8c157d17 ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n2/rsync-2.4.6-212.ppc.rpm a198784c826e61e1ad94c669a17ac9fa ftp://ftp.suse.com/pub/suse/ppc/update/7.1/d2/cvs-1.11-104.ppc.rpm 4d45a8606df41ba3d16f5543e6b89865 source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/gpg-1.0.6-139.src.rpm 56ee6bc10a0a33bf6dad112c6462517a ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/rsync-2.4.6-212.src.rpm e0952c2fade289e49e20b7d3d7063631 ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/cvs-1.11-104.src.rpm 96a0520c693523de8eafb8c37abf16ba SuSE-7.0 ftp://ftp.suse.de/pub/suse/ppc/update/7.0/sec1/gpg-1.0.6-139.ppc.rpm cee90f407dbabf66c9b9da119ad0e308 ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n1/rsync-2.3.2-137.ppc.rpm edbbab80c23963791d5385155ce2511f ftp://ftp.suse.com/pub/suse/ppc/update/7.0/d1/cvs-1.10.7-170.ppc.rpm bd4195c9a078bfa0225719586140ea09 source rpm: ftp://ftp.suse.de/pub/suse/ppc/update/7.0/zq1/gpg-1.0.6-139.src.rpm 81f4af6730c4ad92b31de1df69f0e535 ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/rsync-2.3.2-137.src.rpm 2d28b8a51463ff19f9c4b83aa4df4f51 ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/cvs-1.10.7-170.src.rpm d944cd23c532c18191d90bd752de5a1f SuSE-6.4 ftp://ftp.suse.de/pub/suse/ppc/update/6.4/sec1/gpg-1.0.6-138.ppc.rpm 27e1aaa319bf35722a63fa73c2c4a543 ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/rsync-2.3.2-137.ppc.rpm 94d0512db52f89f79171c7648255e32d ftp://ftp.suse.com/pub/suse/ppc/update/6.4/d1/cvs-1.10.7-169.ppc.rpm f5f9a3a3c2ed93776bbdb747217d3f65 source rpm: ftp://ftp.suse.de/pub/suse/ppc/update/6.4/zq1/gpg-1.0.6-138.src.rpm 45dd7ac7bba9e3bf0cc41a4f20d11ed8 ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/rsync-2.3.2-137.src.rpm 993c4e7eb632a43be85a9e17369792cf ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/cvs-1.10.7-169.src.rpm 867ed44e362dd6fdfb2d0eec249190d6 ______________________________________________________________________________ 2) Pending vulnerabilities in SuSE Distributions and Workarounds: - The freeamp packages for the newer products will be available shortly. The gpg package for the Intel i386 platform, distribution SuSE Linux 7.3, will be available shortly. Update packages for the packages vnc, netscape and the kernel will follow later this week. Please carefully read the section 2) in the upcoming SuSE Security Announcements. ______________________________________________________________________________ 3) standard appendix: authenticity verification, additional information - Package authenticity verification: SuSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package: 1) md5sums as provided in the (cryptographically signed) announcement. 2) using the internal gpg signatures of the rpm package. 1) execute the command md5sum <name-of-the-file.rpm> after you downloaded the file from a SuSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security(a)suse.de) the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless. 2) rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, where <file.rpm> is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an uninstalled rpm package file. Prerequisites: a) gpg is installed b) The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SuSE in rpm packages for SuSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SuSE Linux distributions version 7.1 and thereafter install the key "build(a)suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the toplevel directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de . - SuSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SuSE's announce-only mailing list. Only SuSE's security annoucements are sent to this list. To subscribe, send an email to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (faq) send mail to: <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com> respectively. ===================================================================== SuSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the cleartext signature shows proof of the authenticity of the text. SuSE GmbH makes no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- Roman Drahtmüller, SuSE Security. - -- - - | Roman Drahtmüller <draht(a)suse.de> // "You don't need eyes to see, | SuSE GmbH - Security Phone: // you need vision!" | Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless | - - -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQEVAwUBPI0MMney5gA9JdPZAQGjegf/fIMK92cjp0gx/6OTXOn2L2c2Z3vTY9BC iZ8ykqSy+j4Q81CKJqykUoLA2CTziPWWuuCHJ2DV4lGKJlnik0db4X2MYTMIHJZw 0ljQb0LcAU0eUzCOkgKZFeztFyNwOnmdVMi8/jHX2H5tLAK+xQPujPw2DwAVSGqt S2IfAAe3t5Fxrlb7nWS+SJ8iyWCLgStJFdDTOgFVQi061m1sU2nIQKzb1cvLh9Js MQbecr6n0smWE4OF+0tpen/8vh8tVDIhAZ7fs3HgI/1CTyxD9wujTSyLkYO+OVzu 6KvRhwsDwDt6CtO73KnbsfCjoaa4kbOT50OPEcCVEABflk/DXv3eWg== =1I9v -----END PGP SIGNATURE-----

1 0

SuSE Security Announcement: libz/zlib (SuSE-SA:2002:010) (tandem-announcement, first part)
by Roman Drahtmueller 11 Mar '02

11 Mar '02

-----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SuSE Security Announcement Package: libz/zlib Announcement-ID: SuSE-SA:2002:010 Date: Monday, Mar 11th 2002 20:45 MET Affected products: 6.4, 7.0, 7.1, 7.2, 7.3 SuSE Linux Database Server SuSE eMail Server III SuSE Firewall SuSE Linux Connectivity Server SuSE Linux Enterprise Server 7 Vulnerability Type: remote command execution Severity (1-10): 8 SuSE default package: yes Other affected systems: systems with recent versions of the compression library Content of this advisory: 1) security vulnerability resolved: libz/zlib problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds 3) standard appendix (further information) ______________________________________________________________________________ 1) problem description, brief discussion, solution, upgrade information The zlib compression library is being used by many applications to provide data compression/decompression routines. An error in a decompression routine can corrupt the internal data structures of malloc by a double call to the free() function. If the data processed by the compression library is provided from an untrusted source, it may be possible for an attacker to interfere with the process using the zlib routines. The attack scenario includes a denial of service attack and memory/data disclosure, but it may also be possible to insert arbitrary code into the running program and to execute this code. This update fixes the known problems in the libz/zlib as a permanent fix. There exists no temporary workaround that can efficiently remedy the problem. It is expected that a large range of software is affected. The systems affected are by no means limited to Linux systems or other open-source based operating systems. Note: The libz compression library is being used by several hundred packages in all SuSE products. While the update of the libz package as itself is not problematic, it must be noted that many packages bring their own compression library in their source code. If these packages link against their own version of the libz compression library, their source needs to be fixed as well. Considering the length of a combined Security Announcement, SuSE Security publish a tandem-announcement, consisting of two seperate Security Announcements released in quick succession: SuSE-SA:2002:010 libz/zlib SuSE-SA:2002:011 packages containing libz/zlib Acknowledgements: We thank Owen Taylor who tracked down the bug in the compression library, and to Matthias Clasen for reporting the problem that seemed to be located in the libpng at first. We also thank Mark Adler and Jean-loup Gailly, the authors of the zlib package, for their quick response in the double-free() matter. SPECIAL INSTALL INSTRUCTIONS: =============================== * Installation of the update package: The installation of shared libraries on an actively running system should be done with special care. During the update of the libz package, runtime-linking the shared libraries is likely to fail for processes that execute a new binary with the execve(2) system call. If at all applicable, a system receiving the update should be kept as quiet as possible during the time that the RPM command runs. In doubt, please perform the update in Single User Mode ("init S"). The RPM command must not be interrupted during its operation. After performing the update, the processes that still use the old version of the package must be restarted for the libz upgrade to become effective. If you have performed the update in Single User Mode, this has been done already, and you can safely return to your default runlevel. If in doubt, reboot your system to make sure that the changes are becoming effective. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web. i386 Intel Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/i386/update/7.3/a1/libz-1.1.3-597.i386.rpm 799491ca29f9bf95e3e38a73f25abea8 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/libz-1.1.3-597.src.rpm a4071506da6ab39dca5495530028d291 SuSE-7.2 ftp://ftp.suse.com/pub/suse/i386/update/7.2/a1/libz-1.1.3-573.i386.rpm 2197aff65b09fb05b8969ace64d7a4a6 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/libz-1.1.3-573.src.rpm 1694ed149ca946e7ea1cc2da3f14c181 SuSE-7.1 ftp://ftp.suse.com/pub/suse/i386/update/7.1/a1/libz-1.1.3-570.i386.rpm c309b104231c596bb81008c38a4e473c source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/libz-1.1.3-570.src.rpm 950c86970cd7c3fc0a30cfab176769ac SuSE-7.0 ftp://ftp.suse.com/pub/suse/i386/update/7.0/a1/libz-1.1.3-571.i386.rpm 8bde6b53a78e5f920080bfa3b6a236a6 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/libz-1.1.3-571.src.rpm 718c36c91cd0f97466cbb2303967d51c SuSE-6.4 ftp://ftp.suse.com/pub/suse/i386/update/6.4/a1/libz-1.1.3-575.i386.rpm 270fc89c1be6854288925a9326f9ca6e source rpm: ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/libz-1.1.3-575.src.rpm 625ed87653f820f7f65a4a8e045f6cc2 Sparc Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/sparc/update/7.3/a1/libz-1.1.3-419.sparc.rpm f890b6d04e9164fc2afa05241c0e94c9 source rpm: ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/libz-1.1.3-419.src.rpm 818d39946dc6c73f425620fba546935c SuSE-7.1 ftp://ftp.suse.com/pub/suse/sparc/update/7.1/a1/libz-1.1.3-406.sparc.rpm ff4ea0da2c5126311f654b2896a70dd9 source rpm: ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/libz-1.1.3-406.src.rpm c3a49ea61f2642d53e29c8a81e07bfd9 SuSE-7.0 ftp://ftp.suse.com/pub/suse/sparc/update/7.0/a1/libz-1.1.3-406.sparc.rpm b9e22f0ff9785ca1d226bd2c5e135909 source rpm: ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/libz-1.1.3-406.src.rpm 25c2b7cd4e20da69b7d806551966bae8 AXP Alpha Platform: SuSE-7.1 ftp://ftp.suse.com/pub/suse/axp/update/7.1/a1/libz-1.1.3-434.alpha.rpm e8cd8561a1434c36afcccd856d79a483 source rpm: ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/libz-1.1.3-434.src.rpm f7c21774f76fb240205291c4e91ad83c SuSE-7.0 ftp://ftp.suse.com/pub/suse/axp/update/7.0/a1/libz-1.1.3-434.alpha.rpm 15510fc7563e669145d28a69e0e77d8e source rpm: ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/libz-1.1.3-434.src.rpm 008bc8f743e64e26dccd89baf882b214 SuSE-6.4 ftp://ftp.suse.com/pub/suse/axp/update/6.4/a1/libz-1.1.3-435.alpha.rpm 7d29b7d929e4b36dd6268058bf3c7538 source rpm: ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/libz-1.1.3-435.src.rpm 67a4bd496c7625aaa3049417930e97f8 PPC Power PC Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/ppc/update/7.3/a1/libz-1.1.3-432.ppc.rpm b06097a1496ca5fd7b3492c2ab4f7337 source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/libz-1.1.3-432.src.rpm 45127ca06e4b019b2e700a0c87c2edb6 SuSE-7.1 ftp://ftp.suse.com/pub/suse/ppc/update/7.1/a1/libz-1.1.3-417.ppc.rpm 783a39b17295e169d344a5f7f1ad7e86 source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/libz-1.1.3-417.src.rpm 2ac1e404e8a6723b1eb101b7c7d118e8 SuSE-7.0 ftp://ftp.suse.com/pub/suse/ppc/update/7.0/a1/libz-1.1.3-417.ppc.rpm 24901e0c7ccb6bf5bf17b2af60596d96 source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/libz-1.1.3-417.src.rpm f9e6cda577a5007baa84fb9940ec718d SuSE-6.4 ftp://ftp.suse.com/pub/suse/ppc/update/6.4/a1/libz-1.1.3-416.ppc.rpm b3580d5e1b3702c330957bde4422486c source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/libz-1.1.3-416.src.rpm 32cbca2dbc911da128b5bd1d19789792 ______________________________________________________________________________ 2) Pending vulnerabilities in SuSE Distributions and Workarounds: - Please see the following SuSE Security Announcement SuSE-SA:2002:011 (packages containing libz) for upgrade information regarding packages that bring their own compression library in their source. ______________________________________________________________________________ 3) standard appendix: authenticity verification, additional information - Package authenticity verification: SuSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package: 1) md5sums as provided in the (cryptographically signed) announcement. 2) using the internal gpg signatures of the rpm package. 1) execute the command md5sum <name-of-the-file.rpm> after you downloaded the file from a SuSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security(a)suse.de) the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless. 2) rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, where <file.rpm> is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an uninstalled rpm package file. Prerequisites: a) gpg is installed b) The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SuSE in rpm packages for SuSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SuSE Linux distributions version 7.1 and thereafter install the key "build(a)suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the toplevel directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de . - SuSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SuSE's announce-only mailing list. Only SuSE's security annoucements are sent to this list. To subscribe, send an email to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (faq) send mail to: <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com> respectively. ===================================================================== SuSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the cleartext signature shows proof of the authenticity of the text. SuSE GmbH makes no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- Roman Drahtmüller, SuSE Security. - -- - - | Roman Drahtmüller <draht(a)suse.de> // "You don't need eyes to see, | SuSE GmbH - Security Phone: // you need vision!" | Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless | - - -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQEVAwUBPI0L+ney5gA9JdPZAQHxZgf/bORLAqA2QUZ9udAPixhnIhfhMCRTHnvF GXHbJ5kKFthOat011HFUIYAjzx501919EFdAY7Bs3RJfLicXtIB9LNpYKsVw4OU9 xfngF4jZ4sPYDtf1/5vG/JWlWVeae1hy5/zlfal+9ior3cZtO+z4ClI1eHr/25lU ehwgDC3nLAd7wL2ZKRHPCTylQR95hrGQFn5rf+A+2/ll8uwPkLRuQSE5FwyaGhis XsQHBVmJNj/4sw8Fz00ULxQTHPpk44cBYutbn6pJY0NqygJIXzDd/r8pPJ8g3I2o E5XFPbicGhY+H03gOvZF44yZxcS+N5+u6beXnCSiLRiqqywNQfJFzg== =rQ8h -----END PGP SIGNATURE-----

1 0

SuSE Security Announcement: openssh (SuSE-SA:2002:009)
by Roman Drahtmueller 07 Mar '02

07 Mar '02

-----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SuSE Security Announcement Package: 009 Announcement-ID: SuSE-SA:2002:009 Date: Thursday, Mar 7th 2002 19:00 MET Affected products: 6.4, 7.0, 7.1, 7.2, 7.3, SuSE Linux Firewall SuSE Linux Database Server SuSE eMail Server III SuSE Linux Connectivity Server SuSE Linux Enterprise Server 7 Vulnerability Type: local and remote command execution Severity (1-10): 6 SuSE default package: yes Other affected systems: systems running versions of openssh before version 3.1 Content of this advisory: 1) security vulnerability resolved: openssh problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds 3) standard appendix (further information) ______________________________________________________________________________ 1) problem description, brief discussion, solution, upgrade information Joost Pol discovered an off-by-one bug in a routine in the openssh code for checking channel IDs. This bug can be exploited on the remote side by an already authenticated user, qualifying this bug as a local security vulnerability, and on the local side if a malicious server attacks the connected client, qualifying this bug as a remote vulnerability. If the error is being exploited, it leads to arbitrary code execution in the process under attack (either a local ssh client, attacking the userID of the client user, or a remote secure shell daemon that has an authenticated user session running, attacking the root account of the remote system). Please note that the possible attack scenario is different from the usual attack scheme because "local vulnerability" refers to the remote side and vice versa. There is no temporary workaround for this bug. If you comply to the following two conditions, the impact of the error is considerably small: 1) You only connect to hosts that you consider fully trusted and not compromised. 2) The users that connect to your servers are fully trusted (the users have root access, for instance). As a permanent solution, we recommend to update the openssh package to the version that is being offered for download on our servers. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Please note that the packages for SuSE Linux 6.4 and 7.0 are located on the German ftp server ftp.suse.de. The SuSE Linux releases 7.1 and newer have their openssh packages on ftp.suse.com. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web. SPECIAL INSTALL INSTRUCTIONS: ============================== After applying the update, the secure shell daemon should be restarted for the update to become effective. To do this, execute the following command as root: rcsshd restart If you do not run a secure shell daemon, the command above is obsolete. The secure shell daemon (sshd) is activated by default on most SuSE products. i386 Intel Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/i386/update/7.3/sec1/openssh-2.9.9p2-98.i386.rpm 21c6183843ab1a6b23bd5f820a32d564 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/openssh-2.9.9p2-98.src.rpm 566cd2c52235b872bf62ffce260c3237 SuSE-7.2 ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec1/openssh-2.9.9p2-96.i386.rpm a2a21af13f0bac95f87a683cc7199fad source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/openssh-2.9.9p2-96.src.rpm 6e5ff91227e795dc903b545f1691aaba SuSE-7.1 ftp://ftp.suse.com/pub/suse/i386/update/7.1/sec1/openssh-2.9.9p2-98.i386.rpm 8cc626ac19a0a807d6b35790f0706af1 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/openssh-2.9.9p2-98.src.rpm 60823aaaece46cbddb884856c48214e1 SuSE-7.0 ftp://ftp.suse.de/pub/suse/i386/update/7.0/sec1/openssh-2.9.9p2-97.i386.rpm d83d4b1f4cd83c0b6d749f2c3375a1b6 source rpm: ftp://ftp.suse.de/pub/suse/i386/update/7.0/zq1/openssh-2.9.9p2-97.src.rpm 61cebfe1223c564826dcbb04f04090a5 SuSE-6.4 ftp://ftp.suse.de/pub/suse/i386/update/6.4/sec1/openssh-2.9.9p2-94.i386.rpm 9143ebef0b74a55fcb7220570cbbd5fe source rpm: ftp://ftp.suse.de/pub/suse/i386/update/6.4/zq1/openssh-2.9.9p2-94.src.rpm 002685e3ed9e3f26aa3410d433a801a0 Sparc Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/sparc/update/7.3/sec1/openssh-2.9.9p2-36.sparc.… d8e2819c511a58e6fe02e4dcfe4aa73a source rpm: ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/openssh-2.9.9p2-36.src.rpm ffb28fc074984c25aab75a227b9cf813 SuSE-7.1 ftp://ftp.suse.com/pub/suse/sparc/update/7.1/sec1/openssh-2.9.9p2-36.sparc.… c50b9c170b6b734e15285af8fc718fd7 source rpm: ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/openssh-2.9.9p2-36.src.rpm 5cf9ca6a8817399168a730bedca30667 SuSE-7.0 ftp://ftp.suse.de/pub/suse/sparc/update/7.0/sec1/openssh-2.9.9p2-36.sparc.rpm d066f6898ed32dee71056a6d1a8be232 source rpm: ftp://ftp.suse.de/pub/suse/sparc/update/7.0/zq1/openssh-2.9.9p2-36.src.rpm bbacf2fbe5a776fe0324137a727e50ac AXP Alpha Platform: SuSE-7.1 ftp://ftp.suse.com/pub/suse/axp/update/7.1/sec1/openssh-2.9.9p2-39.alpha.rpm b452ee9f9895fa3e6cf4faaa90ae95b4 source rpm: ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/openssh-2.9.9p2-39.src.rpm 7206777180ee646ecb80d788bf2162b4 SuSE-7.0 ftp://ftp.suse.de/pub/suse/axp/update/7.0/sec1/openssh-2.9.9p2-38.alpha.rpm 4c9c6648961be0143f1e916d1d341a22 source rpm: ftp://ftp.suse.de/pub/suse/axp/update/7.0/zq1/openssh-2.9.9p2-38.src.rpm b91b0ccd84e3d687e443157fe965a692 SuSE-6.4 ftp://ftp.suse.de/pub/suse/axp/update/6.4/sec1/openssh-2.9.9p2-37.alpha.rpm c611ef5467d99739346a4c3952bc4f5f source rpm: ftp://ftp.suse.de/pub/suse/axp/update/6.4/zq1/openssh-2.9.9p2-37.src.rpm 10ca72afe81285d7ae2b70789091e024 PPC Power PC Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec1/openssh-2.9.9p2-69.ppc.rpm 5eb3b1cf92f25d85389d40878777a3ea source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/openssh-2.9.9p2-69.src.rpm 172e3720f9a4146513c59b57a0232048 SuSE-7.1 ftp://ftp.suse.com/pub/suse/ppc/update/7.1/sec1/openssh-2.9.9p2-69.ppc.rpm b1a2fa0bbecc721ec847ed81a0dc99c4 source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/openssh-2.9.9p2-69.src.rpm 748ff97c3c08d6a912b89df84da79b42 SuSE-7.0 ftp://ftp.suse.de/pub/suse/ppc/update/7.0/sec1/openssh-2.9.9p2-68.ppc.rpm 6c36b2ab8e38befc5ee9ff44ac1a666b source rpm: ftp://ftp.suse.de/pub/suse/ppc/update/7.0/zq1/openssh-2.9.9p2-68.src.rpm 7e50623f5832d23e4d54b9409acdfdfc SuSE-6.4 ftp://ftp.suse.de/pub/suse/ppc/update/6.4/sec1/openssh-2.9.9p2-67.ppc.rpm 4ee55305ea565867f7da0485a737ae6c source rpm: ftp://ftp.suse.de/pub/suse/ppc/update/6.4/zq1/openssh-2.9.9p2-67.src.rpm 27d2d33466da141dceb42a0a13c57f0c ______________________________________________________________________________ 2) Pending vulnerabilities in SuSE Distributions and Workarounds: - All kernel versions from 2.4.14 to 2.4.18-pre8 are known to have a bug in the connection tracking module for the IRC-DCC (Internet Relay Chat Direct Client-to-Client) protocol that would make it possible to open arbitrary unwanted ports for expected inbound dcc connections. SuSE are in the process of preparing update packages for this vulnerability for administrators who have installed a kernel from one of the update directories on ftp.suse.com. The respective update will also cover the DoS problem in the kernel modules for the cipe tunnel software that we reported about earlier. We will release these new kernel packages as soon as we can assure the quality and stability that is expected from SuSE kernel packages. As a temporary workaround, we recommend to remove the kernel module in question with the following command: "rm /lib/modules/*/kernel/net/ipv4/netfilter/*irc*" In addition to removing the kernel module on your file system, you should make sure that the kernel module is not loaded into your running kernel. Use the command "lsmod" to view the loaded modules, and "rmmod" to remove a loaded kernel module. In doubt, reboot your server. The module (and the netfilter engine as a whole) are not used by default on SuSE Linux installations. Please note that the SuSE Linux Firewall on CD product uses a 2.2-series kernel which is not affected by this problem. - ucd-snmpd The UCD snmpd contains various security releated bugs. We are currently reviewing the code and available fixes to ensure they all get fixed. Patches will be available as soon as possible. It is strongly recommended to filter SNMP (TCP and UDP packets with destination of port 161) traffic. - mod_ssl We are currently testing update packages for the apache web server. These packages contain the mod_ssl Secure Socket Layer apache module, which is subject to a weakness (buffer overflow). The availability of the update packages is a matter of hours. The SuSE Security announcement for the apache webserver will follow very soon after the packages have been published on our ftp server. ______________________________________________________________________________ 3) standard appendix: authenticity verification, additional information - Package authenticity verification: SuSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package: 1) md5sums as provided in the (cryptographically signed) announcement. 2) using the internal gpg signatures of the rpm package. 1) execute the command md5sum <name-of-the-file.rpm> after you downloaded the file from a SuSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security(a)suse.de) the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless. 2) rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, where <file.rpm> is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an uninstalled rpm package file. Prerequisites: a) gpg is installed b) The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SuSE in rpm packages for SuSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SuSE Linux distributions version 7.1 and thereafter install the key "build(a)suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the toplevel directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de . - SuSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SuSE's announce-only mailing list. Only SuSE's security annoucements are sent to this list. To subscribe, send an email to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (faq) send mail to: <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com> respectively. ===================================================================== SuSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the cleartext signature shows proof of the authenticity of the text. SuSE GmbH makes no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- Roman Drahtmüller, SuSE Security. - -- - - | Roman Drahtmüller <draht(a)suse.de> // "You don't need eyes to see, | SuSE GmbH - Security Phone: // you need vision!" | Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless | - - -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQEVAwUBPIewqHey5gA9JdPZAQHgqwf/YeCAMDHRvjnM8NMvT0dQKz5tc/8sVHZ9 pTld1eDrxydyV4/6g6qb1ieuAItlCLcc/SZn5tIp8w4FJazvx87zR2NaGcu7Wyeh Z6HUuhaP5CbJqli0IpVgyd2OR7T1aBvBR2n/LBmBz4N51ZFtZxg6a84K00QBKuDz BEvoJeZmXZLBXTe3+/V1hojGrRlvQmoR9zH513HvD7rP1xG2ao2x5k6yz5spJKfC 7jeZu5HLGlLSYEAwlyt9eXzDwpQUdIFhPFcH9OSM72wk6vMYvSOgmHfPU5IsbrsQ S9GM3TmVDB9YzYoQY6LwrB+IdtjrVAF92nzkGXbhtlzlL/HUgboGvw== =KlGf -----END PGP SIGNATURE-----

1 0

SuSE Security Announcement: squid (SuSE-SA:2002:008)
by Sebastian Krahmer 04 Mar '02

04 Mar '02

-----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SuSE Security Announcement Package: squid Announcement-ID: SuSE-SA:2002:008 Date: Mon Mar 5 13:00:00 CET 2002 Affected SuSE products: 6.4, 7.0, 7.1, 7.2, 7.3, Enterprise Server 7 Vulnerability Type: remote command execution Severity (1-10): 6 SuSE default package: no Other affected systems: all systems running vulnerable squid Content of this advisory: 1) security vulnerability resolved: Heap overflow in squid. problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds 3) standard appendix (further information) ______________________________________________________________________________ 1) problem description, brief discussion, solution, upgrade information The widely used proxy-server squid contains a heap overflow in one of its URL constructing functions. Incorrect length-calculations for the user and passwd fields in ftp-URLs turned out to be the origin of the problem. Only users from hosts listed in squids ACL-files could trigger the overflow. The ftp-URL problem is not present in the 6.4, 7.0 and 7.1 distributions, but other security releated bugs have been fixed there. A complete history can be found at http://www.squid-cache.org/Versions/v2/2.4/bugs/ Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. For users of our SLES-based products, please use the yast online update. For the updates to take effect, invoke the following command as root: /etc/rc.d/squid restart If you added the htcp_port directive to your squid configuration file you might now see a warning in the logs about that directive being unrecognized. While this does not prevent squid from starting, you can safely remove the directive from squid.conf since HTCP support is disabled now. Please note that there are two binary and two source packages for almost every distribution available. i386 Intel Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/squid-2.3.STABLE4-155.i386.r… 4b1cff53fddcaf8930ec6738c6763a94 ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/squid-beta-2.4.STABLE2-94.i3… 4ca7f3594ec82b703c6c36c08fb46ecb source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/squid-2.3.STABLE4-155.src.r… 3751569a6c0ea21057d37cb7d3ca9076 ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/squid-beta-2.4.STABLE2-94.s… 99f33e8d1e5b8a3e8d7f6501d26c6e67 SuSE-7.2 ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/squid-2.3.STABLE4-155.i386.r… 1f098dcb1020df788cc912d88f14bb96 ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/squid-beta-2.4.STABLE1-100.i… cc136eeaf6ed4ac305e93d306e6f7461 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/squid-2.3.STABLE4-155.src.r… d3fae41b9128f73a0e457376bfb7a5c1 ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/squid-beta-2.4.STABLE1-100.… c24bf7c45b227b06ae1013dd6fcb9d92 SuSE-7.1 ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/squid2-2.2.STABLE5-218.i386.… 5a7b26c99855837331e2d375901a5fce ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/squid23-2.3.STABLE4-75.i386.… f3a4a2e8d9fa4b56948e8a8d2bc6e2a0 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/squid2-2.2.STABLE5-218.src.… 6c208e3f13da8d93fecfdca62c98f46f ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/squid23-2.3.STABLE4-75.src.… ad588c92719bffbc02e72fddf6195dd2 SuSE-7.0 ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/squid2-2.2.STABLE5-218.i386.… f12ae33fd707f4ea86a48a77f48fafc8 ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/squid23-2.3.STABLE4-75.i386.… 069c07843355ee473b8b4e10b6726455 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/squid2-2.2.STABLE5-218.src.… 5a2a5f0511cfd75f736ef485bcf6e5a1 ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/squid23-2.3.STABLE4-75.src.… d4bc56dc9240f5ab9582b746c5c18803 SuSE-6.4 ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/squid2-2.2.STABLE5-219.i386.… 13a3e9a366d3e09ee6dcc91148c86be7 ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/squid23-2.3.STABLE4-76.i386.… 53b7ab8cfad2f14b211e1d505d721558 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/squid2-2.2.STABLE5-219.src.… a9b0af504703aa7deeb2e0f6b7b0f512 ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/squid23-2.3.STABLE4-76.src.… fbe64c6fbe15e4a9d06847089bb65d13 Sparc Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/squid-2.3.STABLE4-53.sparc.… 99bf4711c8e781622fd3aba55f21ae5a source rpm: ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/squid-2.3.STABLE4-53.src.r… d56d66c2fd92efa157b98efb1bf6a0c6 SuSE-7.1 ftp://ftp.suse.com/pub/suse/sparc/update/7.1/n2/squid2-2.2.STABLE5-208.spar… f6948f9862addc8d6805311b5760c95a ftp://ftp.suse.com/pub/suse/sparc/update/7.1/n2/squid23-2.3.STABLE4-60.spar… e6e9bf05539791905710ffb23fbd4801 source rpm: ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/squid2-2.2.STABLE5-208.src… 1ad2798d085326317590e0fb42346fa9 ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/squid23-2.3.STABLE4-60.src… 1332572acea60f0c6ca1593fcd245771 SuSE-7.0 ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/squid2-2.2.STABLE5-207.spar… 1958de7d7f90d27c87e1dc1b21879736 ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/squid23-2.3.STABLE4-60.spar… a54038090e73a78a6f3cc77e1162e4a2 source rpm: ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/squid2-2.2.STABLE5-207.src… 3a398a096c2657059a093dcf58222e35 ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/squid23-2.3.STABLE4-60.src… 7e1483d0b41f48ef3aa00e058b0e761f AXP Alpha Platform: SuSE-7.1 ftp://ftp.suse.com/pub/suse/axp/update/7.1/n2/squid2-2.2.STABLE5-225.alpha.… 7f39d3a0ff45f231713c6ba5afbdcc15 ftp://ftp.suse.com/pub/suse/axp/update/7.1/n2/squid23-2.3.STABLE4-74.alpha.… 5fe79d7f9c2da83222978f75e3387e49 source rpm: ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/squid2-2.2.STABLE5-225.src.r… 705a5b370267d8d873f1e3504bcc55ed ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/squid23-2.3.STABLE4-74.src.r… e42367f3ad73250ec9feda4687b406d2 SuSE-7.0 ftp://ftp.suse.com/pub/suse/axp/update/7.0/n1/squid2-2.2.STABLE5-226.alpha.… b0977f9c5ed0750b12308d072da1b285 ftp://ftp.suse.com/pub/suse/axp/update/7.0/n1/squid23-2.3.STABLE4-74.alpha.… 3906c0d918c745582a25fb1c480d3aef source rpm: ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/squid2-2.2.STABLE5-226.src.r… 2afd7d60f6da4feb346ddfefc8bec34a ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/squid23-2.3.STABLE4-74.src.r… cab334bf697df713d847ae8c569b7b30 SuSE-6.4 ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/squid2-2.2.STABLE5-227.alpha.… 1bc4ac5b27e3cfd62766d0258f91090a ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/squid23-2.3.STABLE4-75.alpha.… b809b2523881fbea1f77f3f5b96879c5 source rpm: ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/squid2-2.2.STABLE5-227.src.r… 7d6d942bc8b4208fe610f714868009d8 ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/squid23-2.3.STABLE4-75.src.r… 515cb7434886540fae57c5ac56acbb42 PPC Power PC Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/squid-2.3.STABLE4-71.ppc.rpm 2a14453696ced035fb21d272f7619a5c ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/squid-beta-2.4.STABLE2-59.ppc… ceda7a8a291d8b3d01127b4e0fb1ccb2 source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/squid-2.3.STABLE4-71.src.rpm 5427dd36485bdfb0d67060c9bad62127 ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/squid-beta-2.4.STABLE2-59.sr… a572e3f76e68a3577e6a4efe0ec016ae SuSE-7.1 ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n2/squid2-2.2.STABLE5-200.ppc.rpm a8e274378dc15aab4ca01760c112b770 ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n2/squid23-2.3.STABLE4-68.ppc.rpm 133528338cb5253a12132e3e9ec2ee2e source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/squid2-2.2.STABLE5-200.src.r… 515cb7e5f04cd5980463a8b3f248e08e ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/squid23-2.3.STABLE4-68.src.r… b923a7141e0fb4b1f3b6e6d0185cb4aa SuSE-7.0 ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n1/squid2-2.2.STABLE5-200.ppc.rpm 2b301c87d0d2e1546cb6a63427dc9cea ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n1/squid23-2.3.STABLE4-68.ppc.rpm 20eef813e618d3ac3e8e24abcaca894c source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/squid2-2.2.STABLE5-200.src.r… 7d41eaa9985c49cec7afb76dd29355e7 ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/squid23-2.3.STABLE4-68.src.r… 11bb4cb51a8abf8ebe994dc08f8a7c24 SuSE-6.4 ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/squid2-2.2.STABLE5-200.ppc.rpm e8020a0a7153208e58f202b0655f1ce5 ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/squid23-2.3.STABLE4-68.ppc.rpm efd648b5575b6fce60cd7403fbb15d5a source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/squid2-2.2.STABLE5-200.src.r… 521d058bc1513947642f74a121e4e98b ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/squid23-2.3.STABLE4-68.src.r… 8c9bf3882aa81c7de4b2b920f31e4f69 ______________________________________________________________________________ 2) Pending vulnerabilities in SuSE Distributions and Workarounds: - ucd-snmpd The UCD snmpd contains various security releated bugs. We are currently reviewing the code and available fixes to ensure they all get fixed. Patches will be available as soon as possible. It is strongly recommended to filter SNMP (TCP and UDP packets with destination of port 161) traffic. - hanterm/wmtv The recently reported vulnerabilities in hanterm and wmtv do not affect SuSE installations because they are not installed setuid or setgid. - cipe We are about to prepare kernel update packages that fix a DoS problem in the kernel modules for the cipe encrypted tunneling software. ______________________________________________________________________________ 3) standard appendix: authenticity verification, additional information - Package authenticity verification: SuSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package: 1) md5sums as provided in the (cryptographically signed) announcement. 2) using the internal gpg signatures of the rpm package. 1) execute the command md5sum <name-of-the-file.rpm> after you downloaded the file from a SuSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security(a)suse.de) the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless. 2) rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, where <file.rpm> is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an uninstalled rpm package file. Prerequisites: a) gpg is installed b) The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SuSE in rpm packages for SuSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SuSE Linux distributions version 7.1 and thereafter install the key "build(a)suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the toplevel directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de . - SuSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SuSE's announce-only mailing list. Only SuSE's security annoucements are sent to this list. To subscribe, send an email to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (faq) send mail to: <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com> respectively. ===================================================================== SuSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the cleartext signature shows proof of the authenticity of the text. SuSE GmbH makes no warranties of any kind whatsoever with respect to the information contained in this security advisory. - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQEVAwUBPINe7Hey5gA9JdPZAQGDuQf+PIbXwU/pUs88pt5DjLvZHeG9Tna1so2r STXBudCW+B/RvBHyFq5kjvaAYwMlBcXl/9V88rEbMF3DhFiYnxndDFb0Z6A0ItCZ w0+cS0lOC1okXi2NFCma+YiIBV1zwlUF6cj/zehG/D0oOM8rydhq4gYO2SX1cLFV KCbCB035zeYQN9uL18E4SHsNT6RIyN94k9zDs6JmSBxpCFVBUPQslx86MwI2ccOM rD3yXlXNT7Iw5kPe5G3DZA6NuGvkfVbFhXzAfyu/xRqcLdTdaf962M5dqz7f+U1g C4G606sqHg/AS9nf2MhLgHoCfUi3vO+ag62Xvrjo3nZ9sBdtuGjqgw== =AlQv -----END PGP SIGNATURE----- -- ~ ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer(a)suse.de - SuSE Security Team ~

1 0