openSUSE Security Announce
Threads by month
- ----- 2024 -----
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2004 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2003 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2002 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2001 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2000 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1999 -----
- December
- November
- October
- September
- August
March 2002
- 2 participants
- 4 discussions
SuSE Security Announcement: packages containing libz/zlib (SuSE-SA:2002:011) (tandem-announcement, second part)
by Roman Drahtmueller 11 Mar '02
by Roman Drahtmueller 11 Mar '02
11 Mar '02
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SuSE Security Announcement
Package: packages containing libz/zlib
Announcement-ID: SuSE-SA:2002:011
Date: Monday, Mar 11th 2002 20:50 MET
Affected SuSE versions: 6.4, 7.0, 7.1, 7.2, 7.3
SuSE Linux Database Server
SuSE eMail Server III
SuSE Firewall
SuSE Linux Connectivity Server
SuSE Linux Enterprise Server 7
Vulnerability Type: possible remote command execution
Severity (1-10): 8
SuSE default package: yes
Other affected systems: systems with these packages compiled with
default compile time options
Content of this advisory:
1) security vulnerability resolved: packages containing libz/zlib
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
This is the second announcement in the tandem-announcement about
libz/zlib.
SuSE Security Announcement SuSE-SA:2002:010 (libz/zlib) has been released
prior to this announcement (SuSE-SA:2002:011). Please see SuSE-SA:2002:010
for details on the libz weakness. The two announcements SuSE-SA:2002:010
and SuSE-SA:2002:011 are being published in quick succession.
The packages affected by the double-free() libz bug can be devided into
two categories:
1) packages that link dynamically against the system-provided
compression library. These packages get fixed automatically with
the update of the libz package as described in SuSE-SA:2002:010.
Please note that the processes will continue to use the old
version of the libz.so shared library if the have not been
restarted after the libz package upgrade.
2) packages that contain the compression library in their own
source distribution. These packages need an individual bugfix.
We have prepared update packages for this software that can be
downloaded from the locations as shown below.
The following is a list of the packages in category 2):
gpg
rsync
cvs
rrdtool
freeamp
netscape
vnc
kernel
In detail:
gpg:
gpg brings its own libz/zlib source. The fixed update packages
are available on the ftp server. The packages for SuSE Linux
6.4 and 7.0 are located on ftp.suse.de, all other packages can
be found on ftp.suse.com.
The package for SuSE Linux 7.3, Intel i386 platform, is
currently building and will be available shortly.
rsync:
The rsync package brings its own libz/zlib source. In addition
to the libz/zlib fixes, the rsync package has a number of other
security related problems fixed: The rsync daemon now properly
initializes group memberships when it changes to another userID.
The last security fix in the rsync packages has been corrected
to improve the reliability of the program.
The fixed update packages are available on the ftp server.
cvs:
The cvs package brings its own libz/zlib source. In addition
to the libz/zlib fixes, the cvs packages in SuSE Linux 6.4 and
7.0 contain a fix for a buffer overflow that may be remotely
exploitable. Versions of the cvs packages later than 7.0 do not
contain this flaw.
rrdtool:
SuSE Linux 7.2 and newer contain the package rrdtool. It brings
its own source of the libz/zlib compression library. Fixed
packages are available for download on the ftp server.
freeamp:
The freeamp package brings its own libz/zlib source. Fixed
packages for SuSE Linux 7.1 and 7.0 are available for download.
The update packages for the newer distributions will follow
soon without any further announcement.
netscape:
New netscape binary packages are expected from netscape.com soon.
Due to the closed source nature of the software, we depend on
netscape to fix the package.
vnc:
The vnc package brings its own libz/zlib source. We will provide
fixed packages for our supported products shortly. The
availiability of these packages will be announced in section 2)
of the next SuSE Security Announcement.
kernel:
The kernel of Linux systems is affected by the libz/zlib double-
free() problem as well. The routines from the compression library
are being used by functions that uncompress filesystems loaded
into ramdisks and other non-security-critical occasions. However,
the kernel uses the compression library in the ppp layer as well
as in the freeswan IPSec kernel module.
We are currently in the process of preparing update packages that
fix numerous other problems (some of them security related) in
both the 2.2 and the 2.4 series kernel. The availiability of these
kernel RPM packages will be announced in a seperate SuSE Security
Announcement soon.
Note:
The openssh package contains binaries that are linked dynamically against
libz.so. The ssh package, however, links statically against its own
version of the compression library. This version of libz/zlib is not
vulnerable to the double-free() problem.
Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.
i386 Intel Platform:
SuSE-7.3
The gpg packages are currently building and will be available on the ftp
server shortly.
ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/rsync-2.4.6-361.i386.rpm
d93679eb6200bc549966b03e3ef5b713
ftp://ftp.suse.com/pub/suse/i386/update/7.3/d2/cvs-1.11-216.i386.rpm
dfc4ef94db20ade5dec95d7ffeeea5c3
ftp://ftp.suse.com/pub/suse/i386/update/7.3/ap3/rrdtool-1.0.33-186.i386.rpm
3f74c8ad1a12a20b1500ba2b316a6096
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/rsync-2.4.6-361.src.rpm
a3159d325cd2e61ffabbb7bc29d6612d
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/cvs-1.11-216.src.rpm
890df2775fa65847f294048bf002ab86
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/rrdtool-1.0.33-186.src.rpm
7079579c4d60e5d9cf324f544475d6e2
SuSE-7.2
ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec1/gpg-1.0.6-193.i386.rpm
18aaed31374c7d25950f9c329db2b3da
ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/rsync-2.4.6-362.i386.rpm
16b2209c444bfe197b90b53913bea10f
ftp://ftp.suse.com/pub/suse/i386/update/7.2/d2/cvs-1.11-216.i386.rpm
82b197d54348aaa266a30870fa9c7333
ftp://ftp.suse.com/pub/suse/i386/update/7.2/ap3/rrdtool-1.0.33-186.i386.rpm
85c086395eb5092468b9c368214d0f55
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/gpg-1.0.6-193.src.rpm
69313e9586549babb354348aeca613e4
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/rsync-2.4.6-362.src.rpm
4289b7727bd48da50948d228699f27bc
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/cvs-1.11-216.src.rpm
a4ddfb02d6c1ef9340ad05019eebb725
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/rrdtool-1.0.33-186.src.rpm
ca694bf598759e07d58d15750f436827
SuSE-7.1
ftp://ftp.suse.com/pub/suse/i386/update/7.1/sec1/gpg-1.0.6-192.i386.rpm
b4d7d22864a78d36b61bf6151861acc7
ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/rsync-2.4.6-361.i386.rpm
f9bb2a436ab97972d32fd998909ed289
ftp://ftp.suse.com/pub/suse/i386/update/7.1/d2/cvs-1.11-216.i386.rpm
2b4c10d95d29e02c2ffc1ed89872d5d3
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/gpg-1.0.6-192.src.rpm
3648286b5847f2203a6debca039bfe09
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/rsync-2.4.6-361.src.rpm
56fc72c1c1e2780ab50944ac65148af3
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/cvs-1.11-216.src.rpm
c2fe82d14f8d98e33da59440872e1abf
SuSE-7.0
ftp://ftp.suse.de/pub/suse/i386/update/7.0/sec1/gpg-1.0.6-192.i386.rpm
1030cfbfaa661692f40c8779bcfe7ebe
ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/rsync-2.3.2-130.i386.rpm
889cbb6f76b3eb0777894c25558a5ccf
ftp://ftp.suse.com/pub/suse/i386/update/7.0/d1/cvs-1.10.7-160.i386.rpm
6376028606f9e9fd5093fd3557ebceb1
source rpm:
ftp://ftp.suse.de/pub/suse/i386/update/7.0/zq1/gpg-1.0.6-192.src.rpm
c685b31952d90d701a96feaad51b50a6
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/rsync-2.3.2-130.src.rpm
6689e22925836a854b955f68306c57ae
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/cvs-1.10.7-160.src.rpm
b5864834aa05ba53873b5810af8c11fe
SuSE-6.4
ftp://ftp.suse.de/pub/suse/i386/update/6.4/sec1/gpg-1.0.6-191.i386.rpm
73e1bd61d721a40dc72845bcd540572a
ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/rsync-2.3.2-130.i386.rpm
16746c5c506f743120f947d422432376
ftp://ftp.suse.com/pub/suse/i386/update/6.4/d1/cvs-1.10.7-159.i386.rpm
d31b782a1d85795862acae8f0c89baf0
source rpm:
ftp://ftp.suse.de/pub/suse/i386/update/6.4/zq1/gpg-1.0.6-191.src.rpm
6b39ca4bb7297ad71d10fd79558480b7
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/rsync-2.3.2-130.src.rpm
5c23fc8d7c51ba8b2f9e255f65f8e612
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/cvs-1.10.7-159.src.rpm
554ca35e9f536d82e042aebe847df28e
Sparc Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/sec1/gpg-1.0.6-67.sparc.rpm
7bc6e19142f339667b40d4c6bbcda871
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/rsync-2.4.6-149.sparc.rpm
f0f4339f9bb20fa27be5710c1491dbf8
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/d2/cvs-1.11-98.sparc.rpm
79ffbab2594865c3ce52de7227e3e501
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/ap3/rrdtool-1.0.33-49.sparc.rpm
2fae8f0fa23735fbe99c1d4d48d278c3
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/gpg-1.0.6-67.src.rpm
f78fa7647eed1fddfb3131254cbec4a9
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/rsync-2.4.6-149.src.rpm
3eb6724d9327254325870e23d5ee76c5
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/cvs-1.11-98.src.rpm
6ee4505a182e7684c60607451ef019fb
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/rrdtool-1.0.33-49.src.rpm
c4a683e01dfe459f5342ddc4fc6865bd
SuSE-7.1
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/sec1/gpg-1.0.6-67.sparc.rpm
b42f276176ed6a3d42e6471168e5dc15
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/n2/rsync-2.4.6-149.sparc.rpm
d3d47231dffdbf303031c0395b7cf6e3
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/d2/cvs-1.11-98.sparc.rpm
8a305786bbfee100b6c261e8b3a0be8f
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/gpg-1.0.6-67.src.rpm
59b434ba4d31264a55f602d3b66fa0f0
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/rsync-2.4.6-149.src.rpm
49f929cbe50425512d29948e26220089
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/cvs-1.11-98.src.rpm
c4eaa2c573904ffd6ffaf3db2efebcfe
SuSE-7.0
ftp://ftp.suse.de/pub/suse/sparc/update/7.0/sec1/gpg-1.0.6-67.sparc.rpm
286642b0d5c7491c47c5570bad05a391
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/rsync-2.3.2-8.sparc.rpm
030c775ec89eb227b2d34a80c993f2dc
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/d1/cvs-1.10.7-4.sparc.rpm
f0a734e3996bbb7a740c4bbb8d620218
source rpm:
ftp://ftp.suse.de/pub/suse/sparc/update/7.0/zq1/gpg-1.0.6-67.src.rpm
14d52437ea98dfc47b7e5266aa7c675d
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/rsync-2.3.2-8.src.rpm
a42e3a8ad3852b58c80f3f25bd4a7873
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/cvs-1.10.7-4.src.rpm
c200f16ee87e6a559297795877260990
AXP Alpha Platform:
SuSE-7.1
ftp://ftp.suse.com/pub/suse/axp/update/7.1/sec1/gpg-1.0.6-91.alpha.rpm
d2b3f32faad4930aebd83448f8cfe52e
ftp://ftp.suse.com/pub/suse/axp/update/7.1/n2/rsync-2.4.6-160.alpha.rpm
75a09942d7abbb5faee6c57d25075ec2
ftp://ftp.suse.com/pub/suse/axp/update/7.1/d2/cvs-1.11-101.alpha.rpm
90ebabcec70121d6b4e578ed47e10475
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/gpg-1.0.6-91.src.rpm
d37f206d6627367af4173f16601f5f19
ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/rsync-2.4.6-160.src.rpm
df8ab3b91f26d67484f773dec6227e80
ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/cvs-1.11-101.src.rpm
348ec5ea873749a7de17efae7d32c6af
SuSE-7.0
ftp://ftp.suse.de/pub/suse/axp/update/7.0/sec1/gpg-1.0.6-91.alpha.rpm
385bbe68eab422ba8c06d6182acf3df0
ftp://ftp.suse.com/pub/suse/axp/update/7.0/n1/rsync-2.3.2-35.alpha.rpm
b0fd243d894fcdc354f092d7c171f776
ftp://ftp.suse.com/pub/suse/axp/update/7.0/d1/cvs-1.10.7-69.alpha.rpm
d5471a53f6f2b93cceb8e7ad8a2bde39
source rpm:
ftp://ftp.suse.de/pub/suse/axp/update/7.0/zq1/gpg-1.0.6-91.src.rpm
d2db252aeb9a231fe2ea9d42a1b40472
ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/rsync-2.3.2-35.src.rpm
634bc1087e905ed1889400a82306957c
ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/cvs-1.10.7-69.src.rpm
f5eda7e32648f0631772da3247f70245
SuSE-6.4
ftp://ftp.suse.de/pub/suse/axp/update/6.4/sec1/gpg-1.0.6-91.alpha.rpm
c1b82fda096a50de75f5d5b4851dd2b9
ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/rsync-2.3.2-36.alpha.rpm
567602c9a262398599d401db44469660
ftp://ftp.suse.com/pub/suse/axp/update/6.4/d1/cvs-1.10.7-69.alpha.rpm
56a7b8a0c5a122ddc5796a4445b4db71
source rpm:
ftp://ftp.suse.de/pub/suse/axp/update/6.4/zq1/gpg-1.0.6-91.src.rpm
28f3d6398d8cc232bf96247ca0cb895d
ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/rsync-2.3.2-36.src.rpm
681e675e376481201e6d2be524eafbd7
ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/cvs-1.10.7-69.src.rpm
65aca598906f07fe8ac6633c80ec0804
PPC Power PC Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec1/gpg-1.0.6-139.ppc.rpm
06986ca3c85c9211dd16bb7eb2142867
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/rsync-2.4.6-212.ppc.rpm
b40a7114913eaffe54674a102ca92237
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/d2/cvs-1.11-104.ppc.rpm
ff7d174babb5d1213e8f90930243ce9c
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/ap3/rrdtool-1.0.33-124.ppc.rpm
1edd2d5d460a897d5ce563b8739a3deb
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/gpg-1.0.6-139.src.rpm
449dc67ed777e1587bf112f3a38459dc
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/rsync-2.4.6-212.src.rpm
586e78e122109e482d58dcdd87e13dee
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/cvs-1.11-104.src.rpm
a67270b4c932b5f83e593549c22b06a7
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/rrdtool-1.0.33-124.src.rpm
aa1dbd6e3ca7464508dce8cbe8c3904f
SuSE-7.1
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/sec1/gpg-1.0.6-139.ppc.rpm
2cd31ab33813c5747eb23a9f8c157d17
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n2/rsync-2.4.6-212.ppc.rpm
a198784c826e61e1ad94c669a17ac9fa
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/d2/cvs-1.11-104.ppc.rpm
4d45a8606df41ba3d16f5543e6b89865
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/gpg-1.0.6-139.src.rpm
56ee6bc10a0a33bf6dad112c6462517a
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/rsync-2.4.6-212.src.rpm
e0952c2fade289e49e20b7d3d7063631
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/cvs-1.11-104.src.rpm
96a0520c693523de8eafb8c37abf16ba
SuSE-7.0
ftp://ftp.suse.de/pub/suse/ppc/update/7.0/sec1/gpg-1.0.6-139.ppc.rpm
cee90f407dbabf66c9b9da119ad0e308
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n1/rsync-2.3.2-137.ppc.rpm
edbbab80c23963791d5385155ce2511f
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/d1/cvs-1.10.7-170.ppc.rpm
bd4195c9a078bfa0225719586140ea09
source rpm:
ftp://ftp.suse.de/pub/suse/ppc/update/7.0/zq1/gpg-1.0.6-139.src.rpm
81f4af6730c4ad92b31de1df69f0e535
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/rsync-2.3.2-137.src.rpm
2d28b8a51463ff19f9c4b83aa4df4f51
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/cvs-1.10.7-170.src.rpm
d944cd23c532c18191d90bd752de5a1f
SuSE-6.4
ftp://ftp.suse.de/pub/suse/ppc/update/6.4/sec1/gpg-1.0.6-138.ppc.rpm
27e1aaa319bf35722a63fa73c2c4a543
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/rsync-2.3.2-137.ppc.rpm
94d0512db52f89f79171c7648255e32d
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/d1/cvs-1.10.7-169.ppc.rpm
f5f9a3a3c2ed93776bbdb747217d3f65
source rpm:
ftp://ftp.suse.de/pub/suse/ppc/update/6.4/zq1/gpg-1.0.6-138.src.rpm
45dd7ac7bba9e3bf0cc41a4f20d11ed8
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/rsync-2.3.2-137.src.rpm
993c4e7eb632a43be85a9e17369792cf
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/cvs-1.10.7-169.src.rpm
867ed44e362dd6fdfb2d0eec249190d6
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
- The freeamp packages for the newer products will be available
shortly.
The gpg package for the Intel i386 platform, distribution SuSE Linux 7.3,
will be available shortly.
Update packages for the packages vnc, netscape and the kernel will follow
later this week. Please carefully read the section 2) in the upcoming
SuSE Security Announcements.
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SuSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum <name-of-the-file.rpm>
after you downloaded the file from a SuSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security(a)suse.de)
the checksums show proof of the authenticity of the package.
We disrecommend to subscribe to security lists which cause the
email message containing the announcement to be modified so that
the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.
2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an uninstalled rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SuSE in rpm packages for SuSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SuSE Linux distributions version 7.1 and thereafter install the
key "build(a)suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the toplevel directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
- SuSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SuSE's announce-only mailing list.
Only SuSE's security annoucements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com> respectively.
=====================================================================
SuSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the cleartext signature shows proof of the
authenticity of the text.
SuSE GmbH makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff
4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d
M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO
QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK
XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE
D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd
G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM
CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE
myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr
YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD
wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d
NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe
QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe
LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t
XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU
D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3
0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot
1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW
cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E
ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f
AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E
Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/
HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h
t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT
tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM
523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q
2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8
QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw
JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ
1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH
ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1
wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY
EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol
0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK
CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co
SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo
omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt
A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J
/LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE
GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf
ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT
ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8
RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ
8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb
B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X
11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA
8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj
qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p
WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL
hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG
BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+
AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi
RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0
zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM
/3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7
whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl
D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz
dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI
RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI
DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE=
=LRKC
- -----END PGP PUBLIC KEY BLOCK-----
Roman Drahtmüller,
SuSE Security.
- --
- -
| Roman Drahtmüller <draht(a)suse.de> // "You don't need eyes to see, |
SuSE GmbH - Security Phone: // you need vision!"
| Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless |
- -
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
iQEVAwUBPI0MMney5gA9JdPZAQGjegf/fIMK92cjp0gx/6OTXOn2L2c2Z3vTY9BC
iZ8ykqSy+j4Q81CKJqykUoLA2CTziPWWuuCHJ2DV4lGKJlnik0db4X2MYTMIHJZw
0ljQb0LcAU0eUzCOkgKZFeztFyNwOnmdVMi8/jHX2H5tLAK+xQPujPw2DwAVSGqt
S2IfAAe3t5Fxrlb7nWS+SJ8iyWCLgStJFdDTOgFVQi061m1sU2nIQKzb1cvLh9Js
MQbecr6n0smWE4OF+0tpen/8vh8tVDIhAZ7fs3HgI/1CTyxD9wujTSyLkYO+OVzu
6KvRhwsDwDt6CtO73KnbsfCjoaa4kbOT50OPEcCVEABflk/DXv3eWg==
=1I9v
-----END PGP SIGNATURE-----
1
0
SuSE Security Announcement: libz/zlib (SuSE-SA:2002:010) (tandem-announcement, first part)
by Roman Drahtmueller 11 Mar '02
by Roman Drahtmueller 11 Mar '02
11 Mar '02
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SuSE Security Announcement
Package: libz/zlib
Announcement-ID: SuSE-SA:2002:010
Date: Monday, Mar 11th 2002 20:45 MET
Affected products: 6.4, 7.0, 7.1, 7.2, 7.3
SuSE Linux Database Server
SuSE eMail Server III
SuSE Firewall
SuSE Linux Connectivity Server
SuSE Linux Enterprise Server 7
Vulnerability Type: remote command execution
Severity (1-10): 8
SuSE default package: yes
Other affected systems: systems with recent versions of the
compression library
Content of this advisory:
1) security vulnerability resolved: libz/zlib
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
The zlib compression library is being used by many applications to
provide data compression/decompression routines. An error in a
decompression routine can corrupt the internal data structures of
malloc by a double call to the free() function. If the data processed
by the compression library is provided from an untrusted source, it
may be possible for an attacker to interfere with the process using the
zlib routines. The attack scenario includes a denial of service attack
and memory/data disclosure, but it may also be possible to insert
arbitrary code into the running program and to execute this code.
This update fixes the known problems in the libz/zlib as a permanent
fix. There exists no temporary workaround that can efficiently remedy
the problem.
It is expected that a large range of software is affected. The systems
affected are by no means limited to Linux systems or other open-source
based operating systems.
Note:
The libz compression library is being used by several hundred packages
in all SuSE products. While the update of the libz package as itself is
not problematic, it must be noted that many packages bring their own
compression library in their source code. If these packages link against
their own version of the libz compression library, their source needs
to be fixed as well. Considering the length of a combined Security
Announcement, SuSE Security publish a tandem-announcement, consisting
of two seperate Security Announcements released in quick succession:
SuSE-SA:2002:010 libz/zlib
SuSE-SA:2002:011 packages containing libz/zlib
Acknowledgements:
We thank Owen Taylor who tracked down the bug in the compression
library, and to Matthias Clasen for reporting the problem that seemed
to be located in the libpng at first.
We also thank Mark Adler and Jean-loup Gailly, the authors of the zlib
package, for their quick response in the double-free() matter.
SPECIAL INSTALL INSTRUCTIONS:
===============================
* Installation of the update package:
The installation of shared libraries on an actively running system
should be done with special care. During the update of the libz package,
runtime-linking the shared libraries is likely to fail for processes
that execute a new binary with the execve(2) system call. If at all
applicable, a system receiving the update should be kept as quiet as
possible during the time that the RPM command runs. In doubt, please
perform the update in Single User Mode ("init S"). The RPM command must
not be interrupted during its operation.
After performing the update, the processes that still use the old
version of the package must be restarted for the libz upgrade to
become effective. If you have performed the update in Single User Mode,
this has been done already, and you can safely return to your default
runlevel. If in doubt, reboot your system to make sure that the changes
are becoming effective.
Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.
i386 Intel Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/i386/update/7.3/a1/libz-1.1.3-597.i386.rpm
799491ca29f9bf95e3e38a73f25abea8
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/libz-1.1.3-597.src.rpm
a4071506da6ab39dca5495530028d291
SuSE-7.2
ftp://ftp.suse.com/pub/suse/i386/update/7.2/a1/libz-1.1.3-573.i386.rpm
2197aff65b09fb05b8969ace64d7a4a6
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/libz-1.1.3-573.src.rpm
1694ed149ca946e7ea1cc2da3f14c181
SuSE-7.1
ftp://ftp.suse.com/pub/suse/i386/update/7.1/a1/libz-1.1.3-570.i386.rpm
c309b104231c596bb81008c38a4e473c
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/libz-1.1.3-570.src.rpm
950c86970cd7c3fc0a30cfab176769ac
SuSE-7.0
ftp://ftp.suse.com/pub/suse/i386/update/7.0/a1/libz-1.1.3-571.i386.rpm
8bde6b53a78e5f920080bfa3b6a236a6
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/libz-1.1.3-571.src.rpm
718c36c91cd0f97466cbb2303967d51c
SuSE-6.4
ftp://ftp.suse.com/pub/suse/i386/update/6.4/a1/libz-1.1.3-575.i386.rpm
270fc89c1be6854288925a9326f9ca6e
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/libz-1.1.3-575.src.rpm
625ed87653f820f7f65a4a8e045f6cc2
Sparc Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/a1/libz-1.1.3-419.sparc.rpm
f890b6d04e9164fc2afa05241c0e94c9
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/libz-1.1.3-419.src.rpm
818d39946dc6c73f425620fba546935c
SuSE-7.1
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/a1/libz-1.1.3-406.sparc.rpm
ff4ea0da2c5126311f654b2896a70dd9
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/libz-1.1.3-406.src.rpm
c3a49ea61f2642d53e29c8a81e07bfd9
SuSE-7.0
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/a1/libz-1.1.3-406.sparc.rpm
b9e22f0ff9785ca1d226bd2c5e135909
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/libz-1.1.3-406.src.rpm
25c2b7cd4e20da69b7d806551966bae8
AXP Alpha Platform:
SuSE-7.1
ftp://ftp.suse.com/pub/suse/axp/update/7.1/a1/libz-1.1.3-434.alpha.rpm
e8cd8561a1434c36afcccd856d79a483
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/libz-1.1.3-434.src.rpm
f7c21774f76fb240205291c4e91ad83c
SuSE-7.0
ftp://ftp.suse.com/pub/suse/axp/update/7.0/a1/libz-1.1.3-434.alpha.rpm
15510fc7563e669145d28a69e0e77d8e
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/libz-1.1.3-434.src.rpm
008bc8f743e64e26dccd89baf882b214
SuSE-6.4
ftp://ftp.suse.com/pub/suse/axp/update/6.4/a1/libz-1.1.3-435.alpha.rpm
7d29b7d929e4b36dd6268058bf3c7538
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/libz-1.1.3-435.src.rpm
67a4bd496c7625aaa3049417930e97f8
PPC Power PC Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/a1/libz-1.1.3-432.ppc.rpm
b06097a1496ca5fd7b3492c2ab4f7337
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/libz-1.1.3-432.src.rpm
45127ca06e4b019b2e700a0c87c2edb6
SuSE-7.1
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/a1/libz-1.1.3-417.ppc.rpm
783a39b17295e169d344a5f7f1ad7e86
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/libz-1.1.3-417.src.rpm
2ac1e404e8a6723b1eb101b7c7d118e8
SuSE-7.0
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/a1/libz-1.1.3-417.ppc.rpm
24901e0c7ccb6bf5bf17b2af60596d96
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/libz-1.1.3-417.src.rpm
f9e6cda577a5007baa84fb9940ec718d
SuSE-6.4
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/a1/libz-1.1.3-416.ppc.rpm
b3580d5e1b3702c330957bde4422486c
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/libz-1.1.3-416.src.rpm
32cbca2dbc911da128b5bd1d19789792
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
- Please see the following SuSE Security Announcement SuSE-SA:2002:011
(packages containing libz) for upgrade information regarding packages
that bring their own compression library in their source.
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SuSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum <name-of-the-file.rpm>
after you downloaded the file from a SuSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security(a)suse.de)
the checksums show proof of the authenticity of the package.
We disrecommend to subscribe to security lists which cause the
email message containing the announcement to be modified so that
the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.
2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an uninstalled rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SuSE in rpm packages for SuSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SuSE Linux distributions version 7.1 and thereafter install the
key "build(a)suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the toplevel directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
- SuSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SuSE's announce-only mailing list.
Only SuSE's security annoucements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com> respectively.
=====================================================================
SuSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the cleartext signature shows proof of the
authenticity of the text.
SuSE GmbH makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff
4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d
M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO
QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK
XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE
D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd
G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM
CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE
myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr
YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD
wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d
NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe
QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe
LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t
XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU
D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3
0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot
1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW
cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E
ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f
AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E
Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/
HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h
t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT
tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM
523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q
2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8
QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw
JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ
1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH
ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1
wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY
EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol
0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK
CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co
SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo
omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt
A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J
/LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE
GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf
ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT
ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8
RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ
8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb
B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X
11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA
8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj
qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p
WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL
hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG
BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+
AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi
RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0
zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM
/3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7
whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl
D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz
dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI
RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI
DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE=
=LRKC
- -----END PGP PUBLIC KEY BLOCK-----
Roman Drahtmüller,
SuSE Security.
- --
- -
| Roman Drahtmüller <draht(a)suse.de> // "You don't need eyes to see, |
SuSE GmbH - Security Phone: // you need vision!"
| Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless |
- -
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
iQEVAwUBPI0L+ney5gA9JdPZAQHxZgf/bORLAqA2QUZ9udAPixhnIhfhMCRTHnvF
GXHbJ5kKFthOat011HFUIYAjzx501919EFdAY7Bs3RJfLicXtIB9LNpYKsVw4OU9
xfngF4jZ4sPYDtf1/5vG/JWlWVeae1hy5/zlfal+9ior3cZtO+z4ClI1eHr/25lU
ehwgDC3nLAd7wL2ZKRHPCTylQR95hrGQFn5rf+A+2/ll8uwPkLRuQSE5FwyaGhis
XsQHBVmJNj/4sw8Fz00ULxQTHPpk44cBYutbn6pJY0NqygJIXzDd/r8pPJ8g3I2o
E5XFPbicGhY+H03gOvZF44yZxcS+N5+u6beXnCSiLRiqqywNQfJFzg==
=rQ8h
-----END PGP SIGNATURE-----
1
0
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SuSE Security Announcement
Package: 009
Announcement-ID: SuSE-SA:2002:009
Date: Thursday, Mar 7th 2002 19:00 MET
Affected products: 6.4, 7.0, 7.1, 7.2, 7.3,
SuSE Linux Firewall
SuSE Linux Database Server
SuSE eMail Server III
SuSE Linux Connectivity Server
SuSE Linux Enterprise Server 7
Vulnerability Type: local and remote command execution
Severity (1-10): 6
SuSE default package: yes
Other affected systems: systems running versions of openssh before
version 3.1
Content of this advisory:
1) security vulnerability resolved: openssh
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
Joost Pol discovered an off-by-one bug in a routine in the openssh code
for checking channel IDs. This bug can be exploited on the remote side
by an already authenticated user, qualifying this bug as a local security
vulnerability, and on the local side if a malicious server attacks the
connected client, qualifying this bug as a remote vulnerability.
If the error is being exploited, it leads to arbitrary code execution
in the process under attack (either a local ssh client, attacking the
userID of the client user, or a remote secure shell daemon that has
an authenticated user session running, attacking the root account of
the remote system).
Please note that the possible attack scenario is different from the usual
attack scheme because "local vulnerability" refers to the remote side and
vice versa.
There is no temporary workaround for this bug. If you comply to the
following two conditions, the impact of the error is considerably small:
1) You only connect to hosts that you consider fully trusted and
not compromised.
2) The users that connect to your servers are fully trusted (the
users have root access, for instance).
As a permanent solution, we recommend to update the openssh package to
the version that is being offered for download on our servers.
Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Please note that the packages for SuSE Linux 6.4 and 7.0 are located
on the German ftp server ftp.suse.de. The SuSE Linux releases 7.1 and
newer have their openssh packages on ftp.suse.com.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.
SPECIAL INSTALL INSTRUCTIONS:
==============================
After applying the update, the secure shell daemon should be restarted
for the update to become effective. To do this, execute the following
command as root:
rcsshd restart
If you do not run a secure shell daemon, the command above is obsolete.
The secure shell daemon (sshd) is activated by default on most SuSE
products.
i386 Intel Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/i386/update/7.3/sec1/openssh-2.9.9p2-98.i386.rpm
21c6183843ab1a6b23bd5f820a32d564
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/openssh-2.9.9p2-98.src.rpm
566cd2c52235b872bf62ffce260c3237
SuSE-7.2
ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec1/openssh-2.9.9p2-96.i386.rpm
a2a21af13f0bac95f87a683cc7199fad
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/openssh-2.9.9p2-96.src.rpm
6e5ff91227e795dc903b545f1691aaba
SuSE-7.1
ftp://ftp.suse.com/pub/suse/i386/update/7.1/sec1/openssh-2.9.9p2-98.i386.rpm
8cc626ac19a0a807d6b35790f0706af1
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/openssh-2.9.9p2-98.src.rpm
60823aaaece46cbddb884856c48214e1
SuSE-7.0
ftp://ftp.suse.de/pub/suse/i386/update/7.0/sec1/openssh-2.9.9p2-97.i386.rpm
d83d4b1f4cd83c0b6d749f2c3375a1b6
source rpm:
ftp://ftp.suse.de/pub/suse/i386/update/7.0/zq1/openssh-2.9.9p2-97.src.rpm
61cebfe1223c564826dcbb04f04090a5
SuSE-6.4
ftp://ftp.suse.de/pub/suse/i386/update/6.4/sec1/openssh-2.9.9p2-94.i386.rpm
9143ebef0b74a55fcb7220570cbbd5fe
source rpm:
ftp://ftp.suse.de/pub/suse/i386/update/6.4/zq1/openssh-2.9.9p2-94.src.rpm
002685e3ed9e3f26aa3410d433a801a0
Sparc Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/sec1/openssh-2.9.9p2-36.sparc.…
d8e2819c511a58e6fe02e4dcfe4aa73a
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/openssh-2.9.9p2-36.src.rpm
ffb28fc074984c25aab75a227b9cf813
SuSE-7.1
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/sec1/openssh-2.9.9p2-36.sparc.…
c50b9c170b6b734e15285af8fc718fd7
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/openssh-2.9.9p2-36.src.rpm
5cf9ca6a8817399168a730bedca30667
SuSE-7.0
ftp://ftp.suse.de/pub/suse/sparc/update/7.0/sec1/openssh-2.9.9p2-36.sparc.rpm
d066f6898ed32dee71056a6d1a8be232
source rpm:
ftp://ftp.suse.de/pub/suse/sparc/update/7.0/zq1/openssh-2.9.9p2-36.src.rpm
bbacf2fbe5a776fe0324137a727e50ac
AXP Alpha Platform:
SuSE-7.1
ftp://ftp.suse.com/pub/suse/axp/update/7.1/sec1/openssh-2.9.9p2-39.alpha.rpm
b452ee9f9895fa3e6cf4faaa90ae95b4
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/openssh-2.9.9p2-39.src.rpm
7206777180ee646ecb80d788bf2162b4
SuSE-7.0
ftp://ftp.suse.de/pub/suse/axp/update/7.0/sec1/openssh-2.9.9p2-38.alpha.rpm
4c9c6648961be0143f1e916d1d341a22
source rpm:
ftp://ftp.suse.de/pub/suse/axp/update/7.0/zq1/openssh-2.9.9p2-38.src.rpm
b91b0ccd84e3d687e443157fe965a692
SuSE-6.4
ftp://ftp.suse.de/pub/suse/axp/update/6.4/sec1/openssh-2.9.9p2-37.alpha.rpm
c611ef5467d99739346a4c3952bc4f5f
source rpm:
ftp://ftp.suse.de/pub/suse/axp/update/6.4/zq1/openssh-2.9.9p2-37.src.rpm
10ca72afe81285d7ae2b70789091e024
PPC Power PC Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec1/openssh-2.9.9p2-69.ppc.rpm
5eb3b1cf92f25d85389d40878777a3ea
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/openssh-2.9.9p2-69.src.rpm
172e3720f9a4146513c59b57a0232048
SuSE-7.1
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/sec1/openssh-2.9.9p2-69.ppc.rpm
b1a2fa0bbecc721ec847ed81a0dc99c4
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/openssh-2.9.9p2-69.src.rpm
748ff97c3c08d6a912b89df84da79b42
SuSE-7.0
ftp://ftp.suse.de/pub/suse/ppc/update/7.0/sec1/openssh-2.9.9p2-68.ppc.rpm
6c36b2ab8e38befc5ee9ff44ac1a666b
source rpm:
ftp://ftp.suse.de/pub/suse/ppc/update/7.0/zq1/openssh-2.9.9p2-68.src.rpm
7e50623f5832d23e4d54b9409acdfdfc
SuSE-6.4
ftp://ftp.suse.de/pub/suse/ppc/update/6.4/sec1/openssh-2.9.9p2-67.ppc.rpm
4ee55305ea565867f7da0485a737ae6c
source rpm:
ftp://ftp.suse.de/pub/suse/ppc/update/6.4/zq1/openssh-2.9.9p2-67.src.rpm
27d2d33466da141dceb42a0a13c57f0c
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
- All kernel versions from 2.4.14 to 2.4.18-pre8 are known to have a bug
in the connection tracking module for the IRC-DCC (Internet Relay Chat
Direct Client-to-Client) protocol that would make it possible to open
arbitrary unwanted ports for expected inbound dcc connections.
SuSE are in the process of preparing update packages for this
vulnerability for administrators who have installed a kernel from
one of the update directories on ftp.suse.com. The respective update will
also cover the DoS problem in the kernel modules for the cipe tunnel
software that we reported about earlier. We will release these new kernel
packages as soon as we can assure the quality and stability that is
expected from SuSE kernel packages. As a temporary workaround, we
recommend to remove the kernel module in question with the following
command: "rm /lib/modules/*/kernel/net/ipv4/netfilter/*irc*"
In addition to removing the kernel module on your file system, you should
make sure that the kernel module is not loaded into your running kernel.
Use the command "lsmod" to view the loaded modules, and "rmmod" to remove
a loaded kernel module. In doubt, reboot your server.
The module (and the netfilter engine as a whole) are not used by default
on SuSE Linux installations. Please note that the SuSE Linux Firewall on
CD product uses a 2.2-series kernel which is not affected by this problem.
- ucd-snmpd
The UCD snmpd contains various security releated bugs.
We are currently reviewing the code and available fixes to ensure
they all get fixed. Patches will be available as soon as possible.
It is strongly recommended to filter SNMP (TCP and UDP packets
with destination of port 161) traffic.
- mod_ssl
We are currently testing update packages for the apache web server. These
packages contain the mod_ssl Secure Socket Layer apache module, which is
subject to a weakness (buffer overflow).
The availability of the update packages is a matter of hours. The
SuSE Security announcement for the apache webserver will follow very soon
after the packages have been published on our ftp server.
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SuSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum <name-of-the-file.rpm>
after you downloaded the file from a SuSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security(a)suse.de)
the checksums show proof of the authenticity of the package.
We disrecommend to subscribe to security lists which cause the
email message containing the announcement to be modified so that
the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.
2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an uninstalled rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SuSE in rpm packages for SuSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SuSE Linux distributions version 7.1 and thereafter install the
key "build(a)suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the toplevel directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
- SuSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SuSE's announce-only mailing list.
Only SuSE's security annoucements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com> respectively.
=====================================================================
SuSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the cleartext signature shows proof of the
authenticity of the text.
SuSE GmbH makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff
4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d
M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO
QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK
XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE
D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd
G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM
CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE
myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr
YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD
wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d
NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe
QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe
LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t
XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU
D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3
0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot
1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW
cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E
ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f
AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E
Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/
HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h
t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT
tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM
523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q
2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8
QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw
JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ
1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH
ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1
wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY
EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol
0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK
CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co
SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo
omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt
A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J
/LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE
GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf
ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT
ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8
RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ
8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb
B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X
11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA
8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj
qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p
WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL
hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG
BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+
AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi
RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0
zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM
/3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7
whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl
D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz
dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI
RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI
DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE=
=LRKC
- -----END PGP PUBLIC KEY BLOCK-----
Roman Drahtmüller,
SuSE Security.
- --
- -
| Roman Drahtmüller <draht(a)suse.de> // "You don't need eyes to see, |
SuSE GmbH - Security Phone: // you need vision!"
| Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless |
- -
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
iQEVAwUBPIewqHey5gA9JdPZAQHgqwf/YeCAMDHRvjnM8NMvT0dQKz5tc/8sVHZ9
pTld1eDrxydyV4/6g6qb1ieuAItlCLcc/SZn5tIp8w4FJazvx87zR2NaGcu7Wyeh
Z6HUuhaP5CbJqli0IpVgyd2OR7T1aBvBR2n/LBmBz4N51ZFtZxg6a84K00QBKuDz
BEvoJeZmXZLBXTe3+/V1hojGrRlvQmoR9zH513HvD7rP1xG2ao2x5k6yz5spJKfC
7jeZu5HLGlLSYEAwlyt9eXzDwpQUdIFhPFcH9OSM72wk6vMYvSOgmHfPU5IsbrsQ
S9GM3TmVDB9YzYoQY6LwrB+IdtjrVAF92nzkGXbhtlzlL/HUgboGvw==
=KlGf
-----END PGP SIGNATURE-----
1
0
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SuSE Security Announcement
Package: squid
Announcement-ID: SuSE-SA:2002:008
Date: Mon Mar 5 13:00:00 CET 2002
Affected SuSE products: 6.4, 7.0, 7.1, 7.2, 7.3,
Enterprise Server 7
Vulnerability Type: remote command execution
Severity (1-10): 6
SuSE default package: no
Other affected systems: all systems running vulnerable squid
Content of this advisory:
1) security vulnerability resolved: Heap overflow in squid.
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
The widely used proxy-server squid contains a heap overflow in one of its
URL constructing functions. Incorrect length-calculations for the user and
passwd fields in ftp-URLs turned out to be the origin of the problem. Only
users from hosts listed in squids ACL-files could trigger the overflow.
The ftp-URL problem is not present in the 6.4, 7.0 and 7.1 distributions,
but other security releated bugs have been fixed there.
A complete history can be found at
http://www.squid-cache.org/Versions/v2/2.4/bugs/
Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update. For users of our SLES-based products, please use the yast
online update.
For the updates to take effect, invoke the following command as root:
/etc/rc.d/squid restart
If you added the htcp_port directive to your squid configuration file
you might now see a warning in the logs about that directive being
unrecognized. While this does not prevent squid from starting, you can
safely remove the directive from squid.conf since HTCP support is
disabled now.
Please note that there are two binary and two source packages for almost
every distribution available.
i386 Intel Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/squid-2.3.STABLE4-155.i386.r…
4b1cff53fddcaf8930ec6738c6763a94
ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/squid-beta-2.4.STABLE2-94.i3…
4ca7f3594ec82b703c6c36c08fb46ecb
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/squid-2.3.STABLE4-155.src.r…
3751569a6c0ea21057d37cb7d3ca9076
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/squid-beta-2.4.STABLE2-94.s…
99f33e8d1e5b8a3e8d7f6501d26c6e67
SuSE-7.2
ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/squid-2.3.STABLE4-155.i386.r…
1f098dcb1020df788cc912d88f14bb96
ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/squid-beta-2.4.STABLE1-100.i…
cc136eeaf6ed4ac305e93d306e6f7461
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/squid-2.3.STABLE4-155.src.r…
d3fae41b9128f73a0e457376bfb7a5c1
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/squid-beta-2.4.STABLE1-100.…
c24bf7c45b227b06ae1013dd6fcb9d92
SuSE-7.1
ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/squid2-2.2.STABLE5-218.i386.…
5a7b26c99855837331e2d375901a5fce
ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/squid23-2.3.STABLE4-75.i386.…
f3a4a2e8d9fa4b56948e8a8d2bc6e2a0
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/squid2-2.2.STABLE5-218.src.…
6c208e3f13da8d93fecfdca62c98f46f
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/squid23-2.3.STABLE4-75.src.…
ad588c92719bffbc02e72fddf6195dd2
SuSE-7.0
ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/squid2-2.2.STABLE5-218.i386.…
f12ae33fd707f4ea86a48a77f48fafc8
ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/squid23-2.3.STABLE4-75.i386.…
069c07843355ee473b8b4e10b6726455
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/squid2-2.2.STABLE5-218.src.…
5a2a5f0511cfd75f736ef485bcf6e5a1
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/squid23-2.3.STABLE4-75.src.…
d4bc56dc9240f5ab9582b746c5c18803
SuSE-6.4
ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/squid2-2.2.STABLE5-219.i386.…
13a3e9a366d3e09ee6dcc91148c86be7
ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/squid23-2.3.STABLE4-76.i386.…
53b7ab8cfad2f14b211e1d505d721558
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/squid2-2.2.STABLE5-219.src.…
a9b0af504703aa7deeb2e0f6b7b0f512
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/squid23-2.3.STABLE4-76.src.…
fbe64c6fbe15e4a9d06847089bb65d13
Sparc Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/squid-2.3.STABLE4-53.sparc.…
99bf4711c8e781622fd3aba55f21ae5a
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/squid-2.3.STABLE4-53.src.r…
d56d66c2fd92efa157b98efb1bf6a0c6
SuSE-7.1
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/n2/squid2-2.2.STABLE5-208.spar…
f6948f9862addc8d6805311b5760c95a
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/n2/squid23-2.3.STABLE4-60.spar…
e6e9bf05539791905710ffb23fbd4801
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/squid2-2.2.STABLE5-208.src…
1ad2798d085326317590e0fb42346fa9
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/squid23-2.3.STABLE4-60.src…
1332572acea60f0c6ca1593fcd245771
SuSE-7.0
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/squid2-2.2.STABLE5-207.spar…
1958de7d7f90d27c87e1dc1b21879736
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/squid23-2.3.STABLE4-60.spar…
a54038090e73a78a6f3cc77e1162e4a2
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/squid2-2.2.STABLE5-207.src…
3a398a096c2657059a093dcf58222e35
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/squid23-2.3.STABLE4-60.src…
7e1483d0b41f48ef3aa00e058b0e761f
AXP Alpha Platform:
SuSE-7.1
ftp://ftp.suse.com/pub/suse/axp/update/7.1/n2/squid2-2.2.STABLE5-225.alpha.…
7f39d3a0ff45f231713c6ba5afbdcc15
ftp://ftp.suse.com/pub/suse/axp/update/7.1/n2/squid23-2.3.STABLE4-74.alpha.…
5fe79d7f9c2da83222978f75e3387e49
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/squid2-2.2.STABLE5-225.src.r…
705a5b370267d8d873f1e3504bcc55ed
ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/squid23-2.3.STABLE4-74.src.r…
e42367f3ad73250ec9feda4687b406d2
SuSE-7.0
ftp://ftp.suse.com/pub/suse/axp/update/7.0/n1/squid2-2.2.STABLE5-226.alpha.…
b0977f9c5ed0750b12308d072da1b285
ftp://ftp.suse.com/pub/suse/axp/update/7.0/n1/squid23-2.3.STABLE4-74.alpha.…
3906c0d918c745582a25fb1c480d3aef
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/squid2-2.2.STABLE5-226.src.r…
2afd7d60f6da4feb346ddfefc8bec34a
ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/squid23-2.3.STABLE4-74.src.r…
cab334bf697df713d847ae8c569b7b30
SuSE-6.4
ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/squid2-2.2.STABLE5-227.alpha.…
1bc4ac5b27e3cfd62766d0258f91090a
ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/squid23-2.3.STABLE4-75.alpha.…
b809b2523881fbea1f77f3f5b96879c5
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/squid2-2.2.STABLE5-227.src.r…
7d6d942bc8b4208fe610f714868009d8
ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/squid23-2.3.STABLE4-75.src.r…
515cb7434886540fae57c5ac56acbb42
PPC Power PC Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/squid-2.3.STABLE4-71.ppc.rpm
2a14453696ced035fb21d272f7619a5c
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/squid-beta-2.4.STABLE2-59.ppc…
ceda7a8a291d8b3d01127b4e0fb1ccb2
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/squid-2.3.STABLE4-71.src.rpm
5427dd36485bdfb0d67060c9bad62127
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/squid-beta-2.4.STABLE2-59.sr…
a572e3f76e68a3577e6a4efe0ec016ae
SuSE-7.1
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n2/squid2-2.2.STABLE5-200.ppc.rpm
a8e274378dc15aab4ca01760c112b770
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n2/squid23-2.3.STABLE4-68.ppc.rpm
133528338cb5253a12132e3e9ec2ee2e
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/squid2-2.2.STABLE5-200.src.r…
515cb7e5f04cd5980463a8b3f248e08e
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/squid23-2.3.STABLE4-68.src.r…
b923a7141e0fb4b1f3b6e6d0185cb4aa
SuSE-7.0
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n1/squid2-2.2.STABLE5-200.ppc.rpm
2b301c87d0d2e1546cb6a63427dc9cea
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n1/squid23-2.3.STABLE4-68.ppc.rpm
20eef813e618d3ac3e8e24abcaca894c
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/squid2-2.2.STABLE5-200.src.r…
7d41eaa9985c49cec7afb76dd29355e7
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/squid23-2.3.STABLE4-68.src.r…
11bb4cb51a8abf8ebe994dc08f8a7c24
SuSE-6.4
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/squid2-2.2.STABLE5-200.ppc.rpm
e8020a0a7153208e58f202b0655f1ce5
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/squid23-2.3.STABLE4-68.ppc.rpm
efd648b5575b6fce60cd7403fbb15d5a
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/squid2-2.2.STABLE5-200.src.r…
521d058bc1513947642f74a121e4e98b
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/squid23-2.3.STABLE4-68.src.r…
8c9bf3882aa81c7de4b2b920f31e4f69
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
- ucd-snmpd
The UCD snmpd contains various security releated bugs.
We are currently reviewing the code and available fixes to ensure
they all get fixed. Patches will be available as soon as possible.
It is strongly recommended to filter SNMP (TCP and UDP packets
with destination of port 161) traffic.
- hanterm/wmtv
The recently reported vulnerabilities in hanterm and wmtv do not
affect SuSE installations because they are not installed setuid
or setgid.
- cipe
We are about to prepare kernel update packages that fix a DoS
problem in the kernel modules for the cipe encrypted tunneling software.
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SuSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum <name-of-the-file.rpm>
after you downloaded the file from a SuSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security(a)suse.de)
the checksums show proof of the authenticity of the package.
We disrecommend to subscribe to security lists which cause the
email message containing the announcement to be modified so that
the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.
2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an uninstalled rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SuSE in rpm packages for SuSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SuSE Linux distributions version 7.1 and thereafter install the
key "build(a)suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the toplevel directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
- SuSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SuSE's announce-only mailing list.
Only SuSE's security annoucements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com> respectively.
=====================================================================
SuSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the cleartext signature shows proof of the
authenticity of the text.
SuSE GmbH makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff
4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d
M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO
QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK
XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE
D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd
G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM
CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE
myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr
YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD
wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d
NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe
QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe
LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t
XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU
D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3
0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot
1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW
cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E
ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f
AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E
Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/
HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h
t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT
tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM
523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q
2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8
QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw
JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ
1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH
ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1
wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY
EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol
0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK
CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co
SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo
omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt
A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J
/LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE
GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf
ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT
ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8
RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ
8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb
B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X
11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA
8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj
qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p
WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL
hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG
BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+
AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi
RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0
zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM
/3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7
whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl
D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz
dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI
RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI
DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE=
=LRKC
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
iQEVAwUBPINe7Hey5gA9JdPZAQGDuQf+PIbXwU/pUs88pt5DjLvZHeG9Tna1so2r
STXBudCW+B/RvBHyFq5kjvaAYwMlBcXl/9V88rEbMF3DhFiYnxndDFb0Z6A0ItCZ
w0+cS0lOC1okXi2NFCma+YiIBV1zwlUF6cj/zehG/D0oOM8rydhq4gYO2SX1cLFV
KCbCB035zeYQN9uL18E4SHsNT6RIyN94k9zDs6JmSBxpCFVBUPQslx86MwI2ccOM
rD3yXlXNT7Iw5kPe5G3DZA6NuGvkfVbFhXzAfyu/xRqcLdTdaf962M5dqz7f+U1g
C4G606sqHg/AS9nf2MhLgHoCfUi3vO+ag62Xvrjo3nZ9sBdtuGjqgw==
=AlQv
-----END PGP SIGNATURE-----
--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer(a)suse.de - SuSE Security Team
~
1
0