October 2004 - openSUSE Security Announce

SUSE Security Announcement: xpdf, gpdf, kpdf, pdftohtml, cups (SUSE-SA:2004:039)
by Thomas Biege 26 Oct '04

26 Oct '04

-----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SUSE Security Announcement Package: xpdf, gpdf, kdegraphics3-pdf, pdftohtml, cups Announcement-ID: SUSE-SA:2004:039 Date: Tuesday, Oct 26th 2004 10:30 MEST Affected products: 8.1, 8.2, 9.0, 9.1, 9.2 SUSE Linux Enterprise Server 8, 9 SUSE Linux Desktop 1.0 Vulnerability Type: remote system compromise Severity (1-10): 5 SUSE default package: yes Cross References: CAN-2004-0888 CAN-2004-0889 Content of this advisory: 1) security vulnerability resolved: - integer overflows - arithmetic errors problem description 2) solution/workaround 3) special instructions and notes 4) package location and checksums 5) pending vulnerabilities, solutions, workarounds: - freeradius denial of service problems - mpg123 - squid 6) standard appendix (further information) ______________________________________________________________________________ 1) problem description, brief discussion Xpdf is a widely used fast PDF file viewer. Various other PDF viewer and PDF conversion tools use xpdf code to accomplish their tasks. Chris Evans found several integer overflows and arithmetic errors. Additionally Sebastian Krahmer from the SuSE Security-Team found similar bugs in xpdf 3. These bugs can be exploited by tricking an user to open a malformated PDF file. As a result the PDF viewer can be crashed or may be even code can be executed. 2) solution/workaround Due to the wide usage of xpdf-based code we do not recommend switching to another PDF viewer as a workaround. You have to install the updates. 3) special instructions and notes Please restart all running instances of xpdf, gpdf, kpdf, pdftohtml, cups after updating successfully. 4) package location and checksums Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web. Cups packages and all 9.2 packages will be available later. x86 Platform: SUSE Linux 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/pdftohtml-0.36-112.3.i… f17866987c9099ed8b0395d184adfffc ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/xpdf-3.00-64.21.i586.r… d648d6e96013cc339dd424041f8bc973 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/gpdf-0.112.1-26.3.i586… 16864a7b7652a3183f9f8cac034cf70e ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kdegraphics3-pdf-3.2.1… 8f09aa7927d9cdcfc52ab06e520b2441 patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/pdftohtml-0.36-112.3.i… 2d3da1271fc9e072186fca6aa1de8c5c ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/xpdf-3.00-64.21.i586.p… 093d0aaa7f4fbe24afc722057cbe334e ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/gpdf-0.112.1-26.3.i586… 3af8141ddfbdf558afdf4f2f8f94a9f8 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kdegraphics3-pdf-3.2.1… 0d765c907e89a91186e03d8c8de87857 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/pdftohtml-0.36-112.3.sr… d4892578f2d84c1bdbc36b0df9341607 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/xpdf-3.00-64.21.src.rpm d4c06775143e5e6fec7bc544d248daee ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/gpdf-0.112.1-26.3.src.r… cfda8ff6f352e1bc4f827a3118521b25 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kdegraphics3-3.2.1-67.6… bb4d96dd72f0ee94315afd7b4c81e16b SUSE Linux 9.0: ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/pdftohtml-0.36-118.i58… dc822cef09e27e169acd94cda1fb622a ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/xpdf-2.02pl1-141.i586.… c99912bc5656546b028a8c4fe0473a75 patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/pdftohtml-0.36-118.i58… 58b8a44ae02482d19c73959bfd85e85e ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/xpdf-2.02pl1-141.i586.… 8055fbed4ac1e664706701e3b7d3e1bc source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/pdftohtml-0.36-118.src.… 35e37ded2db7d772d854748e606f42d0 ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/xpdf-2.02pl1-141.src.rpm d42fe2976009b8ab44d6c166caf0840c SUSE Linux 8.2: ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/xpdf-2.01-137.i586.rpm e198f2fc43f1f455676a9dc1ee42af5e patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/xpdf-2.01-137.i586.pat… acb5181c10c7b365cca71ae307b11553 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/xpdf-2.01-137.src.rpm aada3bee6ac1517f50468777c49d8d91 SUSE Linux 8.1: ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/xpdf-1.01-255.i586.rpm c0d7beba46d02e1090e9b6c7795a10c3 patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/xpdf-1.01-255.i586.pat… ac395b4518a4c83d2af7805f35626a22 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/xpdf-1.01-255.src.rpm 5ec84289ef8ca520e78cc80360d05665 x86-64 Platform: SUSE Linux 9.1: ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/pdftohtml-0.36-112… 2b0b08249164043db0e3a5b080b03f1d ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/xpdf-3.00-64.21.x8… c10bbbb43b8af6bc4da4922ce2afaede ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/gpdf-0.112.1-26.3.… 7021ae8a2e9bc809240c8e953ef74fab ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kdegraphics3-pdf-3… 94200c51e06e9f31bc13139ea66c1626 patch rpm(s): ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/pdftohtml-0.36-112… e0d057eeb94492d62be6794dfde196c9 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/xpdf-3.00-64.21.x8… ae9382a68c4d424cdee65324208f9e84 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/gpdf-0.112.1-26.3.… 33a0a7fd7b0758175f465f8f1fa6ce36 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kdegraphics3-pdf-3… c4629d75d822cf47b243cf34bd8cbacb source rpm(s): ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/pdftohtml-0.36-112.3.… f2acee920bd51b347e072463edc8f6bc ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/xpdf-3.00-64.21.src.r… 5b5c9c5d9aa1ddff06f56f83cf0365d9 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/gpdf-0.112.1-26.3.src… 2e2b8e6903b724462f30c07db1e76755 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kdegraphics3-3.2.1-67… e6988ea49a337ebd49f42d15afdeb188 SUSE Linux 9.0: ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/pdftohtml-0.36-118… 942676168c21ac7253637dd3312e35d1 ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/xpdf-2.02pl1-141.x… 7a5076aec7aae7e6e05bf8d0f6b5e523 patch rpm(s): ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/pdftohtml-0.36-118… b14da314a640e3afd3e72f417937c461 ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/xpdf-2.02pl1-141.x… fd4047d3c5392d63040e576effb32df5 source rpm(s): ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/pdftohtml-0.36-118.sr… 5300f04533ee5b490e1f7de0a29fd705 ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/xpdf-2.02pl1-141.src.… dd9b695199beaea8122037705eb1a581 ______________________________________________________________________________ 5) pending vulnerabilities in SUSE Distributions and Workarounds: - freeradius Several bugs that can be abused to remotely crash freeradius have been discovered (CAN-2004-0938, CAN-2004-0960, CAN-2004-0961). New packages will be available soon. - mpg123 A buffer overflow in mpg123 has been discovered. New packages will be available soon. - squid A bug in the ASN.1 parser of the SNMP module has been fixed which would have allowed an attacker to crash squid (CAN-2004-0918). Updates will be available soon. ______________________________________________________________________________ 6) standard appendix: authenticity verification, additional information - Package authenticity verification: SUSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package: 1) md5sums as provided in the (cryptographically signed) announcement. 2) using the internal gpg signatures of the rpm package. 1) execute the command md5sum <name-of-the-file.rpm> after you downloaded the file from a SUSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security(a)suse.de) the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless. 2) rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, where <file.rpm> is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an un-installed rpm package file. Prerequisites: a) gpg is installed b) The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SUSE in rpm packages for SUSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SUSE Linux distributions version 7.1 and thereafter install the key "build(a)suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de . - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - general/linux/SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an email to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an email to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (faq) send mail to: <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com> respectively. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the clear-text signature shows proof of the authenticity of the text. SUSE Linux AG makes no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iQEVAwUBQX4pgXey5gA9JdPZAQHb0wf+P6dH8VFUyh7nVV8xd6tb/ccBFtpMOaCa Wq1i0754TcOpk6RKpVpzNEjB2bSh51aWvRykVEguQdo1MlpNZdlE5Zc/T38S+B3U H2hzK9o2d9FAUxHFEpjSRRQxFdDEP7Hx3JV/OnVIqZfycVij0MaTSN6j9c7GSUZP SQ97CdbMTgRe25lL2k1FofNaYpDKyng/yF78pxD8dI79abbupcJo7BokPtZ6yEGZ AL2PT3OhyYX3HJphNJ+4wcRIS71IWhB54kA0igB1Qp83ltROgbz1rr9OgUwf3fDi zvYGxNX4Eu0rxiaU6U81z+m5dScUoNMSM8CK+uZK/dn3iSHHNzjaLA== =j7Hh -----END PGP SIGNATURE-----

1 0

SuSE Security Announcement: libtiff (SUSE-SA:2004:038)
by Marcus Meissner 22 Oct '04

22 Oct '04

-----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SUSE Security Announcement Package: libtiff Announcement-ID: SUSE-SA:2004:038 Date: Friday, Oct 22nd 2004 18:00 MEST Affected products: 8.1, 8.2, 9.0, 9.1 SUSE Linux Enterprise Server 8, 9 SUSE Linux Desktop 1.0 Vulnerability Type: local privilege escalation Severity (1-10): 9 SUSE default package: yes Cross References: CAN-2004-0803 CAN-2004-0804 CAN-2004-0886 CAN-2004-0929 Content of this advisory: 1) security vulnerability resolved: - several buffer overflows and related problems in libtiff were fixed. problem description 2) solution/workaround 3) special instructions and notes 4) package location and checksums 5) pending vulnerabilities, solutions, workarounds: - security problems in PDF viewers - freeradius denial of service problems - mpg123 buffer overflow 6) standard appendix (further information) ______________________________________________________________________________ 1) problem description, brief discussion libtiff is used by image viewers and web browser to view "TIFF" images. These usually open and display those images without querying the user, making a normal system by default vulnerable to exploits of image library bugs. Chris Evans found several security related problems during an audit of the image handling library libtiff, some related to buffer overflows, some related to integer overflows and similar. This issue is being tracked by the CVE ID CAN-2004-0803. Matthias Claasen found a division by zero in libtiff. This is tracked by the CVE ID CAN-2004-0804. Further auditing by Dmitry Levin exposed several additional integer overflows. These are tracked by the CVE ID CAN-2004-0886. Additionally, iDEFENSE Security located a buffer overflow in the OJPEG (old JPEG) handling in the SUSE libtiff package. This was fixed by disabling the old JPEG support and is tracked by the CVE ID CAN-2004-0929. SUSE wishes to thank all the reporters, auditors, and programmers for helping to fix these problems. 2) solution/workaround There is no workaround. Update the libtiff packages. 3) special instructions and notes Make sure that you restart your web browser after updating. 4) package location and checksums Download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. You can also use the YaST Online Update tool to install the security updates. Our maintenance customers are being notified individually. The packages are being offered for installation from the maintenance web. x86 Platform: SUSE Linux 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/libtiff-3.6.1-38.12.i5… cd373c181599ebbf3be0f021b811c7da patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/libtiff-3.6.1-38.12.i5… a45416ea1ac9628b9e4e7e6f09653cb5 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/tiff-3.6.1-38.12.src.rpm 2387abe21eebb97f319b6ddf1a982314 SUSE Linux 9.0: ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/libtiff-3.5.7-376.i586… db8b4d23eb887b3c391f5262f766ff86 patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/libtiff-3.5.7-376.i586… 58112fc9e5c6395bc316f3b46ffeb0ca source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/tiff-3.5.7-376.src.rpm 0810ea6ffe77b7a450698386a6238e61 SUSE Linux 8.2: ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/libtiff-3.5.7-376.i586… 339e0ce21cceadb883d2022ec01c1219 patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/libtiff-3.5.7-376.i586… 608c1b39e6d67c9da02e02d2176b7a97 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/tiff-3.5.7-376.src.rpm 8891d3c8ff0dd0f283f63d4b3021b894 SUSE Linux 8.1: ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/libtiff-3.5.7-376.i586… ______________________________________________________________________________ 5) Pending vulnerabilities in SUSE Distributions and Workarounds: - security problems in pdf viewers Chris Evans, Dmitry Levin and others found several buffer and integer overflow problems in xpdf and xpdf clones. These are being tracked under the CVE Ids CAN-2004-0888 and CAN-2004-0889. New packages will be available soon. - freeradius Several bugs that can be abused to remotely crash freeradius have been discovered (CAN-2004-0938, CAN-2004-0960, CAN-2004-0961). New packages will be available soon. - mpg123 A buffer overflow in mpg123 has been discovered. New packages will be available soon. ______________________________________________________________________________ 6) standard appendix: authenticity verification, additional information - Package authenticity verification: SUSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package: 1) md5sums as provided in the (cryptographically signed) announcement. 2) using the internal gpg signatures of the rpm package. 1) execute the command md5sum <name-of-the-file.rpm> after you downloaded the file from a SUSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security(a)suse.de) the checksums show proof of the authenticity of the package. We recommend against subscribing to security lists that cause the e-mail message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless. 2) rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, where <file.rpm> is the file name of the rpm package that you have downloaded. Of course, package authenticity verification can only target an uninstalled rpm package file. Prerequisites: a) gpg is installed b) The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SUSE in rpm packages for SUSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SUSE Linux distributions version 7.1 and thereafter install the key "build(a)suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de . - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - general/linux/SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an email to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an email to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (faq) send mail to: <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com> respectively. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the clear-text signature shows proof of the authenticity of the text. SUSE Linux AG makes no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iQEVAwUBQXkecney5gA9JdPZAQF/GwgAntBKf1MLJmRS+UHtYZsUqLr+7AJDKG2/ 4P8pVw/YlCJxUtboIIy5Mc1FVDsz5oq94YvqKssUkQFEiD8IpkeWQIckmClKiw5f CL46LQqDFocJrhU10+aTgh69eULZ3GL0XWi/7QXHZ/8Dq+Yttrwy6dSu5UiBC4Fu kRGLzNge09hraai4wY0OH/28Dp6NeziXpGx7RYf2heNfewo6gD/rDlAI1mQMAXYI lhbDBfYTMipRmx4Lk4y+ZJJ9HuU6w1ACFNQ0GtiaBoNl1+EoZJqht6WpyN350Rul Mf97jAjfGjbe0h31JgD7dAybY1nsl1o8bYOmnIZTZs3Nf5YEm9+wUA== =c8DY -----END PGP SIGNATURE-----

1 0

SuSE Security Announcement: kernel (SUSE-SA:2004:037)
by Marcus Meissner 21 Oct '04

21 Oct '04

-----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SUSE Security Announcement Package: kernel Announcement-ID: SUSE-SA:2004:037 Date: Wednesday, Oct 20th 2004 18:00 MEST Affected products: 9.1 SUSE Linux Enterprise Server 9 Vulnerability Type: remote denial of service Severity (1-10): 9 SUSE default package: yes Cross References: CAN-2004-0816 CAN-2004-0887 Content of this advisory: 1) security vulnerability resolved: - remote system crash with enabled firewall - local root exploit on the S/390 platform - minor /proc information leaks problem description 2) solution/workaround 3) special instructions and notes 4) package location and checksums 5) pending vulnerabilities, solutions, workarounds: - libtiff - cyrus-sasl - php4 - zinf ______________________________________________________________________________ 1) problem description, brief discussion An integer underflow problem in the iptables firewall logging rules can allow a remote attacker to crash the machine by using a handcrafted IP packet. This attack is only possible with firewalling enabled. We would like to thank Richard Hart for reporting the problem. This problem has already been fixed in the 2.6.8 upstream Linux kernel, this update contains a backport of the fix. Products running a 2.4 kernel are not affected. Mitre has assigned the CVE ID CAN-2004-0816 for this problem. Additionaly Martin Schwidefsky of IBM found an incorrectly handled privileged instruction which can lead to a local user gaining root user privileges. This only affects the SUSE Linux Enterprise Server 9 on the S/390 platform and has been assigned CVE ID CAN-2004-0887. Additionaly the following non-security bugs were fixed: - Two CD burning problems. - USB 2.0 stability problems under high load on SMP systems. - Several SUSE Linux Enterprise Server issues. (see the Maintenance Information Mail for more informations). 2) solution/workaround If you are not using an iptables based firewall (like SUSEfirewall2) on your system, you are not affected. If you are using a firewall, a workaround is to disable firewall logging of IP and TCP options. We recommend to update the kernel. 3) special instructions and notes SPECIAL INSTALL INSTRUCTIONS: ============================== The following paragraphs will guide you through the installation process in a step-by-step fashion. The character sequence "****" marks the beginning of a new paragraph. In some cases, the steps outlined in a particular paragraph may or may not be applicable to your situation. Therefore, please make sure to read through all of the steps below before attempting any of these procedures. All of the commands that need to be executed are required to be run as the superuser (root). Each step relies on the steps before it to complete successfully. **** Step 1: Determine the needed kernel type Please use the following command to find the kernel type that is installed on your system: rpm -qf /boot/vmlinuz Following are the possible kernel types (disregard the version and build number following the name separated by the "-" character) kernel-64k-pagesize kernel-bigsmp kernel-default kernel-smp **** Step 2: Download the package for your system Please download the kernel RPM package for your distribution with the name as indicated by Step 1. The list of all kernel rpm packages is appended below. Note: The kernel-source package does not contain a binary kernel in bootable form. Instead, it contains the sources that the binary kernel rpm packages are created from. It can be used by administrators who have decided to build their own kernel. Since the kernel-source.rpm is an installable (compiled) package that contains sources for the linux kernel, it is not the source RPM for the kernel RPM binary packages. The kernel RPM binary packages for the distributions can be found at the locations below ftp://ftp.suse.com/pub/suse/i386/update/. 9.1/rpm/i586 After downloading the kernel RPM package for your system, you should verify the authenticity of the kernel rpm package using the methods as listed in section 3) of each SUSE Security Announcement. **** Step 3: Installing your kernel rpm package Install the rpm package that you have downloaded in Steps 3 or 4 with the command rpm -Uhv --nodeps --force <K_FILE.RPM> where <K_FILE.RPM> is the name of the rpm package that you downloaded. Warning: After performing this step, your system will likely not be able to boot if the following steps have not been fully followed. **** Step 4: configuring and creating the initrd The initrd is a ramdisk that is loaded into the memory of your system together with the kernel boot image by the bootloader. The kernel uses the content of this ramdisk to execute commands that must be run before the kernel can mount its actual root filesystem. It is usually used to initialize SCSI drivers or NIC drivers for diskless operation. The variable INITRD_MODULES in /etc/sysconfig/kernel determines which kernel modules will be loaded in the initrd before the kernel has mounted its actual root filesystem. The variable should contain your SCSI adapter (if any) or filesystem driver modules. With the installation of the new kernel, the initrd has to be re-packed with the update kernel modules. Please run the command mk_initrd as root to create a new init ramdisk (initrd) for your system. On SuSE Linux 8.1 and later, this is done automatically when the RPM is installed. **** Step 5: bootloader If you run a SUSE LINUX 8.x, SLES8, or SUSE LINUX 9.x system, there are two options: Depending on your software configuration, you have either the lilo bootloader or the grub bootloader installed and initialized on your system. The grub bootloader does not require any further actions to be performed after the new kernel images have been moved in place by the rpm Update command. If you have a lilo bootloader installed and initialized, then the lilo program must be run as root. Use the command grep LOADER_TYPE /etc/sysconfig/bootloader to find out which boot loader is configured. If it is lilo, then you must run the lilo command as root. If grub is listed, then your system does not require any bootloader initialization. Warning: An improperly installed bootloader may render your system unbootable. **** Step 6: reboot If all of the steps above have been successfully completed on your system, then the new kernel including the kernel modules and the initrd should be ready to boot. The system needs to be rebooted for the changes to become active. Please make sure that all steps have completed, then reboot using the command shutdown -r now or init 6 Your system should now shut down and reboot with the new kernel. 4) package location and checksums Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web. x86 Platform: SUSE Linux 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-default-2.6.5-7… 735f99730442772d0caeb1043576da0e ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-smp-2.6.5-7.111… 8e38495a90203fdeef0167126e9699fd ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-bigsmp-2.6.5-7.… 54474a313ff90c5a5ded8cd3590016ee source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-default-2.6.5-7.… 60a46f48bbae6989a50d2b3c735cd176 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-smp-2.6.5-7.111.… 5bc77692dc82521b83378c97d39acd72 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-bigsmp-2.6.5-7.1… 348c5d63b8c26c548d8b5bfcc894b805 x86-64 Platform: SUSE Linux 9.1: ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-default-2.6… 53ec1285f8933f79b6e53f2cb4d2094a ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-smp-2.6.5-7… de3bf18c94d26a2b3477cf11cf723380 source rpm(s): ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-default-2.6.5-… 3e6123bd50f2802cf6a96ccfa2af674f ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-smp-2.6.5-7.11… 365354d9e91032e53436f949da6ae8f6 ______________________________________________________________________________ 5) Pending vulnerabilities in SUSE Distributions and Workarounds: libtiff - Several buffer and integer overflows have been found in the image handling library libtiff by Chris Evans and Dmitry Levin, recorded under CVE Ids: CAN-2004-0803,CAN-2004-0804,CAN-2004-0886. We are working on updates and will release them within the next days. cyrus-sasl - The SASL_PATH environment variable was also used to load plugins even with setuid privileges set, which can lead to a local root privilege escalation. The default SUSE installation was not found to be affected by this problem, neithertheless we are in the process of releasing updates. The CVE ID for this issue is: CAN-2004-0884 php4 - File overwrite problems were identified in php4. We have released updates for this issue. However, due to problems with php4-recode in combination with php4-mysql we had to withdraw the update from YaST2 Online Update for some SUSE Linux versions. New packages will be available soon. zinf - A tempfile race condition in zinf / freeamp was fixed, packages are available. phpMyAdmin - A bug in phpMyAdmin that would allow users to execute arbitrary commands has been discovered. New packages will be available soon. mysql - Several bugs in mysql have been discovered. New packages will be available soon. libpng - The issues with libpng described in CAN-2004-0954 and CAN-2004-0955 where already fixed in the last libpng update. Fixed packages are therefore already available on our ftp server. ______________________________________________________________________________ 6) standard appendix: authenticity verification, additional information - Package authenticity verification: SUSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package: 1) md5sums as provided in the (cryptographically signed) announcement. 2) using the internal gpg signatures of the rpm package. 1) execute the command md5sum <name-of-the-file.rpm> after you downloaded the file from a SUSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security(a)suse.de) the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless. 2) rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, where <file.rpm> is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an un-installed rpm package file. Prerequisites: a) gpg is installed b) The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SUSE in rpm packages for SUSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SUSE Linux distributions version 7.1 and thereafter install the key "build(a)suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de . - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - general/linux/SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an email to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an email to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (faq) send mail to: <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com> respectively. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the clear-text signature shows proof of the authenticity of the text. SUSE Linux AG makes no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iQEVAwUBQXdo13ey5gA9JdPZAQE6Hwf7Bw82jWwK890uLPv8ByWeb3V8+M4kHiUc 1b33YLWPv/Q9OL1/Shyu6axownxUtSP/xgypv81Z5qKG4ETwV1EqB/v8eAQGQjCO ptkA5rID9EhZYxXxPb4v4jFiqBMxRM3Sp8n0q0eRMNnOgHY5edS6tfkbwR2SsWEc i8uGPVYaXOOnkLEB83Ra9o7UsMpXXy1W711EN7G20Tu6XT8HhNwOZZu69/KzKbso /OVY48usd6EkExrFxLSJBtWI4OU2Qn/zerd2bRmmEN+gMH+/c7pceGC+SEDGn+Bq p/mnwsDz3e4Z3LfkMgNY3qGXc7h6fOYF4GJtLB9tkH8/gIXwSqiDuQ== =SsBR -----END PGP SIGNATURE-----

1 0

SUSE Security Announcement: mozilla (SUSE-SA:2004:036)
by Sebastian Krahmer 06 Oct '04

06 Oct '04

-----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SUSE Security Announcement Package: mozilla Announcement-ID: SUSE-SA:2004:036 Date: Wednesday, Oct 6th 14:36:39 MEST 2004 Affected products: 8.1, 8.2, 9.0, 9.1 SUSE Linux Enterprise Server 8, 9 SUSE Linux Desktop 1.0 Vulnerability Type: various vulnerabilities Severity (1-10): 5 SUSE default package: yes Cross References: http://www.mozilla.org/security/ Content of this advisory: 1) security vulnerability resolved: - various vulnerabilities problem description 2) solution/workaround 3) special instructions and notes 4) package location and checksums 5) pending vulnerabilities, solutions, workarounds: - openmotif 6) standard appendix (further information) ______________________________________________________________________________ 1) problem description, brief discussion During the last months a number of security problems have been fixed in Mozilla and Mozilla based brwosers. These include: - CAN-2004-0718: content in unrelated windows could be modified - CAN-2004-0722: integer overflow in the SOAPParameter object constructor - CAN-2004-0757: heap-based buffer overflow in the SendUidl of POP3 code - CAN-2004-0758: denial-of-service with malicious SSL certificates - CAN-2004-0759: read files via JavaScript - CAN-2004-0760: MIME code handles %00 incorrectly - CAN-2004-0761: spoofing of security lock icon - CAN-2004-0762: manipulation of XPInstall Security dialog box - CAN-2004-0763: spoofing of SSL certificates by using redirects and JavaScript - CAN-2004-0764: hijacking the user interface via the "chrome" flag and XML User Interface Language (XUL) files - CAN-2004-0765: spoofing SSL certificates due to incorrecting comparsion of hostnames - CAN-2004-0902: Several heap based buffer overflows in Mozilla Browsers. - CAN-2004-0903: Stack-based buffer overflow in the writeGroup function in vcard handling. - CAN-2004-0904: Overflow in BMP bitmap decoding. - CAN-2004-0905: Crossdomain scripting and possible code execution by javascript drag and drop. - CAN-2004-0906: XPI Installer sets insecure permissions, allowing local users to overwrite files of the user. - CAN-2004-0908: Allow untrusted javascript code to read and write to the clipboard. - CAN-2004-0909: Allow remote attackers to trick the user into performing dangerous operations by modifying security relevant dialog boxes. 2) solution/workaround Since there is no workaround, we recommend an update in any case if you use the mozilla browser. 3) special instructions and notes After successfully updating the package(s) you need to close all instances of the web browser and restart it again. 4) package location and checksums Due to the large amount of updated packages and dependencies we do not provide MD5-sums this time. The updates are cryptographically signed and are available for download via the Yast Online Update. ______________________________________________________________________________ 5) Pending vulnerabilities in SUSE Distributions and Workarounds: - openmotif The XPM security problems within openmotif have been fixed. New packages are available on our ftp servers. ______________________________________________________________________________ 6) standard appendix: authenticity verification, additional information - Package authenticity verification: SUSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package: 1) md5sums as provided in the (cryptographically signed) announcement. 2) using the internal gpg signatures of the rpm package. 1) execute the command md5sum <name-of-the-file.rpm> after you downloaded the file from a SUSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security(a)suse.de) the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless. 2) rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, where <file.rpm> is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an un-installed rpm package file. Prerequisites: a) gpg is installed b) The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SUSE in rpm packages for SUSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SUSE Linux distributions version 7.1 and thereafter install the key "build(a)suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de . - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - general/linux/SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an email to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an email to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (faq) send mail to: <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com> respectively. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the clear-text signature shows proof of the authenticity of the text. SUSE Linux AG makes no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iQEVAwUBQWPsxHey5gA9JdPZAQGMcwf/TCYBxw1SszOxykVCoBjSOP9/afp2f8S/ Zkf7rh+dti+C/JcqVpzNhu8C9TRsECoTWCqsV6m7+VIak1REUW0Tc6EwR43yDqUc 1G9VPbYX7+T5Wv6mE2zU7VGKqBXSYQPHqFCX5/Q+gR099QNxpWT/1QxmTefPuy/p wKwqIaBz0OISxFs20bR3ZS9Lwr0Uu5V9SFwn9I0qiDb0fwzRxmGTzVFura8k87oH l5ww/EKb2bgFqsu5aHanAQWsWg6S9K8l+Y6Jah72EXzPcy1QT6UBkHdj9zk2f8+f 6ENyU1qpTG2A4ZKWOWCUWl2uQ4kYZtdBX+4EP3ryM5V5xszxACQdpQ== =S9Fr -----END PGP SIGNATURE----- -- ~ ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer(a)suse.de - SuSE Security Team ~

1 0

SUSE Security Announcement: samba (SUSE-SA:2004:035)
by Thomas Biege 05 Oct '04

05 Oct '04

-----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SUSE Security Announcement Package: samba Announcement-ID: SUSE-SA:2004:035 Date: Tuesday, Oct 5th 2004 16:53:01 MEST Affected products: 8.1, 8.2, 9.0 SUSE Linux Enterprise Server 8 SUSE Linux Desktop 1.0 Vulnerability Type: remote file disclosure Severity (1-10): 6 SUSE default package: Yes Cross References: CAN-2004-0815 Content of this advisory: 1) security vulnerability resolved: - Samba file access problem problem description 2) solution/workaround 3) special instructions and notes 4) package location and checksums 5) pending vulnerabilities, solutions, workarounds: - opera - kernel - mozilla 6) standard appendix (further information) ______________________________________________________________________________ 1) problem description, brief discussion The Samba server, which allows to share files and resources via the SMB/CIFS protocol, contains a bug in the sanitation code of path names which allows remote attackers to access files outside of the defined share. In order to access these files, they must be readable by the account used for the SMB session. CAN-2004-0815 has been assigned to this issue. 2) solution/workaround As a temporary workaround you can set the wide links = no option in smb.conf and restart the samba server. However an update is recommended nevertheless. 3) special instructions and notes After successfully updating the samba package, you need to issue the following command as root: rcsmb restart 4) package location and checksums Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web. SUSE Linux 9.0: ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/samba-2.2.8a-226.i586.… eb71869029b35d2a97d55e26514524db patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/samba-2.2.8a-226.i586.… 48bb3e455079fcfdf4ad2baa28f28557 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/samba-2.2.8a-226.src.rpm d162ea5a39b14ee16ae1c6d5df9211bb SUSE Linux 8.2: ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/samba-2.2.8a-225.i586.… 79b0514a827bdd782e6d3f62bb92fb85 patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/samba-2.2.8a-225.i586.… a50dd448212245d51e9ac59ae50514e8 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/samba-2.2.8a-225.src.rpm 25d488678b607b3c67612ee065abd77a SUSE Linux 8.1: ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/samba-2.2.8a-224.i586.… 93d0fb2502f30593548dbe2f41ec8948 patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/samba-2.2.8a-224.i586.… da5b107fb71c5daf5972b6e0aaca4f5c source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/samba-2.2.8a-224.src.rpm e0b9f9af6c5348cb9840b5d98a1c59dc x86-64 Platform: SUSE Linux 9.0: ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/samba-2.2.8a-226.x… 0f1c94aa23653b0cf9b318646d9153af patch rpm(s): ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/samba-2.2.8a-226.x… 569974c359702c263b0968ce8fb9810f source rpm(s): ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/samba-2.2.8a-226.src.… 75c1a01d03af42835809691840eaa331 ______________________________________________________________________________ 5) Pending vulnerabilities in SUSE Distributions and Workarounds: - opera New opera packages are available on our ftp servers, fixing CAN-2004-0691, CAN-2004-0597, CAN-2004-0598, CAN-2004-0599 and CAN-2004-0746. - kernel Update kernels for the kNFSd problem for SLES 8 and SL 8.1 have been released. - mozilla We are in the process of releasing updates for mozilla (and related browsers), fixing various issues: CAN-2004-0597, CAN-2004-0718, CAN-2004-0722, CAN-2004-0757, CAN-2004-0758, CAN-2004-0759, CAN-2004-0760, CAN-2004-0761, CAN-2004-0762, CAN-2004-0763, CAN-2004-0764 and CAN-2004-0765. We will give you concrete details in a separate mozilla advisory when the updates are available. ______________________________________________________________________________ 6) standard appendix: authenticity verification, additional information - Package authenticity verification: SUSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package: 1) md5sums as provided in the (cryptographically signed) announcement. 2) using the internal gpg signatures of the rpm package. 1) execute the command md5sum <name-of-the-file.rpm> after you downloaded the file from a SUSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security(a)suse.de) the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless. 2) rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, where <file.rpm> is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an un-installed rpm package file. Prerequisites: a) gpg is installed b) The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SUSE in rpm packages for SUSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SUSE Linux distributions version 7.1 and thereafter install the key "build(a)suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de . - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - general/linux/SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an email to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an email to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (faq) send mail to: <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com> respectively. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the clear-text signature shows proof of the authenticity of the text. SUSE Linux AG makes no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux) iQEVAwUBQWK1Q3ey5gA9JdPZAQG2XAf/brEQk2j1Eh3S7Q3r9jnNHM/0oJ6rfish wS/GcWazRcIV7I8JnUqspDU9zYamS2oB8Vu977yTFc+nhTryvpWsbJDnQIjtYE52 bEMMFW6gYTzUqG2U31mWKaqtpuFJJNuA3Lu0HgsxaQJ5F7qjVcsBOwX5PqCARMFp KIcGJi8BtLsQ36x2ZWOXKG6p8jXxx8kSVln7T6e1T0v4tVURA6BaEkE4Dh0ZoKh1 V+lYw0QipbBIByWnY/rT4T1tvZE9NUG3JSHe0olyvDekmm/WzoHLIqOe2cKfR77a nNb+cA81JW7JJk10NWKY4hzUX9oLCN8/mAvl40nvCHX+9YHldeM3Ag== =LbT6 -----END PGP SIGNATURE-----

1 0