openSUSE Security Announce
Threads by month
- ----- 2024 -----
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2004 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2003 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2002 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2001 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2000 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1999 -----
- December
- November
- October
- September
- August
October 2004
- 3 participants
- 5 discussions
SUSE Security Announcement: xpdf, gpdf, kpdf, pdftohtml, cups (SUSE-SA:2004:039)
by Thomas Biege 26 Oct '04
by Thomas Biege 26 Oct '04
26 Oct '04
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Announcement
Package: xpdf, gpdf, kdegraphics3-pdf, pdftohtml, cups
Announcement-ID: SUSE-SA:2004:039
Date: Tuesday, Oct 26th 2004 10:30 MEST
Affected products: 8.1, 8.2, 9.0, 9.1, 9.2
SUSE Linux Enterprise Server 8, 9
SUSE Linux Desktop 1.0
Vulnerability Type: remote system compromise
Severity (1-10): 5
SUSE default package: yes
Cross References: CAN-2004-0888
CAN-2004-0889
Content of this advisory:
1) security vulnerability resolved:
- integer overflows
- arithmetic errors
problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
- freeradius denial of service problems
- mpg123
- squid
6) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion
Xpdf is a widely used fast PDF file viewer. Various other PDF viewer
and PDF conversion tools use xpdf code to accomplish their tasks.
Chris Evans found several integer overflows and arithmetic errors.
Additionally Sebastian Krahmer from the SuSE Security-Team found similar
bugs in xpdf 3.
These bugs can be exploited by tricking an user to open a malformated PDF
file. As a result the PDF viewer can be crashed or may be even code can be
executed.
2) solution/workaround
Due to the wide usage of xpdf-based code we do not recommend switching to
another PDF viewer as a workaround.
You have to install the updates.
3) special instructions and notes
Please restart all running instances of xpdf, gpdf, kpdf, pdftohtml, cups
after updating successfully.
4) package location and checksums
Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.
Cups packages and all 9.2 packages will be available later.
x86 Platform:
SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/pdftohtml-0.36-112.3.i…
f17866987c9099ed8b0395d184adfffc
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/xpdf-3.00-64.21.i586.r…
d648d6e96013cc339dd424041f8bc973
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/gpdf-0.112.1-26.3.i586…
16864a7b7652a3183f9f8cac034cf70e
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kdegraphics3-pdf-3.2.1…
8f09aa7927d9cdcfc52ab06e520b2441
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/pdftohtml-0.36-112.3.i…
2d3da1271fc9e072186fca6aa1de8c5c
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/xpdf-3.00-64.21.i586.p…
093d0aaa7f4fbe24afc722057cbe334e
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/gpdf-0.112.1-26.3.i586…
3af8141ddfbdf558afdf4f2f8f94a9f8
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kdegraphics3-pdf-3.2.1…
0d765c907e89a91186e03d8c8de87857
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/pdftohtml-0.36-112.3.sr…
d4892578f2d84c1bdbc36b0df9341607
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/xpdf-3.00-64.21.src.rpm
d4c06775143e5e6fec7bc544d248daee
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/gpdf-0.112.1-26.3.src.r…
cfda8ff6f352e1bc4f827a3118521b25
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kdegraphics3-3.2.1-67.6…
bb4d96dd72f0ee94315afd7b4c81e16b
SUSE Linux 9.0:
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/pdftohtml-0.36-118.i58…
dc822cef09e27e169acd94cda1fb622a
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/xpdf-2.02pl1-141.i586.…
c99912bc5656546b028a8c4fe0473a75
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/pdftohtml-0.36-118.i58…
58b8a44ae02482d19c73959bfd85e85e
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/xpdf-2.02pl1-141.i586.…
8055fbed4ac1e664706701e3b7d3e1bc
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/pdftohtml-0.36-118.src.…
35e37ded2db7d772d854748e606f42d0
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/xpdf-2.02pl1-141.src.rpm
d42fe2976009b8ab44d6c166caf0840c
SUSE Linux 8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/xpdf-2.01-137.i586.rpm
e198f2fc43f1f455676a9dc1ee42af5e
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/xpdf-2.01-137.i586.pat…
acb5181c10c7b365cca71ae307b11553
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/xpdf-2.01-137.src.rpm
aada3bee6ac1517f50468777c49d8d91
SUSE Linux 8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/xpdf-1.01-255.i586.rpm
c0d7beba46d02e1090e9b6c7795a10c3
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/xpdf-1.01-255.i586.pat…
ac395b4518a4c83d2af7805f35626a22
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/xpdf-1.01-255.src.rpm
5ec84289ef8ca520e78cc80360d05665
x86-64 Platform:
SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/pdftohtml-0.36-112…
2b0b08249164043db0e3a5b080b03f1d
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/xpdf-3.00-64.21.x8…
c10bbbb43b8af6bc4da4922ce2afaede
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/gpdf-0.112.1-26.3.…
7021ae8a2e9bc809240c8e953ef74fab
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kdegraphics3-pdf-3…
94200c51e06e9f31bc13139ea66c1626
patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/pdftohtml-0.36-112…
e0d057eeb94492d62be6794dfde196c9
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/xpdf-3.00-64.21.x8…
ae9382a68c4d424cdee65324208f9e84
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/gpdf-0.112.1-26.3.…
33a0a7fd7b0758175f465f8f1fa6ce36
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kdegraphics3-pdf-3…
c4629d75d822cf47b243cf34bd8cbacb
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/pdftohtml-0.36-112.3.…
f2acee920bd51b347e072463edc8f6bc
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/xpdf-3.00-64.21.src.r…
5b5c9c5d9aa1ddff06f56f83cf0365d9
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/gpdf-0.112.1-26.3.src…
2e2b8e6903b724462f30c07db1e76755
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kdegraphics3-3.2.1-67…
e6988ea49a337ebd49f42d15afdeb188
SUSE Linux 9.0:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/pdftohtml-0.36-118…
942676168c21ac7253637dd3312e35d1
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/xpdf-2.02pl1-141.x…
7a5076aec7aae7e6e05bf8d0f6b5e523
patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/pdftohtml-0.36-118…
b14da314a640e3afd3e72f417937c461
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/xpdf-2.02pl1-141.x…
fd4047d3c5392d63040e576effb32df5
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/pdftohtml-0.36-118.sr…
5300f04533ee5b490e1f7de0a29fd705
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/xpdf-2.02pl1-141.src.…
dd9b695199beaea8122037705eb1a581
______________________________________________________________________________
5) pending vulnerabilities in SUSE Distributions and Workarounds:
- freeradius
Several bugs that can be abused to remotely crash freeradius have
been discovered (CAN-2004-0938, CAN-2004-0960, CAN-2004-0961).
New packages will be available soon.
- mpg123
A buffer overflow in mpg123 has been discovered. New packages will
be available soon.
- squid
A bug in the ASN.1 parser of the SNMP module has been fixed which
would have allowed an attacker to crash squid (CAN-2004-0918).
Updates will be available soon.
______________________________________________________________________________
6) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SUSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum <name-of-the-file.rpm>
after you downloaded the file from a SUSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security(a)suse.de)
the checksums show proof of the authenticity of the package.
We disrecommend to subscribe to security lists which cause the
email message containing the announcement to be modified so that
the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.
2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an un-installed rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SUSE in rpm packages for SUSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SUSE Linux distributions version 7.1 and thereafter install the
key "build(a)suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the top-level directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- general/linux/SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com> respectively.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the clear-text signature shows proof of the
authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff
4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d
M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO
QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK
XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE
D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd
G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM
CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE
myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr
YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD
wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d
NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe
QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe
LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t
XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU
D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3
0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot
1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW
cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E
ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f
AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E
Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/
HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h
t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT
tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM
523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q
2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8
QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw
JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ
1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH
ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1
wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY
EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol
0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK
CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co
SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo
omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt
A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J
/LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE
GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf
ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT
ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8
RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ
8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb
B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X
11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA
8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj
qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p
WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL
hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG
BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+
AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi
RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0
zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM
/3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7
whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl
D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz
dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI
RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI
DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE=
=LRKC
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iQEVAwUBQX4pgXey5gA9JdPZAQHb0wf+P6dH8VFUyh7nVV8xd6tb/ccBFtpMOaCa
Wq1i0754TcOpk6RKpVpzNEjB2bSh51aWvRykVEguQdo1MlpNZdlE5Zc/T38S+B3U
H2hzK9o2d9FAUxHFEpjSRRQxFdDEP7Hx3JV/OnVIqZfycVij0MaTSN6j9c7GSUZP
SQ97CdbMTgRe25lL2k1FofNaYpDKyng/yF78pxD8dI79abbupcJo7BokPtZ6yEGZ
AL2PT3OhyYX3HJphNJ+4wcRIS71IWhB54kA0igB1Qp83ltROgbz1rr9OgUwf3fDi
zvYGxNX4Eu0rxiaU6U81z+m5dScUoNMSM8CK+uZK/dn3iSHHNzjaLA==
=j7Hh
-----END PGP SIGNATURE-----
1
0
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Announcement
Package: libtiff
Announcement-ID: SUSE-SA:2004:038
Date: Friday, Oct 22nd 2004 18:00 MEST
Affected products: 8.1, 8.2, 9.0, 9.1
SUSE Linux Enterprise Server 8, 9
SUSE Linux Desktop 1.0
Vulnerability Type: local privilege escalation
Severity (1-10): 9
SUSE default package: yes
Cross References: CAN-2004-0803
CAN-2004-0804
CAN-2004-0886
CAN-2004-0929
Content of this advisory:
1) security vulnerability resolved:
- several buffer overflows and related problems in
libtiff were fixed.
problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
- security problems in PDF viewers
- freeradius denial of service problems
- mpg123 buffer overflow
6) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion
libtiff is used by image viewers and web browser to view "TIFF" images.
These usually open and display those images without querying the user,
making a normal system by default vulnerable to exploits of image
library bugs.
Chris Evans found several security related problems during an audit of
the image handling library libtiff, some related to buffer overflows,
some related to integer overflows and similar. This issue is being
tracked by the CVE ID CAN-2004-0803.
Matthias Claasen found a division by zero in libtiff. This is tracked
by the CVE ID CAN-2004-0804.
Further auditing by Dmitry Levin exposed several additional integer
overflows. These are tracked by the CVE ID CAN-2004-0886.
Additionally, iDEFENSE Security located a buffer overflow in the OJPEG
(old JPEG) handling in the SUSE libtiff package. This was fixed by
disabling the old JPEG support and is tracked by the CVE ID CAN-2004-0929.
SUSE wishes to thank all the reporters, auditors, and programmers
for helping to fix these problems.
2) solution/workaround
There is no workaround. Update the libtiff packages.
3) special instructions and notes
Make sure that you restart your web browser after updating.
4) package location and checksums
Download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
You can also use the YaST Online Update tool to install the security
updates.
Our maintenance customers are being notified individually. The packages
are being offered for installation from the maintenance web.
x86 Platform:
SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/libtiff-3.6.1-38.12.i5…
cd373c181599ebbf3be0f021b811c7da
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/libtiff-3.6.1-38.12.i5…
a45416ea1ac9628b9e4e7e6f09653cb5
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/tiff-3.6.1-38.12.src.rpm
2387abe21eebb97f319b6ddf1a982314
SUSE Linux 9.0:
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/libtiff-3.5.7-376.i586…
db8b4d23eb887b3c391f5262f766ff86
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/libtiff-3.5.7-376.i586…
58112fc9e5c6395bc316f3b46ffeb0ca
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/tiff-3.5.7-376.src.rpm
0810ea6ffe77b7a450698386a6238e61
SUSE Linux 8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/libtiff-3.5.7-376.i586…
339e0ce21cceadb883d2022ec01c1219
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/libtiff-3.5.7-376.i586…
608c1b39e6d67c9da02e02d2176b7a97
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/tiff-3.5.7-376.src.rpm
8891d3c8ff0dd0f283f63d4b3021b894
SUSE Linux 8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/libtiff-3.5.7-376.i586…
______________________________________________________________________________
5) Pending vulnerabilities in SUSE Distributions and Workarounds:
- security problems in pdf viewers
Chris Evans, Dmitry Levin and others found several buffer and
integer overflow problems in xpdf and xpdf clones.
These are being tracked under the CVE Ids CAN-2004-0888 and
CAN-2004-0889.
New packages will be available soon.
- freeradius
Several bugs that can be abused to remotely crash freeradius have
been discovered (CAN-2004-0938, CAN-2004-0960, CAN-2004-0961).
New packages will be available soon.
- mpg123
A buffer overflow in mpg123 has been discovered. New packages will
be available soon.
______________________________________________________________________________
6) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SUSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum <name-of-the-file.rpm>
after you downloaded the file from a SUSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security(a)suse.de)
the checksums show proof of the authenticity of the package.
We recommend against subscribing to security lists that cause the
e-mail message containing the announcement to be modified so that
the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.
2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
file name of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an uninstalled rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SUSE in rpm packages for SUSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SUSE Linux distributions version 7.1 and thereafter install the
key "build(a)suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the top-level directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- general/linux/SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com> respectively.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the clear-text signature shows proof of the
authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff
4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d
M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO
QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK
XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE
D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd
G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM
CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE
myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr
YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD
wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d
NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe
QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe
LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t
XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU
D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3
0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot
1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW
cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E
ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f
AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E
Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/
HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h
t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT
tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM
523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q
2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8
QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw
JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ
1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH
ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1
wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY
EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol
0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK
CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co
SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo
omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt
A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J
/LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE
GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf
ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT
ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8
RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ
8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb
B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X
11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA
8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj
qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p
WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL
hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG
BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+
AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi
RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0
zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM
/3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7
whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl
D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz
dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI
RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI
DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE=
=LRKC
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iQEVAwUBQXkecney5gA9JdPZAQF/GwgAntBKf1MLJmRS+UHtYZsUqLr+7AJDKG2/
4P8pVw/YlCJxUtboIIy5Mc1FVDsz5oq94YvqKssUkQFEiD8IpkeWQIckmClKiw5f
CL46LQqDFocJrhU10+aTgh69eULZ3GL0XWi/7QXHZ/8Dq+Yttrwy6dSu5UiBC4Fu
kRGLzNge09hraai4wY0OH/28Dp6NeziXpGx7RYf2heNfewo6gD/rDlAI1mQMAXYI
lhbDBfYTMipRmx4Lk4y+ZJJ9HuU6w1ACFNQ0GtiaBoNl1+EoZJqht6WpyN350Rul
Mf97jAjfGjbe0h31JgD7dAybY1nsl1o8bYOmnIZTZs3Nf5YEm9+wUA==
=c8DY
-----END PGP SIGNATURE-----
1
0
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Announcement
Package: kernel
Announcement-ID: SUSE-SA:2004:037
Date: Wednesday, Oct 20th 2004 18:00 MEST
Affected products: 9.1
SUSE Linux Enterprise Server 9
Vulnerability Type: remote denial of service
Severity (1-10): 9
SUSE default package: yes
Cross References: CAN-2004-0816
CAN-2004-0887
Content of this advisory:
1) security vulnerability resolved:
- remote system crash with enabled firewall
- local root exploit on the S/390 platform
- minor /proc information leaks
problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
- libtiff
- cyrus-sasl
- php4
- zinf
______________________________________________________________________________
1) problem description, brief discussion
An integer underflow problem in the iptables firewall logging rules
can allow a remote attacker to crash the machine by using a handcrafted
IP packet. This attack is only possible with firewalling enabled.
We would like to thank Richard Hart for reporting the problem.
This problem has already been fixed in the 2.6.8 upstream Linux kernel,
this update contains a backport of the fix.
Products running a 2.4 kernel are not affected.
Mitre has assigned the CVE ID CAN-2004-0816 for this problem.
Additionaly Martin Schwidefsky of IBM found an incorrectly handled
privileged instruction which can lead to a local user gaining
root user privileges.
This only affects the SUSE Linux Enterprise Server 9 on the S/390
platform and has been assigned CVE ID CAN-2004-0887.
Additionaly the following non-security bugs were fixed:
- Two CD burning problems.
- USB 2.0 stability problems under high load on SMP systems.
- Several SUSE Linux Enterprise Server issues.
(see the Maintenance Information Mail for more informations).
2) solution/workaround
If you are not using an iptables based firewall (like SUSEfirewall2)
on your system, you are not affected.
If you are using a firewall, a workaround is to disable firewall
logging of IP and TCP options.
We recommend to update the kernel.
3) special instructions and notes
SPECIAL INSTALL INSTRUCTIONS:
==============================
The following paragraphs will guide you through the installation
process in a step-by-step fashion. The character sequence "****"
marks the beginning of a new paragraph. In some cases, the steps
outlined in a particular paragraph may or may not be applicable
to your situation.
Therefore, please make sure to read through all of the steps below
before attempting any of these procedures.
All of the commands that need to be executed are required to be
run as the superuser (root). Each step relies on the steps before
it to complete successfully.
**** Step 1: Determine the needed kernel type
Please use the following command to find the kernel type that is
installed on your system:
rpm -qf /boot/vmlinuz
Following are the possible kernel types (disregard the version and
build number following the name separated by the "-" character)
kernel-64k-pagesize
kernel-bigsmp
kernel-default
kernel-smp
**** Step 2: Download the package for your system
Please download the kernel RPM package for your distribution with the
name as indicated by Step 1. The list of all kernel rpm packages is
appended below. Note: The kernel-source package does not
contain a binary kernel in bootable form. Instead, it contains the
sources that the binary kernel rpm packages are created from. It can be
used by administrators who have decided to build their own kernel.
Since the kernel-source.rpm is an installable (compiled) package that
contains sources for the linux kernel, it is not the source RPM for
the kernel RPM binary packages.
The kernel RPM binary packages for the distributions can be found at the
locations below ftp://ftp.suse.com/pub/suse/i386/update/.
9.1/rpm/i586
After downloading the kernel RPM package for your system, you should
verify the authenticity of the kernel rpm package using the methods as
listed in section 3) of each SUSE Security Announcement.
**** Step 3: Installing your kernel rpm package
Install the rpm package that you have downloaded in Steps 3 or 4 with
the command
rpm -Uhv --nodeps --force <K_FILE.RPM>
where <K_FILE.RPM> is the name of the rpm package that you downloaded.
Warning: After performing this step, your system will likely not be
able to boot if the following steps have not been fully
followed.
**** Step 4: configuring and creating the initrd
The initrd is a ramdisk that is loaded into the memory of your
system together with the kernel boot image by the bootloader. The
kernel uses the content of this ramdisk to execute commands that must
be run before the kernel can mount its actual root filesystem. It is
usually used to initialize SCSI drivers or NIC drivers for diskless
operation.
The variable INITRD_MODULES in /etc/sysconfig/kernel determines
which kernel modules will be loaded in the initrd before the kernel
has mounted its actual root filesystem. The variable should contain
your SCSI adapter (if any) or filesystem driver modules.
With the installation of the new kernel, the initrd has to be
re-packed with the update kernel modules. Please run the command
mk_initrd
as root to create a new init ramdisk (initrd) for your system.
On SuSE Linux 8.1 and later, this is done automatically when the
RPM is installed.
**** Step 5: bootloader
If you run a SUSE LINUX 8.x, SLES8, or SUSE LINUX 9.x system, there
are two options:
Depending on your software configuration, you have either the lilo
bootloader or the grub bootloader installed and initialized on your
system.
The grub bootloader does not require any further actions to be
performed after the new kernel images have been moved in place by the
rpm Update command.
If you have a lilo bootloader installed and initialized, then the lilo
program must be run as root. Use the command
grep LOADER_TYPE /etc/sysconfig/bootloader
to find out which boot loader is configured. If it is lilo, then you
must run the lilo command as root. If grub is listed, then your system
does not require any bootloader initialization.
Warning: An improperly installed bootloader may render your system
unbootable.
**** Step 6: reboot
If all of the steps above have been successfully completed on your
system, then the new kernel including the kernel modules and the
initrd should be ready to boot. The system needs to be rebooted for
the changes to become active. Please make sure that all steps have
completed, then reboot using the command
shutdown -r now
or
init 6
Your system should now shut down and reboot with the new kernel.
4) package location and checksums
Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.
x86 Platform:
SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-default-2.6.5-7…
735f99730442772d0caeb1043576da0e
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-smp-2.6.5-7.111…
8e38495a90203fdeef0167126e9699fd
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-bigsmp-2.6.5-7.…
54474a313ff90c5a5ded8cd3590016ee
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-default-2.6.5-7.…
60a46f48bbae6989a50d2b3c735cd176
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-smp-2.6.5-7.111.…
5bc77692dc82521b83378c97d39acd72
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-bigsmp-2.6.5-7.1…
348c5d63b8c26c548d8b5bfcc894b805
x86-64 Platform:
SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-default-2.6…
53ec1285f8933f79b6e53f2cb4d2094a
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-smp-2.6.5-7…
de3bf18c94d26a2b3477cf11cf723380
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-default-2.6.5-…
3e6123bd50f2802cf6a96ccfa2af674f
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-smp-2.6.5-7.11…
365354d9e91032e53436f949da6ae8f6
______________________________________________________________________________
5) Pending vulnerabilities in SUSE Distributions and Workarounds:
libtiff
- Several buffer and integer overflows have been found in the
image handling library libtiff by Chris Evans and Dmitry Levin,
recorded under CVE Ids: CAN-2004-0803,CAN-2004-0804,CAN-2004-0886.
We are working on updates and will release them within the
next days.
cyrus-sasl
- The SASL_PATH environment variable was also used to load
plugins even with setuid privileges set, which can lead to a
local root privilege escalation.
The default SUSE installation was not found to be affected
by this problem, neithertheless we are in the process of
releasing updates. The CVE ID for this issue is: CAN-2004-0884
php4
- File overwrite problems were identified in php4. We have
released updates for this issue.
However, due to problems with php4-recode in combination with
php4-mysql we had to withdraw the update from YaST2
Online Update for some SUSE Linux versions.
New packages will be available soon.
zinf
- A tempfile race condition in zinf / freeamp was fixed, packages
are available.
phpMyAdmin
- A bug in phpMyAdmin that would allow users to execute
arbitrary commands has been discovered. New packages will be
available soon.
mysql
- Several bugs in mysql have been discovered. New packages
will be available soon.
libpng
- The issues with libpng described in CAN-2004-0954 and
CAN-2004-0955 where already fixed in the last libpng update.
Fixed packages are therefore already available on our ftp
server.
______________________________________________________________________________
6) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SUSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum <name-of-the-file.rpm>
after you downloaded the file from a SUSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security(a)suse.de)
the checksums show proof of the authenticity of the package.
We disrecommend to subscribe to security lists which cause the
email message containing the announcement to be modified so that
the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.
2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an un-installed rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SUSE in rpm packages for SUSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SUSE Linux distributions version 7.1 and thereafter install the
key "build(a)suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the top-level directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- general/linux/SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com> respectively.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the clear-text signature shows proof of the
authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff
4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d
M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO
QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK
XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE
D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd
G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM
CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE
myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr
YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD
wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d
NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe
QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe
LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t
XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU
D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3
0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot
1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW
cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E
ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f
AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E
Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/
HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h
t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT
tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM
523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q
2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8
QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw
JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ
1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH
ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1
wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY
EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol
0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK
CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co
SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo
omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt
A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J
/LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE
GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf
ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT
ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8
RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ
8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb
B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X
11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA
8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj
qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p
WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL
hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG
BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+
AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi
RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0
zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM
/3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7
whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl
D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz
dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI
RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI
DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE=
=LRKC
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iQEVAwUBQXdo13ey5gA9JdPZAQE6Hwf7Bw82jWwK890uLPv8ByWeb3V8+M4kHiUc
1b33YLWPv/Q9OL1/Shyu6axownxUtSP/xgypv81Z5qKG4ETwV1EqB/v8eAQGQjCO
ptkA5rID9EhZYxXxPb4v4jFiqBMxRM3Sp8n0q0eRMNnOgHY5edS6tfkbwR2SsWEc
i8uGPVYaXOOnkLEB83Ra9o7UsMpXXy1W711EN7G20Tu6XT8HhNwOZZu69/KzKbso
/OVY48usd6EkExrFxLSJBtWI4OU2Qn/zerd2bRmmEN+gMH+/c7pceGC+SEDGn+Bq
p/mnwsDz3e4Z3LfkMgNY3qGXc7h6fOYF4GJtLB9tkH8/gIXwSqiDuQ==
=SsBR
-----END PGP SIGNATURE-----
1
0
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Announcement
Package: mozilla
Announcement-ID: SUSE-SA:2004:036
Date: Wednesday, Oct 6th 14:36:39 MEST 2004
Affected products: 8.1, 8.2, 9.0, 9.1
SUSE Linux Enterprise Server 8, 9
SUSE Linux Desktop 1.0
Vulnerability Type: various vulnerabilities
Severity (1-10): 5
SUSE default package: yes
Cross References: http://www.mozilla.org/security/
Content of this advisory:
1) security vulnerability resolved:
- various vulnerabilities
problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
- openmotif
6) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion
During the last months a number of security problems have been fixed
in Mozilla and Mozilla based brwosers. These include:
- CAN-2004-0718: content in unrelated windows could be modified
- CAN-2004-0722: integer overflow in the SOAPParameter object constructor
- CAN-2004-0757: heap-based buffer overflow in the SendUidl of POP3 code
- CAN-2004-0758: denial-of-service with malicious SSL certificates
- CAN-2004-0759: read files via JavaScript
- CAN-2004-0760: MIME code handles %00 incorrectly
- CAN-2004-0761: spoofing of security lock icon
- CAN-2004-0762: manipulation of XPInstall Security dialog box
- CAN-2004-0763: spoofing of SSL certificates by using redirects and
JavaScript
- CAN-2004-0764: hijacking the user interface via the "chrome" flag and
XML User Interface Language (XUL) files
- CAN-2004-0765: spoofing SSL certificates due to incorrecting comparsion
of hostnames
- CAN-2004-0902: Several heap based buffer overflows in Mozilla Browsers.
- CAN-2004-0903: Stack-based buffer overflow in the writeGroup function
in vcard handling.
- CAN-2004-0904: Overflow in BMP bitmap decoding.
- CAN-2004-0905: Crossdomain scripting and possible code execution by
javascript drag and drop.
- CAN-2004-0906: XPI Installer sets insecure permissions, allowing local
users to overwrite files of the user.
- CAN-2004-0908: Allow untrusted javascript code to read and write to the
clipboard.
- CAN-2004-0909: Allow remote attackers to trick the user into performing
dangerous operations by modifying security relevant dialog boxes.
2) solution/workaround
Since there is no workaround, we recommend an update in any case
if you use the mozilla browser.
3) special instructions and notes
After successfully updating the package(s) you need to close
all instances of the web browser and restart it again.
4) package location and checksums
Due to the large amount of updated packages and dependencies we do
not provide MD5-sums this time. The updates are cryptographically
signed and are available for download via the Yast Online Update.
______________________________________________________________________________
5) Pending vulnerabilities in SUSE Distributions and Workarounds:
- openmotif
The XPM security problems within openmotif have been fixed. New packages
are available on our ftp servers.
______________________________________________________________________________
6) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SUSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum <name-of-the-file.rpm>
after you downloaded the file from a SUSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security(a)suse.de)
the checksums show proof of the authenticity of the package.
We disrecommend to subscribe to security lists which cause the
email message containing the announcement to be modified so that
the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.
2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an un-installed rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SUSE in rpm packages for SUSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SUSE Linux distributions version 7.1 and thereafter install the
key "build(a)suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the top-level directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- general/linux/SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com> respectively.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the clear-text signature shows proof of the
authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff
4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d
M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO
QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK
XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE
D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd
G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM
CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE
myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr
YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD
wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d
NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe
QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe
LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t
XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU
D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3
0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot
1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW
cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E
ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f
AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E
Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/
HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h
t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT
tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM
523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q
2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8
QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw
JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ
1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH
ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1
wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY
EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol
0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK
CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co
SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo
omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt
A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J
/LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE
GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf
ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT
ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8
RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ
8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb
B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X
11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA
8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj
qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p
WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL
hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG
BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+
AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi
RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0
zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM
/3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7
whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl
D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz
dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI
RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI
DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE=
=LRKC
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iQEVAwUBQWPsxHey5gA9JdPZAQGMcwf/TCYBxw1SszOxykVCoBjSOP9/afp2f8S/
Zkf7rh+dti+C/JcqVpzNhu8C9TRsECoTWCqsV6m7+VIak1REUW0Tc6EwR43yDqUc
1G9VPbYX7+T5Wv6mE2zU7VGKqBXSYQPHqFCX5/Q+gR099QNxpWT/1QxmTefPuy/p
wKwqIaBz0OISxFs20bR3ZS9Lwr0Uu5V9SFwn9I0qiDb0fwzRxmGTzVFura8k87oH
l5ww/EKb2bgFqsu5aHanAQWsWg6S9K8l+Y6Jah72EXzPcy1QT6UBkHdj9zk2f8+f
6ENyU1qpTG2A4ZKWOWCUWl2uQ4kYZtdBX+4EP3ryM5V5xszxACQdpQ==
=S9Fr
-----END PGP SIGNATURE-----
--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer(a)suse.de - SuSE Security Team
~
1
0
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Announcement
Package: samba
Announcement-ID: SUSE-SA:2004:035
Date: Tuesday, Oct 5th 2004 16:53:01 MEST
Affected products: 8.1, 8.2, 9.0
SUSE Linux Enterprise Server 8
SUSE Linux Desktop 1.0
Vulnerability Type: remote file disclosure
Severity (1-10): 6
SUSE default package: Yes
Cross References: CAN-2004-0815
Content of this advisory:
1) security vulnerability resolved:
- Samba file access problem
problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
- opera
- kernel
- mozilla
6) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion
The Samba server, which allows to share files and resources via
the SMB/CIFS protocol, contains a bug in the sanitation code of path
names which allows remote attackers to access files outside of the
defined share. In order to access these files, they must be readable
by the account used for the SMB session.
CAN-2004-0815 has been assigned to this issue.
2) solution/workaround
As a temporary workaround you can set the
wide links = no
option in smb.conf and restart the samba server. However an update
is recommended nevertheless.
3) special instructions and notes
After successfully updating the samba package, you need to issue the
following command as root:
rcsmb restart
4) package location and checksums
Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.
SUSE Linux 9.0:
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/samba-2.2.8a-226.i586.…
eb71869029b35d2a97d55e26514524db
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/samba-2.2.8a-226.i586.…
48bb3e455079fcfdf4ad2baa28f28557
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/samba-2.2.8a-226.src.rpm
d162ea5a39b14ee16ae1c6d5df9211bb
SUSE Linux 8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/samba-2.2.8a-225.i586.…
79b0514a827bdd782e6d3f62bb92fb85
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/samba-2.2.8a-225.i586.…
a50dd448212245d51e9ac59ae50514e8
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/samba-2.2.8a-225.src.rpm
25d488678b607b3c67612ee065abd77a
SUSE Linux 8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/samba-2.2.8a-224.i586.…
93d0fb2502f30593548dbe2f41ec8948
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/samba-2.2.8a-224.i586.…
da5b107fb71c5daf5972b6e0aaca4f5c
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/samba-2.2.8a-224.src.rpm
e0b9f9af6c5348cb9840b5d98a1c59dc
x86-64 Platform:
SUSE Linux 9.0:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/samba-2.2.8a-226.x…
0f1c94aa23653b0cf9b318646d9153af
patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/samba-2.2.8a-226.x…
569974c359702c263b0968ce8fb9810f
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/samba-2.2.8a-226.src.…
75c1a01d03af42835809691840eaa331
______________________________________________________________________________
5) Pending vulnerabilities in SUSE Distributions and Workarounds:
- opera
New opera packages are available on our ftp servers, fixing
CAN-2004-0691, CAN-2004-0597, CAN-2004-0598, CAN-2004-0599 and
CAN-2004-0746.
- kernel
Update kernels for the kNFSd problem for SLES 8 and SL 8.1 have been
released.
- mozilla
We are in the process of releasing updates for mozilla (and related
browsers), fixing various issues: CAN-2004-0597, CAN-2004-0718,
CAN-2004-0722, CAN-2004-0757, CAN-2004-0758, CAN-2004-0759,
CAN-2004-0760, CAN-2004-0761, CAN-2004-0762, CAN-2004-0763,
CAN-2004-0764 and CAN-2004-0765.
We will give you concrete details in a separate mozilla advisory when
the updates are available.
______________________________________________________________________________
6) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SUSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum <name-of-the-file.rpm>
after you downloaded the file from a SUSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security(a)suse.de)
the checksums show proof of the authenticity of the package.
We disrecommend to subscribe to security lists which cause the
email message containing the announcement to be modified so that
the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.
2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an un-installed rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SUSE in rpm packages for SUSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SUSE Linux distributions version 7.1 and thereafter install the
key "build(a)suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the top-level directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- general/linux/SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com> respectively.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the clear-text signature shows proof of the
authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff
4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d
M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO
QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK
XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE
D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd
G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM
CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE
myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr
YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD
wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d
NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe
QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe
LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t
XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU
D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3
0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot
1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW
cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E
ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f
AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E
Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/
HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h
t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT
tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM
523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q
2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8
QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw
JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ
1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH
ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1
wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY
EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol
0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK
CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co
SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo
omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt
A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J
/LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE
GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf
ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT
ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8
RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ
8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb
B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X
11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA
8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj
qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p
WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL
hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG
BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+
AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi
RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0
zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM
/3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7
whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl
D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz
dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI
RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI
DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE=
=LRKC
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)
iQEVAwUBQWK1Q3ey5gA9JdPZAQG2XAf/brEQk2j1Eh3S7Q3r9jnNHM/0oJ6rfish
wS/GcWazRcIV7I8JnUqspDU9zYamS2oB8Vu977yTFc+nhTryvpWsbJDnQIjtYE52
bEMMFW6gYTzUqG2U31mWKaqtpuFJJNuA3Lu0HgsxaQJ5F7qjVcsBOwX5PqCARMFp
KIcGJi8BtLsQ36x2ZWOXKG6p8jXxx8kSVln7T6e1T0v4tVURA6BaEkE4Dh0ZoKh1
V+lYw0QipbBIByWnY/rT4T1tvZE9NUG3JSHe0olyvDekmm/WzoHLIqOe2cKfR77a
nNb+cA81JW7JJk10NWKY4hzUX9oLCN8/mAvl40nvCHX+9YHldeM3Ag==
=LbT6
-----END PGP SIGNATURE-----
1
0