February 2006 - openSUSE Security Announce

SUSE Security Announcement: kernel various security problems (SUSE-SA:2006:012)
by Marcus Meissner 27 Feb '06

27 Feb '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: kernel Announcement ID: SUSE-SA:2006:012 Date: Mon, 27 Feb 2006 16:00:00 +0000 Affected Products: SUSE LINUX 9.3 SUSE LINUX 9.2 SUSE LINUX 9.1 SuSE Linux Desktop 1.0 SuSE Linux Enterprise Server 8 SUSE SLES 9 UnitedLinux 1.0 Vulnerability Type: various security problems Severity (1-10): 8 SUSE Default Package: yes Cross-References: CVE-2004-1058, CVE-2005-2553, CVE-2005-3356 CVE-2005-3358, CVE-2005-3623, CVE-2005-3808 CVE-2005-3847, CVE-2005-3848, CVE-2005-3858 CVE-2005-4605 Content of This Advisory: 1) Security Vulnerability Resolved: various kernel security problems Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: none 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion The Linux kernel has been updated to fix various security problems. All SUSE Linux versions and products are affected, the exact affected versions are listed per entry. A SUSE Linux 10.0 kernel update was released 2 weeks ago, also fixing the issues listed in here. (SUSE Linux Enterprise Server is abbreviated as SLES, Novell Linux Desktop as NLD, and Open Enterprise Server as OES). - CVE-2005-3623: Remote users could set ACLs even on read-only exported NFS filesystems and so circumvent access control. Affected: All SUSE Linux based products. - CVE-2004-1058: A race condition was fixed which could allow local users to read environment variables of another process. This is a reissue of an earlier fix in the 2.6 kernel also present in the 2.4 kernel. SUSE Linux Enterprise Server 8 and SUSE Linux Desktop 1 are affected. - CVE-2005-2553: Fixed an oops when a 64bit binary was traced with a 32bit ltrace. This problem only affects SLES 8 for x86-64. - CVE-2005-3356: A double decrement in mq_open system call could lead to local users crashing the machine. This problem affects SUSE Linux 9.1 up to 9.3, SLES 9, and NLD 9 and OES. - CVE-2005-3358: A 0 argument passed to the set_mempolicy() system call could lead to a local user crashing the machine. This problem affects SUSE Linux 9.1 up to 9.3, SLES 9, and NLD 9 and OES. - CVE-2005-3848: A dst_entry leak in the icmp_push_reply could be used to exhaust system memory. However this problem happens only on machines which are already nearly memory starved. This problem affects SUSE Linux 9.1 up to 9.3, SLES 9, and NLD 9 and OES. - CVE-2005-3858: A memory leak in the ip6_input_finish function in ip6_input.c might allow attackers to cause a denial of service via malformed IPv6 packets with unspecified parameter problems, which prevents the SKB from being freed. This problem affects SUSE Linux 9.1 up to 9.3, SLES 9, and NLD 9 and OES. - CVE-2005-4605: Kernel memory could be leaked to user space through a problem with seek() in /proc files . This problem only affects SUSE Linux 9.2 and 9.3 - CVE-2005-3847: The handle_stop_signal function in signal.c allows local users to cause a denial of service (deadlock) by sending a SIGKILL to a real-time threaded process while it is performing a core dump. This problem only affects SUSE Linux 9.3. - CVE-2005-3808: A 32 bit integer overflow on 64bit mmap calls could be used by local users to hang the machine. This problem only affects SUSE Linux 9.3. A number of additional non-security bugs were fixed, but are not listed here. Please check the separate maintenance information mails or the RPM changelogs (with rpm ---changelog -q name-of-kernel-rpm). 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes SPECIAL INSTALLATION INSTRUCTIONS ================================= The following paragraphs guide you through the installation process in a step-by-step fashion. The character sequence "****" marks the beginning of a new paragraph. In some cases, the steps outlined in a particular paragraph may or may not be applicable to your situation. Therefore, make sure that you read through all of the steps below before attempting any of these procedures. All of the commands that need to be executed must be run as the superuser 'root'. Each step relies on the steps before it to complete successfully. Note that usually it is sufficient to just run YaST Online Update to correctly update the kernel. Only if you are using manually changed bootloader configurations manual steps are necessary. **** Step 1: Determine the needed kernel type. Use the following command to determine which kind of kernel is installed on your system: rpm -qf --qf '%{name}\n' /boot/vmlinuz **** Step 2: Download the packages for your system. Download the kernel RPM package for your distribution with the name indicated by Step 1. Starting from SUSE LINUX 9.2, kernel modules that are not free were moved to a separate package with the suffix '-nongpl' in its name. Download that package as well if you rely on hardware that requires non-free drivers, such as some ISDN adapters. The list of all kernel RPM packages is appended below. The kernel-source package does not contain a binary kernel in bootable form. Instead, it contains the sources that correspond with the binary kernel RPM packages. This package is required to build third party add-on modules. **** Step 3: Verify authenticity of the packages. Verify the authenticity of the kernel RPM package using the methods as listed in Section 6 of this SUSE Security Announcement. **** Step 4: Installing your kernel rpm package. Install the rpm package that you have downloaded in Step 2 with the command rpm -Uhv <FILE> replacing <FILE> with the filename of the RPM package downloaded. Warning: After performing this step, your system may not boot unless the following steps have been followed completely. **** Step 5: Configuring and creating the initrd. The initrd is a RAM disk that is loaded into the memory of your system together with the kernel boot image by the boot loader. The kernel uses the content of this RAM disk to execute commands that must be run before the kernel can mount its root file system. The initrd is typically used to load hard disk controller drivers and file system modules. The variable INITRD_MODULES in /etc/sysconfig/kernel determines which kernel modules are loaded in the initrd. After a new kernel rpm has been installed, the initrd must be recreated to include the updated kernel modules. Usually this happens automatically when installing the kernel rpm. If creating the initrd fails for some reason, manually run the command /sbin/mkinitrd **** Step 6: Update the boot loader, if necessary. Depending on your software configuration, you either have the LILO or GRUB boot loader installed and initialized on your system. Use the command grep LOADER_TYPE /etc/sysconfig/bootloader to find out which boot loader is configured. The GRUB boot loader does not require any further action after a new kernel has been installed. You may proceed to the next step if you are using GRUB. If you use the LILO boot loader, lilo must be run to reinitialize the boot sector of the hard disk. Usually this happens automatically when installing the kernel RPM. In case this step fails, run the command /sbin/lilo Warning: An improperly installed boot loader will render your system unbootable. **** Step 7: Reboot. If all of the steps above have been successfully completed on your system, the new kernel including the kernel modules and the initrd are ready to boot. The system needs to be rebooted for the changes to be active. Make sure that all steps have been completed then reboot using the command /sbin/shutdown -r now Your system will now shut down and restart with the new kernel. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/Intel-536ep-4.69-10.5.… 726987fcb2e29a3e6e8d413c1a5dfe1d ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-bigsmp-2.6.11.4… c543d65d53d4169e734c058020d567ec ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-bigsmp-nongpl-2… b37dc9424cf567c7736e7ae319e73562 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-default-2.6.11.… de248d731063686bc283beafa031b537 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-default-nongpl-… 6d193d0deaf3777821849cc61802ff65 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-smp-2.6.11.4-21… 5eb3a6dc960720d8d93cde49ec7700f8 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-smp-nongpl-2.6.… 9f6a944e6f901072d6ce48fbaa1290f0 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-source-2.6.11.4… 62ab0ddbcc4e3d01090b7b5fafd38d8a ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-syms-2.6.11.4-2… 7f73075bdd31464db500d644b97edc81 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-um-2.6.11.4-21.… 02486777b820d02b425fed71a4c5019f ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-um-nongpl-2.6.1… 15dfaf2802842860f478f171eda39af1 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-xen-2.6.11.4-21… 1f9636bf36fddc76aaf057651a45309e ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-xen-nongpl-2.6.… 1078b4a0182fe0c4cec06c9547fb1a9e ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/ltmodem-8.31a10-7.5.i5… 78c81eb9d6c5779343c3e29e81030308 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/um-host-install-initrd… 61fbfde10f475ea4c0d724d87d63501f ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/um-host-kernel-2.6.11.… 19a7f29a385995702ac30407be70d6d2 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/Intel-536ep-4.69-5.13.… 73fa6376eb84222b2fffa6483eab7afc ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-bigsmp-2.6.8-24… 6c81a75b8fec4b14fc9e4365c187f00d ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-bigsmp-nongpl-2… aa22cc2a3d959f790ec8523e4019c747 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-default-2.6.8-2… 3890821a67d7d60ffff0caffc2cab778 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-default-nongpl-… 7511e2f0934af8eae4bb3179e7840fbd ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-smp-2.6.8-24.20… 7117c43424009f3c2eb2921e8fbc95ed ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-smp-nongpl-2.6.… c1d885bfb6675ae69e3b1692f5fc946a ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-source-2.6.8-24… 05236f7ce1b52ab54961ad527ce805e7 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-syms-2.6.8-24.2… 7dc21ec2ccd8dbe4e5d87b41c836bbaf ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-um-2.6.8-24.20.… f8ce8a36267968fc939a0ee2599e157e ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-um-nongpl-2.6.8… 2e9cfb9aef2447aa952f527eded19c24 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/ltmodem-8.31a8-6.13.i5… 0b131a3243a8b6afd9a8e945b1af2fd4 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/um-host-install-initrd… 1f3c40dc3cf9438fefeeb5eab8d4197e ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/um-host-kernel-2.6.8-2… aace00350fb0297a2f028699b4668697 SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/antivir-2.1.0-20.4.i58… d6b302c940c8430fab37d9aa9a5e1214 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/drbd-0.7.14-0.6.i586.r… 785040d76717cd8083e256000b7f63d5 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-bigsmp-2.6.5-7.… 5a6544c2a26a3a3dc155198138eaa83f ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-default-2.6.5-7… 02711564583edfb898433c549b09bd7d ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-smp-2.6.5-7.252… b5703b2f2546e67b1d0ff984a4293cd0 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-source-2.6.5-7.… 591e787dda803b499e6c10d25e05b770 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-syms-2.6.5-7.25… 0b55769312b026a1b9cd4bae2c391d98 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/km_antivir-2.1.0-20.4.… 266fd61aeb1861dc076d445117f66baf ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/km_drbd-0.7.14-0.6.i58… c1627d9ba295289524d174e13610f09b ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/ltmodem-2.6.2-38.22.i5… 8e6287ab9fcc3992fb49afadc797da45 Platform Independent: SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/noarch/kernel-docs-2.6.11.4… cb887f584a0c8f8b37638bab10407d73 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/noarch/kernel-docs-2.6.8-24… 62a62a57d97af0ee27a1d9e2f1b5477b SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/noarch/kernel-docs-2.6.5-7.… 936c10c7337f5d6bfde60066fd457989 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/noarch/kernel-docs-2.6.5-… d8ee9fb3b0423be9ced1e4c2e7de8f05 x86-64 Platform: SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-default-2.6.1… e8bd3166ade78e0f33ba7a065add24ba ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-default-nongp… e6ec8fd3780b20bf49bf261d10d4423e ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-smp-2.6.11.4-… 73382acf65787d53973ca779bf0579cc ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-smp-nongpl-2.… 27527e2d10b6b37243009d61ff2ff6f8 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-source-2.6.11… 45e2b2428d73e4367f03eb9841b7074e ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-syms-2.6.11.4… db2912ac4b3e7ba4cac7d5eb0e3120f5 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-default-2.6.8… 88ed9d91a4414f7f4e39e899ca7a7ef4 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-default-nongp… 5425d91d11a695b36415384be9536cf9 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-smp-2.6.8-24.… 8670c9bc84d9a4d493e4b18aee1c29b2 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-smp-nongpl-2.… b340a89c163944042c0a214795a3ad7b ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-source-2.6.8-… 66b91efb196d3461d29d90ba8e19c747 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-syms-2.6.8-24… 2f3a689fb2e5e286e15e573739828d99 SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/drbd-0.7.14-0.6.x8… 7b99fc2ceef67fd5e23b22b325f2dcd4 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-default-2.6… 1e7e270cbbd76e8af428f7dd7c59d2b8 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-smp-2.6.5-7… c60de58a4feed20754aa202bc5545149 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-source-2.6.… 9dff984bb8294fac593591db3f5ff9df ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-syms-2.6.5-… 8cfefc4446f2fc70e5fcbae2b1c5e8b9 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/km_drbd-0.7.14-0.6… 097429f49530fddbed45f3122a66f91a Sources: SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/Intel-536ep-4.69-10.5.s… 18dba7c11f866a58e39a12e79319be85 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-bigsmp-2.6.11.4-… a9374b06cca86ce9a8373c43c17ac9e4 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-default-2.6.11.4… b25622507b1903ef0f3bf848839ce08d ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-docs-2.6.11.4-21… c9381f3813e7af4fa9cf4cc9ce5621ff ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-smp-2.6.11.4-21.… 9b83f383688e1e2cddc5a40c3bda99d4 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-source-2.6.11.4-… 4ad088fa0b6607c5d7fce5d0fad1ae52 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-syms-2.6.11.4-21… 47b05b06a6676e2b781e648e37dc69b0 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-um-2.6.11.4-21.1… f551a23519fbf78341cb67ec4724982f ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-xen-2.6.11.4-21.… a0885202b09e6b10e392707111f58942 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/ltmodem-8.31a10-7.5.src… dd70e4bf36e779f4b17adb1736dc8f35 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/um-host-install-initrd-… 5f7c7741a6adc9dc5100eeadbdf2f7c6 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/Intel-536ep-4.69-5.13.s… 52499e0c322a0ca5c5cf90893cf0b0d1 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kernel-bigsmp-2.6.8-24.… 9f34cf79d1700bcd0c0f1058ef247edb ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kernel-default-2.6.8-24… 840876249319d785e5cc45e5bf1490c8 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kernel-docs-2.6.8-24.20… 6cb3fc2605a81385726b77aad68e9e4a ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kernel-smp-2.6.8-24.20.… 8dacc62d42fc39a483da38fa08a1276d ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kernel-source-2.6.8-24.… 29c05920ac9106aad6d6d030ff6fca7b ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kernel-syms-2.6.8-24.20… 3af6d2ffea1c50db219e990665d81a56 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kernel-um-2.6.8-24.20.n… 9be5e2ab15164b15e494b11f53f6118d ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/ltmodem-8.31a8-6.13.src… 17eea8abe7a7bb2f6fc7c029e05be7a2 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/um-host-install-initrd-… 16b975dfc87624197e50d840657f8751 SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/antivir-2.1.0-20.4.nosr… 4b79dc800753b16483f304a6511ce8bf ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/drbd-0.7.14-0.6.src.rpm 30182af29f0f23b90c0fe14005a730a9 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-bigsmp-2.6.5-7.2… bc02096441207893cf47d2be7c8b06ea ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-default-2.6.5-7.… 9e3601a5dbc80c014e54281709e0fe61 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-docs-2.6.5-7.252… 5f4f416be9c8a82930187001970a6d1c ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-smp-2.6.5-7.252.… 1d3eb0c88355dab211f708e6cc8e54e0 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-source-2.6.5-7.2… 21e6098484c4dcec2601dd08b945b308 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-syms-2.6.5-7.252… c2008e98d134ba1566a782dd122ebd8a ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/ltmodem-2.6.2-38.22.src… 4581214c4fea38c7524465361a68e57c ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/drbd-0.7.14-0.6.src.r… 72f1beb412f7e1ca417de9f1e7569304 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-default-2.6.5-… 976703d007470f12a822da6ce664d129 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-docs-2.6.5-7.2… e99e2496532756559fd5c67ee283df40 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-smp-2.6.5-7.25… 0c4edc9be7a9fb28c0b59d6117982b0a ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-source-2.6.5-7… c4e2f55f248e850f1bd7ec16ce17b6a7 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-syms-2.6.5-7.2… 784c069db96b17f32b10cd0673c41a92 Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/53a35f9c46a1492… http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/90a639b6799bfd6… http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/17f9d5ebb960b52… http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/fe38820436a873d… http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/91e977c7e67c3b2… http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/94a974abcf7178f… http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/804a98a9ce388ec… http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/87c56bb926a498c… http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/34f03dfffcde711… http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/908e2fc1ed6e9f5… http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/10563fc51e4a944… http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/823abab8a4920fc… http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/186f161a242ba93… http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/9a09b7069f90838… http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/93a74282e730b0e… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: none ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iQEVAwUBRAMLc3ey5gA9JdPZAQLGaQf+JYqgs3uUJWLHA0AYZcwnrJiVWs7y9Cj9 nZSROUqwbricdwqZ3VUBgN9AAJvLUvSTT3mbQI8vgSObG9gcd/Rn3c/jdvEfVpLh 35XhuC8Rueb4phkoO4YyL08GoWxJoTnRnyyykUN0T8gFrQgkAP3FymYMGFBZaoGM X7AgxyISg0WtbzH61og7I779MZrXJsG+m4pSK78RtKHyxi0rbybuK69f0zRJNpbp jPh204/fqcKYrtjz1wdu0OvreJjFoCf2MKzSV039UdFENFoFfrNjeDUL6RzH/r4A 2gJj3mkxwFC1LXaUyFwO4leBLJFSU4PRxqWunsPVdpXYwOBdUEeH9A== =4t6d -----END PGP SIGNATURE-----

1 0

SuSE Security Announcement: heimdal (SUSE-SA:2006:011)
by Thomas Biege 24 Feb '06

24 Feb '06

-----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SUSE Security Announcement Package: heimdal Announcement ID: SUSE-SA:2006:011 Date: Fri, 24 Feb 2006 12:00:00 +0000 Affected Products: SUSE LINUX 9.2 SUSE LINUX 9.1 SuSE Linux Desktop 1.0 SuSE Linux Enterprise Server 8 SUSE SLES 9 UnitedLinux 1.0 Vulnerability Type: remote denial of service Severity (1-10): 5 SUSE Default Package: no Cross-References: CVE-2006-0582 CVE-2006-0677 Content of This Advisory: 1) Security Vulnerability Resolved: local unauthorized file access, remote denial of service Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: none 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion Heimdal is a Kerberos 5 implementation from the Royal Institut of Techno- logy in Stockholm. This update fixes two bugs in heimdal. The first one occurs in the rsh daemon and allows an authenticated malicious user to gain ownership of files that belong to other users (CVE-2006-0582). The second bug affects the telnet server and can be used to crash the server before authentication happens. It is even a denial-of-service attack when the telnetd is started via inetd because inetd stops forking the daemon when it forks too fast (CVE-2006-0677). 2) Solution or Work-Around There is no work-around known. 3) Special Instructions and Notes Please make sure the affected daemons are restarted after the update. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/heimdal-0.6.2-8.6.i586… 3d3d6618cfb387ed34c324d805de0df0 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/heimdal-devel-0.6.2-8.… 7f885d8e091ce98a3bab1816d4165d3e ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/heimdal-lib-0.6.2-8.6.… 021f253a7df8d5ab3caa20b25ea67529 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/heimdal-tools-0.6.2-8.… 748a213e99d7a2be08eeb4496aecb478 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/heimdal-tools-devel-0.… 02b9f64f5be3822307102fb9d5842119 SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/heimdal-0.6.1rc3-55.21… 235b22414f6129d744f2f62ffccc7962 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/heimdal-devel-0.6.1rc3… 5c17e233db8c0b53798cab0d78f1ede1 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/heimdal-lib-0.6.1rc3-5… 17d0afc2004af42ebbeb8d77af724fe5 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/i586/heimdal-lib-32bit-9.… 38c61584528fa24ff04ece6705d21fb3 x86-64 Platform: SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/heimdal-0.6.2-8.6.x8… 1f899680ff31945963b55e49df6bcfda ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/heimdal-devel-0.6.2-… 1d65e94810c65ccff51b75066569c428 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/heimdal-devel-32bit-… 068244c514f752985be7c76c5a25418e ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/heimdal-lib-0.6.2-8.… 20b9598b6f5cfaf70de0d3a120f89182 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/heimdal-lib-32bit-9.… 93dc79bdf0fc7b7b4cd82a0c3769329e ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/heimdal-tools-0.6.2-… 31d1a3e3da2a794850b3e03710d5263c ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/heimdal-tools-devel-… 71b87841750ba89979c51c3148d315a0 SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/heimdal-0.6.1rc3-5… 226be123cb085fb50899ac8af82f5bda ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/heimdal-devel-0.6.… 658aa7a1969078842a0a9368402b83ff ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/heimdal-lib-0.6.1r… dafdcf2c26be6576916f5ba6cf3cd9f6 Sources: SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/heimdal-0.6.2-8.6.src.r… e7333885b6976b490164d28dbc00e905 SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/heimdal-0.6.1rc3-55.21.… ab5d0a61dbfb9df34dfa200bda28d04a ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/heimdal-0.6.1rc3-55.2… 0d7fc839fc86c6919931190dbdfbd88e Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/e3602ff9b11cc8f… http://portal.suse.com/psdb/e3602ff9b11cc8f4a33fff923a591a18.html http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/f1e0fa19e4bd47f… http://portal.suse.com/psdb/f1e0fa19e4bd47f5f481fa6abb284ed4.html ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: Please read the weekly summary report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux) iQEVAwUBQ/8bR3ey5gA9JdPZAQHdlgf8CwpOpCR37uEO/sMAjPPo6Iz+phmvQRzt Jtig17wxvVRguD2ZEEsaR2HM+XPiMRLKuFIDOSHpopI5m53uNjudJf8zSsJBScOC hnsqGA1LciGrVNua9SNMNLWCKf5Vo7Z0yXnlr2kJvkmvwJeBJ7o9/O0obCZ88dsi pWrzg1GfHUSOhz4LJbPNoIi0u8PeRn1UwHCCPKt7OCq2Pe74iufXiTmTGkDPCMRj ZKiMUnaDdjvw8v1Z+o/dGzv69/QYqBeew6IRRCZ6bhvk6waR54pRphIQx3AMpoJ7 jrtu1DzrsA61t/vN+OMVd0XRXboPFw6vpNDD47QodU8WOl5VjD6NMg== =gW4T -----END PGP SIGNATURE-----

1 0

SUSE Security Summary Report SUSE-SR:2006:004
by Marcus Meissner 24 Feb '06

24 Feb '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Summary Report Announcement ID: SUSE-SR:2006:004 Date: Fri, 24 Feb 2006 16:00:00 +0000 Cross-References: CVE-2005-3352, CVE-2005-3357, CVE-2005-3651 CVE-2005-4585, CVE-2006-0207, CVE-2006-0208 Content of this advisory: 1) Solved Security Vulnerabilities: - resmgr security problems - php4,php5 security problems - ethereal security problems - apache2 cross site scripting in imagemap and mod_ssl DoS 2) Pending Vulnerabilities, Solutions, and Work-Arounds: - various kernel security issues - gpg and liby2util affected on more distributions 3) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Solved Security Vulnerabilities To avoid flooding mailing lists with SUSE Security Announcements for minor issues, SUSE Security releases weekly summary reports for the low profile vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums or download URLs like the SUSE Security Announcements that are released for more severe vulnerabilities. Fixed packages for the following incidents are already available on our FTP server and via the YaST Online Update. - resmgr security problems The resmgr package was updated to fix following problems: - resmgrd granted access to all usb devices if access to one one usb device was granted via "usb:<bus>,<dev>" notation. - Class specific exclude rules did not match devices that set their class ID at interface level. This update also fixes the following non-security bugs: - a file descriptor leak - resmgrd often logged unnecessary ACL error messages - the init script cleared /var/run/resmgr/classes even if resmgrd was already running - php4,php5 security problems PHP4 and PHP5 were updated to fix the following security issues: - Cross-Site-Scripting (XSS) bugs (CVE-2006-0208), affecting both php4 and php5. - A problem with HTTP response splitting (CVE-2006-0207) using Set-Cookie headers allowed attackers to inject arbitrary HTTP headers. This update also fixes the following non-security issues: - crash when including more than one php script via SSI - the php5 binary is now compiled in "cli" mode instead of "gui" mode. This affects all SUSE Linux based products containing php4 or php5. - ethereal security problems This update of Ethereal fixes a stack-based buffer overflow in the dissect_ospf_v3_address_prefix function of the OSPF protocol dissector. This bug can be exploited remotely by sending crafted packets to execute arbitrary code (CVE-2005-3651). Additionally a bug in the GTP dissector was fixed to avoid a remote denial-of-service attack (CVE-2005-4585). All SUSE Linux based products are affected. This patch was released on Feb 6th. - apache2 cross site scripting in imagemap and mod_ssl DoS This update fixes the following security problems in the Apache2 web server modules: - a cross-site-scripting bug in the imagemap module mod_imap (CVE-2005-3352) - a bug in mod_ssl that allowed attackers to crash apache (CVE-2005-3357) This affects all SUSE Linux based products. This patch was released on Feb 7th. ______________________________________________________________________________ 2) Pending Vulnerabilities, Solutions, and Work-Arounds - Kernel security issues Various kernel security issues are known, for which we have prepared security updates. All the kernel patches have been released on Thursday, except the SLES 8 and SLES 9 kernels for the s390 and s390x (zSeries) platforms. When the latter ones have been released, a separate full security advisory will be published. - gpg and liby2util affected on more distributions While we have a released a security advisory for GPG signature problems in gpg and in liby2util for SUSE Linux 9.3 and 10.0 we have now found that other versions are affected too. We are preparing updates for the other affected versions and will release a separate advisory at this time. ______________________________________________________________________________ 3) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file containing the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and integrity of a package needs to be verified to ensure that it has not been tampered with. The internal RPM package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and included at the end of this announcement. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ) send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iQEVAwUBQ/8Yh3ey5gA9JdPZAQJqWQf/QMUuvUU1+9+g3hIWVp+W53jJhJ43/IjU LiC7l4FFs8bJIi8DtP48JFKP/v9GpvtRi1xZ/75rqUid7THytAiRThijXLEv2Rqb VgeMFoZJbiodxkX+2uBhV0QvUySFEgBWfXyF1KNO/JIKBeydAxenhMqvy3A4iukU rHgowDFEUDwA7QVkYpGu81Xt8d0N9pkpgNJ5APGrMY6goRPlc1Vcp40U2CmXc0nD tzmkU+J9aZhbUqkwCcLoTq9x27eY9vupElVuUnHw8D8e+JNM3wtze7eiU7MAymwd KDRS7bYBkxomzMiJG90Q4VcZbgX+1Zx8BOtze/5I922aVEStw+7ypg== =W7vn -----END PGP SIGNATURE-----

1 0

SuSE Security Announcement: heimdal (SUSE-SA:2006:010)
by Thomas Biege 24 Feb '06

24 Feb '06

-----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SUSE Security Announcement Package: heimdal Announcement ID: SUSE-SA:2006:010 Date: Fri, 24 Feb 2006 12:00:00 +0000 Affected Products: SUSE LINUX 9.2 SUSE LINUX 9.1 SuSE Linux Desktop 1.0 SuSE Linux Enterprise Server 8 SUSE SLES 9 UnitedLinux 1.0 Vulnerability Type: remote denial of service Severity (1-10): 5 SUSE Default Package: no Cross-References: CVE-2006-0582 CVE-2006-0677 Content of This Advisory: 1) Security Vulnerability Resolved: local unauthorized file access, remote denial of service Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: none 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion Heimdal is a Kerberos 5 implementation from the Royal Institut of Techno- logy in Stockholm. This update fixes two bugs in heimdal. The first one occurs in the rsh daemon and allows an authenticated malicious user to gain ownership of files that belong to other users (CVE-2006-0582). The second bug affects the telnet server and can be used to crash the server before authentication happens. It is even a denial-of-service attack when the telnetd is started via inetd because inetd stops forking the daemon when it forks too fast (CVE-2006-0677). 2) Solution or Work-Around There is no work-around known. 3) Special Instructions and Notes Please make sure the affected daemons are restarted after the update. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/heimdal-0.6.2-8.6.i586… 3d3d6618cfb387ed34c324d805de0df0 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/heimdal-devel-0.6.2-8.… 7f885d8e091ce98a3bab1816d4165d3e ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/heimdal-lib-0.6.2-8.6.… 021f253a7df8d5ab3caa20b25ea67529 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/heimdal-tools-0.6.2-8.… 748a213e99d7a2be08eeb4496aecb478 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/heimdal-tools-devel-0.… 02b9f64f5be3822307102fb9d5842119 SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/heimdal-0.6.1rc3-55.21… 235b22414f6129d744f2f62ffccc7962 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/heimdal-devel-0.6.1rc3… 5c17e233db8c0b53798cab0d78f1ede1 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/heimdal-lib-0.6.1rc3-5… 17d0afc2004af42ebbeb8d77af724fe5 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/i586/heimdal-lib-32bit-9.… 38c61584528fa24ff04ece6705d21fb3 x86-64 Platform: SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/heimdal-0.6.2-8.6.x8… 1f899680ff31945963b55e49df6bcfda ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/heimdal-devel-0.6.2-… 1d65e94810c65ccff51b75066569c428 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/heimdal-devel-32bit-… 068244c514f752985be7c76c5a25418e ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/heimdal-lib-0.6.2-8.… 20b9598b6f5cfaf70de0d3a120f89182 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/heimdal-lib-32bit-9.… 93dc79bdf0fc7b7b4cd82a0c3769329e ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/heimdal-tools-0.6.2-… 31d1a3e3da2a794850b3e03710d5263c ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/heimdal-tools-devel-… 71b87841750ba89979c51c3148d315a0 SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/heimdal-0.6.1rc3-5… 226be123cb085fb50899ac8af82f5bda ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/heimdal-devel-0.6.… 658aa7a1969078842a0a9368402b83ff ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/heimdal-lib-0.6.1r… dafdcf2c26be6576916f5ba6cf3cd9f6 Sources: SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/heimdal-0.6.2-8.6.src.r… e7333885b6976b490164d28dbc00e905 SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/heimdal-0.6.1rc3-55.21.… ab5d0a61dbfb9df34dfa200bda28d04a ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/heimdal-0.6.1rc3-55.2… 0d7fc839fc86c6919931190dbdfbd88e Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/e3602ff9b11cc8f… http://portal.suse.com/psdb/e3602ff9b11cc8f4a33fff923a591a18.html http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/f1e0fa19e4bd47f… http://portal.suse.com/psdb/f1e0fa19e4bd47f5f481fa6abb284ed4.html ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: Please read the weekly summary report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux) iQEVAwUBQ/8QUXey5gA9JdPZAQEaCQf8DiV9hNaGbKY+/SJCeZiPREe0hPHXvzEO 1K+bQ6ufM9aw5jHRw8Ej8yr2o4gOmKYaON+wT9jnsSrPoR927y634y/JwWmrUbS7 D0+jQF0LVX7cprjRvfmaT2uuAGjuKQsmJ7CD+qAS3JgghO7dZIAbP3tH05v37vXq yxKK64Zboz2Xt9P4H8jWiricIbnUje7iDMke27hjOHJk4WMpnbVaa+mk5GWkPSET 9jSzC3HBhp5NNCRymOg6JrN30Lm6wCOqotuHt2CXDI967B/H9km7Fc98f2/uSLoR aqf2uTv/+NKSSI4W0MaAlVP2nD06qd+tqocclwKs8S8K8ZliZf7Llw== =bSuU -----END PGP SIGNATURE-----

1 0

SUSE Security Announcement: CASA remote code execution (SUSE-SA:2006:010)
by Marcus Meissner 22 Feb '06

22 Feb '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: CASA Announcement ID: SUSE-SA:2006:010 Date: Wed, 22 Feb 2006 12:00:00 +0000 Affected Products: Novell Linux Desktop 9 Open Enterprise Server 1 Vulnerability Type: remote code execution Severity (1-10): 10 SUSE Default Package: yes Cross-References: CVE-2006-0736 Content of This Advisory: 1) Security Vulnerability Resolved: remote root exploit in CASA PAM handler Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion This update fixes a remotely exploitable stack buffer overflow in the pam_micasa authentication module. Since this module is added to /etc/pam.d/sshd automatically on installation of CASA it was possible for remote attackers to gain root access to any machine with CASA installed. This is tracked by the Mitre CVE ID CVE-2006-0736. 2) Solution or Work-Around Upgrade to the fixed packages. You can also deinstall CASA by doing: rpm -e CASA CASA-gui CASA-devel 3) Special Instructions and Notes None. 4) Package Location and Checksums The preferred method for installing security updates on Novell Linux Desktop 9 and Open Enterprise Server 1 is to use the Redcarpet frontends, either via the GUI interface or the "rug" commandline frontend. The packages are also offered for installation from the maintenance web: http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/eb79800a3d8a5cb… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iQEVAwUBQ/xCbXey5gA9JdPZAQK0cAgAhQ3FkPNrdVaGFeuZYd2rI+qhslVrox3e T+EXxAsT7Q7YBmb3/LzOHWRLkac+oS2DrLLoTwjPS4/6Xpp/j+CrAfsPFwsMyBtz A+N8aR+HUaYf4xVnvxRLnltk7HvL9i614PhMJJVLlXWYrfGeecbFqkGKvV4Lzc5J 0y2fEK2bf6rCD+uKgBCeekvAXIZfCW+MzdDj7FPpt9T+NoNZ0SGPiUFV5g2n0kdj Bg5phlIgoCZd4m07/l8Ie3Qy4kNaysf5QyUgoSwTVWoMWi0bA/u7KFKoiaaLs8tV IntSS8973GqaKJ42hMwjKIjSpYM1Nk2KFo1J5qtCkrmE7gGYMt8k+g== =4PpR -----END PGP SIGNATURE-----

1 0

SUSE Security Announcement: gpg,liby2util signature checking problems (SUSE-SA:2006:009)
by Marcus Meissner 20 Feb '06

20 Feb '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: gpg,liby2util Announcement ID: SUSE-SA:2006:009 Date: Mon, 20 Feb 2006 18:00:00 +0000 Affected Products: SUSE LINUX 10.0 SUSE LINUX 9.3 Vulnerability Type: remote code execution Severity (1-10): 9 SUSE Default Package: yes Cross-References: CVE-2006-0455 Content of This Advisory: 1) Security Vulnerability Resolved: gpg incorrect signature checking Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion With certain handcraftable signatures GPG was returning a 0 (valid signature) when used on command-line with option --verify. This only affects GPG version 1.4.x, so it only affects SUSE Linux 9.3 and 10.0. Other SUSE Linux versions are not affected. This could make automated checkers, like for instance the patch file verification checker of the YaST Online Update, pass malicious patch files as correct. This is tracked by the Mitre CVE ID CVE-2006-0455. Also, the YaST Online Update script signature verification had used a feature which was lost in gpg 1.4.x, making it possible to supply any kind of script which would be thought correct. This would also allow code execution. Both attacks require an attacker either manipulating a YaST Online Update mirror or manipulating the network traffic between the mirror and your machine. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes None. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/gpg-1.4.2-5.2.i586.rpm f1422c0264ff3e270a56d03d4b47e762 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/liby2util-2.12.9-0.3.… 9a6f3ee339303f3efd92121dedf441aa ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/liby2util-devel-2.12.… b504c0cf0f84039018ae1ac90d2e5292 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/gpg-1.4.0-4.2.i586.rpm fffa34f3034effa188cbeb942473e200 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/liby2util-2.11.7-0.3.i… a321ab146d07c50cc69a91352ac28bf7 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/liby2util-devel-2.11.7… 1215bcf8f061079dbe05b93b1d611818 Power PC Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/liby2util-2.12.9-0.3.p… 287ef59b3aec2b9aaaba0e17a9cbba27 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/liby2util-devel-2.12.9… f0bd4524c50c5e0a5613f70393ba4489 x86-64 Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/liby2util-2.12.9-0.… edcad55c6587b9322b5895f2e1ff3760 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/liby2util-devel-2.1… c6b4a827e8ab4dc6d14608ceeb3e3385 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/liby2util-2.11.7-0.3… 7cd1425a429b4637b34aa675d4eeaa85 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/liby2util-devel-2.11… 8d27157261b70a5bb51ab643d8dd1fe8 Sources: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/gpg-1.4.2-5.2.src.rpm 5098f06cba2e38aa0b5181fb3f9cd7f3 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/liby2util-2.12.9-0.3.s… 3107fb78311f00f01c484c1fa1ab26df SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/gpg-1.4.0-4.2.src.rpm 026b7d74d345815de958152305ffde09 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/liby2util-2.11.7-0.3.sr… 2663aecb5e77147aca6881bd92e570bb ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iQEVAwUBQ/n0GXey5gA9JdPZAQLVQAf+MRmnetOGuZJoTtNLVYKBLMI4rkQ4KIAE iFeoPTcJb9AyK6OY/axV4S+HWKiKxXQ7NZTweCiuaBQdypAxcN8UlhF2udfsAxuW mY/44/YaGgC00x/ycgjqK8yWUWE8RPgv3NM34XabUZl5SE/VkjaeR3hRCORvCk1W X2vguq9OY4avnOd4Urm3SK/dJY/RpQAct1/bQrGcaBpqKXTjYONiqw85sxgKztrR CkOh0kDHRX8De8NlQV1429awygobukk9sQJWf8eCCSfs5OpyTyKv7+GDfgq9X0a6 /7c/3gb2s/xbsZsuH9kd4/+YxHLXAo+kZOnWoTRbgyml3BedL4ZhZg== =pV1y -----END PGP SIGNATURE-----

1 0

SUSE Security Announcement: openssh (SUSE-SA:2006:008)
by Marcus Meissner 14 Feb '06

14 Feb '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: openssh Announcement ID: SUSE-SA:2006:008 Date: Tue, 14 Feb 2006 11:00:00 +0000 Affected Products: SUSE LINUX 10.0 SUSE LINUX 9.3 SUSE LINUX 9.2 SUSE LINUX 9.1 SuSE Linux Desktop 1.0 SuSE Linux Enterprise Server 8 SUSE SLES 9 UnitedLinux 1.0 Vulnerability Type: remote code execution Severity (1-10): 7 SUSE Default Package: yes Cross-References: CVE-2006-0225 Content of This Advisory: 1) Security Vulnerability Resolved: scp double expansion Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion A problem in the handling of scp in openssh could be used to execute commands on remote hosts even using a scp-only configuration. This requires doing a remote-remote scp and a hostile server. (CVE-2006-0225) On SUSE Linux Enterprise Server 9 the xauth pollution problem was fixed too. The security fix changes the handling of quoting filenames which might break automated scripts using this functionality. Please check that your automated scp scripts still work after the update. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes Please restart the sshd service after the update. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/openssh-4.1p1-10.4.i5… 3b4e0557d7d0a2b1d23b2c426af95df9 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/openssh-askpass-4.1p1… ac11a5ad265e171674485961472baaaf SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/openssh-3.9p1-12.4.i58… 2c6d16e14134a1a4f1aaba9ac4aef97f ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/openssh-askpass-3.9p1-… 4cab20c7e83f6de0e440383939e69ec5 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/openssh-3.9p1-3.6.i586… 9b8cf778290ac743fd07445799f79b1f ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/openssh-askpass-3.9p1-… 003115e216c2b36da09ec3679744ba3d SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/openssh-4.1p1-11.16.i5… 6e89bdd71e10933bf8e95dc7fad0c289 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/openssh-askpass-4.1p1-… 3d0446f739bcea3715e6945d253b0d53 Power PC Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/openssh-4.1p1-10.4.ppc… 3970357da536041d1ae3f7e42655aac7 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/openssh-askpass-4.1p1-… 6a79a95ece5bc7738998adad11205f2f x86-64 Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/openssh-4.1p1-10.4.… e9eec927db0859a76851d1b94fa7923d ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/openssh-askpass-4.1… b4a2b9cf969794d1deb1abd07f192786 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/openssh-3.9p1-12.4.x… 65416ca8578374fa4db63ed9e67f41a3 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/openssh-askpass-3.9p… 3fef6bb43541532a654b09dd46201f69 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/openssh-3.9p1-3.6.x8… 3373a79ef05695446f72fdc1a3ec2d44 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/openssh-askpass-3.9p… 37ac73c4c9a7723fdcaeb16671b4c6b9 SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/openssh-4.1p1-11.1… d04d20e03a63676d5c3349c382318194 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/openssh-askpass-4.… ea0deb3eef9970963af2c8c0adce6a7b Sources: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/openssh-4.1p1-10.4.src… 97ffd38b1144c4797d474c7de1eb6f51 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/openssh-3.9p1-12.4.src.… 1d43324b9d51941bf60e8e0bcbfa25c7 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/openssh-3.9p1-3.6.src.r… 647e4b45eba8dd5399c30dcb64db0c91 SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/openssh-4.1p1-11.16.src… cf86431c7c2b1b0b58f6a5f4fff92893 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/openssh-4.1p1-11.16.s… c04ea03236cd9955c5f21f8c15a35416 Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/c0a0e2dc5435936… http://portal.suse.com/psdb/c0a0e2dc5435936145cde433208b0b1b.html ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iQEVAwUBQ/Gy9Hey5gA9JdPZAQJWxAf/Q8qKnvA9R4Zz2v8NZ9wok7qUTuJJWhFa +vwrHjXaDgIcXUA+Lxz/R7MKFM6R5F7bVYhxq/YnumdULUKtW2kr9pBavIZdYjUj B6Qe1BlzL6XltLoSfwcTOyp9wGjhOc1rYlWzZHQRWV7Ea7P7jhxk9T4mYV2bVpUA LvayzxB7obs9OxX1zi/NL0yrPJ/mgtCWmojHVUmO4F2lKZIlWFCP6ml5YTjACppN yk3W+NxcI1nttc58aqlOFPTnwYeem7lyMu/G6dXaxpELmm69YWJy0e4yTmvU34d7 CDckONvwglxI4+WEJ7Yh3WCmXQwlpdS9nyXLXPte3bGPRS1d6M/j/w== =rrBZ -----END PGP SIGNATURE-----

1 0

SUSE Security Announcement: binutils,kdelibs3,kdegraphics3,koffice,dia,lyx (SUSE-SA:2006:007)
by Ludwig Nussel 10 Feb '06

10 Feb '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: binutils,kdelibs3,kdegraphics3,koffice,dia,lyx Announcement ID: SUSE-SA:2006:007 Date: Fri, 10 Feb 2006 15:00:00 +0000 Affected Products: Novell Linux Desktop 9 SUSE LINUX 10.0 SUSE LINUX 9.3 SUSE LINUX 9.2 SUSE LINUX 9.1 SUSE SLES 9 Vulnerability Type: local privilege escalation Severity (1-10): 6 SUSE Default Package: yes Cross-References: - Content of This Advisory: 1) Security Vulnerability Resolved: privilege escalation due to empty RPATH in binaries Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: - See SuSE Security Summary Report 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion A SUSE specific patch to the GNU linker 'ld' removes redundant RPATH and RUNPATH components when linking binaries. Due to a bug in this routine ld occasionally left empty RPATH components. When running a binary with empty RPATH components the dynamic linker tries to load shared libraries from the current directory. By tricking users into running an affected application in a directory that contains a specially crafted shared library an attacker could execute arbitrary code with the user id of the victim. 2) Solution or Work-Around Do not run affected binaries in directories that are writeable by other users. It is recommended to install the update packages. To fix self-compiled applications install the updated binutils package and relink the application. 3) Special Instructions and Notes Use 'objdump -p' to check whether a binary is affected. RPATH and RUNPATH must not contain a colon that is not surrounded by path names. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/binutils-2.16.91.0.2-… 5336c44f08baed1eb20e31672e376996 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kdegraphics3-3.4.2-12… 8fa8cadb9fc305648d809c43d078ee74 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kdegraphics3-3D-3.4.2… b04b5ea686bface4391d91b96a06b4b7 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kdegraphics3-imaging-… 4be879313304f774cc0e0721b9a4ca52 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kdegraphics3-scan-3.4… f93207a11a661c6beac8620693ceeb26 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kdegraphics3-tex-3.4.… bdcdbdfb5651faabb99493b861fda9b2 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kdelibs3-3.4.2-24.3.i… 82a02e5e55613d7cd60df86fbbb2b050 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kdelibs3-devel-3.4.2-… 68702ff3f54cca4d3e8c95fd1953b02b SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/binutils-2.15.94.0.2.2… 4cdc297d2ddc398829356d8032d2c570 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kdegraphics3-3.4.0-11.… f8364afec78108dcb3bb089112c9e486 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kdegraphics3-3D-3.4.0-… e8405aca4fb3ddf5a5fe38095891173f ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kdegraphics3-imaging-3… 1521df464699151917c5edebf7c0e9c8 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kdegraphics3-scan-3.4.… d5f69e63936e044c7668453643ebdb8d ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kdegraphics3-tex-3.4.0… c6db7f1b79c54fdbfee5306fb06d327c ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kdelibs3-3.4.0-20.11.i… 3986977230c6cf5e375652707599d086 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kdelibs3-devel-3.4.0-2… 13e39a04f8dcdb2235a4554a242c01d8 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/binutils-2.15.91.0.2-7… 574a32932f442d6ae097c62e67a804bb ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/dia-0.92.2-128.1.i586.… d3d6d553b0e3f1a1e44e67a1e79cc336 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kdegraphics3-3.3.0-13.… 0f9f1a102d15103fee1d1e6c29f70148 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kdegraphics3-3D-3.3.0-… 1ee1f29003e5333d777699d6b89b80f1 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kdegraphics3-imaging-3… dcf97cc31d22664de69e730f734479be ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kdegraphics3-scan-3.3.… 0e79d0489c8fe12b62964f3ab3c653a2 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kdegraphics3-tex-3.3.0… cec40000030a2db31d34bbe048581e9a ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kdelibs3-3.3.0-34.12.i… 27b0c1bfa0b2a683483b7122b34523aa ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kdelibs3-devel-3.3.0-3… 0a22a4ff2245610205a2275e41cd154a SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/binutils-2.15.90.0.1.1… d499c31bbd95986a70673d8cb11b99f4 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kdegraphics3-3.2.1-67.… ff479907370e9848e78b2762395457e0 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kdegraphics3-3D-3.2.1-… 9cf5e0afd4a5650db22cbf8e4da9ba01 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kdegraphics3-scan-3.2.… 5c90bfeca61591ce396066a7bba4acc7 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kdegraphics3-tex-3.2.1… a1611b75579097aa3d0031818b7b6db6 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kdelibs3-3.2.1-44.66.i… 26ce2b4076b945a3d9ecf8af0b83e1e6 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kdelibs3-devel-3.2.1-4… 8c595a2e37986a22a09848a1a128645a ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/i586/binutils-32bit-9.1-2… c2d8945ce2d0607cf909d29f83262f4f ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/i586/kdelibs3-32bit-9.1-2… b36749d947eb47286f0a21922b491a70 Power PC Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/binutils-2.16.91.0.2-8… de1e858bf7dac44e8adc2a07a0fcf334 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kdegraphics3-3.4.2-12.… 7a2769b5e3e7ec4af6350dc1d826e7c3 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kdegraphics3-3D-3.4.2-… ceb289844025be2048fb86a671ef3d48 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kdegraphics3-imaging-3… c94eed10ad637634db3b24f08d5c0c81 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kdegraphics3-scan-3.4.… 6f9aa4b7433345db9826580872438eb5 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kdegraphics3-tex-3.4.2… 307bdaead8245a26a7b2b00572d290dc ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kdelibs3-3.4.2-24.3.pp… fb1247f46a4414bda0ac48acb971c126 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kdelibs3-devel-3.4.2-2… 4a4d94290e692bf515690953df895155 x86-64 Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/binutils-2.16.91.0.… 07905bd004aff0e7f034fbf1839880e4 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/binutils-32bit-2.16… 2808eb66106aac360659f314ce6b8e8e ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kdegraphics3-3.4.2-… b72daa5dd362a30acb9c9ee60076a432 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kdegraphics3-3D-3.4… 90db781dfd39d8c046c42c3117d42d21 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kdegraphics3-imagin… 50c7e9bb81a223766f8a1b05e961f586 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kdegraphics3-scan-3… bd603d3147becf226534a12d58de9848 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kdegraphics3-tex-3.… 324124fb727c6133de4c63fc0d8b109a ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kdelibs3-3.4.2-24.3… 04f44a7a9113053c11ea2897fea189d1 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kdelibs3-32bit-3.4.… 1232ac61554a53bb772e4ee03d4e75ef ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kdelibs3-devel-3.4.… a96fa42b4bc03ff15d951029f7606b7d SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/binutils-2.15.94.0.2… 503efba51e385e61053e177cab67e111 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/binutils-32bit-9.3-7… c4ac261d7021cff6ce157365c75b659f ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kdegraphics3-3.4.0-1… b3d2853ee0f65fdb0f771f597555fde7 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kdegraphics3-3D-3.4.… 92681909dd0d1374386f2a081609cd2f ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kdegraphics3-imaging… 5a2494c0e345a35631c22647ff426541 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kdegraphics3-scan-3.… 389b8d61c3776006c4f2389f60b3e3c1 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kdegraphics3-tex-3.4… 11f247f28d1dfd1837b8e2f2774c2446 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kdelibs3-3.4.0-20.11… bbe654a9c69c7e110e1b7de14b498312 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kdelibs3-32bit-9.3-7… 6d4db92e1305e20aa3337624c845bd30 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kdelibs3-devel-3.4.0… 7da490073d6190af2003687951622405 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/binutils-2.15.91.0.2… a97601f2e0d5dd4768cda24282b2f4d9 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/binutils-32bit-9.2-2… 6047b8d9493c221302439e289726fbd2 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/dia-0.92.2-128.1.x86… 88b9c13e88b013370ac411f2aaa19c19 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kdegraphics3-3.3.0-1… d2f8eba01914b6dd3d05c27c468dcfb0 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kdegraphics3-3D-3.3.… 7b8f6fbb5a0a311c29e900877aebd9d7 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kdegraphics3-imaging… 8540ad7e2a46994313cfd3a2963463b8 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kdegraphics3-scan-3.… 2032b30bb43091c625baa1792716ae61 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kdegraphics3-tex-3.3… 7fbd5512b3598157e80c60f0b2855878 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kdelibs3-3.3.0-34.12… 7b5077bce547bcdd4576c6a541f90267 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kdelibs3-32bit-9.2-2… 7c62d3a25c8623f156fb43c36468935e ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kdelibs3-devel-3.3.0… 2dc9fac20d13442b3b5302dc29fe9118 SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/binutils-2.15.90.0… 354087b9758e50f86497996b19eeec94 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/dia-0.92.2-112.11.… 03659fbb7563826a87f7f94beb1c75a6 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kdegraphics3-3.2.1… 353ef4a09a8a80e2d64b4d427976ce45 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kdegraphics3-3D-3.… 56d31cb34a3837725df75308e0f88703 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kdegraphics3-scan-… d1458dddfcffacdb5ef6f430c31c6119 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kdegraphics3-tex-3… e525803caa7c3dd617f3c5a9a0683ff0 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kdelibs3-3.2.1-44.… 4d3432e2ffc9765d425e69cdf315ba4f ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kdelibs3-devel-3.2… e2abc0442f078a34c1ca8516579e3a50 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/koffice-1.3-67.4.x… 02bd9d62e0d1c38f8f71f0cf2494b41b ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/koffice-illustrati… e002a223ab2e3c024c0df5693fd1a3a8 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/koffice-wordproces… 08b03cb4214d760bf6072cd59aac5003 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/lyx-1.3.4-35.1.x86… e4bc1e182a72bb3a9e4a878208f13cfe Sources: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/binutils-2.16.91.0.2-8… 2dd1e35033820628da6b80be0dbe4936 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kdegraphics3-3.4.2-12.… 0397a4c448a829ac21c11305212ff22b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kdelibs3-3.4.2-24.3.sr… 7c198fa4ace4919c221939e6eca00734 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/binutils-2.15.94.0.2.2-… 98d6ea23959aea2765f9c17702ec62dd ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kdegraphics3-3.4.0-11.5… e15f2a22a803a18be7a1ab145a25007b ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kdelibs3-3.4.0-20.11.sr… aeeb36fc3937dd93d506f526c6c98cc4 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/binutils-2.15.91.0.2-7.… 952e90bdae6b1abeb7ca13b4401b398c ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/dia-0.92.2-128.1.src.rpm 4f1d414bf9fd2a2515aaf4463a441aaa ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kdegraphics3-3.3.0-13.7… 0fae44a5765adc1de2b5462873560bfd ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kdelibs3-3.3.0-34.12.sr… 7debc7aeee1ffca646d5c7216ce683fe SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/binutils-2.15.90.0.1.1-… 5c7ab33f6c050ba300aaaba7e2040fb4 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kdegraphics3-3.2.1-67.1… 8ae65c3f8ab7d3edf8a4e24209ed9e64 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kdelibs3-3.2.1-44.66.sr… 851de1a4caea121c9ed82d77115928b5 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/binutils-2.15.90.0.1.… 239ff55c3e755403a97a121a058c2caf ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/dia-0.92.2-112.11.src… 309668f36903aed44e8bfd15435f1908 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kdegraphics3-3.2.1-67… 51ddd6ca60f542ad852eff7a436a7275 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kdelibs3-3.2.1-44.66.… c23abf7c55209043d1c546877d2aaef7 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/koffice-1.3-67.4.src.… d341d9f1e16966db09bd071aeece3a3b ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/lyx-1.3.4-35.1.src.rpm 029f7638dbcba4c841e3803121fb30c7 Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/43ed32936d1f47c… http://portal.suse.com/psdb/43ed32936d1f47c23b6d758b748169d9.html http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/052bc7b0a62a290… http://portal.suse.com/psdb/052bc7b0a62a29064c15644ebf01dc51.html http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/37ceddfb4166e06… http://portal.suse.com/psdb/37ceddfb4166e0699e8b64b9e4afea11.html http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/9a3add7ef9404b7… http://portal.suse.com/psdb/9a3add7ef9404b778a7defb57a14b531.html ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: - See SuSE Security Summary Report ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iQEVAwUBQ+yi4ney5gA9JdPZAQKHJwf/ZVp8+ZHDzUh6vD7yh8KiQuczEgL3hel1 CaLGSqd96Bb/TIzBeThb7i5N7ry7BJwGp89FGU9UIWSPLP+xtxBN2PQ2RoiH8mXW +dSEtCBuQQKaoTfV36gZTlJhVn7CG2eMgL5HyvmUuOFAtpu+WOMteDmbBKw2LASi xIk4pIoRY/L3XlZz0mmUhj8vd+q4R1MvrXPdhKnuZf4BC10fWV7IK4SR9hhhvpzL k29yIDhm2IQBF1W546ZNJHcv52SbMtfWGLGBuJtfRjRfuVpoioH2vqOHMA8TdeaX kyGQ43YHUF/9ZbLhI7NPgRmIbmTWuJDOQSjIQOvZl/GUpVmZTDq7HQ== =tqKn -----END PGP SIGNATURE-----

1 0

SUSE Security Announcement: kernel remote denial of service (SUSE-SA:2006:006)
by Marcus Meissner 09 Feb '06

09 Feb '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: kernel Announcement ID: SUSE-SA:2006:006 Date: Thu, 09 Feb 2006 16:00:00 +0000 Affected Products: SUSE LINUX 10.0 Vulnerability Type: remote denial of service Severity (1-10): 9 SUSE Default Package: yes Cross-References: CVE-2005-3356, CVE-2005-3358, CVE-2005-3623 CVE-2005-3808, CVE-2005-4605, CVE-2005-4635 CVE-2006-0454 Content of This Advisory: 1) Security Vulnerability Resolved: various kernel security problems Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion The Linux kernel on SUSE Linux 10.0 has been updated to fix following security problems: - CVE-2006-0454: An extra dst release when ip_options_echo failed was fixed. This problem could be triggered by remote attackers and can potentially crash the machine. This is possible even with SuSEfirewall2 enabled. This affects only SUSE Linux 10.0, all other SUSE distributions are not affected. - CVE-2005-3356: A double decrement in mq_open system call could lead to local users crashing the machine. - CVE-2005-3358: A 0 argument passed to the set_mempolicy() system call could lead to a local user crashing the machine. - CVE-2005-4605: Kernel memory could be leaked to user space through a problem with seek() in /proc files . - CVE-2005-3623: Remote users could set ACLs even on read-only exported NFS Filesystems and so circumvent access control. - CVE-2005-3808: A 32 bit integer overflow on 64bit mmap calls could be used by local users to hang the machine. - CVE-2005-4635: Add sanity checks for headers and payload of netlink messages, which could be used by local attackers to crash the machine. Also various non-security bugs were fixed: - Fix up patch for cpufreq drivers that do not initialize current freq. - Handle BIOS cpufreq changes gracefully. - Updates to inotify handling. - Various XEN Updates. - Catches processor declarations with same ACPI id (P4HT) - PowerPC: g5 thermal overtemp bug on fluid cooled systems. - Fixed buffered ACPI events on a lot ASUS and some other machines. - Fix fs/exec.c:788 (de_thread()) BUG_ON (OSDL 5170). 2) Solution or Work-Around There is no known workaround, please install the updated packages. 3) Special Instructions and Notes SPECIAL INSTALLATION INSTRUCTIONS ================================= The following paragraphs guide you through the installation process in a step-by-step fashion. The character sequence "****" marks the beginning of a new paragraph. In some cases, the steps outlined in a particular paragraph may or may not be applicable to your situation. Therefore, make sure that you read through all of the steps below before attempting any of these procedures. All of the commands that need to be executed must be run as the superuser 'root'. Each step relies on the steps before it to complete successfully. Newer SUSE Linux versions do all this automatically when running the YaST Online Update. **** Step 1: Determine the needed kernel type. Use the following command to determine which kind of kernel is installed on your system: rpm -qf --qf '%{name}\n' /boot/vmlinuz **** Step 2: Download the packages for your system. Download the kernel RPM package for your distribution with the name indicated by Step 1. Starting from SUSE LINUX 9.2, kernel modules that are not free were moved to a separate package with the suffix '-nongpl' in its name. Download that package as well if you rely on hardware that requires non-free drivers, such as some ISDN adapters. The list of all kernel RPM packages is appended below. The kernel-source package does not contain a binary kernel in bootable form. Instead, it contains the sources that correspond with the binary kernel RPM packages. This package is required to build third party add-on modules. **** Step 3: Verify authenticity of the packages. Verify the authenticity of the kernel RPM package using the methods as listed in Section 6 of this SUSE Security Announcement. **** Step 4: Installing your kernel rpm package. Install the rpm package that you have downloaded in Step 2 with the command rpm -Uhv <FILE> replacing <FILE> with the filename of the RPM package downloaded. Warning: After performing this step, your system may not boot unless the following steps have been followed completely. **** Step 5: Configuring and creating the initrd. The initrd is a RAM disk that is loaded into the memory of your system together with the kernel boot image by the boot loader. The kernel uses the content of this RAM disk to execute commands that must be run before the kernel can mount its root file system. The initrd is typically used to load hard disk controller drivers and file system modules. The variable INITRD_MODULES in /etc/sysconfig/kernel determines which kernel modules are loaded in the initrd. After a new kernel rpm has been installed, the initrd must be recreated to include the updated kernel modules. Usually this happens automatically when installing the kernel rpm. If creating the initrd fails for some reason, manually run the command /sbin/mkinitrd **** Step 6: Update the boot loader, if necessary. Depending on your software configuration, you either have the LILO or GRUB boot loader installed and initialized on your system. Use the command grep LOADER_TYPE /etc/sysconfig/bootloader to find out which boot loader is configured. The GRUB boot loader does not require any further action after a new kernel has been installed. You may proceed to the next step if you are using GRUB. If you use the LILO boot loader, lilo must be run to reinitialize the boot sector of the hard disk. Usually this happens automatically when installing the kernel RPM. In case this step fails, run the command /sbin/lilo Warning: An improperly installed boot loader will render your system unbootable. **** Step 7: Reboot. If all of the steps above have been successfully completed on your system, the new kernel including the kernel modules and the initrd are ready to boot. The system needs to be rebooted for the changes to be active. Make sure that all steps have been completed then reboot using the command /sbin/shutdown -r now Your system will now shut down and restart with the new kernel. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/Intel-536ep-4.69-14.3… 617123d586215e94e373797650689b7f ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-bigsmp-2.6.13-… 0cbb96d083eb5c5cb6f14896b156d3d6 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-bigsmp-nongpl-… 9da719c36eb4119165d5cd70bfb98703 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-default-2.6.13… e84cf4f754e2dbad45d32f22764ac363 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-default-nongpl… 96556ee27a4a34ad2757fe0605f56e0a ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-smp-2.6.13-15.… 6bcc5556183a30d5be7164229f1a9b2a ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-smp-nongpl-2.6… 78883d88c7cca8f55676c6ad8fae8f74 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-source-2.6.13-… 566deccc17d66d38037829b04cd90bf6 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-syms-2.6.13-15… 98dd96111ed5932e29f17bdea8785ad4 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-um-2.6.13-15.8… 37d53ae4b23984e6c2c1eccf2cab1418 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-um-nongpl-2.6.… 9486e2bbba0809d01469eb8ce2862e45 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-xen-2.6.13-15.… 916db787417eb6714f4ef29e2b4fc215 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-xen-nongpl-2.6… c9f178ee29025e37fad02fc97f54a960 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/um-host-kernel-2.6.13… b7bd6a96c6f4e484c71121d928ccd88c ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xen-3.0_8259-0.1.i586… a45eca7e51d5013a33c911ea1a4cfee2 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xen-devel-3.0_8259-0.… da838d086ab74ae26217fdefd48536ae ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xen-doc-html-3.0_8259… 803b0ce83f4a3a08988b3af39f187158 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xen-doc-pdf-3.0_8259-… 9224d203e3466d1bf9a44ccfa0811471 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xen-doc-ps-3.0_8259-0… a9b0794189169f88275922da3e3e8566 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xen-tools-3.0_8259-0.… 3c39e8fadf994ba48c77f429d6d57b89 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xen-tools-ioemu-3.0_8… 08559ccb01107e018ac9b1bdf8b6be65 Power PC Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kernel-default-2.6.13-… 9809772427eb306647e818d806a77e89 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kernel-iseries64-2.6.1… e180170929a1ea8d3f98331bcfb30c9b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kernel-ppc64-2.6.13-15… 87a70ccab5ba54792dee4aa10c793842 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kernel-source-2.6.13-1… b87c03b2d486fd03c3fac0b3d2a6a226 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kernel-syms-2.6.13-15.… 7dade40bb01bd88a8b0fe59d1305f5c8 x86-64 Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-default-2.6.… 1b257b185e8eedfc3d8fbded87ad78d7 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-default-nong… 602f86133787c0ecc8eec89b23d54315 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-smp-2.6.13-1… 1a60423b90616a8cbe9f709f3af24788 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-smp-nongpl-2… 95a1d602ec636d83429e326c5d72a6ac ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-source-2.6.1… 72998ee6616db4d71eb5f6830b02775d ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-syms-2.6.13-… 8dbeccfea33a188e645c49d18b489ec8 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-xen-2.6.13-1… f8b7244ffdfce6cd10a63793bfff91c1 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-xen-nongpl-2… 3a1b868760ccfcd9e58a99d0cc2e6e10 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xen-3.0_8259-0.1.x8… bf63af95f1460384576fe544497a69d9 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xen-devel-3.0_8259-… b40992546fe02ba8c1b575ea0d219459 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xen-doc-html-3.0_82… 89ebeb3a359c3bea923579d557ddd799 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xen-doc-pdf-3.0_825… 596a4325239ea8b18dd13a2f32a23fd9 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xen-doc-ps-3.0_8259… a0dec51273e8b67313cb7001efa4e555 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xen-tools-3.0_8259-… 88ec4608838d3c0175412d4f9a3a722b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xen-tools-ioemu-3.0… c4d1a2fb18cc12cc670eaecbcc52e51e Sources: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/Intel-536ep-4.69-14.3.… 318b6e58e9618c58b45b442402f02d8d ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-bigsmp-2.6.13-1… a8106394b8179741f4abe6c5033b825b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-default-2.6.13-… 15357679ff39d7d172915286cf366a02 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-iseries64-2.6.1… 4819d48418dd04d54a6a2cc95ae743dd ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-ppc64-2.6.13-15… 07716c45346938286197c12459139f1d ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-smp-2.6.13-15.8… 1f0626d1a7a4f9512a68787369110323 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-source-2.6.13-1… 0d54d3a5531ca860327a42d026d6a5ed ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-source-2.6.13-1… de47591367758860be95265cf81a514b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-syms-2.6.13-15.… 807f7d1ffde7604cf90198237b3db382 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-um-2.6.13-15.8.… 859c7778b1138f4a6a650ca855d81d09 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-xen-2.6.13-15.8… 131b8f17f1aa4ea060bcc1d3a6148756 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/xen-3.0_8259-0.1.src.r… 75b98cae0e6d1c682e70309bb975060b ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iQEVAwUBQ+tpFXey5gA9JdPZAQIyOwf+JroOzv7U1YP+rVgCcT1nKlB6PdXxM3QS oAvh6CbEH4uu/QdLN+Yt9gQl3PNZcPsNwVg6Bpr0AnOn5YTHB4pEd+LV4McgMX9m n6pADFKv37KDl15kYV9eddIEBnXy8ZNBEldUjCFPLbB93kkGF5yfdiWAhak3dluA XJUV2SKLD5KmfRuKrGdWCpVfAwhUiCTDKGeIPuMsePFMohTO9qYHcKnzs7NOe9av tQW/hcWLLyTxMmcy0MBEfbM6RTQyEOXFL52XJTRP3dcGUEpKiLZPN90pUG0v3KQo gqzZRxwn/VKrvsmV51T4ywzKR1vnp4FjnDt2KeWP59d99vV6MpRJPw== =E18s -----END PGP SIGNATURE-----

1 0

SUSE Security Summary Report SUSE-SR:2006:003
by Marcus Meissner 03 Feb '06

03 Feb '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Summary Report Announcement ID: SUSE-SR:2006:003 Date: Fri, 03 Feb 2006 12:00:00 +0000 Cross-References: CVE-2004-0990, CVE-2005-2798, CVE-2005-4501 CVE-2005-4591, CVE-2005-4592, CVE-2006-0322 Content of this advisory: 1) Solved Security Vulnerabilities: - SUSE Linux 9.0 discontinued - openssh GSSAPI problem - gd integer overflows - mediawiki problems - bogofilter buffer overflows 2) Pending Vulnerabilities, Solutions, and Work-Arounds: - various kernel security issues 3) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Solved Security Vulnerabilities To avoid flooding mailing lists with SUSE Security Announcements for minor issues, SUSE Security releases weekly summary reports for the low profile vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums or download URLs like the SUSE Security Announcements that are released for more severe vulnerabilities. Fixed packages for the following incidents are already available on our FTP server and via the YaST Online Update. - SUSE Linux 9.0 discontinued As previously announced, we have now discontinued SUSE Linux 9.0. It has received its final security update a week ago (phpMyAdmin). Next product to be discontinued: SUSE Linux 9.1, end of June 2006. - openssh GSSAPI problem This update of openssh fixes an information disclosure bug in the sshd server. If option GSSAPIDelegateCredentials is enabled, it could happen that credentials are send to users that are using non-GSSAPI methods for authentication. (CVE-2005-2798) The option is not enabled by default in SUSE Linux. This affects SUSE Linux 9.2 up to 10.0 and SUSE Linux Enterprise Server 9. - gd integer overflows Some integer overflows were fixed in the image manipulation / creation library GD that may be exploited to execute arbitrary code. (Old patch was missing upstream.) This is tracked by the Mitre CVE ID CVE-2004-0990. All SUSE Linux based products are affected. - MediaWiki problems Two problems were fixed in MediaWiki: - Several cross-site-scripting bugs (CVE-2005-4501) - Certain links could lead to denial of service (CVE-2006-0322) This problem affects SUSE Linux 9.3 and 10.0. - bogofilter buffer overflows The Bayes based filter bogofilter was updated to fix following security problems: - Decoding Unicode sequences could overflow a heap buffer (CVE-2005-4591). - Very long lines could overflow a heap buffer (CVE-2005-4592). This problem only affects SUSE Linux 9.3 and 10.0. ______________________________________________________________________________ 2) Pending Vulnerabilities, Solutions, and Work-Arounds - Kernel security issues Various kernel security issues are known and we will start preparing updates soon. The next kernel update will probably be available mid of February. ______________________________________________________________________________ 3) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file containing the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and integrity of a package needs to be verified to ensure that it has not been tampered with. The internal RPM package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and included at the end of this announcement. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ) send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iQEVAwUBQ+NeuXey5gA9JdPZAQJ9IwgAkOapn5LK57qTciiL4veN/ULbQ5chE7u2 xzS+5SannyKkSij3OXji1JnYz1mb2pCnzkvD/DQZxomsAz0kxw7lY6LGmA9f7wU2 QA85a6ZAa8SMHoBz4B7V14MpjUo/E+/NESM7pj9NWeTMoaWpLGqH6tnOe5xoMQfO akxbbemHx/x7pMaLA7M03MxFeMUJAQdU2oNZwjAqFLTDMPW0qvWxwjbwNVZXTHBx b3aNGte4UcEST6zadzIjQIH116H98+FX30nDa+PoWgO9qqvNWIE4H6N4Gi9UIt27 vezPJOsXYNxVoSyRsRwFB5YMHEVrArM+rR5ryX1KyE3wsuMITVziWg== =rG7D -----END PGP SIGNATURE-----

1 0