-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID: SUSE-SR:2006:025
Date: Fri, 27 Oct 2006 15:00:00 +0000
Cross-References: CVE-2006-2191, CVE-2006-2941, CVE-2006-3636
CVE-2006-4197, CVE-2006-4624, CVE-2006-4980
Content of this advisory:
1) Solved Security Vulnerabilities:
- OpenPBS potential security problems
- mailman several security problems
- python overflow in repr()
- libmusicbrainz overflows
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
- none this week
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums
or download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- OpenPBS potential security problems
An audit of OpenPBS found some potential security vulnerabilities that
may allow the compromising of a system remotely and/or locally. An update was
released to fix these issues.
This affects SUSE Linux 9.2 up to 10.1.
- mailman several security problems
The mailing list manager mailman was updated to fix the following
security issues:
- A malicious user could visit a specially crafted URI and inject an
apparent log message into Mailman's error log which might induce an
unsuspecting administrator to visit a phishing site. This has been
blocked. Thanks to Moritz Naumann for its discovery. CVE-2006-4624.
- Fixed denial of service attack which can be caused by some
standards-breaking RFC 2231 formatted headers. CVE-2006-2941.
- Several cross-site scripting issues have been fixed. Thanks
to Moritz Naumann for their discovery. CVE-2006-3636
- Fixed an un exploitable format string vulnerability. Discovery
and fix by Karl Chen. Analysis of non-exploit-ability by Martin
'Joey' Schulze. Also thanks go to Lionel Elie
Mamane. CVE-2006-2191.
This affects all our current products containing mailman.
- python overflow in repr()
A buffer overflow within python's repr() function has been fixed.
The CVE number CVE-2006-4980 has been assigned to this issue.
This affects SUSE Linux 9.2,9.3,10.0 and 10.1, SUSE Linux Enterprise Server
9, and SUSE Linux Enterprise 10.
- libmusicbrainz overflows
The libmusicbrainz library has been updated to fix various buffer
overflows that could by exploited by malicious servers to execute
arbitrary code.
This update affects SUSE Linux 9.2, 9.3, 10.0 and 10.1, SUSE Linux
Enterprise Desktop 10, SUSE Linux Enterprise Server 9, and Novell
Linux Desktop 9.
It is tracked by the Mitre CVE ID CVE-2006-4197.
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
None listed this week.
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file containing the announcement.
The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and integrity of a
package needs to be verified to ensure that it has not been tampered with.
The internal RPM package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on RPMv4-based
distributions) and the gpg key ring of 'root' during installation. You can
also find it on the first installation CD and included at the end of this
announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (FAQ)
send mail to <suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iQEUAwUBRUIBxHey5gA9JdPZAQLK7wf47e3jERYmJ+iFJTtodBrRkcbl6nBZA8O3
RXueDb4AW2Is3XrAXR8XemFR9oUeAVFOdif3wm4XC1LvChJbrMMuot7gI0MvqHR0
Lxi9v1G5f09K9XnQMMbfvzakuXCIehfvU6wHyYKkhLilSGMRPlMF0AUc5z9HHBbI
q9t++pMnT0YwtT5IJLPe/F9+1T+m3HIoOv9npj1GZgYIVJx0z2T+LiAwELdKTsZ3
0eDP7pdvam1en2SeiPfXNhIj8z2fQf9FOAQEbmU2SyaCN6Q+mnoLzdSmM/GMzPLA
LgC3FV5MzBoZNFxMrINQkaff8T13QIYg2nQ6q5dBJ65Vh8RKOvry
=Jvgh
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: Qt
Announcement ID: SUSE-SA:2006:063
Date: Wed, 25 Oct 2006 16:00:00 +0000
Affected Products: Novell Linux Desktop 9
Novell Linux POS 9
Open Enterprise Server
SLE SDK 10
SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SuSE Linux Desktop 1.0
SuSE Linux Enterprise Server 8
SuSE Linux Openexchange Server 4
SUSE LINUX Retail Solution 8
SuSE Linux School Server
SuSE Linux Standard Server 8
SUSE SLED 10
SUSE SLES 10
SUSE SLES 9
UnitedLinux 1.0
Vulnerability Type: remote denial of service
Severity (1-10): 6
SUSE Default Package: yes
Cross-References: CVE-2006-4811
Content of This Advisory:
1) Security Vulnerability Resolved:
remote denial of service in Qt image handling
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
Multiple integer overflows have been found in image processing
functions within the Qt class library, used for instance by the web
browser "konqueror" and its rendering engine "khtml".
These problems could potentially lead to heap overflows and code
execution or just a browser crash (denial of service).
This problem has the Mitre CVE ID CVE-2006-4811.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
Please close and restart all running instances of konqueror after the update.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
x86 Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/qt-4.1.0-29.7.i586.rpm
e12c52bc945edd9e628d6df1e13de2d6
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/qt3-3.3.5-58.12.i586.rpm
abe3bbbee7a4b4af9cb58bda71936c00
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/qt3-static-3.3.5-58.11.i58…
1937b5e2a6c8757cccca93ffb1408d5e
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/qt-4.0.1-10.2.i586.rpm
05c82cfb84d3b54d886892a4dc63e1ec
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/qt3-3.3.4-28.7.i586.r…
6f63526c70fe7d73080dc2de5fa11fe3
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/qt3-static-3.3.4-28.7…
18d16343cf35a8bb0330bb762bbf808e
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/qt3-3.3.4-11.5.i586.rpm
e169e5ee6b884b7998fa518defb6f20f
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/qt3-static-3.3.4-11.4.…
014dbf4e04cd37441bf1cba412c84fef
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/qt3-3.3.3-24.2.i586.rpm
efe3a67ba78ae5b23310798d00ee14db
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/qt3-static-3.3.3-24.2.…
249c9c5e985b87d2f0bd2601e2c6eed6
Power PC Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/qt-4.1.0-29.7.ppc.rpm
9c3c01f4943dfeede555f79365d1d95d
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/qt3-3.3.5-58.12.ppc.rpm
91dd8f28532d3367e5d6f8884df28530
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/qt3-static-3.3.5-58.11.ppc.…
ae42fa85b6e38ba036bdbe8e77f557dd
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/qt-4.0.1-10.2.ppc.rpm
ab54cd200e6b1486b156f2cf70156314
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/qt3-3.3.4-28.7.ppc.rpm
833fdad7ce3b3e9bffaa3e4a65910195
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/qt3-static-3.3.4-28.7.…
c42c042e858cc6cc435d977ae5a4c065
x86-64 Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/qt-32bit-4.1.0-29.7.x86_…
711209a60be530a8562e54816e609a33
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/qt-4.1.0-29.7.x86_64.rpm
7ba57673efe68da9bf0004f842315ada
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/qt3-3.3.5-58.12.x86_64.r…
24cb3dcbb9c92943017f0e5ea401ada8
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/qt3-32bit-3.3.5-58.12.x8…
ea46d71c833c20f18085496eace559f7
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/qt3-static-3.3.5-58.11.x…
44c17f12db82e58bbf4b457eb6b66df6
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/qt-4.0.1-10.2.x86_6…
6c1ec2a6f0a109e749f7b534408b3b66
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/qt3-3.3.4-28.7.x86_…
aa0bbb971bb63d4e18a7f0e4464aa0c2
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/qt3-32bit-3.3.4-28.…
3b3936a24b424bc7d516095a2e431d70
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/qt3-static-3.3.4-28…
0fc0adb3a0bbb3aa49b6e6985f42565f
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/qt3-3.3.4-11.5.x86_6…
46597f7dfa33b4420c6f09c93e89aa78
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/qt3-32bit-9.3-7.2.x8…
36b4efe799155111618a9cd325f20bc6
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/qt3-static-3.3.4-11.…
c237b330e43606562a4b918077257559
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/qt3-3.3.3-24.2.x86_6…
912f789b47bfe446185bccd0455f9455
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/qt3-32bit-9.2-200610…
f87ba1142036ff3f31d7566a99d9e74a
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/qt3-static-3.3.3-24.…
4abfb7a5ba2254595b04896ee34695b6
Sources:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/qt-4.1.0-29.7.src.rpm
6330e726a2200327e311fd04ca1826f1
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/qt3-3.3.5-58.12.src.rpm
57ed729399ac1296be632b7dbd3be636
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/qt3-static-3.3.5-58.11.src.…
03fd50682d7fc2bbc598bdcd09f87006
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/qt-4.0.1-10.2.src.rpm
be60f21b5cec25fdb0ad3ba7726a6704
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/qt3-3.3.4-28.7.src.rpm
cd76c0551e1c66be5f1949621f3e88b4
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/qt3-static-3.3.4-28.7.…
d0479a8b6ac835b72faaa233647c3501
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/qt3-3.3.4-11.5.src.rpm
25b4693967b6078f809ec457ac126cf2
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/qt3-static-3.3.4-11.4.s…
6d2c6d1bf4ed434cfc1438e8c49b2a06
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/qt3-3.3.3-24.2.src.rpm
5c828039b8775b31a61fcc550bb74020
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/qt3-static-3.3.3-24.2.s…
15bdf0fac96eabc026079fd95ee24ede
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
SUSE SLED 10
http://support.novell.com/techcenter/psdb/f8c39f5569987d0d73366502b34c3a3c.…
SUSE SLES 10
http://support.novell.com/techcenter/psdb/f8c39f5569987d0d73366502b34c3a3c.…http://support.novell.com/techcenter/psdb/115cf76bac71f3f0e647b820d43ea9ed.…
SLE SDK 10
http://support.novell.com/techcenter/psdb/f8c39f5569987d0d73366502b34c3a3c.…http://support.novell.com/techcenter/psdb/115cf76bac71f3f0e647b820d43ea9ed.…
Open Enterprise Server
http://support.novell.com/techcenter/psdb/595ed8e88dd0e76ba4d62c4bb475e623.…
Novell Linux POS 9
http://support.novell.com/techcenter/psdb/595ed8e88dd0e76ba4d62c4bb475e623.…
Novell Linux Desktop 9
http://support.novell.com/techcenter/psdb/595ed8e88dd0e76ba4d62c4bb475e623.…
SUSE SLES 9
http://support.novell.com/techcenter/psdb/595ed8e88dd0e76ba4d62c4bb475e623.…
UnitedLinux 1.0
http://support.novell.com/techcenter/psdb/658959fe28d2fe434c2f5b9153eca1db.…
SuSE Linux Openexchange Server 4
http://support.novell.com/techcenter/psdb/658959fe28d2fe434c2f5b9153eca1db.…
SuSE Linux Enterprise Server 8
http://support.novell.com/techcenter/psdb/658959fe28d2fe434c2f5b9153eca1db.…
SuSE Linux Standard Server 8
http://support.novell.com/techcenter/psdb/658959fe28d2fe434c2f5b9153eca1db.…
SuSE Linux School Server
http://support.novell.com/techcenter/psdb/115cf76bac71f3f0e647b820d43ea9ed.…http://support.novell.com/techcenter/psdb/658959fe28d2fe434c2f5b9153eca1db.…
SUSE LINUX Retail Solution 8
http://support.novell.com/techcenter/psdb/658959fe28d2fe434c2f5b9153eca1db.…
SuSE Linux Desktop 1.0
http://support.novell.com/techcenter/psdb/658959fe28d2fe434c2f5b9153eca1db.…
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum <filename.rpm>
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security(a)suse.de), the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (FAQ),
send mail to <suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iQEVAwUBRT9/zHey5gA9JdPZAQJAVQgAmupwQ+mIzDuk0PupQjy3TruXZpbYb90O
QqpD7e/5mmUDNbEtHXqXQ01CkrSkorFFkxKk8oIe6ja64GFuLoVCqLOhMy1mSlEJ
w8Tre2mpqRYVbiri4+Kzpv8wbGdJajuksFI0Sok7SzV1DQWID7ErdeYVno9eq8S4
aHCZG2RgW9TuZfgEeQGP4Y1rJmM/pRJ+IBfLrDEUVEUIRo1H8AtiSGMx024HDk2F
EsZLAef2SoV/d2q5haNBY6dlL3H+K8EWPuNTFCKhgkTxXy+nEc3NnWhDRz/7X8EP
1BP2FmiueC1WIWpv492RQdGn30wwFaJpYe3wL9I7lgnfD1ckgICncw==
=uZ6v
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: openssh
Announcement ID: SUSE-SA:2006:062
Date: Fri, 20 Oct 2006 17:00:00 +0000
Affected Products: Novell Linux Desktop 9
Novell Linux POS 9
Open Enterprise Server
SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SuSE Linux Desktop 1.0
SuSE Linux Enterprise Server 8
SuSE Linux Openexchange Server 4
SUSE LINUX Retail Solution 8
SuSE Linux School Server
SuSE Linux Standard Server 8
SUSE SLED 10
SUSE SLES 10
SUSE SLES 9
UnitedLinux 1.0
Vulnerability Type: remote denial of service
Severity (1-10): 7
SUSE Default Package: yes
Cross-References: CVE-2006-4924, CVE-2006-4925, CVE-2006-5051
CVE-2006-5052
Content of This Advisory:
1) Security Vulnerability Resolved:
various openssh security problems fixed in openssh 4.4
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
Several security problems were fixed in OpenSSH 4.4 and the bug fixes were
back ported to the openssh versions in our products.
- CVE-2006-4924: A denial of service problem has been fixed in OpenSSH which could
be used to cause lots of CPU consumption on a remote openssh server.
- CVE-2006-4925: If a remote attacker is able to inject network traffic this could
be used to cause a client connection to close.
- CVE-2006-5051: Fixed an unsafe signal handler reported by Mark Dowd. The signal
handler was vulnerable to a race condition that could be exploited to perform a
pre-authentication denial of service. This vulnerability could theoretically lead to
pre-authentication remote code execution if GSSAPI authentication is enabled,
but the likelihood of successful exploitation appears remote.
- CVE-2006-5052: Fixed a GSSAPI authentication abort that could be used to determine
the validity of user names on some platforms.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
On SUSE Linux Enterprise Server 8, please close and restart the sshd service after
installing this update.
All other products do this automatically during installation, there
is no action necessary.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
x86 Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/openssh-4.2p1-18.9.i586.rpm
255c99f43b24995a085ac869082d0f32
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/openssh-askpass-4.2p1-18.9…
ab68460091ac8995290a3476b5b8dbeb
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/openssh-4.1p1-10.9.i5…
dd3d6f3700e9e84294cf157c3a3141c1
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/openssh-askpass-4.1p1…
89c7e004bb73629eac71ad642e8826d2
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/openssh-3.9p1-12.8.i58…
dc57b898b4f43645c2fe18b58195de90
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/openssh-askpass-3.9p1-…
cf7b7c04fc9e27684aa97206cd3ae0e0
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/openssh-3.9p1-3.10.i58…
e54678b3168c214400c30001c33f3d2d
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/openssh-askpass-3.9p1-…
200b096a9a37b183c7ef75ae0b5b0b0c
Power PC Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/openssh-4.2p1-18.9.ppc.rpm
f02d12d3ce4e303676efb1cf37d26b11
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/openssh-askpass-4.2p1-18.9.…
b577d22c8914b0cd36eb6187e9de6dfc
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/openssh-4.1p1-10.9.ppc…
3bd330de35c5e59775883e541af6aa91
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/openssh-askpass-4.1p1-…
04ea40beed9130fb5f11eda80b248f31
x86-64 Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/openssh-4.2p1-18.9.x86_6…
55f9631c5a7a10f3a7d56016cabe3908
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/openssh-askpass-4.2p1-18…
f6c77143b56d82e78701db5b56a481d1
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/openssh-4.1p1-10.9.…
32a2412b4f35461f530f73c95b5e85c2
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/openssh-askpass-4.1…
0d89fa02d44e4ca99e237e3812fd4577
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/openssh-3.9p1-12.8.x…
cf96c984dffb0c10ac339d917e8ef97d
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/openssh-askpass-3.9p…
9012087ea4c163b784178a3a7b22d44c
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/openssh-3.9p1-3.10.x…
7e004fedc5ff48a3c13a22d5cc1c2ab4
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/openssh-askpass-3.9p…
78278ce560a5ea87e1a4cf80126712c3
Sources:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/openssh-4.2p1-18.9.src.rpm
79f1eb2463e7638789c79ca62d158bea
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/openssh-4.1p1-10.9.src…
023b6d8056ad3dfec1357548d7b8a5ed
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/openssh-3.9p1-12.8.src.…
fb5bd0e14208b1434313669fe01e8f07
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/openssh-3.9p1-3.10.src.…
c2bc3328b87cc77172b1185d364a8116
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
UnitedLinux 1.0
SuSE Linux Openexchange Server 4
Open Enterprise Server
Novell Linux POS 9
Novell Linux Desktop 9
SuSE Linux Enterprise Server 8
SuSE Linux Standard Server 8
SuSE Linux School Server
SUSE LINUX Retail Solution 8
SuSE Linux Desktop 1.0
SUSE SLES 10
SUSE SLED 10
SUSE SLES 9
http://support.novell.com/techcenter/psdb/05412985c36daeff0c33b88942b68c2c.…
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum <filename.rpm>
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security(a)suse.de), the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (FAQ),
send mail to <suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iQEVAwUBRTjdOney5gA9JdPZAQKtOwf+IEQpQduAmfZGGqI+wK8CzWN+nl+rkh6i
4mX4tfzXAqRVzI5R3CF52pnm/PwBms40qFPqCxgpxkJ3Jbpkowc8tRLBdlnR2NC6
YX6j6qgsEiFzsWFHrqc/YMgTMDr3jeuLLVh23CBEL1/o0zjDZn56b+gX8EwD6etk
bCfnyYsdlR9UNqH50otEeI1NBMbGMZXpXQsL27IhGNYIlhlmg6VZ+2jbO3FL5K+S
xhz15tITBnWogtnsceeNRJNyAgv5+MgyG9Wosj1BtZj2jmzgeq9vyztOA2CBN3Ru
ANnf4cY97yLWLlTxRMLdH66WoWZXj+jRfnFW/SEPLR9uNJsRFXjm/w==
=c5nU
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: opera
Announcement ID: SUSE-SA:2006:061
Date: Thu, 19 Oct 2006 15:00:00 +0000
Affected Products: SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
Vulnerability Type: remote code execution
Severity (1-10): 6
SUSE Default Package: no
Cross-References: CVE-2006-4339, CVE-2006-4819
Content of This Advisory:
1) Security Vulnerability Resolved:
opera 9.02 security update
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
The web browser Opera has been updated to fix 2 security problems.
CVE-2006-4339: Opera was affected by the RSA signature checking problem found in
openssl, since it is statically linked against openssl.
CVE-2006-4819: A URL tag parsing heap overflow in Opera could be used to
potentially execute code.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
Please restart opera after the update.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
x86 Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/opera-9.02-4.1.i586.rpm
bbe5562b99cffe3a119bde51790b1df2
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/opera-9.02-4.1.i586.r…
cc729c73ad71905a459a7edc96800650
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/opera-9.02-4.1.i586.rpm
b260206533c37162f109dfbda92ff3f0
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/opera-9.02-4.1.i586.rpm
2a31bb95736260317f7477e9b8931335
Power PC Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/opera-9.02-4.1.ppc.rpm
18b38416f249013a2f59347544ac2014
x86-64 Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/opera-9.02-4.1.x86_64.rpm
172d73602edb94383433e5e94aa98199
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/opera-9.02-4.1.x86_…
6ce6083ff6e048a234ee7fcb80e6959d
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/opera-9.02-4.1.x86_6…
a361e2fed980e34ecabead4611a4e77e
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/opera-9.02-4.1.x86_6…
c19e7b64b6178e60c16e1ca13987e51a
Sources:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/opera-9.02-4.1.nosrc.rpm
0dea4c75b3ca67aa1f58bf8e01839940
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/opera-9.02-4.1.nosrc.r…
3ad94cd2f274dcb715aa2b2a793a1c9f
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/opera-9.02-4.1.nosrc.rpm
0a087988fd89c9110c36a442aa082e55
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/opera-9.02-4.1.nosrc.rpm
c5623509df2496d6da42cce781f555ab
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum <filename.rpm>
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security(a)suse.de), the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (FAQ),
send mail to <suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iQEVAwUBRTd433ey5gA9JdPZAQK7Uwf/Y5e4m3tlSkLshtL1iRgUEP+5yWi/3ppO
DDAUBTcZm/5aWVHEtqoB4zpGxLth8j6KxQZJ2Nhpv13GZ4LB2Tq22QJ1Vu8QDaD2
EIf5iiuWxYrRj0Tzp1M0raweLzgQB5Fr4VEqGjm5eJb/9ynY+pkz2Lgz/wO4DhSp
M67aqFOrIcjRS7IioxaTi2o6zPK/NEUwYYYuH1rMR6mulERPdthHE7oSLsMquizV
c9Gn0Je2vI7Esxg0+KGdyrsATSqyVaaxLxhhyD/LR/J3nwDgGpM0wNfU3/oac7LE
M/Pi/I+ySyyoTpRAM5bVlaInQEjSEi6dx8/M8sBu5Ncs0HyB1KvePQ==
=q0P8
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: clamav
Announcement ID: SUSE-SA:2006:060
Date: Wed, 18 Oct 2006 18:00:00 +0000
Affected Products: Novell Linux POS 9
Open Enterprise Server
SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SUSE SLES 10
SUSE SLES 9
Vulnerability Type: remote code execution
Severity (1-10): 6
SUSE Default Package: no
Cross-References: CVE-2006-4182, CVE-2006-5295
Content of This Advisory:
1) Security Vulnerability Resolved:
two clamav security problems
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
Two security problems have been found and fixed in the anti virus
scan engine "clamav", which could be used by remote attackers
sending prepared E-Mails containing special crafted infected files
to potentially execute code.
CVE-2006-4182: A problem in dealing with PE (Portable Executables aka
Windows .EXE) files could result in an integer overflow, causing a heap
overflow, which could be used by attackers to potentially execute code.
CVE-2006-5295: A problem in dealing with CHM (compressed help file)
exists that could cause an invalid memory read, causing the clamav
engine to crash.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
None.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
x86 Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/clamav-0.88.5-0.2.i586.rpm
964cf3a6dd5b0f2a6d9dc64157da8161
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/clamav-0.88.5-0.1.i58…
cb4b120a6bae0e0fbe01b4da1afe8a8d
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/clamav-0.88.5-0.1.i586…
80983b2e847814bf520353d2323096a8
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/clamav-0.88.5-0.1.i586…
9906e32e0d30e1ca635cb3cf24ded93e
Power PC Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/clamav-0.88.5-0.2.ppc.rpm
8444302c83bde8c05ad0b364c1c44052
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/clamav-0.88.5-0.1.ppc.…
d8b9cba427fd384801fdb553f0f20fcf
x86-64 Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/clamav-0.88.5-0.2.x86_64…
cd8a450d769a8917e88abfec37d3e96a
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/clamav-0.88.5-0.1.x…
5a007b8d4f873499f4137fcebee86603
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/clamav-0.88.5-0.1.x8…
e6ec8962851ae738a7c964103f655d74
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/clamav-0.88.5-0.1.x8…
6a8d3f8b6be490ee0772a03f776e8198
Sources:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/clamav-0.88.5-0.2.src.rpm
afe46b41ae34d657ce2cc0c311e9efd9
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/clamav-0.88.5-0.1.src.…
623389716f793a3c477e8abe2cd4bdd9
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/clamav-0.88.5-0.1.src.r…
27232143bbf2b4d030029af3a1f77b41
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/clamav-0.88.5-0.1.src.r…
da36e3d0a72dabcc16d17fed71ee2cee
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
Open Enterprise Server
http://support.novell.com/techcenter/psdb/9052e142ab5cfd0891d67dee5c2e95e6.…
Novell Linux POS 9
http://support.novell.com/techcenter/psdb/9052e142ab5cfd0891d67dee5c2e95e6.…
SUSE SLES 10
http://support.novell.com/techcenter/psdb/9052e142ab5cfd0891d67dee5c2e95e6.…
SUSE SLES 9
http://support.novell.com/techcenter/psdb/9052e142ab5cfd0891d67dee5c2e95e6.…
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum <filename.rpm>
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security(a)suse.de), the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (FAQ),
send mail to <suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iQEVAwUBRTZNcney5gA9JdPZAQJLqAf9G9QcCdBetb3SK5lacKH56OBhLLAxY0Eo
+hZ2xEfwGca/ngNaUk4eeaDqHwix5HURnC+QQsIeK2RovdtkW9NhSWhCOUkxHyDd
1V7haKbUU5NxbiMxWTHasumQkO5h6XdY888hStHwz9uNDoV1by5bUjCxkhNNVyIa
/LMSfgwRfHGJ6slPAfzRxqILnuo0/5Ng1SUKKIh+AfZ1HhXZbE/m/pb0N6cDKwak
Swd8e4ZRkCJW4JRVvEPaTVosx4BiInSreQJoecXz2IBo6CywhHHa9zrfOkNbx/Z2
M6LA9r7Zud9mEh/BzbpD+FLcn9caFcOkY6D9WfTtHKqIdVT9m8dhqg==
=uKPI
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID: SUSE-SR:2006:024
Date: Fri, 06 Oct 2006 14:00:00 +0000
Cross-References: CVE-2006-4924,CVE-2006-4925
CVE-2006-2937,CVE-2006-2940
CVE-2006-3738,CVE-2006-4343
CVE-2006-4095,CVE-2006-4096
Content of this advisory:
1) Solved Security Vulnerabilities:
- openssh: remote denial of service (CVE-2006-4924,CVE-2006-4925)
- openssl: remote denial of service (CVE-2006-2937,CVE-2006-2940,
CVE-2006-3738,CVE-2006-4343)
- bind9: remote denial of service (CVE-2006-4095,CVE-2006-4096)
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
- mono
- openssl
- compat-openssl
- php 4 and 5
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums
or download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- openssh: remote denial of service
Some denial of service problems have been fixed in OpenSSH which could
be used to cause lots of CPU consumption on a remote openssh server.
(CVE-2006-4924)
Additionaly a remote attacker that is able to inject network traffic
could cause a client connection to close. (CVE-2006-4925)
- openssl: remote denial of service
A buffer overflow within the SSL_get_shared_ciphers() function and
a DoS condition known as "parasitic public keys" have been fixed. The
later problem allowed attackers to trick the OpenSSL engine to spend an
extraordinary amount of time to process public keys.
The following CAN numbers have been assigned: CVE-2006-2937,
CVE-2006-2940, CVE-2006-3738 and CVE-2006-4343.
- bind9: rmote denial of service
This update fixes two vulnerabilities in bind that allow a remote
attacker to trigger a denial-of-service attack.i
All packages have been released now.
(VU#697164/CVE-2006-4096, VU#915404/CVE-2006-4095)
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
- mono
Sebastian Krahmer of the SuSE Security-Team found a local privilege
escalation bug in a Mono class. New packages will be released as soon
as QA testing finished successfully.
- compat-openssl*
The compat-openssl packages are vulnerable to CVE-2006-4343, CVE-2006-
3738, CVE-2006-2937, CVE-2006-2940, CVE-2006-4339. New packages will
be released soon.
- openssl
The patch for CVE-2006-2940 introduced another denial of service
condition. New packages will be available very soon.
- php 4 and 5
Updates for various vulnerabilities in php 4 and 5 will be released
soon.
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file containing the announcement.
The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and integrity of a
package needs to be verified to ensure that it has not been tampered with.
The internal RPM package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on RPMv4-based
distributions) and the gpg key ring of 'root' during installation. You can
also find it on the first installation CD and included at the end of this
announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (FAQ)
send mail to <suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)
iQEVAwUBRSZYhXey5gA9JdPZAQEZmgf/SEhKcH/aNLFSEwG4hGGcV8DpqA1dcgO/
gnpg6J8HDFxi0/tNp6lRkWom22RoRkT5cqwlRRBgaxf/4FjSi5IAGqtyHmlOMCpu
/mv10h7i6lutExvtQHWkKyEcOxB5ssZ+/FZ2lsoVdsG6on4d/tzV8UQiYvRt6MQE
keIb/7AsLTz+yMdEC8TcxrFGPev2C2ti+c1GTxpZ587RV10P6NAP0PdVHPNzMxL0
c7aaWNOHv6OvqQfdqcaufAYM1xa7wye2Gz21UZlHT+1Nk0nO4khOmrhseYmaT04v
Ue9E2AViz8VZFjvqB99nItb179gbPbUreU4HftcDH/JzSD32rfWeyw==
=XoeY
-----END PGP SIGNATURE-----