openSUSE Security Announce
Threads by month
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2004 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2003 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2002 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2001 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2000 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1999 -----
- December
- November
- October
- September
- August
December 2006
- 1 participants
- 10 discussions
SUSE Security Announcement: Mozilla Firefox, Thunderbird (SUSE-SA:2006:080)
by Marcus Meissner 29 Dec '06
by Marcus Meissner 29 Dec '06
29 Dec '06
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: MozillaFirefox,MozillaThunderbird
Announcement ID: SUSE-SA:2006:080
Date: Fri, 29 Dec 2006 15:00:00 +0000
Affected Products: Novell Linux Desktop 9
openSUSE 10.2
SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE SLED 10
SUSE SLES 10
Vulnerability Type: remote code execution
Severity (1-10): 7
SUSE Default Package: yes
Cross-References: CVE-2006-6497, CVE-2006-6498, CVE-2006-6499
CVE-2006-6500, CVE-2006-6501, CVE-2006-6502
CVE-2006-6503, CVE-2006-6504, CVE-2006-6505
CVE-2006-6506, CVE-2006-6507
Content of This Advisory:
1) Security Vulnerability Resolved:
various security problem in Mozilla programs
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
This security update brings the current set of Mozilla security updates, with
following versions:
- Mozilla Firefox to version 1.5.0.9 for Novell Linux Desktop 9,
SUSE Linux Enterprise 10 and SUSE Linux 9.3 up to 10.1.
- Mozilla Firefox to version 2.0.0.1 for openSUSE 10.2.
- Mozilla Thunderbird to version 1.5.0.9 for SUSE Linux 9.3 up to
10.1 and openSUSE 10.2.
These updates were released on December 22nd but due to Christmas
holidays got announced today.
Updated Seamonkey packages will be released soon.
More Details regarding the problems can be found on this page:
http://www.mozilla.org/projects/security/known-vulnerabilities.html
The updated packages includes fixes to the following security problems:
CVE-2006-6497/MFSA-2006-68: Crashes with evidence of memory corruption were fixed in the layout engine.
CVE-2006-6498/MFSA-2006-68: Crashes with evidence of memory corruption were fixed in the javascript engine.
CVE-2006-6499/MFSA-2006-68: Crashes regarding floating point usage were fixed.
CVE-2006-6500/MFSA-2006-69: This issue only affects Windows systems, Linux is not affected.
CVE-2006-6501/MFSA-2006-70: A privilege escalation using a watch point was fixed.
CVE-2006-6502/MFSA-2006-71: A LiveConnect crash finalizing JS objects was fixed.
CVE-2006-6503/MFSA-2006-72: A XSS problem caused by setting img.src to javascript: URI was fixed.
CVE-2006-6504/MFSA-2006-73: A Mozilla SVG Processing Remote Code Execution was fixed.
CVE-2006-6505/MFSA-2006-74: Some Mail header processing heap overflows were fixed.
CVE-2006-6506/MFSA-2006-75: The RSS Feed-preview referrer leak was fixed.
CVE-2006-6507/MFSA-2006-76: A XSS problem using outer window's Function object was fixed.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
Please close and restart all running instances of Mozilla Firefox and Thunderbird after the update.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
x86 Platform:
openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/MozillaFirefox-2.0.0.1-0.1…
eea9f40b409823d691ad0e1b3daf5a82
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/MozillaFirefox-translation…
dc5e760f067b2d1ea41be90c92517a5d
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/MozillaThunderbird-1.5.0.9…
0b3638d9bfccfca0cf149df1200e6c47
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/MozillaThunderbird-transla…
d51cb9ff1cb3f5875cb4fa60b58f159b
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/MozillaFirefox-1.5.0.9-0.2…
fa3a6d10cb1a6dd801668e8881424036
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/MozillaFirefox-translation…
a40dc8d7e29aa8bb21ecb3c348e0cc05
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/MozillaThunderbird-1.5.0.9…
3bbfce9a8abf9394959348e449b35b95
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/MozillaThunderbird-transla…
869cac360c49cc15358b205923f2ee1d
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/MozillaFirefox-1.5.0.…
f0b6bd1b56b874eb0003752cd112d6db
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/MozillaFirefox-transl…
1722380cad796cc29d15374f7c471f09
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/MozillaThunderbird-1.…
82d7d8847f363a9e46fc9d22aa44f0c8
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/MozillaFirefox-1.5.0.9…
06b3af42ed8f528a306650691558301f
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/MozillaFirefox-transla…
be42160ef33ead2625b20043267c2ce2
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/MozillaThunderbird-1.5…
239aa22605bbd7c89a8489fb49c51f5d
Power PC Platform:
openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/MozillaFirefox-2.0.0.1-0.1.…
c9611899a9bed84f006f8451dfcc44ae
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/MozillaFirefox-translations…
e539db36e921505166e238a5aa853750
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/MozillaThunderbird-1.5.0.9-…
0d0b60cf410588c59003d04ab0ce0b33
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/MozillaThunderbird-translat…
0445e6652c8862691426ed623db2b362
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/MozillaFirefox-1.5.0.9-0.2.…
3d399bf2bab2611809add386b63c085a
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/MozillaFirefox-translations…
4a0223d379107cc45ef13d59369914dd
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/MozillaThunderbird-1.5.0.9-…
a795cd195043826ab0c9227251058905
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/MozillaThunderbird-translat…
a2c70ba35f54ff5cf7970d05940f00ee
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/MozillaFirefox-1.5.0.9…
72520bda4b0156991ce85e34eeef90a9
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/MozillaFirefox-transla…
9d7f48fdce0092b7e00920ead4db56dc
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/MozillaThunderbird-1.5…
aea7d9cfe7b9b95ddd0761bf4fce7fc1
x86-64 Platform:
openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/MozillaFirefox-2.0.0.1-0…
941d4d0e8a4332e3d585b67347d3bfaf
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/MozillaFirefox-translati…
21cbeb89fcad730aecb715d92bdc9521
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/MozillaThunderbird-1.5.0…
edc263e07b53d019e0d686c2134dddf5
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/MozillaThunderbird-trans…
f4f8dedac060cbd33f4b480aacb05bef
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/MozillaThunderbird-1.5.0…
37f2af41fa077600d68df74547da4339
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/MozillaThunderbird-trans…
094c3157d83486a2fb10f0e3bb365a0a
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/MozillaThunderbird-…
f78215541f3b1f1af4aeba8b7414e907
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/MozillaThunderbird-1…
dff09a04cd253fdcf830f93aa10edf49
Sources:
openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/MozillaFirefox-2.0.0.1-0.1.…
8bdf86d5275d649f546a22c63a4b8cfb
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/MozillaThunderbird-1.5.0.9-…
223fff785e9e86fd5cbe0106ab1a5ddf
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/MozillaFirefox-1.5.0.9-0.2.…
38373d35abf94ec8c0a2008dd1b6fc0d
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/MozillaThunderbird-1.5.0.9-…
184a16b5b80bd056a9526873756b75a5
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/MozillaFirefox-1.5.0.9…
62ade9bd59c8da0e9b739e59a8247708
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/MozillaThunderbird-1.5…
2ec8f62cf812e2ea756e618c941fbdb5
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/MozillaFirefox-1.5.0.9-…
c4444ff036405a4baa37c33b975941fa
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/MozillaThunderbird-1.5.…
14f7289ab7a5a2fcfd6cedf2acda628b
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
Novell Linux Desktop 9
SUSE SLES 10
SUSE SLED 10
http://support.novell.com/techcenter/psdb/5f62b1276a8877510b3124f13b3c3b27.…
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum <filename.rpm>
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security(a)suse.de) the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security(a)opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe(a)opensuse.org>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBRZUaBHey5gA9JdPZAQKpeAgAm4waKLsVtJEE94qzAVescCq7YWv87g9u
GPJyFBVQEX8GReBxul19z/cXQejqtXdF468a1CXwiITDdnn9DaHFI4g0qnx7auR1
qP37/4IlfokTYao7o6KL4R0liF4v40UtA1Cz867o43Y807An93ES3ow70fxsCpd+
SZcuujkJMBMBm3A+n2RpMUkkikVG8baDZvC4fK5RBU9Trj3LPTeNWa32JNRfXh36
P94enzR6fj/XglUlqh/c2UncKBxL4uUE7oqiOwnmM57Ds/PDsq3qF++YjYeLzYag
gFWO+iP7npDiF+tIpd4MIKabV1BsC4lRP83x+NlDOu3deefSRrdeQg==
=zNEl
-----END PGP SIGNATURE-----
1
0
21 Dec '06
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: kernel
Announcement ID: SUSE-SA:2006:079
Date: Thu, 21 Dec 2006 14:00:00 +0000
Affected Products: Novell Linux Desktop 9
Novell Linux POS 9
Open Enterprise Server
SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE SLED 10
SUSE SLES 10
SUSE SLES 9
Vulnerability Type: remote denial of service
local denial of service
local privilege escalation
Severity (1-10): 7
SUSE Default Package: yes
Cross-References: CVE-2006-3741, CVE-2006-4145, CVE-2006-4538
CVE-2006-4572, CVE-2006-4623, CVE-2006-4813
CVE-2006-4997, CVE-2006-5173, CVE-2006-5174
CVE-2006-5619, CVE-2006-5648, CVE-2006-5649
CVE-2006-5751, CVE-2006-5757, CVE-2006-5823
CVE-2006-6053, CVE-2006-6054, CVE-2006-6056
CVE-2006-6060
Content of This Advisory:
1) Security Vulnerability Resolved:
various kernel security problems
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
The Linux 2.6 kernel has been updated to fix various security issues.
On SUSE Linux Enterprise Server 9 and SUSE Linux Enterprise 10 and
their derived products this update also contains various bugfixes.
- CVE-2006-4145: A bug within the UDF filesystem that caused machine
hangs when truncating files on the filesystem
was fixed.
- CVE-2006-4623: A problem in DVB packet handling could be used
to crash the machine when receiving DVB net packages
is active.
- CVE-2006-3741: A struct file leak was fixed in the perfmon(2) system
call on the Itanium architecture.
- CVE-2006-4538: A malformed ELF image can be used on the Itanium
architecture to trigger a kernel crash (denial of
service) when a local attacker can supply it to
be started.
- CVE-2006-4997: A problem in the ATM protocol handling clip_mkip
function could be used by remote attackers to
potentially crash the machine.
- CVE-2006-5757/ CVE-2006-6060: A problem in the grow_buffers function
could be used to crash or hang the machine using a
corrupted filesystem. This affects filesystem types
ISO9660 and NTFS.
- CVE-2006-5173: On the i386 architecture the EFLAGS content was not
correctly saved, which could be used by local
attackers to crash other programs using the AC and
NT flag or to escalate privileges by waiting for
iopl privileges to be leaked.
- CVE-2006-5174: On the S/390 architecture copy_from_user() could be
used by local attackers to read kernel memory.
- CVE-2006-5619: A problem in IPv6 flow label handling can be used by
local attackers to hang the machine.
- CVE-2006-5648: On the PowerPC architecture a syscall has been wired
without the proper futex implementation that can be
exploited by a local attacker to hang the machine.
- CVE-2006-5649: On the PowerPC architecture the proper futex
implementation was missing a fix for alignment check
which could be used by a local attacker to crash
the machine.
- CVE-2006-5823: A problem in cramfs could be used to crash the machine
during mounting a crafted cramfs image. This requires
an attacker to supply such a crafted image and have
a user mount it.
- CVE-2006-6053: A problem in the ext3 filesystem could be used by
attackers able to supply a crafted ext3 image to
cause a denial of service or further data corruption
if a user mounts this image.
- CVE-2006-6054: A problem in the ext2 filesystem could be used by
attackers supplying crafted ext2 images to users
could crash the machine during mount.
- CVE-2006-6056: Missing return code checking in the HFS could be used
to crash machine when a user complicit attacker is
able to supply a specially crafted HFS image.
- CVE-2006-4572: Multiple unspecified vulnerabilities in netfilter for
IPv6 code allow remote attackers to bypass intended
restrictions via fragmentation attack vectors,
aka (1) "ip6_tables protocol bypass bug" and (2)
"ip6_tables extension header bypass bug".
- CVE-2006-5751: An integer overflow in the networking bridge ioctl
starting with Kernel 2.6.7 could be used by local
attackers to overflow kernel memory buffers and
potentially escalate privileges.
- CVE-2006-4813: A information leak in __block_prepare_write was fixed,
which could disclose private information of previously
unlinked files.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
Reboot the machine after installing this update.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
x86 Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/kernel-bigsmp-2.6.16.27-0.…
20362ce00889e9eac688faa59ad0f301
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/kernel-debug-2.6.16.27-0.6…
eb33b9f8581bc89d3a4a3feecf197ef5
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/kernel-default-2.6.16.27-0…
1879d07a3b908ff8b87c507860070118
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/kernel-kdump-2.6.16.27-0.6…
04f60041ee278134b38e7fd9e56ef102
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/kernel-smp-2.6.16.27-0.6.i…
bc1d9c70715b5dd3495558f175abd1bf
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/kernel-source-2.6.16.27-0.…
720a9e6cbf2f3594a718db1d74b0e901
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/kernel-syms-2.6.16.27-0.6.…
fca30f1add27cb21d32eac318279f3f9
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/kernel-um-2.6.16.27-0.6.i5…
1af0a0a78a6cf463b04f77b52e63b57c
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/kernel-xen-2.6.16.27-0.6.i…
2f0499125c0aa167a2391e654c5b043b
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/kernel-xenpae-2.6.16.27-0.…
3865d785615cf7dbbe7cae8dc5c2445e
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/kexec-tools-1.101-32.20.i5…
c6a2bbd256a70b7cd2e4bb25f04b2771
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/mkinitrd-1.2-106.25.i586.r…
9a26035aa882c88c7dbda60bed64e729
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/multipath-tools-0.4.6-25.1…
a4405ddbca3a81a15811a385760d135b
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/open-iscsi-0.5.545-9.16.i5…
738e1ad997da16145fa6392dff59dbd2
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/udev-085-30.16.i586.rpm
e5ca4700bcbce7f4e247a04552554c52
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/Intel-536ep-4.69-14.8…
779716bea2ce468f73b5e7be2c36cf97
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-bigsmp-2.6.13-…
b95098cd1879df7c3a0bdcbe1e206e64
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-bigsmp-nongpl-…
70cf8aaeca7af078edc0907d934cf16a
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-default-2.6.13…
c0aee85951759f60f10031034a0710ea
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-default-nongpl…
5081580d742671f6a1c1654e682b0b3c
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-smp-2.6.13-15.…
fcd605a287b8ab5af504f50f7a5cd04d
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-smp-nongpl-2.6…
5ccb28594c3bbfd3f0d55057321f0dd3
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-source-2.6.13-…
9e59562a1131efca6852d4679256236a
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-syms-2.6.13-15…
3fad95aae4eeba413f61304941171628
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-um-2.6.13-15.1…
05622beea615d8b312b4953b61b90021
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-um-nongpl-2.6.…
2a59f92c159da861adcb5f7e278a3e02
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-xen-2.6.13-15.…
e630316df432d5523b00edd66a7cfcd6
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-xen-nongpl-2.6…
0894832e10d0b58235d2578e67cc928c
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/um-host-kernel-2.6.13…
be464dab1cbc94dbb67ee7f84f8c9aa9
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/Intel-536ep-4.69-10.9.…
1d3ad978025b9d97bb7a90db61356da8
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-bigsmp-2.6.11.4…
f225c96f36550606ea68f4ac3bfe74dc
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-bigsmp-nongpl-2…
f35b5c66a2ba4437eec2b8b810eb5c6b
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-default-2.6.11.…
f444923fb3756410f2830dfa19b9774d
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-default-nongpl-…
2e07056e10890ffbd50c59abb40befe1
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-smp-2.6.11.4-21…
096868f28a76e95f1ebc9338b110a5f0
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-smp-nongpl-2.6.…
a84bf62f441f32f09884c07693c5aa18
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-source-2.6.11.4…
3544a5b183926981b591f89626033781
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-syms-2.6.11.4-2…
d46db3e4da45262de1bf61c5b9e6a9a3
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-um-2.6.11.4-21.…
f7d32fd8d0d38f0b9ac1f0cf98ab1a1c
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-um-nongpl-2.6.1…
a862ec208be9e31dcff7dbf7c540d5a4
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-xen-2.6.11.4-21…
5323a6c912bf2ea3aecfe01f1f25029f
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-xen-nongpl-2.6.…
f6ec0b9626fed9f54919415fa5d262a5
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/ltmodem-8.31a10-7.9.i5…
116853b601518db7e3f081a38cd7e448
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/um-host-install-initrd…
4c566b558056292cbc8730c6a8275e19
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/um-host-kernel-2.6.11.…
8082e95baeadd7527787d7ef960fea3b
Platform Independent:
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/noarch/kernel-docs-2.6.11.4…
b010aa9454cc8b1631fc271148bfc99e
Power PC Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/kernel-default-2.6.16.27-0.…
f7cf4448592556658428a4d6c1f80a26
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/kernel-iseries64-2.6.16.27-…
00d04e7cfbc9b27dc5dca9dcd9c715d2
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/kernel-kdump-2.6.16.27-0.6.…
98faf70272be4b6abd887f4d04fc6284
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/kernel-ppc64-2.6.16.27-0.6.…
1411437f7005f90d7083d8fb5cad99ce
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/kernel-source-2.6.16.27-0.6…
edbbb370525bfb9caefe22c563b73b7a
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/kernel-syms-2.6.16.27-0.6.p…
d15067647e646c65245934dc21cf6d13
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/mkinitrd-1.2-106.25.ppc.rpm
5b244ec190ab5e8432d04b286fd595c3
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/multipath-tools-0.4.6-25.14…
2592ff0cebfee11a54163a86354e9c40
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/open-iscsi-0.5.545-9.16.ppc…
5c6faf58161ef7607c29eafb995698d9
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/udev-085-30.16.ppc.rpm
40b7b338af66872ba3ab5cf4b2f0e792
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kernel-default-2.6.13-…
3f99986f3194d8a6b1dcfa9bc737387a
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kernel-iseries64-2.6.1…
44273fe733fb0f6227fddcc3d93bf723
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kernel-ppc64-2.6.13-15…
880f61aa27d2cf85f687b63536f9b76a
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kernel-source-2.6.13-1…
78995147e37e08ce50e06d9f4b6bdd43
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kernel-syms-2.6.13-15.…
b38cf17b95ffefe1177c5e50b0fb7f5f
x86-64 Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/kernel-debug-2.6.16.27-0…
36d4798029d37d58e04d4e088c857d05
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/kernel-default-2.6.16.27…
8f8d92d0d3bd28abab96593619f7e110
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/kernel-kdump-2.6.16.27-0…
422a4e7a8330bbefc616acf90cde155c
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/kernel-smp-2.6.16.27-0.6…
b49a2612377a09dcda55bfc7b077559b
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/kernel-source-2.6.16.27-…
0da3b45f9e5c7f679fbb5633baaf0370
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/kernel-syms-2.6.16.27-0.…
78de774b4943c716f071e15843c061b7
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/kernel-xen-2.6.16.27-0.6…
3d68e95abd041b2131118b1cff963703
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/kexec-tools-1.101-32.20.…
50b692b9662c0308cd3fb83573a1d10c
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/mkinitrd-1.2-106.25.x86_…
f48e546e789c3590e617484c38cab9ac
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/multipath-tools-0.4.6-25…
9cf969cf4bb76b77ae13ebc287908cc9
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/open-iscsi-0.5.545-9.16.…
42c6343b258e4363ccb510f429555857
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/udev-085-30.16.x86_64.rpm
c28d409a7cb6edbc077e0edd5fccf91a
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-default-2.6.…
194e64a59862dcebba2b7e58818747b4
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-default-nong…
3fa5ca85656cb037a72a1d1855d38d7f
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-smp-2.6.13-1…
ddb5c45b75d967a52ee39dbd71ffc52e
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-smp-nongpl-2…
ca21f69550373f05fbff08b2c4505203
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-source-2.6.1…
a1143a950fe7f50f5664f7a009a0b796
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-syms-2.6.13-…
b6bf0d933792855235b6fe848328f05b
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-xen-2.6.13-1…
be16a4f55e8e5b69f9677ed9ebee29e9
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-xen-nongpl-2…
0466ac6e4d01edaf3cd702859e4d0f0e
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-default-2.6.1…
e3ccbf0a746cbc8f91a53864c7cc44f4
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-default-nongp…
df750c05231346c502f54c23a60c67e2
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-smp-2.6.11.4-…
09e22d0a4b0826687ce68ba535b53d40
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-smp-nongpl-2.…
7163a5cc8545db178688d3d23817c375
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-source-2.6.11…
6457587a33198b4fcd04b3ed2c99b589
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-syms-2.6.11.4…
23a663cd7658a95e02b8fd46b8b3e810
Sources:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/kernel-bigsmp-2.6.16.27-0.6…
b35b46b9331de972842e5869a4944d3f
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/kernel-debug-2.6.16.27-0.6.…
e657caa01e2c07019f8cc889777f11b7
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/kernel-default-2.6.16.27-0.…
eebf35ce636a741f9bc47a2fa382ce76
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/kernel-iseries64-2.6.16.27-…
d09b683ab819709aadf9ece6b3f3e707
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/kernel-kdump-2.6.16.27-0.6.…
617e45734469b9dd49cd44e1a9e024bc
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/kernel-ppc64-2.6.16.27-0.6.…
197bf280a2b992f24d1827c0d081d8e0
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/kernel-smp-2.6.16.27-0.6.no…
0d164685b97350f60bb13b2408b3e0f6
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/kernel-source-2.6.16.27-0.6…
948af0a9a23e466e00102d1412ca6aea
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/kernel-syms-2.6.16.27-0.6.s…
5ab46df57270adabab766f3f08f04f3f
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/kernel-um-2.6.16.27-0.6.nos…
8a8d3d518e01d9477d4bb11680239d3b
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/kernel-xen-2.6.16.27-0.6.no…
ef135de71f6434a981bed66f01f3a606
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/kernel-xenpae-2.6.16.27-0.6…
d2145a8c27a2324e0a6bf048c27c8a7e
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/kexec-tools-1.101-32.20.src…
07a7cf8799deffdd0f5606ba4c6e6fe7
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/mkinitrd-1.2-106.25.src.rpm
8ac081406c2636d27412aa2c41d6cfe8
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/multipath-tools-0.4.6-25.14…
642fb05f65f4629b60b98d72a3333efe
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/open-iscsi-0.5.545-9.16.src…
f52ea025e7ea1a9e131c13e5a6018775
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/udev-085-30.16.src.rpm
cbd7aa05bc56bbbfed68ea4611ac16dc
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/Intel-536ep-4.69-14.8.…
cea6899a95d45178d21168b6aa4dd922
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-bigsmp-2.6.13-1…
98260538fb3afb196a0fb1f52edc00c5
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-default-2.6.13-…
f0a9e177557eb196adba8d19c6e06f4e
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-iseries64-2.6.1…
bc5365eda00fd8db053b4dbe16e168c3
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-ppc64-2.6.13-15…
72c601464252532948d3ab8ea73b872a
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-smp-2.6.13-15.1…
9576c07ca12e6f50e86d0d063cd16df2
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-source-2.6.13-1…
47b3c7e171c000824e42aa594e7681d3
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-source-2.6.13-1…
003debda7e60a61eaf01f2798bb1fa65
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-syms-2.6.13-15.…
9cba4d63d45f4d4c908b137c5e069bb7
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-um-2.6.13-15.13…
2cfa5afc504eda54df8116c5ce42c23e
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-xen-2.6.13-15.1…
16c0f03172d069271f515dbeb24eb19b
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/Intel-536ep-4.69-10.9.s…
f3f522d91ffba19568e1d0fe6142deb9
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-bigsmp-2.6.11.4-…
24fb636744affbe2f7c96a9140b2def1
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-default-2.6.11.4…
a68261d68dec7866b7b3f2d3b9d6f1f0
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-docs-2.6.11.4-21…
4fa98524a2dbb11d5e8f38f161c79c94
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-smp-2.6.11.4-21.…
59936703da3fa4c3f06d709d91a4f05a
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-source-2.6.11.4-…
a1862d7ee039c35b9dfd2bf61a3396e5
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-syms-2.6.11.4-21…
a0caf67ace3014157e0c0bfcbd1143b6
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-um-2.6.11.4-21.1…
c64e46fd270b095a1d57ac9cf1c895ed
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-xen-2.6.11.4-21.…
574b65b39dfe4f65fa7d18cdd1b8f2ba
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/ltmodem-8.31a10-7.9.src…
ebe62382458daba958312b5cde956883
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/um-host-install-initrd-…
4ec6d9d84c4f7d606ef699fb3b2ddb23
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
Novell Linux Desktop 9 for x86
http://support.novell.com/techcenter/psdb/15107fb406dee9a6d661cedc4a7bd068.…
Novell Linux Desktop 9
http://support.novell.com/techcenter/psdb/15107fb406dee9a6d661cedc4a7bd068.…
http://support.novell.com/techcenter/psdb/06a879ef6bcde6c750e9ee4e43ccc446.…
Novell Linux Desktop 9 for x86_64
http://support.novell.com/techcenter/psdb/06a879ef6bcde6c750e9ee4e43ccc446.…
SUSE SLED 10 for AMD64 and Intel EM64T
http://support.novell.com/techcenter/psdb/aa32c28c0e5ddf716b0e61d93331f86d.…
SUSE SLES 10
http://support.novell.com/techcenter/psdb/aa32c28c0e5ddf716b0e61d93331f86d.…
http://support.novell.com/techcenter/psdb/8d1bb2f1def9904433821604ff90783e.…
http://support.novell.com/techcenter/psdb/dd622f88b5acaa6cb876b101236a952e.…
http://support.novell.com/techcenter/psdb/87e2c4f32a1d32427f4f6a08a52ff58e.…
http://support.novell.com/techcenter/psdb/9b70db20ae4e8d5034a104f1305d437c.…
SUSE SLED 10
http://support.novell.com/techcenter/psdb/aa32c28c0e5ddf716b0e61d93331f86d.…
http://support.novell.com/techcenter/psdb/9b70db20ae4e8d5034a104f1305d437c.…
SUSE SLED 10 for x86
http://support.novell.com/techcenter/psdb/9b70db20ae4e8d5034a104f1305d437c.…
SUSE CORE 9 for AMD64 and Intel EM64T
http://support.novell.com/techcenter/psdb/8256ebb61cc00811a06c0fd252c18d5a.…
SUSE CORE 9 for IBM zSeries 64bit
http://support.novell.com/techcenter/psdb/dc588035c8569c0fba9c9e33685f698c.…
SUSE CORE 9 for IBM S/390 31bit
http://support.novell.com/techcenter/psdb/36b4bba8bf8a44877f22acb24254f105.…
SUSE CORE 9 for IBM POWER
http://support.novell.com/techcenter/psdb/f74c89856bd24e4e5b10b44a1b7fb438.…
SUSE CORE 9 for Itanium Processor Family
http://support.novell.com/techcenter/psdb/7ac58979c59cf50840e70f4bc277e4f8.…
SUSE SLES 9
http://support.novell.com/techcenter/psdb/8256ebb61cc00811a06c0fd252c18d5a.…
http://support.novell.com/techcenter/psdb/dc588035c8569c0fba9c9e33685f698c.…
http://support.novell.com/techcenter/psdb/36b4bba8bf8a44877f22acb24254f105.…
http://support.novell.com/techcenter/psdb/f74c89856bd24e4e5b10b44a1b7fb438.…
http://support.novell.com/techcenter/psdb/7ac58979c59cf50840e70f4bc277e4f8.…
http://support.novell.com/techcenter/psdb/4ea26fcc1ac12ca4ae3124c429ea7994.…
Open Enterprise Server
http://support.novell.com/techcenter/psdb/15107fb406dee9a6d661cedc4a7bd068.…
http://support.novell.com/techcenter/psdb/d9aec765cc3bc34382a96bfc703b9ff2.…
Novell Linux POS 9
http://support.novell.com/techcenter/psdb/4ea26fcc1ac12ca4ae3124c429ea7994.…
http://support.novell.com/techcenter/psdb/d9aec765cc3bc34382a96bfc703b9ff2.…
SUSE CORE 9 for x86
http://support.novell.com/techcenter/psdb/4ea26fcc1ac12ca4ae3124c429ea7994.…
http://support.novell.com/techcenter/psdb/d9aec765cc3bc34382a96bfc703b9ff2.…
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum <filename.rpm>
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security(a)suse.de) the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security(a)opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe(a)opensuse.org>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBRYqESney5gA9JdPZAQLNsQf+PjfXteMrCIgsJUqPmLADG3dCNSa88QFh
OICkFqglISmNDNSK6/cM94HlFAE+8HQChKvCdUNiwuK2YZ1yTylI6NTnIuGQDHOZ
OTkWS4Afbor6s3KlsNPCuGvVTu4o1hZj/flYsvPF98nC22Kljllop/oyqJMFhWcK
g8N0jGqiIqzuwCqOivpnAIt9Q37Z+q1NxRnNvz4TKs4rinCzp533zmf/kXUbM4p7
mppmJYmHWtvhVOLehfvZXCOS7CNp3FVhPBl80d1n4XObrmaqQoGUgsi/vAUueI3x
4ma8T/HyfgEXFSa2jGfdBUvFtGC/8FUCdwBbsohn5aAbb0HNsufMjw==
=4I/U
-----END PGP SIGNATURE-----
1
0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID: SUSE-SR:2006:029
Date: Tue, 19 Dec 2006 15:00:00 +0000
Cross-References: CVE-2006-5864, CVE-2006-6105, CVE-2006-6120
CVE-2006-6142
Content of this advisory:
1) Solved Security Vulnerabilities:
- koffice OLE import filter problem
- squirrelmail XSS problem
- evince code execution
- novell-lum empty password
- gdm format string problem
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
- current kernel update
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums
or download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- koffice OLE import filter problem
A security problem in the OLE import handling for PPT files of
Koffice was fixed, where attackers with crafted documents could
crash kpresenter and potentially execute code. (CVE-2006-6120)
This has been fixed for all SUSE Linux based distributions containing
koffice.
- squirrelmail XSS problem
Multiple cross site scripting bugs in squirrelmail have been fixed
(CVE-2006-6142)
- evince code execution
The PDF and Postscript viewer evince could be exploited to execute
code by supplying a specially crafted Postscript file that causes
a buffer overflow when being rendered (CVE-2006-5864).
All SUSE Linux products containing evince were affected by this
problem.
- novell-lum empty password
A security problem was fixed in "novell-lum", the eDirectory based
"Linux User Management". Under certain circumstances it was possible
to login to the console without any password. (ssh is not affected,
since it rejects empty passwords).
This problem affects SUSE Linux Enterprise Desktop 10 and Open
Enterprise Server 9.
- gdm format string problem
A format string bug in the program 'gdmchooser' could potentially be
exploited to execute code under a different user id. (CVE-2006-6105)
Since the desktop user has to enter this format string it is unlikely
that this can be exploited.
Only openSUSE 10.2 was affected by this problem, the code did not
exist in this form in older distributions.
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
- current kernel update
We are currently preparing the next kernel update round of our 2.6
kernels, scheduled to be delivered before Christmas.
There are no outstanding critical security problems, the release
target is mostly rolling in local denial of service problems and
other bugfixes.
The update kernels for SUSE Linux 9.3 and 10.0 have been released
already and will be included in the full advisory once all kernels
have been released.
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file containing the announcement.
The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and integrity of a
package needs to be verified to ensure that it has not been tampered with.
The internal RPM package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on RPMv4-based
distributions) and the gpg key ring of 'root' during installation. You can
also find it on the first installation CD and included at the end of this
announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security(a)opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe(a)opensuse.org>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBRYf1tney5gA9JdPZAQKmkggAlMI3dZVrP1ROor9nOX3SlXxhZVBmEoPX
Erom8bCyqdUGn3YP0eq6IxAwHW7zAJz1vZu/Bx1IuiOjOX0wapo4wCWgeP1SZk8z
VfyM39W4icbXM+Z2ktf81OFCKicWQm0E/V8JPgQ47XkflGHnbomaEM+E/xz350c5
+kT1E3ywjCE7cskDiv0pSMa08+26bWfnJk12I5J9iIA0ZaPq8GYXMRHTkO21duNW
pFX+Lkp0VYX0Zly+CNU1+TXjKSax2cQGiKDcHFxxeCaCyCdyBpHTGSzQbvZ6IYmk
WUrVYX3bEqzCzD3qqKk869ukNCMiLPHVf/bZd7qU/oyjnxaZgc8R+Q==
=5OAy
-----END PGP SIGNATURE-----
1
0
18 Dec '06
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: clamav
Announcement ID: SUSE-SA:2006:078
Date: Mon, 18 Dec 2006 12:00:00 +0000
Affected Products: Novell Linux POS 9
Open Enterprise Server
openSUSE 10.2
SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE SLES 10
SUSE SLES 9
Vulnerability Type: remote denial of service
Severity (1-10): 6
SUSE Default Package: no
Cross-References: CVE-2006-5874, CVE-2006-6406, CVE-2006-6481
Content of This Advisory:
1) Security Vulnerability Resolved:
clamav 0.88.7 security update
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
The anti virus scan engine ClamAV has been updated to version 0.88.7
to fix various security problems:
CVE-2006-5874: Clam AntiVirus (ClamAV) allows remote attackers to
cause a denial of service (crash) via a malformed base64-encoded MIME
attachment that triggers a null pointer dereference.
CVE-2006-6481: Clam AntiVirus (ClamAV) 0.88.6 allowed remote attackers
to cause a denial of service (stack overflow and application crash)
by wrapping many layers of multipart/mixed content around a document,
a different vulnerability than CVE-2006-5874 and CVE-2006-6406.
CVE-2006-6406: Clam AntiVirus (ClamAV) 0.88.6 allowed remote attackers
to bypass virus detection by inserting invalid characters into base64
encoded content in a multipart/mixed MIME file, as demonstrated with
the EICAR test file.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
None.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
x86 Platform:
openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/clamav-0.88.7-1.1.i586.rpm
31ff4c80173352b7be840a668e99660f
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/clamav-0.88.7-1.2.i586.rpm
7010d42a842404deefa694b51bc1edf2
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/clamav-0.88.7-1.1.i58…
90f817d3807328756f0f2b4f69aeffe4
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/clamav-0.88.7-1.1.i586…
4e4bf1fdac1d07521c115eee4878a120
Power PC Platform:
openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/clamav-0.88.7-1.1.ppc.rpm
e97f82da161d797977de64eec6e56f88
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/clamav-0.88.7-1.2.ppc.rpm
4f90832ce1d606a10933078cf44b4400
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/clamav-0.88.7-1.1.ppc.…
51fffc7036edcbd012b8836ff2e7a08c
x86-64 Platform:
openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/clamav-0.88.7-1.1.x86_64…
2b9e9c53855e579d62029255ce9c315f
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/clamav-0.88.7-1.2.x86_64…
099247a53aa4314993f182f68f74b06a
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/clamav-0.88.7-1.1.x…
18f02e5330a8bec20b0c845ce5a9d653
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/clamav-0.88.7-1.1.x8…
9244e87aab197f63f420dd356ef89b83
Sources:
openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/clamav-0.88.7-1.1.src.rpm
69c2a992bc1243ba0b03cef1054caa67
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/clamav-0.88.7-1.2.src.rpm
01f7d2e67b5d171337e9fb3141205a6d
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/clamav-0.88.7-1.1.src.…
84ec713db7da8c22943e14f34f68161c
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/clamav-0.88.7-1.1.src.r…
6ee8c0c87cb87db1f331cf46dc087a8c
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
Open Enterprise Server
Novell Linux POS 9
SUSE SLES 10
SUSE SLES 9
http://support.novell.com/techcenter/psdb/99ff98254c77739e0c421ee90228d262.…
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum <filename.rpm>
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security(a)suse.de) the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security(a)opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe(a)opensuse.org>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBRYZzVHey5gA9JdPZAQKjewf+J+36kDMgMP62l2SXVwFGdo/vpTv+KMCw
9c0a3qO5xsimhn3HusNsJg06e3HrWyuWGWLX5i3MAf34yxumevPoyqdryZM3UXSS
tnXwSAZ74jCF70uMkA2mLrghFTqGLwWhbUBv0CO6OpovwF4mbt3kdc2YlUDcvE14
AuZhlTnb+RkRuWOlF+RY+Zjc1agPkjes1ckyGsE779DGhfMyNgO7/HO8IzZQNzXR
VwI8/L7mSLo68GCbmuhcIW0Xf/x5uJkhjGk+NHn+AJRzauwL452EDxSo2toSDKqh
vdKu6V56eEbPwLB3ngd3odkGVKkFdbnK3yVjcKBtMBZzDJWpFVnXkw==
=8Yh8
-----END PGP SIGNATURE-----
1
0
SUSE Security Announcement: flash-player CRLF injection (SUSE-SA:2006:077)
by Marcus Meissner 14 Dec '06
by Marcus Meissner 14 Dec '06
14 Dec '06
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: flash-player
Announcement ID: SUSE-SA:2006:077
Date: Thu, 14 Dec 2006 12:00:00 +0000
Affected Products: Novell Linux Desktop 9
openSUSE 10.2
SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE SLED 10
Vulnerability Type: HTTP header splitting
Severity (1-10): 7
SUSE Default Package: yes
Cross-References: CVE-2006-5330
Content of This Advisory:
1) Security Vulnerability Resolved:
flash-player HTTP request CRLF injection problem
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
This security update brings the Adobe Flash Player to version 7.0.69.
The update fixes the following security problem:
CVE-2006-5330: CRLF injection vulnerabilities in Adobe Flash Player
allows remote attackers to modify HTTP headers of client requests
and conduct HTTP Request Splitting attacks via CRLF sequences in
arguments to the ActionScript functions (1) XML.addRequestHeader and
(2) XML.contentType.
The flexibility of the attack varies depending on the type of web
browser being used.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
Please close and restart all running instances of applications currently
running flash applets after the update.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
x86 Platform:
openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/flash-player-7.0.69.0-1.1.…
582b9df68410047288fdd679be14cc43
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/flash-player-7.0.69.0-1.2.…
028b959cc57e8a158963722886961915
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/flash-player-7.0.69.0…
8a9ad6700dc9509ee4554d01c45c39cb
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/flash-player-7.0.69.0-…
66b36fc7384c7bffdbe1a1e38d6b65b8
Sources:
openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/flash-player-7.0.69.0-1.1.s…
550f2dc5b50cd2d66ddf6c66cc2cf35a
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/flash-player-7.0.69.0-1.2.s…
c684b5c2e4c4ad3bdd51ee50f59f2e36
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/flash-player-7.0.69.0-…
eb5174d91333353daaf183e7a26b70d0
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/flash-player-7.0.69.0-1…
2f4ff5f9c0953790241512a76a13bdc8
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
Novell Linux Desktop 9
http://support.novell.com/techcenter/psdb/e0b1939107e149b2e2c750dae6331938.…
SUSE SLED 10
http://support.novell.com/techcenter/psdb/e0b1939107e149b2e2c750dae6331938.…
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum <filename.rpm>
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security(a)suse.de) the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security(a)opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe(a)opensuse.org>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBRYE7lHey5gA9JdPZAQJgbQf/cTtW0MqZmGGE6Z4sIQNWx3VE3dlfHTkd
iZKIXf/TURNNGhROg6p32CKkSC/HLQfINyk5LHG9P6ioiqzrsGReHoitRK8Gq2u0
WAbKvgyMlpERQhZ18NScUpXWRumPOGZFSmiWgi8v3ej6E1cEo23ZnztlIrUPDBx0
0aNi3WCXcbmYNCWcWq6Hs3vbHNc5IX4DsZaE9SC3oqoi0dDIOPwYMYEVt4Sg3JGX
ZbEamgONNbxkJC31ZagpK4g8rhqAYyU5bqahWAgLQ04BemSMJSYq68gFYKOF6k3L
y2srzLzvYmjwoYVZ53qx48DXc1etTM3V9uW8UvUK+eryspMyiS1AlA==
=b08M
-----END PGP SIGNATURE-----
1
0
SUSE Security Announcement: libgsf buffer overflows (SUSE-SA:2006:076)
by Marcus Meissner 14 Dec '06
by Marcus Meissner 14 Dec '06
14 Dec '06
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: libgsf
Announcement ID: SUSE-SA:2006:076
Date: Thu, 14 Dec 2006 12:00:00 +0000
Affected Products: Novell Linux Desktop 9
Novell Linux POS 9
Open Enterprise Server
SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SuSE Linux Desktop 1.0
SUSE SLED 10
SUSE SLES 10
SUSE SLES 9
Vulnerability Type: remote code execution
Severity (1-10): 8
SUSE Default Package: yes
Cross-References: CVE-2006-4514
Content of This Advisory:
1) Security Vulnerability Resolved:
libgsf buffer overflow
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
The libgsf library is used by various GNOME programs to handle for
instance OLE2 data streams.
Specially crafted OLE documents enabled attackers to use a heap buffer
overflow for potentially executing code.
This issue is tracked by the Mitre CVE ID CVE-2006-4514.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
Please close and restart applications using libgsf.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
x86 Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/libgsf-1.13.99-13.7.i586.r…
91b1e160b88a4da68781ca4391a0aa7b
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/libgsf-1.12.1-3.2.i58…
6b4e5b5ed0e564769a0bb3d0e288b8be
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/libgsf-1.11.1-4.2.i586…
48555a9c645cae527bdc5315251d662f
Power PC Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/libgsf-1.13.99-13.7.ppc.rpm
d8c05b0415c9e196c2d1a8cc42ac0402
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/libgsf-1.12.1-3.2.ppc.…
24e8d5c92f635db2ef3049339ba1754b
x86-64 Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/libgsf-1.13.99-13.7.x86_…
6f8ebb0842088a321a15192480a5388d
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/libgsf-32bit-1.13.99-13.…
bab0e91a620413c92e403bcfdd6d7147
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/libgsf-1.12.1-3.2.x…
f9992beea6a3fe27204ebee475ba8234
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/libgsf-32bit-1.12.1…
b1369a901898a1bfb9fd5ba643dd7291
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/libgsf-1.11.1-4.2.x8…
02e536160da1597a38153d1643de00b4
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/libgsf-32bit-9.3-7.1…
abb66f3f4f3b3cd34382612805878466
Sources:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/libgsf-1.13.99-13.7.src.rpm
0b386df6f643991c71d61dbf07d448fe
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/libgsf-1.12.1-3.2.src.…
455b6c354c40ac3157a158b8902238c2
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/libgsf-1.11.1-4.2.src.r…
7b6bb054f79babd4893be99c331eab2f
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
Open Enterprise Server
http://support.novell.com/techcenter/psdb/8925f151052752a744fcfe7924249f34.…
Novell Linux POS 9
http://support.novell.com/techcenter/psdb/8925f151052752a744fcfe7924249f34.…
Novell Linux Desktop 9
http://support.novell.com/techcenter/psdb/8925f151052752a744fcfe7924249f34.…
SuSE Linux Desktop 1.0
http://support.novell.com/techcenter/psdb/8925f151052752a744fcfe7924249f34.…
SUSE SLES 10
http://support.novell.com/techcenter/psdb/8925f151052752a744fcfe7924249f34.…
SUSE SLED 10
http://support.novell.com/techcenter/psdb/8925f151052752a744fcfe7924249f34.…
SUSE SLES 9
http://support.novell.com/techcenter/psdb/8925f151052752a744fcfe7924249f34.…
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum <filename.rpm>
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security(a)suse.de) the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security(a)opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe(a)opensuse.org>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBRYE7Nney5gA9JdPZAQJiLQf/Q1aAWNJ2vjpHDwllOKi2Yp2FOsE/A3n7
HDorM9lU7AYY2YHDEjXnYApA3K/RYYnQKxSMJyqD0FtutP9kTo+RpEQ1PnrvpbSQ
n3JeSZ21nJS58dBfe9n67uqqtFe20R/6gOY6NxmyCAKqJFrxV5yg9AWwXk/s2D+A
DUGRYArz0d+kcShr/fVrtPZ7y5Sb4JPN1TDL8jfGZXqjT42vW0IZvY7R8HaUHVuL
mhUPyW1eVQCM0kLmO1ZNingo2usOMhcElebLw4WNDRBpd5EIjsRD5u4a8TWtkDPV
LytCckHTVLw/LkSXgbn6sB+4E6fPzwTNPediQD9vtE/DTqxEguSaNw==
=XZxZ
-----END PGP SIGNATURE-----
1
0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: gpg,gpg2
Announcement ID: SUSE-SA:2006:075
Date: Wed, 13 Dec 2006 12:00:00 +0000
Affected Products: Novell Linux Desktop 9
Novell Linux POS 9
Open Enterprise Server
openSUSE 10.2
SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SuSE Linux Desktop 1.0
SuSE Linux Enterprise Server 8
SuSE Linux Openexchange Server 4
SUSE LINUX Retail Solution 8
SuSE Linux School Server
SuSE Linux Standard Server 8
SUSE SLED 10
SUSE SLES 10
SUSE SLES 9
UnitedLinux 1.0
Vulnerability Type: remote code execution
Severity (1-10): 8
SUSE Default Package: yes
Cross-References: CVE-2006-6169, CVE-2006-6235
Content of This Advisory:
1) Security Vulnerability Resolved:
two security problems in GPG
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
Two security problems were fixed in the GNU Privacy Guard (GPG).
- Specially crafted files could overflow a buffer when gpg was used
in interactive mode (CVE-2006-6169).
- Specially crafted files could modify a function pointer and
could potentially execute code this way. (CVE-2006-6235).
Update for all SUSE Linux based products have been released.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
None.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
x86 Platform:
openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/gpg-1.4.5-24.2.i586.rpm
0032014cef28fd9d575ca9d56886dc9a
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/gpg2-1.9.22-20.2.i586.rpm
8cdf17f4928497c703df0986012bd924
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/gpg-1.4.2-23.12.i586.rpm
714ad111277495f85fb4d75c07a436e1
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/gpg2-1.9.18-17.13.i586.rpm
df328ffaa0b0fa34e70932dd8eafd399
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/gpg-1.4.2-5.11.i586.r…
bbdac2ac9cf42f2e0744f93c7a27bd64
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/gpg2-1.9.18-2.11.i586…
6b96bf0aa835b5c5a6d38f3fe9baa020
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/gpg-1.4.0-4.11.i586.rpm
1f188d6e98593753dbf0115758c60700
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/gpg2-1.9.14-6.13.i586.…
493bb161ab9a0ee7e8b687da49fc874f
Power PC Platform:
openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/gpg-1.4.5-24.2.ppc.rpm
8ba71e773c0ed4bfad10017d4f0ad769
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/gpg2-1.9.22-20.2.ppc.rpm
04e4aa189832a2834ac843d3d216b560
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/gpg-1.4.2-23.12.ppc.rpm
87d3e2efab5fda6d0c0fb0228e8089eb
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/gpg2-1.9.18-17.13.ppc.rpm
9ecd1af3d67515388dc5f9c797d33fde
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/gpg-1.4.2-5.11.ppc.rpm
36dd086f17d69a2344387249f4f59828
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/gpg2-1.9.18-2.11.ppc.r…
0b0a3f42511f722f1113ceb2ddb1fe42
x86-64 Platform:
openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/gpg-1.4.5-24.2.x86_64.rpm
178ec43c6b057b055e64fd8ce3b370f3
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/gpg2-1.9.22-20.2.x86_64.…
a480e34bc72c13902b060774a8c93614
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/gpg-1.4.2-23.12.x86_64.r…
424104d7e79aa13997a9cd5bf48daaed
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/gpg2-1.9.18-17.13.x86_64…
f9813d58d65585d3216ce4a514288e60
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/gpg-1.4.2-5.11.x86_…
542621ad20461324061e95d757f062a9
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/gpg2-1.9.18-2.11.x8…
6e40568843721500e6e7a01e49478be5
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/gpg-1.4.0-4.11.x86_6…
d0857cd1ef3d71961e866f56c565b32d
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/gpg2-1.9.14-6.13.x86…
20eb29a34cd71e5d1fa86bb53522a5ca
Sources:
openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/gpg-1.4.5-24.2.src.rpm
8b319a4138cc1ff4304dc45c369936c6
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/gpg2-1.9.22-20.2.src.rpm
6ea5c120e635118233a97c5877ca10c0
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/gpg-1.4.2-23.12.src.rpm
551331ff3994d1e0a6a1c893f9d99c84
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/gpg2-1.9.18-17.13.src.rpm
4dcf00273942790ccc8945f1badb441d
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/gpg-1.4.2-5.11.src.rpm
47425c0af8df3d11100bc938db0d9141
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/gpg2-1.9.18-2.11.src.r…
d76d488c78aa5c047f9d0d3a72bb1509
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/gpg-1.4.0-4.11.src.rpm
86c9afba71507f0d4f3f7e88fa599ea1
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/gpg2-1.9.14-6.13.src.rpm
a911124ed914970d7c458caf03ddd709
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
UnitedLinux 1.0
SuSE Linux Openexchange Server 4
Open Enterprise Server
Novell Linux POS 9
SuSE Linux Enterprise Server 8
SuSE Linux Standard Server 8
SuSE Linux School Server
SUSE LINUX Retail Solution 8
SuSE Linux Desktop 1.0
SUSE SLES 9
http://support.novell.com/techcenter/psdb/440643b5b7f99c513f043f911ca9d906.…
Novell Linux Desktop 9
SUSE SLES 10
SUSE SLED 10
http://support.novell.com/techcenter/psdb/440643b5b7f99c513f043f911ca9d906.…
http://support.novell.com/techcenter/psdb/d29d6e06422f5a6d9e87580b666bbb83.…
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum <filename.rpm>
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security(a)suse.de) the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security(a)opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe(a)opensuse.org>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBRX/ZUHey5gA9JdPZAQIOtAgAhfTRKFz8N8OVIgeSs4QoP9KwUO3dTRiu
EWk70Nh0T+NzXCeybmfHde1B5wqzQzvF1Z0SpwOUd44yRVQFeMlsijwaiIVpAb3f
FAMCD5hjx2Q9kgMMq0H6sGWep2llC1fF1KPdwjS28mc9th7LYh18Gya5nT6dLLy5
A4OE5gKPnAxVd/JjV/hlMZLsEgYyXxwqa9s1L88IvMyOvu2RqmDBBEQYyC4PXGAW
1VA1OGy9479Hp58bLK7m49g0oHArW0QNJvJU2n7I9A9WLDVC5uq9UwMjvV16yek5
CaZLjfJAe6ojd+eTf7aKuo7cuBA7iZUXhDaeUH/khMoezLfZuc51Qw==
=X3GI
-----END PGP SIGNATURE-----
1
0
SUSE Security Announcement: Madwifi remote root exploit (SUSE-SA:2006:074)
by Marcus Meissner 11 Dec '06
by Marcus Meissner 11 Dec '06
11 Dec '06
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: madwifi
Announcement ID: SUSE-SA:2006:074
Date: Mon, 11 Dec 2006 18:00:00 +0000
Affected Products: SUSE SLED 10
SUSE Linux 9.3
SUSE Linux 10.0
Vulnerability Type: remote code execution
Severity (1-10): 10
SUSE Default Package: yes
Cross-References: CVE-2006-6332
Content of This Advisory:
1) Security Vulnerability Resolved:
Atheros WLAN driver remote root exploit
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
The madwifi-ng Atheros Wireless LAN card driver is subject to
a remotely exploitable stack buffer overflow, which either code
execution possibility or at least a denial of service (kernel crash).
A physical local attacker (within WLAN range) has to provide an
malicious access point which the card tries to associate with to be
able to effect this attack.
This issue is tracked by the Mitre CVE ID CVE-2006-6332.
This update also brings the madwifi driver to version 0.9.2.1.
Affected SUSE Linux products:
SUSE Linux Desktop 10 - Code execution is possible when this problem
is exploited. Fixed madwifi-kmp-* packages are available and linked
from this advisory.
SUSE Linux 9.3 and 10.0 - These distributions use an older madwifi
driver version, where an attacker can only overflow the buffer with
hex characters, making code execution nearly impossible but a denial
of service (crash) still likely. Updates for 9.3 and 10.0 are in
preparation and will be in the next kernel security update.
Other SUSE Linux versions do not ship the madwifi driver or are not
vulnerable to this problem.
For SUSE Linux 10.1 and openSUSE 10.2 the Madwifi community
provides fixed driver modules and a new driver module layout on
http://madwifi.org/wiki/news/20061208/suse-repository-updated-layout-changed
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
It is sufficient to rmmod and then modprobe the "ath_pci" kernel
module after installing the update.
The recommended way to get a known good state is to reboot the machine.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
SUSE SLED 10
http://support.novell.com/techcenter/psdb/3416396e4a9f8f1824b11dc72bbdce3e.…
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum <filename.rpm>
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security(a)suse.de) the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security(a)opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe(a)opensuse.org>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (FAQ),
send mail to <suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBRX2Mg3ey5gA9JdPZAQKGZQf+I2xJDBSD0TlV2IkxAncE0m+abZbiRBH8
jFEEPHquzlR5Ea1IQ9PWiPbjZHQ/LrHliyv65JvNrZQAS2RYwxSQCtQfNI4AyIK/
whah8HwbMgzb7BIaBqj9Hq6jEw0gb8eS0ZQRNhUuw5GC4ctzqkt0UD101Py57eRL
q9xpYti55fh0hUq9B/0PCqrvF6LtPDfj5mklQGnGs6CHTq2vEprnGBy7QddEkZWi
h6RcTTrkYDlTtsPMRyQPgo+fvu23NeAL+lpk7Sn9qiXEyKAYuBc9re+ztvfbgFhr
ln6Ly+B4qyBBW9Hx/dwLpUmuchf4TLMgWxt9gqXkVGisaM7ansz91w==
=cv50
-----END PGP SIGNATURE-----
1
0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID: SUSE-SR:2006:028
Date: Fri, 08 Dec 2006 17:00:00 +0000
Cross-References: CVE-2006-3334, CVE-2006-4513, CVE-2006-4810
CVE-2006-5793, CVE-2006-5864, CVE-2006-6172
CVE-2006-6235, CVE-2006-6332
Content of this advisory:
1) Solved Security Vulnerabilities:
- xine-lib realmedia overflow problem
- texinfo buffer overflows
- wv overflows
- libpng 2 denial of service
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
- madwifi remote exploit
- next kernel update
- gpg stack corruption
- evince code execution
- koffice PPT document denial of service
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums
or download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- xine-lib realmedia overflow problem
A bug in the XINE libraries that could have caused a buffer overflow
in the real media plugin has been fixed. (CVE-2006-6172)
It is not clear to us how exploitable this problem is.
All SUSE Linux based products including xine-lib were affected.
- texinfo buffer overflows
Specially crafted texinfo files could crash the texinfo
utilities. (CVE-2006-4810)
This problem affected all SUSE Linux based distributions.
- wv overflows
Two integer overflows were found in the Microsoft Word converter
library "wv", which could potentially be used to crash programs
using this library or to even execute code.
- A LVL Count Integer Overflow Vulnerability was fixed.
- A LFO Count Integer Overflow Vulnerability was fixed.
Both problems have been assigned the Mitre CVE ID CVE-2006-4513
and affect all SUSE Linux based products containing the "wv" package.
- libpng 2 denial of service
The sPLT chunk handling in libpng was incorrect and a handcrafted
PNG file could be use to cause an out-of-bounds read, effectively
crashing the PNG viewer or web browser. (CVE-2006-5793)
Additionally a 2 byte stack overflow was fixed which we do not
believe to be exploitable. It will cause an abort of the viewer
or web browser in SUSE Linux 10.0 and newer due to string overflow
checking. (CVE-2006-3334)
These problems were fixed for all SUSE Linux based distributions.
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
- madwifi remote exploit
A remote exploitable vulnerability was found in the Atheros madwifi
driver.
On the version on SUSE Linux Enterprise Desktop 10 it is possible
for a attacker physically close (WLAN range) to the machine to
overflow a kernel stack buffer and execute code.
On SUSE Linux 9.3 and 10.0 it is possible for a physically close
attacker to cause a kernel crash, but no code execution.
SUSE Linux Enterprise Server 9 contains the Atheros driver, but is
not vulnerable to the problem due to the age of the driver.
Other SUSE Linux and openSUSE versions do not contain the Atheros
driver.
This issue is tracked by the Mitre CVE ID CVE-2006-6332.
We are currently preparing fixed packages.
- Next kernel update
We are currently preparing the next kernel update round of our 2.6
kernels, scheduled to be delivered before Christmas.
There are no outstanding critical security problems, the release
target is mostly rolling in local denial of service problems and
other bugfixes.
- gpg stack corruption
A stack corruption which potentially can lead to code execution
was found in the GNU Privacy Guard, versions 1 and 2. This issue
is tracked by the Mitre CVE ID CVE-2006-6235.
Updates are currently in QA.
- evince code execution
The PDF and Postscript viewer evince is also affected by the
postscript triggered stack overflow found in "gv", tracked by the
Mitre CVE ID CVE-2006-5864.
Updated packages for this problem are currently in QA.
- koffice PPT document denial of service
A denial of service (crash) with PPT documents was reported in the
Laola import filters of koffice.
QA found that those problems are not fully fixed yet and we are
currently reviewing and fixing the rest of them.
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file containing the announcement.
The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and integrity of a
package needs to be verified to ensure that it has not been tampered with.
The internal RPM package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on RPMv4-based
distributions) and the gpg key ring of 'root' during installation. You can
also find it on the first installation CD and included at the end of this
announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security(a)opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe(a)opensuse.org>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (FAQ)
send mail to <suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBRXmHVXey5gA9JdPZAQI1zAgAiAnrG3HNKRN7uMF7qKf2ZAKStp5Fe93v
24e2VByrqh6nhoXbjMf1R7HQZ3GFKs/Hty0/NsFN1ZEMwivTEwfxHFu23sAkvcly
3CPFlgefTfvJ4P/q+CtwQ1a0GyGCUVfr8tZmTALCPc10zubqOMMfpmdJlg1zyTeT
SH3bdeA4eMNq0kXlHWvW8a8xZQ4+cZ/YMSTyFFavms1e2aVieMABwJ28X1DrgcVy
tVCXbO7XwsAD8wAoucQMXRF5J8sIzg2frpYTZMC0pB9K3YSBQ4EcwOPuGo7wfr3x
SvONkDodRTYmjBFwftLzConEeXSddhJMYL7eZhXj9UBHhN1ebTslvQ==
=qvAb
-----END PGP SIGNATURE-----
1
0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: mono-core
Announcement ID: SUSE-SA:2006:073
Date: Fri, 01 Dec 2006 16:00:00 +0000
Affected Products: Novell Linux Desktop 9
Open Enterprise Server
SLE SDK 10
SLES SDK 9
SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE SLED 10
SUSE SLES 10
Vulnerability Type: local privilege escalation
Severity (1-10): 5
SUSE Default Package: yes
Cross-References: CVE-2006-4799, CVE-2006-4800, CVE-2006-5072
CVE-2006-5973
Content of This Advisory:
1) Security Vulnerability Resolved:
Mono tempfile race might lead to privilege escalation
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
- dovecot off by one overflow
- xine-lib several overflows
- kdegraphics3 kfile_jpeg EXIF crashes
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
Sebastian Krahmer of SUSE Security found that the Mono
System.Xml.Serialization class contained a /tmp race which potentially
allows local attackers to execute code as the user using the
Serialization method.
This is tracked by the Mitre CVE ID CVE-2006-5072.
Packages for all affected distributions were released on November 10th,
and for SLE 10 on November 27th.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
Please close and restart all running instances of beagle (one user
of C# serialization) after the update.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
x86 Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/bytefx-data-mysql-1.1.13.8…
7b4abac64336eb30d5937b25aabe7494
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/ibm-data-db2-1.1.13.8-2.10…
66859d556f70601ca9b73d7b401f6985
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/mono-basic-1.1.13.8-2.10.i…
02b60b74291d274e763f90d34db1541f
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/mono-core-1.1.13.8-2.10.i5…
9036159cfa23d2d87434c053cf7d8999
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/mono-data-1.1.13.8-2.10.i5…
eb618bb94e3fe4ffedb155cb2c213624
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/mono-data-firebird-1.1.13.…
d02343e65f86dbbe12b29196bb5fdf2c
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/mono-data-oracle-1.1.13.8-…
d64bc8dd2687a516aadd13b3c554ea95
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/mono-data-postgresql-1.1.1…
a80d59f87ec8c37f339014485e4a39d4
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/mono-data-sqlite-1.1.13.8-…
dceba155389e2427ae71fa0997142842
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/mono-data-sybase-1.1.13.8-…
09d51fa450bacc0eea814c32c5dcbec5
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/mono-devel-1.1.13.8-2.10.i…
3f57ef06657bac839837fefeef45b0ec
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/mono-extras-1.1.13.8-2.10.…
83b41f4bdfb04e8ee7afd0ef0796aa17
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/mono-jscript-1.1.13.8-2.10…
aeb8b0d7490918bfb4777f1d472529e9
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/mono-locale-extras-1.1.13.…
6715990b4674d06897929e892758d656
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/mono-nunit-1.1.13.8-2.10.i…
eb37fcf30228a1e3a4be1030f02d163d
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/mono-web-1.1.13.8-2.10.i58…
cf507f8fb0d351ee109acfbcf742af2f
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/mono-winforms-1.1.13.8-2.1…
36e253dceff26c6d8665842d2092d2a8
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/bytefx-data-mysql-1.1…
8723e97076ed998aedb5c149745a4240
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/ibm-data-db2-1.1.8.3-…
82a201ed72c8ccf6e564063b036756f6
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mono-basic-1.1.8.3-6.…
e6b5ea2f15319e9bbf7f06bbdd564af5
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mono-core-1.1.8.3-6.3…
a2cb5556848cd0dfa9ad8eae3f4c4eb2
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mono-data-1.1.8.3-6.3…
e96d50f8c57e97f01b09bf45df6d5caa
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mono-data-oracle-1.1.…
ec79d94d2c77199fcda0e0a1b345e79e
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mono-data-postgresql-…
1725efd5f7231007cbafde6dbb17d6d3
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mono-data-sqlite-1.1.…
defe0b0095be00f5db4ce6a68e0768da
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mono-data-sybase-1.1.…
0935ede50fd97451dceca2429a94b69c
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mono-devel-1.1.8.3-6.…
f64733249eaa4cfdcb5bc18da199136b
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mono-extras-1.1.8.3-6…
f85c62aca21da3c246487e7acaa46279
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mono-ikvm-1.1.8.3-6.3…
6297e9c7666b6982b8f2fe681b65eeb5
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mono-locale-extras-1.…
f81c3d2f2e4cb78923fe97c476f51f8e
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mono-nunit-1.1.8.3-6.…
f5364d8503d3b0224a02602db6fd3ac2
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mono-web-1.1.8.3-6.3.…
ecda8771dd681ea6b59c5299e0feaf02
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mono-winforms-1.1.8.3…
ea5b6cf547461a7dd0acbabd6f1c6e5f
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/bytefx-data-mysql-1.1.…
1a547c3c0ab97e5055ceaf3d31dbdb3a
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/ibm-data-db2-1.1.4-15.…
087cdd86b5f7b5d9cbbda2a2f9d27bd1
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mono-basic-1.1.4-15.2.…
3b423876c8143c012431810d56d5efbc
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mono-core-1.1.4-15.2.i…
58345dff171b360a90ff551e9d41af8b
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mono-data-1.1.4-15.2.i…
c2f4a478f0b6e928b1ceaec1be0b9471
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mono-data-oracle-1.1.4…
44470ab6051edcd175463cdd891729ce
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mono-data-postgresql-1…
01df17ef51f4dd2ca09720ddfabc2479
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mono-data-sqlite-1.1.4…
412e9c9b7e1c1a34484242cab4cad458
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mono-data-sybase-1.1.4…
19e03e53d58589369fdebb168d7a73f1
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mono-devel-1.1.4-15.2.…
c310e0e401f7c6e199c8da324b9ffd9d
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mono-extras-1.1.4-15.2…
3a21f822e56267d0b9f4401430e96abb
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mono-ikvm-1.1.4-15.2.i…
4f5667eacc74fda44bd90d4f3e9c337e
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mono-locale-extras-1.1…
8a53abf982e0d1b0ca85bba71ec65635
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mono-web-1.1.4-15.2.i5…
c458032d6863a1f1eab9a020031e735a
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mono-winforms-1.1.4-15…
308768cbcf198fa1ec3172e26e9d67d1
Power PC Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/bytefx-data-mysql-1.1.13.8-…
9313cea2c9dec8f52cdfe4441248ee54
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/ibm-data-db2-1.1.13.8-2.10.…
a9e6e92384d55db7ab84498997ff95b5
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/mono-basic-1.1.13.8-2.10.pp…
c5d31bd0f0897a093d058efb3e9d36ee
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/mono-core-1.1.13.8-2.10.ppc…
5f08a5f5ceed82e3a2029af9fe44243e
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/mono-data-1.1.13.8-2.10.ppc…
c77b18deac849e205a686140dc577077
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/mono-data-firebird-1.1.13.8…
096347d6190bbd6952f34a06191c0b5b
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/mono-data-oracle-1.1.13.8-2…
068132b00bf66578afd0f57a02fbc0f3
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/mono-data-postgresql-1.1.13…
a7633423935807d8ec63af34c140126f
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/mono-data-sqlite-1.1.13.8-2…
7d679cd2374a89c3def920368bbcd689
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/mono-data-sybase-1.1.13.8-2…
19ebb43356078a17b7e962db58ac8058
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/mono-devel-1.1.13.8-2.10.pp…
8274b40f614ab66d8e588f284a1e654b
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/mono-extras-1.1.13.8-2.10.p…
abd9e49ffaaabb50d9e9dfdc7c02bf2a
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/mono-jscript-1.1.13.8-2.10.…
70f9d55dd1078ac976431bd2b3246368
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/mono-locale-extras-1.1.13.8…
918878cbbe1e0a9a59058f6d81433751
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/mono-nunit-1.1.13.8-2.10.pp…
a5a3de007da4558073bc00a2019ba5aa
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/mono-web-1.1.13.8-2.10.ppc.…
e2208039b64330e34aac9ec7020a063c
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/mono-winforms-1.1.13.8-2.10…
ec89803672bb0d000f238009927343e7
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/bytefx-data-mysql-1.1.…
89141c520781244c275ff2e2d8b4c1b5
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/ibm-data-db2-1.1.8.3-6…
968f25f3c344929b2f1754f4f9f5a0fc
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mono-basic-1.1.8.3-6.3…
8dcb79d36fda7785124038240bb40df0
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mono-core-1.1.8.3-6.3.…
50675e0b79610192a8f38fdaf4b655a3
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mono-data-1.1.8.3-6.3.…
d13657008290fc055958fac933b15beb
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mono-data-oracle-1.1.8…
0829dd512ffe36216eba935288a37aff
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mono-data-postgresql-1…
71a78c27a97f620774c23b4a5ae9e1ac
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mono-data-sqlite-1.1.8…
b4709e8c29aea15d130cd3df58e198f2
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mono-data-sybase-1.1.8…
1b84a559b9c91895187707e08df7bb81
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mono-devel-1.1.8.3-6.3…
dbf8dc82c1b56af047402424fa36e889
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mono-extras-1.1.8.3-6.…
52dc5bd08e8d0838a190d32abe6d9360
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mono-ikvm-1.1.8.3-6.3.…
006f73bc4a0376aa6dcdb476773fac7f
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mono-locale-extras-1.1…
f4e37b49b4cd0cba088d1cbce4b6a106
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mono-nunit-1.1.8.3-6.3…
d0d846db02bdfd31225fbceeb99a83d9
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mono-web-1.1.8.3-6.3.p…
25e0ce59ffc1cc50eab7381029d9f37b
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mono-winforms-1.1.8.3-…
12c2317e35c03901605d35828ad97559
x86-64 Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/bytefx-data-mysql-1.1.13…
2f9b1e124a86cd8d9434dc34ae704e34
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/ibm-data-db2-1.1.13.8-2.…
eb35e4758f2367f14e63f93653d93929
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/mono-basic-1.1.13.8-2.10…
e45fc3b3d4f6e6738e1be4a7756b3b87
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/mono-core-1.1.13.8-2.10.…
022fcc53335d2521eef17fd2d9d5d65e
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/mono-core-32bit-1.1.13.8…
14aa868bfeeb53ccd484c542db37ca8f
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/mono-data-1.1.13.8-2.10.…
3bc6667d6f053b9d737feee86548187a
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/mono-data-firebird-1.1.1…
0c5701fe6cb9689876d81edaa85376f1
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/mono-data-oracle-1.1.13.…
c8c1f41f8dfd7053c20e831a4ef0dab9
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/mono-data-postgresql-1.1…
ebd0e9c450d432e9d0330d535cf49e5f
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/mono-data-sqlite-1.1.13.…
a13b9d5c42edcaf106fff4fa5518a25a
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/mono-data-sybase-1.1.13.…
e3906044737c10c7703908171adf3f57
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/mono-devel-1.1.13.8-2.10…
f467c3939b354ed578f7157d8ef31ba7
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/mono-extras-1.1.13.8-2.1…
d2f67c4278dff46c6467a5aa5d5ae21a
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/mono-jscript-1.1.13.8-2.…
02e8931e0c337c91d7659ad6a6411f3e
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/mono-locale-extras-1.1.1…
bc6f46f246e4a04db7ce73c4a9a8e14a
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/mono-nunit-1.1.13.8-2.10…
0c8256c4fb7cf7260871e260051e9cb8
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/mono-web-1.1.13.8-2.10.x…
44662d4d9dcbe2dcfdaed5aadf0d3280
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/mono-winforms-1.1.13.8-2…
3f1f16b27a5e82d4ec21813ff6d20de6
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/bytefx-data-mysql-1…
faaafa4a6b2697b64002a0e54d966fb5
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/ibm-data-db2-1.1.8.…
9bc2cc6f76d3ab0a3fa40e432ce8a5a5
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mono-basic-1.1.8.3-…
b34db12ed5a82a0e421024924b8c9d35
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mono-core-1.1.8.3-6…
9012ea42ee4342f5f33d0441d343dfbc
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mono-core-32bit-1.1…
44a8e61f033f307894649a5f426a0201
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mono-data-1.1.8.3-6…
8368c48caf6f752b5b95eb4eba3fd328
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mono-data-oracle-1.…
8ac64af18626a2a781ad07dd94c06d98
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mono-data-postgresq…
569cf2d488ceb8c75ce24509255db131
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mono-data-sqlite-1.…
aa45bd963f675134c562cf337656a431
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mono-data-sybase-1.…
d27ef73513e09f0e13198ac917de4f5a
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mono-devel-1.1.8.3-…
a9a6390486569dd2a30404c2a1c720d1
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mono-extras-1.1.8.3…
952679113589f9568203b0f65e353be7
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mono-ikvm-1.1.8.3-6…
8e8477d1f0dbf6c58372655b94b2e763
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mono-locale-extras-…
b24ef527a716c2828bcbde7c64554f55
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mono-nunit-1.1.8.3-…
18b311d2694fec20cb8e91cace644b7a
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mono-web-1.1.8.3-6.…
58e7313cc4497968024c97bf9d0391e1
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mono-winforms-1.1.8…
92ba868cfa14ec498100e5dd65ed907d
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/bytefx-data-mysql-1.…
b0826412e85bbff760b5779fdc80ec94
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/ibm-data-db2-1.1.4-1…
98bd39be148e960ad27d8069c2adf8d1
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mono-basic-1.1.4-15.…
156ae0023277a6160e87acc6ca8900d9
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mono-core-1.1.4-15.2…
4fb514b18b529705623f7e6a0a215f19
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mono-data-1.1.4-15.2…
db7ae6e63b7723c9f098c1e1ae8b4fd2
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mono-data-oracle-1.1…
5b703b05cd53c20425ef68705c9373f8
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mono-data-postgresql…
a29f36a0cac395178ac22be57821862e
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mono-data-sqlite-1.1…
31a71ffbd976fb28c9d68d69faa8bcfd
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mono-data-sybase-1.1…
241c1862886fd0a36afb17113a72858a
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mono-devel-1.1.4-15.…
b884e230f98ed60c5e75da726a498349
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mono-extras-1.1.4-15…
bd0a1137352eec2f3a8bc0d02f779a57
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mono-ikvm-1.1.4-15.2…
32f13ab54aafbd90ab70813c81bc4bb7
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mono-locale-extras-1…
776af4929c99c7c5169baa9c9e114b91
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mono-web-1.1.4-15.2.…
d96f093d040a9f4b8d778a86a7b816e7
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mono-winforms-1.1.4-…
3e542aca65ef4dfbe9e395c3427f93c4
Sources:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/mono-core-1.1.13.8-2.10.src…
331cc1e61190283b14483c43a542b249
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/mono-core-1.1.8.3-6.3.…
3d571d3a89e8b002b5adf330eb77fabc
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/mono-core-1.1.4-15.2.sr…
bef98a4d3e3ecc2ce308b65b3614c701
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
SUSE SLES 10
http://support.novell.com/techcenter/psdb/d0045f4fdf109a52c8482692f86759ac.…
SLE SDK 10
http://support.novell.com/techcenter/psdb/d0045f4fdf109a52c8482692f86759ac.…
SUSE SLED 10
http://support.novell.com/techcenter/psdb/d0045f4fdf109a52c8482692f86759ac.…
SLES SDK 9
http://support.novell.com/techcenter/psdb/375ca96db35d471ce78d859b07e10e7a.…
Novell Linux Desktop 9
http://support.novell.com/techcenter/psdb/375ca96db35d471ce78d859b07e10e7a.…
Open Enterprise Server
http://support.novell.com/techcenter/psdb/76c31e721b09466bd2ae950409714b5b.…
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
- dovecot off by one overflow
Off-by-one buffer overflow in Dovecot 1.0 versions, when index
files are used and mmap_disable is set to "yes," allows remote
authenticated IMAP or POP3 users to cause a denial of service (crash)
via unspecified vectors involving the cache file. (CVE-2006-5973)
This update only affects SUSE Linux 10.1 and was released on
November 27th.
- xine-lib several overflows
Multiple buffer overflows were fixed in the XINE decoder libraries,
which could be used by attackers to crash players or potentially
execute code.
CVE-2006-4799: Buffer overflow in ffmpeg for xine-lib before 1.1.2
might allow context-dependent attackers to execute arbitrary code
via a crafted AVI file and "bad indexes".
CVE-2006-4800: Multiple buffer overflows in libavcodec in ffmpeg
before 0.4.9_p20060530 allow remote attackers to cause a denial of
service or possibly execute arbitrary code via multiple unspecified
vectors in (1) dtsdec.c, (2) vorbis.c, (3) rm.c, (4) sierravmd.c,
(5) smacker.c, (6) tta.c, (7) 4xm.c, (8) alac.c, (9) cook.c, (10)
shorten.c, (11) smacker.c, (12) snow.c, and (13) tta.c.
This update was released on 27th of November and affects all SUSE
Linux based products containing xine-lib.
- kdegraphics3 kfile_jpeg EXIF crashes
The KFILE JPEG plugin that is responsible for displaying meta-data
of JPEG files was affected by some old common vulnerabilities in
EXIF handling.
A JPEG file could be prepared with an EXIF section with endless
recursion that would overflow the stack and cause the plugin and so
the image browser (konqueror, digikam or other kfile users) to crash.
This problem can only be used for denial of service attacks.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum <filename.rpm>
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security(a)suse.de) the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security(a)opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe(a)opensuse.org>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (FAQ),
send mail to <suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iQEVAwUBRXBKdHey5gA9JdPZAQIjtgf/b9OEcg3h8ngyZWdIsOS7kokhQqof6uHR
q/J23LUsBdv0sRmRN4/xBKURTOZtBBlYE/VPKGFOrtwzf4CD3ih3qJGut4OAQovb
EDXhu0/zYfrFFwjfhZsYC4Ek+5aemvsj6t+igVULbX6FSeulDgHNtAcOyfPCviad
FlD/l75p+c3McthaLH8VLuJ+hKXRMFW42cwqGBEkkdhDz+0E0/P1HfT6o+Z3Zrql
wS+i7iM/krGHd2a30NoNO0VI/ZO5TbOiN0RXsKt1AJpvARcFHxAGBFOMm9EtU2/q
j4C4cLImTL+nvHorWUhKWlC9QHkPQvRyc2ujlgPNR92OiXoJDoM/Uw==
=wHrU
-----END PGP SIGNATURE-----
1
0