June 2005 - openSUSE Security Announce

Discontinued SUSE Linux Distribution: 8.2
by Roman Drahtmueller 29 Jun '05

29 Jun '05

-----BEGIN PGP SIGNED MESSAGE----- - ------------------------------------------------------------------------- Wed Jun 29 17:00:00 MEST 2005 Dear suse-security-announce subscribers and SUSE LINUX users, With the release of the SUSE Linux 9.3 FTP edition this week, SUSE Security announces that the SUSE Linux 8.2 version of our home user product will be discontinued soon. Having provided security-relevant fixes for more than two years, vulnerabilities found in SUSE Linux 8.2 after July 14th 2005 will not be fixed any more for this product. As a consequence, the SUSE Linux 8.2 distribution directory on our ftp server ftp.suse.com has been moved from /pub/suse/i386/8.2/ to the /pub/suse/discontinued/ directory tree structure to free space on our mirror sites for the SUSE Linux 9.3 FTP edition; the 8.2 directory in the update tree /pub/suse/i386/update/8.2 will follow later in July 2005, as soon as all updates have been published. The discontinuation of SUSE Linux 8.2 enables us to focus on the SUSE LINUX distributions of a newer release date to ensure that our customers can continuously take advantage of the quality that they are used to with SUSE LINUX products. This announcement holds true for SUSE Linux 8.2 only. As usual, SUSE will continue to provide update packages for the following home users distributions: SUSE LINUX 9.0 SUSE LINUX 9.1 SUSE LINUX 9.2 and SUSE LINUX 9.3 for a two-year period after the release of the respective distribution. Please note that the maintenance cycles of SUSE LINUX Enterprise Server products and products based on the SUSE LINUX Enterprise Server operating system are not affected by this announcement. To learn more about SUSE LINUX business products, please visit http://www.novell.com/linux/suse/. If you have any questions regarding this announcement, please do not hesitate to contact SUSE Security at <security(a)suse.de>. Best regards, Roman Drahtmüller, SUSE Security. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iQEVAwUBQsK7yney5gA9JdPZAQGZ4Af/aXyoJzrkoiIe8PkysAlAbjCmbQWHnNWJ eLpk5xgtu/TTX2/zT6LrSg6t1uV4bgxg/x5026CShTXLJRpjMgRrlfZCZpSMUW3o DB5kLs2SSWWV8Ep7L2faiU5yMf4CD1LZ4HWq9wNxk/1vpbDilZL5Ni713D8r/Mcv WE5r3amyU0TkXO2peYNj4z8lk2rwiaJFUwMZzG6MRCn1CtgDXCIdwqe1gPn0tpdq r3tkRpLJrQltpPHcjO3N6MXo8OUlzThg4nm+C5WY0tbSn5eDo+DYdWH2s03fp20W M/9IKaoxACOtpgJhuljxA8OVtJ/7ybNaTfKquvfhMaoUuTiZtcBENA== =rNzC -----END PGP SIGNATURE-----

1 0

SUSE Security Announcement: clamav: multiple security and other bugfixes (SUSE-SA:2005:038)
by Marcus Meissner 29 Jun '05

29 Jun '05

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: clamav Announcement ID: SUSE-SA:2005:038 Date: Wed, 29 Jun 2005 13:00:00 +0000 Affected Products: 9.1, 9.2, 9.3 SUSE Linux Enterprise Server 9 Vulnerability Type: remote denial of service Severity (1-10): 5 SUSE Default Package: no Cross-References: CAN-2005-2070 CAN-2005-2056 Content of This Advisory: 1) Security Vulnerability Resolved: clamav various security and bug fixes Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: none 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion This security update upgrades the Clamav virus scan engine to the version 0.68.1. Among other bugfixes and improvements, this update fixes a bug in the Quantum decompressor routines that can be used for a remote denial of service attack against clamd. This bug is tracked by the Mitre CVE ID CAN-2005-2056. Also the Clam AV Mail Filter (clamav-milter) Plugin when used in sendmail could be used for a remote denial of service attack. This bug is tracked by the Mitre CVE ID CAN-2005-2070. 2) Solution or Work-Around Please install the upgraded packages. 3) Special Instructions and Notes Make sure you restart all services using clamav. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web. x86 Platform: SUSE Linux 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/clamav-0.86.1-0.1.i586… 38e12ca1dce7b58b849850ad7f211391 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/clamav-db-0.86.1-0.1.i… 21d73753323d5c5766d532e123b38704 SUSE Linux 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/clamav-0.86.1-0.1.i586… 159c4c2763dd901c4dfe100ae92aad24 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/clamav-db-0.86.1-0.1.i… ce2ecb1fa77d8ec5b18d08a79c50a835 SUSE Linux 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/clamav-0.86.1-0.2.i586… d5c0f87913be6d566deb949512494219 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/clamav-0.86.1-0.2.src.r… 04a1f51626c34212289ecd78cfa86ffb x86-64 Platform: SUSE Linux 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/clamav-0.86.1-0.1.x8… d7a12619a5b7ff6f4e64a98cbe15a5b2 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/clamav-db-0.86.1-0.1… 078ab644d16fff2e74826c56971f035f source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/clamav-0.86.1-0.1.src.r… a48c8535c90ad21b386e0578249bbe6e SUSE Linux 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/clamav-0.86.1-0.1.x8… 7b8d28ad51f9070af368e1fda08058df ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/clamav-db-0.86.1-0.1… 3f07c2f15a2c911e6d1656788ffd14d3 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/clamav-0.86.1-0.1.src.r… e9651a93e9afc7e6a21da7a719ca3067 SUSE Linux 9.1: ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/clamav-0.86.1-0.2.… 311638776159430b8fb2dd2893615892 source rpm(s): ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/clamav-0.86.1-0.2.src… 6c0653449afaf744459e80b1131d889b ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: none ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) iQEVAwUBQsKrh3ey5gA9JdPZAQKEAgf+P0UHmEvF6rKIOkTifvZHwCX6NkfIkeu9 6+X/uNUr16z2t0pYCakV+wWiFV5FRJipXS70lqjgcM9NeG9LATQAjbllsJCVTsPu V2T51TOu8ogzX6la/thLj6d5D2U6BHfJUlYAFQyfLO4qPi2fNi5FyEyyUj1euCFe A8cd2T/yWifb7i9J4R0J+4WtSeOXI4mzjwjXrkhAsZkBF/DmaYf7PDM769Bw0mmp P3FGjhky/eC+IvCbhX2FtIhKVt5xD8sj8OeaisKC4FEK7vDC2L5MtcifeNbPQYcM 0oyJCWAOttIKGaJjJX1Epq969PdM6BkEgxnd7uvba1U0p8zyEPys/w== =INLw -----END PGP SIGNATURE-----

1 0

SUSE Security Announcement: RealPlayer remote buffer overflow (SUSE-SA:2005:037)
by Marcus Meissner 27 Jun '05

27 Jun '05

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: RealPlayer Announcement ID: SUSE-SA:2005:037 Date: Mon, 27 Jun 2005 12:00:00 +0000 Affected Products: SUSE LINUX 9.2, 9.3 Novell Linux Desktop 9 Vulnerability Type: remote code execution Severity (1-10): 8 SUSE Default Package: yes Cross-References: CAN-2005-1766 CAN-2005-1277 Content of This Advisory: 1) Security Vulnerability Resolved: remote buffer overflow in RealPlayer Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion Various security problems were found in RealPlayer that allow a remote attacker to execute code in the local player by providing handcrafted files. See http://service.real.com/help/faq/security/050623_player/EN/ too. The following security bugs are listed: - To fashion a malicious MP3 file to allow the overwriting of a local file or execution of an ActiveX control on a customer's machine. - To fashion a malicious RealMedia file which uses RealText to cause a heap overflow to allow an attacker to execute arbitrary code on a customer's machine. - To fashion a malicious AVI file to cause a buffer overflow to allow an attacker to execute arbitrary code on a customer's machine. - Using default settings of earlier Internet Explorer browsers, a malicious website could cause a local HTML file to be created and then trigger an RM file to play which would then reference this local HTML file. (Not applicable to Linux.) The updated package fixes these problems. These are tracked by the Mitre CVE IDs CAN-2005-1766 and CAN-2005-1277. This bug affects all SUSE Linux versions including RealPlayer. However, due to the binary only nature of RealPlayer we are only able to provide fixed packages for SUSE Linux 9.2, 9.3 and Novell Linux Desktop 9. For the SUSE Linux versions containing RealPlayer 8 we are no longer able to offer security updates (as announced in SUSE-SA:2005:04). 2) Solution or Work-Around Please install the upgraded packages. 3) Special Instructions and Notes Please restart web browser which have Real Media content open. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web. x86 Platform: SUSE Linux 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/RealPlayer-10.0.5-0.1.… 0e61a92f6867ebc94283a734381d0ad5 SUSE Linux 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/RealPlayer-10.0.5-0.1.… d5c0cef03bef44c91971f41195d91afb ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) iQEVAwUBQr/3ZXey5gA9JdPZAQJKmAf+Ni3FbypNbn+tIqyHkMXxBxSIoeGrPrBw IkdxQvURLTKRCM7K2YtmQpPUZiXLbdVQw2xC5p7U1jIXSC11Jw+VtQbF6mCCniY4 0/wJDS9s4bZtjeVHMRBBSltzO6j2WOCjcZBjnJ/IAG9V3Ist5eg6C++aOvFl4Zod 22n542gd1awXCyIuhydytnHcmzmBomQqL50puarjWt9XnyBB1r4gt8r7M8QpHsxh aSrtPZ4GEVRCDnyGiPEWUNjy3mfqycOtyH447jvAZvIT71vDnmU0NN6wbxssPPqs yOR8alQ04BrRN3UNsVrCJDJrdz62iGHvygYNT3Ccq7ZdlxwxTAJWAw== =7COm -----END PGP SIGNATURE-----

1 0

SUSE Security Announcement: sudo (SUSE-SA:2005:036)
by Thomas Biege 24 Jun '05

24 Jun '05

-----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SUSE Security Announcement Package: sudo Announcement ID: SUSE-SA:2005:036 Date: Fri, 24 Jun 2005 12:01:00 Affected Products: 8.2, 9.0, 9.1, 9.2, 9.3 Vulnerability Type: race condition, arbitrary code execution Severity (1-10): 5 SUSE Default Package: yes Cross-References: CAN-2005-1993 Content of This Advisory: 1) Security Vulnerability Resolved: race condition in pathname handling Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: - cacti - gaim - gedit - evolution - postgresql - quanta - kdewebdev3 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion Sudo(8) allows the execution of commands as another user and gives the administrator more flexibility than su(1). A race condition in the pathname handling of sudo may allow a local user to execute arbitrary commands. To exploit this bug some conditions need to be fulfilled. The attacking user needs to be listed in the sudoers file, he is able to create symbolic links in the filesystem, and a ALL alias- command needs to follow the attackers entry. 2) Solution or Work-Around It is recommended to install the updated packages. 3) Special Instructions and Notes none 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web. x86 Platform: SUSE Linux 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/sudo-1.6.8p7-3.2.i586.… b66d5d132049853629a3bcac6ccab485 patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/sudo-1.6.8p7-3.2.i586.… 0be64a8e4904a4d291d8829f6b6041c6 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/sudo-1.6.8p7-3.2.src.rpm a069125224a78bc300fcd4dcb96e40d3 SUSE Linux 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/sudo-1.6.7p5-118.2.i58… 33bc6c32f618d10f577dab89ea99ece6 patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/sudo-1.6.7p5-118.2.i58… 760a5affabbaa042f4415bbefd6e368e source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/sudo-1.6.7p5-118.2.src.… e9e3038d21f011fadc8699edd3eeb8cc SUSE Linux 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/sudo-1.6.7p5-117.4.i58… a38b0526a497306827d0c80c944cbb29 patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/sudo-1.6.7p5-117.4.i58… 22199f86b112264ca314089bebedfac7 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/sudo-1.6.7p5-117.4.src.… ad22ffaf4a001e9a5de6a9c619098b15 SUSE Linux 9.0: ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/sudo-1.6.7p5-120.i586.… d6f2c65abb6ac1ffc869427a261e1c35 patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/sudo-1.6.7p5-120.i586.… cad88b3e9619781af28f2505ac398722 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/sudo-1.6.7p5-120.src.rpm 1fa8cd28e9c07bbd88674656b8847939 SUSE Linux 8.2: ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/sudo-1.6.6-192.i586.rpm aa1a93a017259335bbf87eda21b5e45b patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/sudo-1.6.6-192.i586.pa… b507d49bc18be0f2c3c70f41f15f1849 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/sudo-1.6.6-192.src.rpm cb3baefafd723842bd9b549762bf68a9 x86-64 Platform: SUSE Linux 9.3: ftp://ftp.suse.com/pub/suse/x86_64/update/9.3/rpm/x86_64/sudo-1.6.8p7-3.2.x… f4cad71e54f0f56b9fd5257228d3e94d patch rpm(s): ftp://ftp.suse.com/pub/suse/x86_64/update/9.3/rpm/x86_64/sudo-1.6.8p7-3.2.x… ac400e62fe3ce21ac7aa6a5e0da79977 source rpm(s): ftp://ftp.suse.com/pub/suse/x86_64/update/9.3/rpm/src/sudo-1.6.8p7-3.2.src.… a069125224a78bc300fcd4dcb96e40d3 SUSE Linux 9.2: ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/sudo-1.6.7p5-118.2… 1dea5ee72634fae4c9124fe5926874f4 patch rpm(s): ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/sudo-1.6.7p5-118.2… eb9db1ea2a1cd7bb3923c4d59774b965 source rpm(s): ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/src/sudo-1.6.7p5-118.2.sr… e9e3038d21f011fadc8699edd3eeb8cc SUSE Linux 9.1: ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/sudo-1.6.7p5-117.4… d3890913e3fb16ef2899aa681d645de0 patch rpm(s): ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/sudo-1.6.7p5-117.4… fee49fd93b75174c7229fde365fbed74 source rpm(s): ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/sudo-1.6.7p5-117.4.sr… b0b4cdd3765249f8f4f80ed17f182259 SUSE Linux 9.0: ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/sudo-1.6.7p5-120.x… f110cef5bb1fba01340235e035d56294 patch rpm(s): ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/sudo-1.6.7p5-120.x… 1bfecf26f55a8297d75ff8123ee48f59 source rpm(s): ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/sudo-1.6.7p5-120.src.… 89a5bcdc68a459b54be612c26bcd1250 ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: - cacti New cacti packages are available soon to fix a SQL injection bug a two bugs that can lead to remote command execution. - gaim New gaim packages are available for download. This update fixes the following security problems which allowed malicious users to crash other users' gaim client: * crashes via malformed MSN malformed message (CAN-2005-1934, CAN-2005-1262) * crash via specially named file sent via Yahoo (CAN-2005-1269) * crash via invalid Jabber file transfer request (CAN-2005-0967) * crash via special IRC messages (CAN-2005-0966) * crashes via malformed HTML tags (CAN-2005-0965, CAN-2005-0208, CAN-2005-0473) * crash via malformed SNAC packet sent via AIM/ICQ (CAN-2005-0472) - gedit Gedit had a format string bug in the filename handling, potentially allowing an attacker to execute arbitrary code. This bug has been fixed and packages are available on our FTP servers (CAN-2005-1686). - evolution A denial-of-service bug has been fixed in evolution. New packages can be found on our FTP servers. - postgresql* Updated packages are available on our FTP server. This update fixes the following security issues: * load arbitrary shared libraries and execute code via the LOAD extension (CAN-2005-0227) * bypass the EXECUTE permission check for functions by using the CREATE AGGREGATE command (CAN-2005-0244) * a heap based buffer overflow (CAN-2005-0245) * denial of service through intagg contrib module (CAN-2005-0246) * execute arbitrary code due to bugs in several SQL commands (CAN-2005-0247, CAN-2005-1409, CAN-2005-1410) This update also fixes the following non-security issues: * A race condition that allowed a transaction to be seen as committed for some purposes (eg SELECT FOR UPDATE) slightly sooner than for other purposes. - quanta/kdewebdev3 Kommander executed scripts from untrusted sources without further checking. This has been disabled now. New packages are available. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux) iQEVAwUBQrv/iney5gA9JdPZAQE4Zwf7Bz1edCsTDiHJNotS9yp5/p+/YMDv4h5F FXYDs7tdfEt1FIBwY1HaHlk7s1FpvqnDnl0uEyluHzeo+oNT9Z3Flp0EX9mJWW5r QiSidYmyEJ/BoOwaIx5imO6Oojz1Z39VgQ/DP4aKcwYqFwwrT4vEiE8csMD7NUGl kBlTAQP9EupyJUezkWMDPwK9xtKsDwqO15yoTP1rQgWc63XQqaMMG5oXXHYWiW6l jMdi093AUVE7kLpQODLR2MoG0D6cg4BqajqRFNwML/HOBZq3k9paODWZlN49O+AD dteuovw2MTeEGvHl+NKBROaDFmW6mz0P9yEl7qlHpCsdRavReSdMAQ== =ShIJ -----END PGP SIGNATURE-----

1 0

SUSE Security Announcement: razor-agents denial of service attack (SUSE-SA:2005:035)
by Marcus Meissner 23 Jun '05

23 Jun '05

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: razor-agents Announcement ID: SUSE-SA:2005:035 Date: Tue, 23 Jun 2005 09:00:00 +0000 Affected Products: 8.2, 9.0, 9.1, 9.2, 9.3 Vulnerability Type: remote denial of service Severity (1-10): 4 SUSE Default Package: no Cross-References: None. Content of This Advisory: 1) Security Vulnerability Resolved: denial of service attack against Vipuls razor Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion Several bugs were fixed in Vipuls Razor spam detection framework. These bugs could lead to remote denial-of-service conditions due to processing malformed messages and possible stepping into infinite loops. 2) Solution or Work-Around Please install the updated packages. 3) Special Instructions and Notes Please restart any service using razor-agents. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web. x86 Platform: SUSE Linux 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/razor-agents-2.67-3.2.… 676b7c6d977f0ed2b92ba313fa269689 SUSE Linux 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/razor-agents-2.61-3.2.… fc88751db9c4a14e5fbf6221d4ec5ad9 SUSE Linux 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/razor-agents-2.36-59.4… 889f8c37bbc80d520d6c4ecbfeff1913 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/razor-agents-2.36-59.4.… a49208f7438160852e1dff387a70beea SUSE Linux 9.0: ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/razor-agents-2.34-54.i… 7d831ac330b9ca512722ac1754ec3236 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/razor-agents-2.34-54.sr… db088de6b5cb8a5b67dfa485fdd22991 SUSE Linux 8.2: ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/razor-agents-2.126-122… d96fc57ad82f716dd421f0bca1c45b57 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/razor-agents-2.126-122.… 982a7860c698f1ea9a554128ce34b45b x86-64 Platform: SUSE Linux 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/razor-agents-2.67-3.… a1cd46cabd6e45c8f9d5ad7405085d04 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/razor-agents-2.67-3.2.s… 5f9642b047be597bfbed8229d3098e76 SUSE Linux 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/razor-agents-2.61-3.… 18157e6d2a2582b9a45b3a62be18ddb5 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/razor-agents-2.61-3.2.s… 7f9d70373765389ab8284bd274af6d2d SUSE Linux 9.1: ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/razor-agents-2.36-… a4824f88fcb85f610ca738b6c729744c source rpm(s): ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/razor-agents-2.36-59.… 5b064357f7db0574e7b89add57a3738f SUSE Linux 9.0: ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/razor-agents-2.34-… 6ecca2f0cd15f7804d04dac04ad22ce6 source rpm(s): ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/razor-agents-2.34-54.… 7765df46f6b332e835da33ab04784d6e ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) iQEVAwUBQrph83ey5gA9JdPZAQLEaAf9FajM8nMsrSZUSUEBjGL8dsbSa93/KaCi RHTq2Mpfg947AgyWzEHY0FiFb+fSxhXFpYkKjiPdRKxXlIEekJ6iA7WnWpcGinDA kO1tnU6/KJ407GkINgV5R2tUWr97tQ6W7pupnvEPjKQNpOZUyGzu1cDREOEj+LFs 5GPiutDxTJCO2UdBJv3g1P79Zn1vYA02QoO+XZ3DMUY6ErQ+GQThvmgS3wqhsM4k W3/Z5Hc9hZVhXJAnIG1gJFcTh3Z7cxudldBkdrHPXsdiuTPFTG8vZXplKvTcrUX7 mKj92nGNAKz9DprMFPMeYE8LgTLUn/RypotQcfSMmtP2Vtw3xqqe8Q== =g5p3 -----END PGP SIGNATURE-----

1 0

SUSE Security Announcement: opera various problems (SUSE-SA:2005:034)
by Marcus Meissner 22 Jun '05

22 Jun '05

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: opera Announcement ID: SUSE-SA:2005:034 Date: Wed, 22 Jun 2005 16:00:00 +0000 Affected Products: 8.2, 9.0, 9.1, 9.2, 9.3 Vulnerability Type: remote code execution Severity (1-10): 7 SUSE Default Package: no Cross-References: CAN-2005-1475 CAN-2005-1669 CAN-2004-1157 Content of This Advisory: 1) Security Vulnerability Resolved: various security problems in Opera Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion The web browser Opera has been updated to version 8.01 to fix various security-related bugs. * Fixed XMLHttpRequest redirect vulnerability reported in Secunia Advisory 15008. * Fixed cross-site scripting vulnerability reported in Secunia Advisory 15411. * Fixed cross-site scripting vulnerability in location header when automatic redirection is disabled. Vulnerability reported in Secunia Advisory 15423. * Fix for variant of window injection vulnerability reported in Secunia Advisory 13253 * Fixed information disclosure weakness causing file path information to be sent when using the GET form method. Security Focus Bugtraq ID #12723. * Improved accuracy of security bar and modified security icon behavior: when a certificate is accepted manually after a warning, the security level of the connection is set to 1. * Fixed issue with wrong referrers being sent to sites in browsing history. * Fixed erroneous display of certificate names containing ampersands. * Solved problem with collapsed address bars for some pop-ups missing indication of security level. These issues are tracked by the Mitre CVE IDs CAN-2005-1475, CAN-2005-1669 and CAN-2004-1157. 2) Solution or Work-Around Please install the upgraded package. 3) Special Instructions and Notes None. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web. x86 Platform: SUSE Linux 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/opera-8.01-1.1.i586.rpm b735a0e3e238cded7db42018d371dc10 SUSE Linux 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/opera-8.01-1.1.i586.rpm f6a6c2d1562db07c21f69176b3b873c3 SUSE Linux 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/opera-8.01-1.1.i586.rpm 3f4bdc3f1fa6a4895b099e1b517acb0f source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/opera-8.01-1.1.nosrc.rpm 853832a3070d6fdd4b55337381e54ab5 SUSE Linux 9.0: ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/opera-8.01-4.i586.rpm 2ab574cae977d4594c90f7f24fe3a35e source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/opera-8.01-4.nosrc.rpm 1f9e06245625f1b7bac0359ef5e42617 SUSE Linux 8.2: ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/opera-8.01-4.i586.rpm 64321e073068dba4a08ad655671bb0de source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/opera-8.01-4.nosrc.rpm ce9c2795a066856899de3a3cd3f5ae3f x86-64 Platform: SUSE Linux 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/opera-8.01-1.1.x86_6… 1748a5fa7a49dcaee5e46e7eca799bc3 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/opera-8.01-1.1.nosrc.rpm 2f6ea5cb149704ad0ea7248a5fa41b6f SUSE Linux 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/opera-8.01-1.1.x86_6… b8e11857750ee82fe0b2b96c548e88bd source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/opera-8.01-1.1.nosrc.rpm 6b20c173d980ce5c2c10c83cf722ff8e SUSE Linux 9.1: ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/opera-8.01-1.1.x86… 94f5e8bf7ab08d3c79f391a14648afa2 source rpm(s): ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/opera-8.01-1.1.nosrc.… 38c284a3241c2e4a25d56f65c20df16e SUSE Linux 9.0: ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/opera-8.01-4.x86_6… 4f04f1df035b03857915dbad665d9477 source rpm(s): ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/opera-8.01-4.nosrc.rpm 4d318c94bd2ba7ee3ac258d8803153af ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) iQEVAwUBQrmLG3ey5gA9JdPZAQJTwwgAjjRGIwnamrpnK5GwUPnT1m0eg3Mgor4F Jpy7AYjJoQYIbO4QdhdwG+DrFyu6Os2lQt/c1b0gYIN+CvLijxbjV14u0VQztPpP jYT7LV/1L9Qdzutd7YbXBt0/G0f64hksp0FFI+JWSy+oDLcz5/3nuWEMfl7uhqDO tTcgdjKzKthGN7/BC+KrBuDErwVdOxcsZHla6yP+LBoCK1wtAGSyg+uY5HS5A6vX 5FCvn60huQNype1sfsgSMW4yaWHVwm4ZJMjZcDSpt8gRvGrAGNnRf9BUIv+liH9F 7IYKJd/E8QU7IHygCW/CoyV5FvALgt6f6kkOyey6Vy1YzhnivAcwVA== =68Gi -----END PGP SIGNATURE-----

1 0

SUSE Security Announcement: spamassassin remote denial of service (SUSE-SA:2005:033)
by Marcus Meissner 22 Jun '05

22 Jun '05

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: spamassassin Announcement ID: SUSE-SA:2005:033 Date: Wed, 22 Jun 2005 16:00:00 +0000 Affected Products: SUSE Linux 9.2, 9.3 Vulnerability Type: remote denial of service Severity (1-10): 4 SUSE Default Package: no Cross-References: CAN-2005-1266 Content of This Advisory: 1) Security Vulnerability Resolved: denial of service attack against spamassassin Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion The anti spam tool SpamAssassin was prone to a denial-of-service attack. A remote attacker could craft a MIME E-Mail message that would waste a lot of CPU cycles parsing the Content-Type header. This is tracked by the Mitre CVE ID CAN-2005-1266. Only SUSE Linux 9.2 and 9.3 are affected, since they include the 3.x version of spamassassin. Older versions are not affected. 2) Solution or Work-Around Please install the upgraded packages. 3) Special Instructions and Notes Please restart running daemons that are using spamassassin (spamd, amavisd). 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web. x86 Platform: SUSE Linux 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/perl-spamassassin-3.0.… ffff26505ae36f59c2e4a3baba36a6e1 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/spamassassin-3.0.4-1.1… 3c0c41b5261fe1b55539f722b6963de9 SUSE Linux 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/perl-spamassassin-3.0.… ff3a80d96577e4e5e295a9b2eabb2601 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/spamassassin-3.0.4-1.1… 290ee4193359dc8931d5c9ef0bbea0a5 x86-64 Platform: SUSE Linux 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/perl-spamassassin-3.… 93e7f3a7c8a40b945277a65a04eb44df ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/spamassassin-3.0.4-1… 2d243affea763f1b3073be86fb7f8d08 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/spamassassin-3.0.4-1.1.… e3592564bb01536c50948811293bad7b SUSE Linux 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/perl-spamassassin-3.… 077e1e604de9953898040d7fb2192b46 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/spamassassin-3.0.4-1… 26ffd80d45e83a6931eaf86a8c85ff1b source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/spamassassin-3.0.4-1.1.… 9dfd203b10a593b5f28dc7cbae7fe550 ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) iQEVAwUBQrl+HXey5gA9JdPZAQIEnAf9FCwaS4f2I127IF1acxlwiIUfNgtgaOrJ axTkHGKPDVNM1Si7HsWhFNjPGOvEWgYqUb/KlJBjboCyBL76DAQEdf9gsfUlZM8r 9G56ZUZTkLPJxCu/2UIGzqDj+OgmimwAA29jhOB6VngUJo+e2+Sb/GhUP9yYXHpw sFZfzu5SjUF1cg/63ilY+kjDmKkFFrNDFVHRhj1gXSQkTNkTfFCgXnsFPT0sbk8e R1vzf7Bf3F9T51ywfU0T+/MXbx8CJdnxctRI/beoqqZGe0fJCdUzAyOUfa7EaXnD 3OHKz6SBs/Z3vJJAnlTA3lHGFob+qODKmPjkQheBnW5c5/doqleDZA== =RJ1i -----END PGP SIGNATURE-----

1 0

SUSE Security Announcement: SUN Java security problems (SUSE-SA:2005:032)
by Marcus Meissner 22 Jun '05

22 Jun '05

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: java2 Announcement ID: SUSE-SA:2005:032 Date: Wed, 22 Jun 2005 13:00:00 +0000 Affected Products: 8.2, 9.0, 9.1, 9.2, 9.3 SUSE Linux Desktop 1.0 SUSE Linux Enterprise Server 9 Open Enterprise Server 9 Novell Linux Desktop 9 Vulnerability Type: remote code execution Severity (1-10): 8 SUSE Default Package: yes Cross-References: CAN-2005-0836 CAN-2005-1974 Content of This Advisory: 1) Security Vulnerability Resolved: java applet and java webstart security problems Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion Two security bugs in the SUN Java implementation have been fixed. Java Web Start can be exploited remotely due to an error in input validation of tags in JNLP files, so an attacker can pass arbitrary command-line options to the virtual machine to disable the sandbox and get access to files. This is tracked by the Mitre CVE ID CAN-2005-0836. The second bug is equal to the first one but can also triggered by untrusted applets. This is tracked by the Mitre CVE ID CAN-2005-1974. 2) Solution or Work-Around Install the updated packages. A possible workaround is to disable Java Applets in your web browser. 3) Special Instructions and Notes None. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the file name of the downloaded RPM package. Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web. x86 Platform: SUSE Linux 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/java-1_4_2-sun-1.4.2.0… fbc21570966da99cd3bb7f1c1fd636c8 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/java-1_4_2-sun-alsa-1.… 82f310e66597d11099f61364945b48ce ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/java-1_4_2-sun-demo-1.… f7bb684e9fe2aaa5a683957afc8b6517 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/java-1_4_2-sun-devel-1… 76f6a5edc2c3994548c2ddcbe3a4484f ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/java-1_4_2-sun-jdbc-1.… 729c184ea79b88bdc5a63b08160d7315 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/java-1_4_2-sun-plugin-… 34656e90494245d8d024ce4c62a9514d ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/java-1_4_2-sun-src-1.4… 5435cecd1ac5b765a0be01548af7d718 SUSE Linux 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/java-1_4_2-sun-1.4.2.0… 2441a70049233806e65f2628ef43d8e7 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/java-1_4_2-sun-alsa-1.… 794e45b4c1ee93d7afcfcc764699cce0 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/java-1_4_2-sun-demo-1.… 4fb798a547e358259da3cc9eb4e3a787 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/java-1_4_2-sun-devel-1… 7ac2e1fdb86be84452f43fe7d0226ba7 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/java-1_4_2-sun-jdbc-1.… 29f7be94acb971a69037a8816baec070 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/java-1_4_2-sun-plugin-… 72d6c05a072e85f23d8a0ba2a8d44bab ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/java-1_4_2-sun-src-1.4… a4c9c005e71e95a5badf98d0cfcdbf27 SUSE Linux 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/java2-1.4.2-129.14.i58… 258293f19eb8d7abf6909651711dfa7d ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/java2-jre-1.4.2-129.14… 48bb99e7d8dd272b1f49d5d65bf036e7 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/java2-1.4.2-129.14.src.… 0316bc3bfaef1261fdb7a1a7c880ff34 SUSE Linux 9.0: ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/java2-1.4.2-144.i586.r… 1560a3e8be7d9864443d68a1ece7ac5a ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/java2-jre-1.4.2-144.i5… 9c516cde514e8d851abbd6ec0419ac7a source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/java2-1.4.2-144.src.rpm 0b541e9798ef1f228b421fa1f0d53c95 SUSE Linux 8.2: ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/java2-1.4.2-144.i586.r… 7ac58793edd29e2aa4279dd3de3d0546 ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/java2-jre-1.4.2-144.i5… ad7221fed4a7b9331b0acf74f4d718ca source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/java2-1.4.2-144.src.rpm 8369799cf74b347d7eff109cd1aa1e2e x86-64 Platform: SUSE Linux 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/java-1_4_2-sun-1.4.2… 5535a1d570e5f5b5876a3855ce7c0cd1 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/java-1_4_2-sun-alsa-… fbfb7f90e6a069a3f87d30ac12f32456 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/java-1_4_2-sun-demo-… c2f6ce7ed3163c03543d9ef1b5144e43 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/java-1_4_2-sun-devel… aefcbe8faf1ccb5f8484f7a22567a612 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/java-1_4_2-sun-jdbc-… 3cc3c8e8abe89894f5424c113213c754 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/java-1_4_2-sun-plugi… 0d919e446ba1867344cc1c4c49279520 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/java-1_4_2-sun-src-1… 2a0e661ba41ac15889b44a943042660f source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/java-1_4_2-sun-1.4.2.08… 00fcd6dceed29ab0c76b8124ae1879f3 SUSE Linux 9.1: ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/java2-1.4.2-129.14… d0952fab911d27d6d471a703f871835a ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/java2-jre-1.4.2-12… 1d69b379938d15e7ebd193caf84c85d7 source rpm(s): ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/java2-1.4.2-129.14.sr… d135ff25b45cd7d788b6500ec67b29d9 SUSE Linux 9.0: ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/java2-1.4.2-144.x8… 74ed54181741b8a573be44e0f194b796 ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/java2-jre-1.4.2-14… 91550144e9bda42c9694b21ec217de19 source rpm(s): ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/java2-1.4.2-144.src.r… 036cdd6520123345a3a32617c227bc27 ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) iQEVAwUBQrlVGHey5gA9JdPZAQKyGQf+OUDREMkN7YNudKOzqxjIX6P0EJ4QyYwf lz8jeGsDsAPOYHuCAuj04U72f7gaFLDp1xFxJBZ1OwpjoyR4AfmBGvhxfPQK6gYO othrpA457RaRzHznRukFDrHzHbh0ya9w3miMFTo99AQ4Ac6WjDa8o2W/OPtViu8w t9WP2Vw1PZAx4zTg6vo1ROQSt4Y+U+4vjfgT/tX8WlC2Mud/UK0O/nuI3gGQkNjp NUREWIP0PAg07sAkz7+9/6wdOyNQmagKNXb3kw2El0YHrmhp/7egwvgAv4TPYCqB Dfkzbf7C27m5Zaxd5xMJz2Ymq6gDi2+eEuD6lCMry+m3s1gjxY2NOw== =0NBu -----END PGP SIGNATURE-----

1 0

SUSE Security Summary Report SUSE-SR:2005:016
by Marcus Meissner 17 Jun '05

17 Jun '05

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Summary Report Announcement ID: SUSE-SR:2005:016 Date: Fri, 17 Jun 2005 14:00:00 +0000 Cross-References: CAN-2005-0160 CAN-2005-0161 CAN-2005-0961 Content of this advisory: 1) Solved Security Vulnerabilities: - gpg2 broken S/MIME signing - telnet environment option disclosure - unace buffer overflows - horde cross site scripting 2) Pending Vulnerabilities, Solutions, and Work-Arounds: - postgresql various fixes - gaim denial of service attack - perl-Net-Server denial of service attack - Sun Java applet privilege problems 3) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Solved Security Vulnerabilities To avoid flooding mailing lists with SUSE Security Announcements for minor issues, SUSE Security releases weekly summary reports for the low profile vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums or download URLs like the SUSE Security Announcements that are released for more severe vulnerabilities. Fixed packages for the following incidents are already available on our FTP server and via the YaST Online Update. - gpg2 The S/MIME signing using gpg2 was broken in SUSE Linux 9.3. Updated packages were released to fix this problem. - telnet The telnet client protocol can be abused by a malicious server to read the environment of the client site. This information in turn can be used as preparation for further attacks. This bug was reported by iDEFENSE [IDEF0865] and is tracked by the Mitre CVE ID Note that this patch changes the behavior of the telnet client regarding the rule of exported environment variables. Please consult the man page for further details. All SUSE Linux products are affected. - unace The unpacker "unace" had several buffer overflows while extracting, testing, or listing an archive file (CAN-2005-0160) as well as a buffer overflow while handling long command-line options (CAN-2005-0161). This affects all SUSE Linux versions including unace (8.2 up to 9.3). - horde cross site scripting A cross site scripting problem was fixed in horde application framework. This issue is tracked by the Mitre CVE ID CAN-2005-0961. All SUSE Linux 9.2 and SUSE Linux Enterprise Server 9 were affected. ______________________________________________________________________________ 2) Pending Vulnerabilities, Solutions, and Work-Arounds - postgresql Two security problems in PostgreSQL may allow an unprivileged database user to crash the backend process or allow an unprivileged user to gain the privileges of a database superuser. To fix those problems please carefully read the instructions on http://www.postgresql.org/about/news.315 This is tracked by the Mitre CVE IDs CAN-2005-1409 and CAN-2005-1410 All SUSE LINUX based products except for SLES8 are affected. - gaim Several new denial of service problems were found in the gaim Instant Messenger, affecting all SUSE Linux based distributions including gaim. Updates are being prepared. - perl-Net-Server We earlier reported a format string problem in the perl-Net-Server perl modules. Against earlier suspicions this cannot be used to execute code, but just to crash (denial of service) the respective service. This is tracked by the Mitre CVE ID CAN-2005-1127. - java applet privilege problems A critical flaw was found in the Sun Java run time environment which allows untrusted applets or JLNP (webstartable) files to circumvent access restrictions and read/write files on the system and start applications. We are currently preparing updates for this problem. All SUSE Linux products containing Sun Java are affected. ______________________________________________________________________________ 3) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file containing the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and integrity of a package needs to be verified to ensure that it has not been tampered with. The internal RPM package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and included at the end of this announcement. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ) send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) iQEVAwUBQrLdJney5gA9JdPZAQLeQgf/eWmxBol68XmaTsGKz2KAvTVLI4taF5nQ Wy2IyCMvZ5AmL1MuNc3LGeexQeJTqDMEEkUXrL5e1rFb60c1Y62KIyCOiAMtAivj iVJsnJ0zPFLsmqTXR2cUhEbSy97ePmsO8D6fuoZoiI7ZXoMvkeUMT9wQ3vPhDBop TPJ8/6IYMgFqGQedST7mOryJxj094D7Ho922oCSY988D9bO+zl7a3gkXIj5qfXJ7 IE/KLa2atnUPHCQnaMYi3a7aK7Lxxi/EU8xGCauME8pBHCVkXO3m5RIGt2qqzSeT hNPx7mdWXJv0uDrsVjGzrtxnebPR1HOKM2XMXiwxcFhcs4k6VZQZqA== =BgdW -----END PGP SIGNATURE-----

1 0

SUSE Security Announcement: Opera various problems (SUSE-SA:2005:031)
by Marcus Meissner 15 Jun '05

15 Jun '05

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: opera Announcement ID: SUSE-SA:2005:031 Date: Wed, 15 Jun 2005 12:00:00 +0000 Affected Products: 8.2, 9.0, 9.1, 9.2, 9.3 Vulnerability Type: phishing problems Severity (1-10): 5 SUSE Default Package: no Cross-References: CAN-2005-0235 CAN-2005-0456 CAN-2005-1139 Content of This Advisory: 1) Security Vulnerability Resolved: various problems in Opera Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion The commercial web browser Opera has been updated to the 8.0 version, fixing all currently known security problems, including: - CAN-2005-0235: IDN cloaking / homograph attack allows easy spoofing of domain names. - CAN-2005-0456: Opera did not validate base64 encoded binary in data: URLs correctly. - CAN-2005-1139: Opera showed the Organizational Information of SSL certificates which could be easily spoofed and be used for phishing attacks. A full Changelog can be found on: http://www.opera.com/linux/changelogs/800/ 2) Solution or Work-Around Install the upgraded package. 3) Special Instructions and Notes Please restart Opera after the update. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the file name of the downloaded RPM package. Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web. x86 Platform: SUSE Linux 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/opera-8.0-1.1.i586.rpm a40ceec9a6772cce634f71b29b7662e3 SUSE Linux 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/opera-8.0-1.1.i586.rpm f98b646f453a74ddba61ed96f91436ca SUSE Linux 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/opera-8.0-1.1.i586.rpm 26b3ec794d410a602dde7a29faf030a2 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/opera-8.0-1.1.nosrc.rpm b47bf4581a2a3c2872c6eb6fb673ccb4 SUSE Linux 9.0: ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/opera-8.0-4.i586.rpm 508aaa40dc941a4ddb72db32157aa085 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/opera-8.0-4.src.rpm 5b5bc67f61bffdf2898dbf8f5115a6e5 SUSE Linux 8.2: ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/opera-8.0-4.i586.rpm 37bfb1ef0c97c37c5e333c24989222af source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/opera-8.0-4.nosrc.rpm 50b835400caba7938160ace7c4a07680 x86-64 Platform: SUSE Linux 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/opera-8.0-1.1.x86_64… 7ab3f0794de27b6e8d1ec1195eca6f7e source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/opera-8.0-1.1.nosrc.rpm fafb0ebee70a9479e7611074a687650e SUSE Linux 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/opera-8.0-1.1.x86_64… afecc0d9d633d73537057641ec8496ee source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/opera-8.0-1.1.nosrc.rpm baa386aa97a05661ab4f3120e8b5b207 SUSE Linux 9.1: ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/opera-8.0-1.1.x86_… 91a52710d7555fd98ebb021e523e6e78 source rpm(s): ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/opera-8.0-1.1.nosrc.r… c32e1512c575725e9d8b33251649f691 SUSE Linux 9.0: ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/opera-8.0-4.x86_64… 8f7a5a4c669a552383418ef7a8bd8d19 source rpm(s): ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/opera-8.0-4.src.rpm 891bd2022d4d487c0008e9f57ab45779 ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) iQEVAwUBQrAcSHey5gA9JdPZAQLHNQf/TdljoHqPjW36l47acftrXCx5bGZOsWzV SDUc9luIHkV1GlwyaiG58bk5EoRlIS4fMTV4V8P8/ccCCS2zndorqUpoMBdB3ja7 AsjXnOdcWpvVLbdpYh7aqFehpRFCWAqSA0QLMwYT0a9sT6WtRytOCbHY95Eqk5g6 7yjkPwpcIqv1uwrMT40cNnnvPWx2JhyMU+SwuOkIwJ+doj9ZwrxSc+BfuHWeOt/H ILMfF2iI5t5nRzoj75CFkIbVv/Uq8wrzGRFi9q2b7LIZx6eQqA7ZqZZwnO7HcGBM e4HaUdt+1BQ8AWDZdz6lU7jFC8Y1waB5ZpdJhdVMvA3oQtKLuqOg6w== =xzi+ -----END PGP SIGNATURE-----

1 0