openSUSE Security Announce
Threads by month
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2004 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2003 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2002 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2001 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2000 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1999 -----
- December
- November
- October
- September
- August
June 2006
- 2 participants
- 13 discussions
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID: SUSE-SR:2006:015
Date: Fri, 30 Jun 2006 16:00:00 +0000
Cross-References: CVE-2006-0898, CVE-2006-2197, CVE-2006-2898
CVE-2006-2916, CVE-2006-3057, CVE-2006-3082
Content of this advisory:
1) Solved Security Vulnerabilities:
- wv2 boundary checks
- perl-Crypt-CBC weak initial vectors
- arts setuid return check problems
- dhcdbd remote denial of service attack
- gpg denial of service attack
- asterisk buffer overflow
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
- OpenOffice_org security problems
- opera 9.0 security update
- acroread security update 7.0.8
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums
or download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- wv2 boundary checks
The wv2 library was updated to fix some boundary checks which could
be exploited by maliciously crafted files to access memory outside
bounds and possibly execute arbitrary code. (CVE-2006-2197)
All SUSE Linux versions are affected by this problem.
- perl-Crypt-CBC weak initial vectors
The Perl Crypt::CBC module versions through 2.16 produced weak
cipher text when used with block encryption algorithms with block size
larger than 8 bytes. (CVE-2006-0898)
This affects all SUSE Linux based products containing perl-Crypt-CBC.
- arts setuid return check problems
The KDE sound server aRts lacked checks around some setuid() calls.
This could potentially be used by a local attacker to gain root
privileges. (CVE-2006-2916)
We think that this is not possible since seteuid() is not affected,
but have fixed this problem nevertheless.
All SUSE Linux based products are affected by this problem.
- dhcdbd remote denial of service attack
A remote trigger-able crash was fixed in the DBUS DHCP client 'dhcdbd'
(CVE-2006-3057).
This problem only affects SUSE Linux 10.0.
- gpg denial of service attack
It is possible to crash (denial of service) the GNU Privacy Guard
(gpg) by supplying a specifically crafted message specifying a
very large UID, which leads to an out of memory situation or an
integer overflow.
It is unclear if this problem can be exploited to execute code.
This issue is tracked by the Mitre CVE ID CVE-2006-3082, and affects
all SUSE Linux based products.
Updates for the gpg2 package are still work in progress.
- asterisk buffer overflow
A security problem was fixed in the IAX2 channel driver of Asterisk
that could be used by remote users to execute code or at least
crash Asterisk.
This issue is tracked by the Mitre CVE ID CVE-2006-2898
and affects SUSE Linux 9.2 up to 10.1.
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
- OpenOffice_org security problems
Several security problems were found in the OpenOffice_org suite.
We are currently pushing out updates for this problem which will
appear in your YaST Online Update / Zen Updater shortly.
Please note that these updates are very large and might take
a while to download.
A full advisory will be released once the update was released for
all distributions.
- opera 9.0 security update
We released a Opera 9.0 security update which was unfortunately
broken due to a RPM problem.
We are preparing fixed packages for this and will release them as
soon as they become available.
A full advisory will be written once this is done.
- acroread security update 7.0.8
The Adobe Acrobat Reader has a new version 7.0.8 available, which
contains security fixes.
Updated packages have already been released for SUSE Linux 9.2
up to 10.1, but are currently still missing for SUSE Linux 9.1,
SUSE Linux Enterprise Server 9 and Novell Linux Desktop 9, due to
a new GTK 2.4 requirement.
A full advisory will be released once these problems have been
reviewed and solved.
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file containing the announcement.
The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and integrity of a
package needs to be verified to ensure that it has not been tampered with.
The internal RPM package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on RPMv4-based
distributions) and the gpg key ring of 'root' during installation. You can
also find it on the first installation CD and included at the end of this
announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (FAQ)
send mail to <suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iQEVAwUBRKU26Xey5gA9JdPZAQEWPgf/bouNICFrB4+SOYh366GGU8lbOI8ryMEU
LnAXZSLRRauqFiH7jzbrc+SMhpdLBvV/bGXoQ8ZjobXHWPRln4lSTowyT0E7bMHP
HOjIi3Gn09umnNR+Y45Z4/E/I0xKa0O5jCmgyKLeLChPX7hC5sFBnKPTSyZkquAm
KA/4YTF4zX3HU6vtML3k1iJy/HUFO8OzZmnRX/YtR2+LxpwT8f0pENXMngua/jga
3L+Nabaf4qhlujMcfCaMttrMqBQTFKx6s9p2KOkv4oI67Dc7luWKm6dEZkxCZbxi
lvoRGs4eIsx5u+/QYyE0tPyX1XtIp61/OzNVw9f1vFELwKu2iSbUAw==
=P8+s
-----END PGP SIGNATURE-----
1
0
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Announcement
Package: freetype2, freetype2-devel
Announcement ID: SUSE-SA:2006:037
Date: Tue, 27 Jun 2006 12:00:00 +0000
Affected Products: SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SUSE SLES 9
Vulnerability Type: remote code execution
Severity (1-10): 8
SUSE Default Package: yes
Cross-References: CVE-2006-0747
CVE-2006-1861
CVE-2006-2661
Content of This Advisory:
1) Security Vulnerability Resolved:
several integer overflows
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
The freetype2 library renders TrueType fonts for open source projects.
More than 900 packages on SUSE Linux use this library. Therefore the
integer overflows in this code found by Josh Bressers and Chris Evans
might have a high impact on the security of a desktop system.
The bugs can lead to a remote denial-of-service attack and may lead to
remote command execution. The user needs to use a program that uses
freetype2 (almost all GUI applications do) and let this program process
malicious font data.
2) Solution or Work-Around
No work-around known.
3) Special Instructions and Notes
Please log out from your window-manager session and log in again
to let all applications restart and load the new code.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
x86 Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/freetype2-2.1.10-18.3.i586…
d8159af0dd876c9f75a30c7027ccc65e
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/freetype2-devel-2.1.10-18.…
14ed91a58dbbf592bad515a34fa46bf1
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/freetype2-2.1.10-4.2.…
e55d8a3eb8a0e203db16703d4eb24ffa
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/freetype2-devel-2.1.1…
5f8bad1411007aab9d190036cadc0d1b
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/freetype2-2.1.9-4.2.i5…
76edb89bf583274c0cdc13a4a60a1a33
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/freetype2-devel-2.1.9-…
5995bb6179b03f75c174355c7303e4ef
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/freetype2-2.1.9-3.2.i5…
62b0c3c6886439cf10b4f64d0930f251
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/freetype2-devel-2.1.9-…
0df43df0ac31ecb637acda13a1c558bb
Power PC Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/freetype2-2.1.10-18.3.ppc.r…
1316c1937957047ca3293a4181d1d16e
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/freetype2-devel-2.1.10-18.3…
fb738052648a6fddf2e6e791e06c4b9b
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/freetype2-2.1.10-4.2.p…
5a1d2fa14ba666893e0e61ebbc583f9e
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/freetype2-devel-2.1.10…
4c92c8bc862aaf734974da7ae0a8e8d2
x86-64 Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/freetype2-2.1.10-18.3.x8…
b8c72431885e3b302954c83bbd3615f8
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/freetype2-32bit-2.1.10-1…
c957ce5e918d0ee7933db8c859362eb2
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/freetype2-devel-2.1.10-1…
da300d9b65f6ec99b59045a4ff17b848
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/freetype2-devel-32bit-2.…
7f746c754434d96c6e1d1b1a4f42719f
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/freetype2-2.1.10-4.…
ec8a92f9958022f27ded53222e6d16cb
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/freetype2-32bit-2.1…
b71540b7a43d88060a15f46a282083a2
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/freetype2-devel-2.1…
59ef42def49b6b8d57fc4927bbe3e503
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/freetype2-devel-32b…
7749224202098d4cec74b15621a6bf90
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/freetype2-2.1.9-4.2.…
fe14dad1164731b5abc35e54bea51753
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/freetype2-32bit-9.3-…
916649bdc38f5c7d2f20b7f9c306928d
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/freetype2-devel-2.1.…
5292d176535b6bc68dfa64a9087e783c
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/freetype2-devel-32bi…
1c9e160e832a33be4233653ead4745e6
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/freetype2-2.1.9-3.2.…
0df14e0676312be2bb28b0c1beb2245c
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/freetype2-32bit-9.2-…
95fd288ab5afc988c6881b2a6f8a9c03
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/freetype2-devel-2.1.…
8a56ae60affaa2ad3913126bb45684e2
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/freetype2-devel-32bi…
74fa3c308c0d2541fe71ba8c1d57e0e3
Sources:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/freetype2-2.1.10-18.3.src.r…
3d5053bd231a06234daf2b30c93b8aae
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/freetype2-2.1.10-4.2.s…
b7deaf1486d41b3f7462adb8c2c6a282
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/freetype2-2.1.9-4.2.src…
12dc71a010ddb89f753429892e46065e
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/freetype2-2.1.9-3.2.src…
1beda05b38c0445cb82bed8f01b3a62a
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/6dbf1efb42be3b7…
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum <filename.rpm>
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security(a)suse.de) the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (FAQ),
send mail to <suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iQEVAwUBRKEjEney5gA9JdPZAQGU2Af/WfTrsrBlVlAoMN2F24LIX0NQZBBhJOzt
rFL8VGnhawROvJCY9ZaldyrT7wfviUb9A/iAWu17+thqDWc0n9lxgxRmTaBU3ycs
PTB4ZQ5KYrQNvnoD/VrUTWAjNlOi34RIUs/wmkoBQN6/LpbeHfOPxt7p3AqrxJnd
OpJYU80pYkT0roPMtuVMHX6ZNbf8DH492y+KZGGTpqmUxsSCHX5Knj7umSZo1hQx
KBLBEkc2YMnbbYazMuC+21D1LpQPglDNuGxJQWJGDOX9zVPuly4p1I1To0kpyx+e
azeiutrI94iGdTSghvWDlu652jxyTFBDwZgVlvi5V8yPKath+7eaXw==
=3q8O
-----END PGP SIGNATURE-----
1
0
SUSE Security Announcement: mysql remote code execution (SUSE-SA:2006:036)
by Marcus Meissner 23 Jun '06
by Marcus Meissner 23 Jun '06
23 Jun '06
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: mysql
Announcement ID: SUSE-SA:2006:036
Date: Fri, 23 Jun 2006 10:00:00 +0000
Affected Products: SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SUSE LINUX 9.1
SuSE Linux Enterprise Server 8
SUSE SLES 9
UnitedLinux 1.0
Vulnerability Type: remote code execution
Severity (1-10): 6
SUSE Default Package: no
Cross-References: CVE-2006-1516, CVE-2006-1517, CVE-2006-1518
Content of This Advisory:
1) Security Vulnerability Resolved:
MySQL security problems
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
The database server MySQL was updated to fix the following security problems:
- Attackers could read portions of memory by using a user name with
trailing null byte or via COM_TABLE_DUMP command (CVE-2006-1516,
CVE-2006-1517).
- Attackers could potentially execute arbitrary code by causing a
buffer overflow via specially crafted COM_TABLE_DUMP packets
(CVE-2006-1518).
The mysql server package was released on May 30th already, the
mysql-Max server package was released on June 20th after additional
bugfixes.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
Please close and restart all running instances of mysql after the update.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
x86 Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/mysql-5.0.18-16.1.i586.rpm
4dea85f3d52c94e09c469a79ab43fb5f
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mysql-4.1.13-3.4.i586…
e0e8621cff3ed97a28b92c684c5a7a22
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mysql-4.1.10a-3.6.i586…
03f598b001d1e845f21dce3757aa8a86
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mysql-Max-4.1.10a-3.6.…
26f4d0a0eeb71ebf33086086f1fe7a7d
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/mysql-4.0.21-4.8.i586.…
d08f0a3f00b0b57691059e16808c334c
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/mysql-Max-4.0.21-4.8.i…
e020aff4f0e75e8874bc589491431adf
SUSE LINUX 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/mysql-4.0.18-32.23.i58…
c2fe788b964bda22174cee23305dd07d
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/mysql-Max-4.0.18-32.26…
f2d7e97ddcb8ad1bb71e3d3479be3a94
Power PC Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/mysql-5.0.18-16.1.ppc.rpm
651e55aa7f5715119a80efb15c443f48
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mysql-4.1.13-3.4.ppc.r…
9e45efa2a53c95b0b2ea903418ccc350
ppc64:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc64/mysql-5.0.18-16.1.ppc64.r…
9dbfffd1a00b63816439a5440ef38154
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc64/mysql-4.1.13-3.4.ppc…
566e0653cd74d4609720a03572187e5f
x86-64 Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/mysql-5.0.18-16.1.x86_64…
280e5e41997395e3894e859830e347d1
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mysql-4.1.13-3.4.x8…
f2944ca6b8392b9f04d81f7f6e033c72
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mysql-4.1.10a-3.6.x8…
b5f4630b84df39f66d5fd443c2ed8640
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mysql-Max-4.1.10a-3.…
c984aa6fb16d2c076e64ef0b5917fa82
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/mysql-4.0.21-4.8.x86…
7edf1de7cd015427b0dcbb2bdaafd5f9
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/mysql-Max-4.0.21-4.8…
e88d59f618e9388579ddaac2ee508430
SUSE LINUX 9.1:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/mysql-4.0.18-32.23…
5f07e550385e013b90f4005d12fb8ce3
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/mysql-Max-4.0.18-3…
6ba91ee838f6efe043e0528fdccaa578
Sources:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/mysql-5.0.18-16.1.src.rpm
a85b8ce37f01354b92799ca81cf81d95
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/mysql-4.1.13-3.4.src.r…
e17a91c00b19f8f27e6a77f49fa7f4ac
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/mysql-4.1.10a-3.6.src.r…
b937478aa654975cd947a825792b80c4
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/mysql-4.0.21-4.8.src.rpm
08471d066667237b395868a8c5e3e142
SUSE LINUX 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/mysql-4.0.18-32.23.src.…
3ab5d53a677970e2d10cdb1609a015c8
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/mysql-4.0.18-32.23.sr…
646b4af4383f96b858ebd605f3aa6778
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
UnitedLinux 1.0
http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/d94b3db707a1941…
SUSE SLES 9
http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/dfa3b040161b26a…
http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/d94b3db707a1941…
SuSE Linux Enterprise Server 8
http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/d94b3db707a1941…
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum <filename.rpm>
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security(a)suse.de) the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (FAQ),
send mail to <suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iQEVAwUBRJulmHey5gA9JdPZAQJidAf/RWepTOQcJUISomOhu4yrbUldILcIcXfH
m+lDl3dae6ft7oAjEeUOl8dkvngI796Yn3hF3FA6Tlht6tnRYzdYu6hDMLvxYH39
DKB3MdW/kvlLKGWAOhIcyULjHPd6EwQmjCbMeapEIRUntyNo122HD+HVISg9J8lm
7UcLobYyj8a2298QrNR+g7oMBSeYGNkQLe8gvTtOcMLU9CWuQYzNyNX1OzzV/O8x
D6c24k44i+szRXbzsgHr22PG/UB0icYfn+ojg4ObEl7sDU0Nrv9jvuKM1eC/uSpL
lTLVrv14eA7NJ7jVJX6bGVmXJ4COteNxDJegj2JkBCgm+G7bpFLUUA==
=e+cE
-----END PGP SIGNATURE-----
1
0
SUSE Security Announcement: various Mozilla browser security problems (SUSE-SA:2006:035)
by Marcus Meissner 23 Jun '06
by Marcus Meissner 23 Jun '06
23 Jun '06
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: MozillaFirefox,MozillaThunderbird,Seamonkey
Announcement ID: SUSE-SA:2006:035
Date: Fri, 23 Jun 2006 10:00:00 +0000
Affected Products: SUSE LINUX 10.1
Vulnerability Type: remote code execution
Severity (1-10): 8
SUSE Default Package: yes
Cross-References: CVE-2006-1729, CVE-2006-1942, CVE-2006-2775
CVE-2006-2776, CVE-2006-2777, CVE-2006-2778
CVE-2006-2779, CVE-2006-2780, CVE-2006-2781
CVE-2006-2782, CVE-2006-2783, CVE-2006-2784
CVE-2006-2785, CVE-2006-2786, CVE-2006-2787
MFSA 2006-31, MFSA 2006-32, MFSA 2006-33
MFSA 2006-34, MFSA 2006-35, MFSA 2006-36
MFSA 2006-37, MFSA 2006-38, MFSA 2006-39
MFSA 2006-40, MFSA 2006-42, MFSA 2006-43
Content of This Advisory:
1) Security Vulnerability Resolved:
various fixes in Mozilla Firefox, Thunderbird and Seamonkey suite
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
This update fixes several security problems in the Mozilla Firefox
1.5 browser, Thunderbird 1.5 mail reader and Seamonkey Suite.
It also brings Mozilla Firefox and Thunderbird up to version 1.5.0.4
bugfix level and the Seamonkey Suite to version 1.0.2.
Only updates for SUSE Linux 10.1 are currently available. We are
working on backports for the older products, since the Mozilla
foundation has not released updates for those old products.
The full list with even more details is at:
http://www.mozilla.org/projects/security/known-vulnerabilities.html
MFSA 2006-31/CVE-2006-2787: EvalInSandbox allows remote attackers
to gain privileges via javascript that calls the valueOf method on
objects that were created outside of the sandbox.
MFSA 2006-32/CVE-2006-2780: An Integer overflow allows remote attackers
to cause a denial of service (crash) and possibly execute arbitrary
code via "jsstr tagify," which leads to memory corruption.
MFSA 2006-32/CVE-2006-2779: Firefox allow remote attackers to cause a
denial of service (crash) and possibly execute arbitrary code via (1)
nested <option> tags in a select tag, (2) a DOMNodeRemoved mutation
event, (3) "Content-implemented tree views," (4) BoxObjects, (5)
the XBL implementation, (6) an IFRAME that attempts to remove itself,
which leads to memory corruption.
MFSA 2006-33/CVE-2006-2786: HTTP response smuggling vulnerability in
Mozilla Firefox, when used with certain proxy servers, allows remote
attackers to cause Firefox to interpret certain responses as if they
were responses from two different sites via (1) invalid HTTP response
headers with spaces between the header name and the colon, which might
not be ignored in some cases, or (2) HTTP 1.1 headers through an HTTP
1.0 proxy, which are ignored by the proxy but processed by the client.
MFSA 2006-34/CVE-2006-2785: Cross-site scripting (XSS) vulnerability
in Mozilla Firefox allows user-complicit remote attackers to inject
arbitrary web script or HTML by tricking a user into (1) performing a
"View Image" on a broken image in which the SRC attribute contains
a Javascript URL, or (2) selecting "Show only this frame" on a frame
whose SRC attribute contains a Javascript URL.
MFSA 2006-35/CVE-2006-2775: Mozilla Firefox associates XUL attributes
with the wrong URL under certain unspecified circumstances, which
might allow remote attackers to bypass restrictions by causing a
persisted string to be associated with the wrong URL.
MFSA 2006-36/CVE-2006-2784: The PLUGINSPAGE functionality in Mozilla
Firefox allows remote user-complicit attackers to execute privileged
code by tricking a user into installing missing plugins and selecting
the "Manual Install" button, then using nested javascript: URLs.
MFSA 2006-37/CVE-2006-2776: Certain privileged UI code in Mozilla
Firefox calls content-defined setters on an object prototype, which
allows remote attackers to execute code at a higher privilege than
intended.
MFSA 2006-38/CVE-2006-2778: The crypto.signText function in Mozilla
Firefox allows remote attackers to execute arbitrary code via certain
optional Certificate Authority name arguments, which causes an invalid
array index and triggers a buffer overflow.
MFSA 2006-39/CVE-2006-1942: Mozilla Firefox allows user-complicit
remote attackers to open local files via a web page with an IMG
element containing a SRC attribute with a non-image file:// URL, then
tricking the user into selecting View Image for the broken image,
as demonstrated using a ,wma file to launch Windows Media Player,
or by referencing an "alternate web page."
MFSA 2006-40/CVE-2006-2781: Double-free vulnerability in Mozilla
Thunderbird before 1.5.0.4 and SeaMonkey before 1.0.2 allows remote
attackers to cause a denial of service (hang) and possibly execute
arbitrary code via a VCard that contains invalid base64 characters.
MFSA-2006-41/CVE-2006-2782: Firefox does not fix all test cases
associated with CVE-2006-1729, which allows remote attackers to read
arbitrary files by inserting the target filename into a text box,
then turning that box into a file upload control.
MFSA 2006-42/CVE-2006-2783: Mozilla Firefox strips the Unicode
Byte-order-Mark (BOM) from a UTF-8 page before the page is passed
to the parser, which allows remote attackers to conduct cross-site
scripting (XSS) attacks via a BOM sequence in the middle of a dangerous
tag such as SCRIPT.
MFSA 2006-43/CVE-2006-2777: Unspecified vulnerability in Mozilla
Firefox allows remote attackers to execute arbitrary code by using
the nsISelectionPrivate interface of the Selection object to add a
SelectionListener and create notifications that are executed in a
privileged context.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
Please close and restart all running instances of Firefox, Thunderbird
or Seamonkey after the update.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
x86 Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/MozillaFirefox-1.5.0.4-1.3…
86c51e4ea35fbcb0c6979cf96ef4c60c
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/MozillaFirefox-translation…
7622da7f1903268ba30d20d4a356c631
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/MozillaThunderbird-1.5.0.4…
f674da2024899e1bae549d004464bf9c
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/MozillaThunderbird-transla…
77da007efc8a51a7bcf2f675ced33440
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/seamonkey-1.0.2-1.1.i586.r…
4565b51f1d4ef70a5e5ba28e36d41fe5
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/seamonkey-calendar-1.0.2-1…
baa91fc4390b02e79544a526fd2fca4d
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/seamonkey-dom-inspector-1.…
a44e73346167dffc473ebf2a3e2bd6ea
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/seamonkey-irc-1.0.2-1.1.i5…
640a14020f0e84f83ce08074f202d24f
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/seamonkey-mail-1.0.2-1.1.i…
4101f628fbcc4f7dc3b2fe9f9d9eb59f
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/seamonkey-spellchecker-1.0…
3897ba20fce3c57ef94afc435be5f381
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/seamonkey-venkman-1.0.2-1.…
75e785054daf285e4fd5594bb0a99f7a
Power PC Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/MozillaFirefox-1.5.0.4-1.3.…
5ec8af0efb500f6a58b961632153a59b
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/MozillaFirefox-translations…
441fd3ce01dcbf2b8641809420ae95b4
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/MozillaThunderbird-1.5.0.4-…
8a9de83297edb634db0c3c05adf7a1b6
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/MozillaThunderbird-translat…
86c7270e1c659e8fbf918231d7cc2db2
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/seamonkey-1.0.2-1.1.ppc.rpm
41ff6937602601fcf95c323926500cfe
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/seamonkey-calendar-1.0.2-1.…
c6e206c15a5fa0ec388b6accfe189f14
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/seamonkey-dom-inspector-1.0…
133c4dfbb846d778c1f73f4906ebc574
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/seamonkey-irc-1.0.2-1.1.ppc…
a7c60be4b45355d943be7514c4789eb4
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/seamonkey-mail-1.0.2-1.1.pp…
bac71e0b84a2cd6f33e5591c56c33830
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/seamonkey-spellchecker-1.0.…
ce7bad07a8ffeb056ad047df24d8b443
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/seamonkey-venkman-1.0.2-1.1…
dd8c8e6c70e13e987dc5aa83ad635fa0
x86-64 Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/MozillaThunderbird-1.5.0…
026f3d553c68332cd58bc27167f18bc5
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/MozillaThunderbird-trans…
9dcbf47049631f2528d2ab956feb9467
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/seamonkey-1.0.2-1.1.x86_…
9f1edd3d7a108a6cf81a765f31182cfa
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/seamonkey-calendar-1.0.2…
bc20b9a1d943effa5013d746de3b0512
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/seamonkey-dom-inspector-…
c1d41e16536674aea13631c268396304
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/seamonkey-irc-1.0.2-1.1.…
aa8562c4d8a3bc0b67defdb52c14a26e
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/seamonkey-mail-1.0.2-1.1…
d67e427b02b0143ae93036f31e2ae815
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/seamonkey-spellchecker-1…
642d08908021597b522bbd963c31b090
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/seamonkey-venkman-1.0.2-…
812cd29fc72ed95a3da6c8ea593a718a
Sources:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/MozillaFirefox-1.5.0.4-1.3.…
01f2452723453889272a4714744c7868
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/MozillaThunderbird-1.5.0.4-…
88abba0ec606fb4b9b27ad7c9dc44cfe
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/seamonkey-1.0.2-1.1.src.rpm
9817ec2e9644d07a93827d87c406cde7
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum <filename.rpm>
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security(a)suse.de) the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (FAQ),
send mail to <suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iQEUAwUBRJugaHey5gA9JdPZAQKx9Af2IavhLmJFqMvXQv84E7WG9/kEqKGa63mL
sgUt88sKfIQ3yKDT94oMrBzrdBW3X+dR4Gkyr0QZwPMg8kS2BUtOkibQREk6ZLDp
DuavnzdvP9SrcLRrnMneoyUogqtAxVyCJKwS5Ficw03JkqkbCIBZk+9/fG+cgJJf
WW7jA+5F44Ywyh8l/AgD82dxfg0UEEbkNiCbp27X74RuOyxIQ7pBsYtPoTJpOlBz
y/6LFTvrdW6eJ0QFA7hM7H/5DL6PHmRBSwLxSmaYtZ5cEzKldVYiepIrRj8ZkOF0
E5eQneaPYoF8W9DqDoAXCpKHmblIEHiJnyRdtXs4AM6+aDoZWLzY
=NrUx
-----END PGP SIGNATURE-----
1
0
22 Jun '06
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: php4
Announcement ID: SUSE-SA:2006:034
Date: Thu, 22 Jun 2006 14:00:00 +0000
Affected Products: SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SUSE LINUX 9.1
SuSE Linux Enterprise Server 8
SUSE SLES 9
UnitedLinux 1.0
Vulnerability Type: bug fix
Severity (1-10): 0
SUSE Default Package: no
Cross-References: CVE-2006-2657
Content of This Advisory:
1) Security Vulnerability Resolved:
bugfix update for previous PHP 4 release
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
In SUSE-SA:2006:031 we announced bugfixes for PHP4.
Unfortunately the patches to fix CVE-2006-2657 contained a bug
which made arrays work unreliable or not all and so broke several
PHP applications.
We have released fixed packages for this problem, as listed below.
Only PHP4 was affected, the PHP5 updates do not contain this problem.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
Please close and restart all running instances of apache and/or
apache2 after the update.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
x86 Platform:
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/apache2-mod_php4-4.4.…
68b04b2efbea6b19dc795ae5cd99e5a2
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-4.4.0-6.15.i586.…
4a560750c14b6941d22ad59961f4ba53
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-exif-4.4.0-6.15.…
08ddd002efc044415257b1598c00ff7c
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-fastcgi-4.4.0-6.…
22dbc5373d389e29dede7989bfae1fbd
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-gd-4.4.0-6.15.i5…
f0591b69b2997552c7c6ebc69e2ea626
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-mbstring-4.4.0-6…
3b6546de3ae1a8d1c7b105323cee19c2
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-servlet-4.4.0-6.…
4dc4650c61dd0127d67fa735ccc14c0b
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-unixODBC-4.4.0-6…
dc2e140fb600b7b02498fab0717f2afa
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/apache2-mod_php4-4.3.1…
6c26bb11835f27035f1f1987dae32c3e
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mod_php4-servlet-4.3.1…
56b81821f4c6efcfce3cfee712c829ff
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-4.3.10-14.25.i586…
f89e007d5b05dd5d24312edfd5256e82
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-devel-4.3.10-14.2…
32a4784f5df6bbbd27f5f179600b379b
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-exif-4.3.10-14.25…
571207c1432a33a28dd90958538bca1f
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-fastcgi-4.3.10-14…
cf7c0649419b8492c3f09aeef1b3941a
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-gd-4.3.10-14.25.i…
505eab04c381d7f5ab479b276fe4aca7
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-mbstring-4.3.10-1…
8738a92c30421636cab3ca00d796b05c
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-pear-4.3.10-14.25…
9deaf549ef63a4d3313ca6953915b9fc
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-session-4.3.10-14…
56340826fc1e4be798c78c2c5752cf34
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-sysvshm-4.3.10-14…
8cf3dbcc97638fb38b92a3e5d213d67d
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/apache2-mod_php4-4.3.8…
187ce3402645353d214c2b3a0cd1f9ed
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/mod_php4-servlet-4.3.8…
1b0e6a47ad9a463e656130a943d42387
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-4.3.8-8.28.i586.r…
659424773f5dd2f49e7eb4de3321b67a
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-devel-4.3.8-8.28.…
e1990370e6f794b212701aa96cab248f
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-exif-4.3.8-8.28.i…
6e018a422474a3e94937230549d6c9f6
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-fastcgi-4.3.8-8.2…
ce308f4fd305f1d426a0e77196b40ed2
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-gd-4.3.8-8.28.i58…
62d1e99398fe2564d9b1e6d891e289f9
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-mbstring-4.3.8-8.…
2d89c210f1f69cc379b561c47f71723a
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-pear-4.3.8-8.28.i…
f9134199842dd3ec2549accee184e1e6
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-session-4.3.8-8.2…
8335d15b6b282fccce7c602692d5c190
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-sysvshm-4.3.8-8.2…
2a3c67e33f12256fee0aab9d7203e8fb
SUSE LINUX 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/apache2-mod_php4-4.3.4…
a39b9471efb52224a5822aafbd9aae05
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/mod_php4-core-4.3.4-43…
7575d11737d891adcf454c7319006976
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/mod_php4-servlet-4.3.4…
6ce7cf156885adc543ecbade468b7885
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-4.3.4-43.61.i586.…
e427a7b430327577facc994a061657f2
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-devel-4.3.4-43.61…
5624c13f07417578785053c13e9159c7
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-exif-4.3.4-43.61.…
045bee7e27e3523e95fd0037292d0fb3
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-fastcgi-4.3.4-43.…
1023c2db204dfa98360580581515af20
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-gd-4.3.4-43.61.i5…
d7baf7c1b3856bea32e3084a3d1ec3c3
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-imap-4.3.4-43.61.…
b0ddc9522bb3e56aa77c6b298aee0e96
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-mbstring-4.3.4-43…
c818d87c8324c929254bec4ef4ef1553
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-mysql-4.3.4-43.61…
1d4126b943f6d412d382ea5a36754ec0
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-pear-4.3.4-43.61.…
b559fd1c85fc6be0611afd23c1dd6f18
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-recode-4.3.4-43.6…
a1c3499ebff3c3493f49977abd82d8ef
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-servlet-4.3.4-43.…
ea2c506fa449c18090d8d81c5fda1da7
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-session-4.3.4-43.…
934fcd686006ba5e3cdef9f0763abca4
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-sysvshm-4.3.4-43.…
ada042141532ceb503499022bd343200
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-wddx-4.3.4-43.61.…
40c4eded2b858de9a596fdc6d9e21a42
Power PC Platform:
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/apache2-mod_php4-4.4.0…
a140b3feb66d4aaeaef41b2399e0a788
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-4.4.0-6.15.ppc.rpm
91d0a696e9bb5bd9193d7963fc2c06b8
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-exif-4.4.0-6.15.p…
3b444d35b210ab2463332092aff75a49
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-fastcgi-4.4.0-6.1…
10810749229a4cee68d94cf039126c24
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-gd-4.4.0-6.15.ppc…
6e40b40f62337e8ccc6ebe8da992486a
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-mbstring-4.4.0-6.…
228fcf57bcbf6fe631d2996c92df34d3
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-unixODBC-4.4.0-6.…
f2adf27d69a3ef54e5d3da39da46903d
x86-64 Platform:
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/apache2-mod_php4-4.…
bb1df56dd702ce6af3c55bdb89866d3b
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-32bit-4.4.0-6.…
16a0307d33c644711f8073a246c2f6ef
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-4.4.0-6.15.x86…
671bbcd235e2322ddf5d247969be05e5
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-exif-4.4.0-6.1…
7c6f4fd05ebb4e92f57f63d8ddfd93db
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-fastcgi-4.4.0-…
67e2a98d581f8ccccb680fc4d0bb776d
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-gd-4.4.0-6.15.…
1d849d989158068f478d5c7027e6686a
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-mbstring-4.4.0…
5ae332bccfee664c040a9f30186b8852
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-servlet-4.4.0-…
90ef9cbfaa8a837543b0b08f8b32377f
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-unixODBC-4.4.0…
0657f62fc9bbcd0ebe5679ab62168a2d
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/apache2-mod_php4-4.3…
187682919d052dab78c2fa25da5ca285
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mod_php4-servlet-4.3…
689e899498be1dcf1a671ceb533d6a32
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-32bit-9.3-7.11.…
ea830e8cfea0cded96b8edcf809525ba
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-4.3.10-14.25.x8…
6a48c70dad81fb5712ea35c4aef2075e
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-devel-4.3.10-14…
9f6b614c5095376a28c3f288e8a5f50b
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-exif-4.3.10-14.…
47cb30945e8fc5c3798b5983fb7cb94c
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-fastcgi-4.3.10-…
694aadb8908ef9d8d138e54bc6d42b24
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-gd-4.3.10-14.25…
afb9584831f5a6f8322d00f2282703aa
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-mbstring-4.3.10…
3e7b8b67f49b1f0c476af84c0dbd5694
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-pear-4.3.10-14.…
f8efb254ef885a3a2d04252e902f4f33
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-session-4.3.10-…
52a54d535a5185533ddb2a29d0e7cb08
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-sysvshm-4.3.10-…
1461201a76c5b430e71c56d6b2fa4777
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/apache2-mod_php4-4.3…
518fdd320cfb21b2dc08f9c55b16d6ba
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/mod_php4-servlet-4.3…
da409dc041243c8b12b5fbd149f190da
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-32bit-9.2-20060…
eefc10a16242a3ba2b0c713007b96f1b
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-4.3.8-8.28.x86_…
45d1776a156304c009a4c4f8ae6c15aa
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-devel-4.3.8-8.2…
9f4d1dbc5d73964c32bb3dd0ab419eec
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-exif-4.3.8-8.28…
81710c6db8fb97c4bf97b13ac9e185fc
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-fastcgi-4.3.8-8…
c312c20ddd6af00a5fd00f2bd2cedabc
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-gd-4.3.8-8.28.x…
55ef3a2542547f5f167c56a41f320d52
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-mbstring-4.3.8-…
8bb0ea1ccd830011cb04bac05fc5061e
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-pear-4.3.8-8.28…
20971cc05c837d423d35f7584a71617c
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-session-4.3.8-8…
e9c3a24289b1d00133fc23082f65d02e
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-sysvshm-4.3.8-8…
4949447f09a8ebd00dd21df9a34b68b9
SUSE LINUX 9.1:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/apache2-mod_php4-4…
b966b6665a32c1b437152b6a2468a1ab
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/mod_php4-core-4.3.…
c9d3000f4ff9d70fd53a01afa1ea6528
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/mod_php4-servlet-4…
87a554fcce1cb600c81815203b718502
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-4.3.4-43.61.x…
07d7a77a3504b4748b22f228c07bf6ef
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-devel-4.3.4-4…
968d6a01832ede73530c0f1dd356e276
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-exif-4.3.4-43…
ef6441a0ea53d002431cc39a630c62ce
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-fastcgi-4.3.4…
e0de13330b9c81dbfea13d4e20762e4c
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-gd-4.3.4-43.6…
0b46e1136f22d99e911087f627420a80
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-imap-4.3.4-43…
0ff2aeb36eeccb96fa5b81c58331d7db
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-mbstring-4.3.…
d175e8217d17a9faa779a61eaafbb1b5
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-mysql-4.3.4-4…
6e0b1814909753e432856e36c257130f
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-pear-4.3.4-43…
f28fd61c54d6d55895c0228f96341098
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-recode-4.3.4-…
538fcc0e2f64235f1564c03fe5dcf1d0
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-servlet-4.3.4…
38e483e109067fc0fed78ec172bc4823
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-session-4.3.4…
286d218356729415ccbff4ab3a3034ad
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-sysvshm-4.3.4…
c4e11b7dc6ca5aa190071effe867ac25
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-wddx-4.3.4-43…
9ea11b3924f67cbb3b929da72d6cd396
Sources:
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/php4-4.4.0-6.15.src.rpm
b22894e000afd9eec90ea7481ccf737e
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/php4-4.3.10-14.25.src.r…
b00346afb847c32b00e66ad24887b5a8
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/php4-4.3.8-8.28.src.rpm
b122c554e82537bafdd7ed721c220fe6
SUSE LINUX 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/php4-4.3.4-43.61.src.rpm
82ee0ce0dd5d1704c3e64abfd8747582
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/php4-4.3.4-43.61.src.…
dcf6c840cf7f236db987d2f91d6f65d6
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
SUSE CORE 9 for Itanium Processor Family
http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/872c84fe4ddb36c…
SUSE SLES 9
http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/154731d4e512c74…
UnitedLinux 1.0
http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/af51507882deee0…
SuSE Linux Enterprise Server 8
http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/af51507882deee0…
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum <filename.rpm>
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security(a)suse.de) the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (FAQ),
send mail to <suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iQEVAwUBRJq3vHey5gA9JdPZAQLhqgf+O6QoiB28//KiHCD3My45T1aTS0t3ZfAO
sXYFc4RxMG2jARFBoDfZ/ryOB1pSMxfXcju9aVoooqVXeX3WziV9P1cYlbMRvbjh
E5jgc63YxjyuCU5VZZmhFU10iKFHO+dcFYOFsLS4KkAVIHSqBg3DdpCPE8UA9WbV
mU0pIVy1hZOvFlcWpR4mNnmHmHAtgaPpT5x805V7ftnBWi27NfpUMvv3TpRFmuIX
Xd9BZy989n9wrukQ9s9on3p7NycTZVbtXtR2jPGvbCCPNJbwtPIxSmdnu5sIndWs
J7aaRYTEYPL+dU1X7SYN658JJmYlr/aAiPyCq+2oFw9Af6eKtp2t7Q==
=y7DN
-----END PGP SIGNATURE-----
1
0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID: SUSE-SR:2006:014
Date: Tue, 20 Jun 2006 16:00:00 +0000
Cross-References: CVE-2006-2193, CVE-2006-2656, CVE-2006-2769
CVE-2006-2802
Content of this advisory:
1) Solved Security Vulnerabilities:
- tiff buffer overflow in helpers
- snort URL parsing evasion
- xine-lib buffer overflow in HTTP plugin
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
- Configuration of Maintenance Information Mails
- php4 problems with last update
- Adobe Reader security problems
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums
or download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on
our FTP server and via the YaST Online Update.
- tiff buffer overflow in helpers
A stack-based buffer overflow in tiffsplit was fixed that can be
triggered with long filenames (CVE-2006-2656).
An additional buffer overflow was fixed in tiff2pdf (CVE-2006-2193).
All SUSE Linux based products are affected.
Both tools are not setuid but may be exploited in conjunction with
other applications (as helper tools).
Exploitation of those two problems is unlikely.
- snort URL parsing evasion
An evasion attack on URL parsing in the intrusion detection
system snort was fixed. The faulty code is in the http_inspect
preprocessor.
All SUSE Linux based products containing snort are affected and
the issue is tracked by the Mitre CVE ID CVE-2006-2769.
- xine-lib buffer overflow in HTTP plugin
Missing length checks in the HTTP plugin of XINE could lead to a
buffer overflow on the heap when accessing remote video streams.
All SUSE Linux versions are affected and the issue is tracked by
the Mitre CVE ID CVE-2006-2802.
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
- Configuration of Maintenance Information Mails
This concerns our Enterprise customers only.
If you miss the Maintenance Information Mails we send for every
patch after migration to the Novell Portal, please visit the page
below to configure your mail settings for these maintenance mails.
http://support.novell.com/suseNotifications/index.jsp
This page allows selection of Mails per registered SUSE Linux
Enterprise product.
- php4 problems with last update
The last security update for PHP 4 broke functionality of some
applications in array handling.
This is tracked in https://bugzilla.novell.com/show_bug.cgi?id=185516
We are currently testing fixed packages for this problem and hope
to release them tomorrow.
- Adobe Reader security problems
Adobe Reader 7.0.8 was released fixing security problems.
We are working on updated packages.
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file containing the announcement.
The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and integrity of a
package needs to be verified to ensure that it has not been tampered with.
The internal RPM package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on RPMv4-based
distributions) and the gpg key ring of 'root' during installation. You can
also find it on the first installation CD and included at the end of this
announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (FAQ)
send mail to <suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iQEVAwUBRJgJSney5gA9JdPZAQINOgf/Q6r27QqXs7036aHdc1wIXmmfj3GDUgal
amwIq3f8IBR4auGP5liVaBOyqsYdxN6uxLbHzBxtyCQYs8mCHasxob0OBklETqli
CGFnuMh1brF1iym7DNNdys27C1Zoxdn+qjs0/ruIMK5P0RiFGgpT8eB6qj+aLOUF
HDuDwEjFGfvYRh13z6nEkR58bMaOof+D7b/yE+Jd+d4xtrRNU/i3exYs3ktKANqI
m37NPMRApqMc/I85XfNNANAcqBX3ygHgoxKrl6CRe36WNs3tj3DY+AOif+JJOPC0
vObjOi0seJeqUh9far3tysXa5HTzUJJbwpcwriIS9kNK2NK78tDW1w==
=cBKk
-----END PGP SIGNATURE-----
1
0
SUSE Security Announcement: awstats remote code execution (SUSE-SA:2006:033)
by Marcus Meissner 20 Jun '06
by Marcus Meissner 20 Jun '06
20 Jun '06
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: awstats
Announcement ID: SUSE-SA:2006:033
Date: Tue, 20 Jun 2006 10:00:00 +0000
Affected Products: SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SUSE LINUX 9.1
Vulnerability Type: remote code execution
Severity (1-10): 6
SUSE Default Package: no
Cross-References: CVE-2006-2237, CVE-2006-2644
Content of This Advisory:
1) Security Vulnerability Resolved:
awstats remote command injection
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
This update fixes remote code execution vulnerabilities in the WWW
statistical analyzer awstats.
Since back porting awstats fixes is error prone we have upgraded it
to upstream version 6.6 which also includes new features.
Following security issues were fixed:
- CVE-2006-2237: missing sanitizing of the "migrate" parameter. #173041
- CVE-2006-2644: missing sanitizing of the "configdir" parameter. #173041
- Make sure open() only opens files for read/write by adding explicit <
and >.
2) Solution or Work-Around
Please install the update packages.
Some workarounds are:
- Deinstall awstats if you do not need it.
- Protect the awstats CGI by normal web access protection methods so
that only authorized users can access it.
3) Special Instructions and Notes
None.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
Platform Independent:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/noarch/awstats-6.6-0.1.noarch.r…
a70bfe537486e3f318b371ad610c373c
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/noarch/awstats-6.6-0.1.noa…
2d8eb8d53dee2adaeab7474d39d6ae2c
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/noarch/awstats-6.6-0.1.noar…
e38bb2ae10bc598708b1e38b3e3c4bdf
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/noarch/awstats-6.6-0.1.noar…
d0e86bbc349ce339e76dbe13ed5c3e30
SUSE LINUX 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/noarch/awstats-6.6-0.1.noar…
385a3eca20f8dd779f64c71449700886
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/noarch/awstats-6.6-0.1.no…
312e17aef1372843f14e676477d5e6c8
Sources:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/awstats-6.6-0.1.src.rpm
6accf63aa103dbffd728da8287006437
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/awstats-6.6-0.1.src.rpm
4ab4c7a702ca7043fbd2e6e4fe56c8fb
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/awstats-6.6-0.1.src.rpm
bdaccf1a0eff3551e5fd3ee99129f843
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/awstats-6.6-0.1.src.rpm
0363176a39bafe164617da4ee85f05d7
SUSE LINUX 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/awstats-6.6-0.1.src.rpm
2d3b029476f5ff91f3fe483ae1bad9fe
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/awstats-6.6-0.1.src.r…
7a27454e22fd62673af6c184c0bb6956
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum <filename.rpm>
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security(a)suse.de) the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (FAQ),
send mail to <suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iQEVAwUBRJe5C3ey5gA9JdPZAQJuCgf/SvA6s0Mn4lIxQDFv3TsmLlZ+vzatdmbt
6oPLqo88rkpmsvFFU2+pdFyxdoW8U7/kAZ+E6kHC8UtSDPzGeC+Xsg+zq5w4PqdL
BweSgKwNJl4iIpdbJrczX/JIXdb3stWplli0VpUbXqsnhIMM4yCpXNLQQmOKfEJ3
ZOOc3FarGJUVzsgxozC6fLQPQFpN53p5vgh9SzX/ZLAxPhFClShPuDEf6TC6wIG2
jjwyVji0t7TcOwY3xzMN32VRAkLi+EV0jgXuDLhNb+HLfcKFEv1YCfwGnERtRDmV
dFplRMsGC9Gehw/kFOzi3Tm2iNXNlNW9GkbylHoP7dH43gO2BNFLHg==
=rQt6
-----END PGP SIGNATURE-----
1
0
SUSE Security Announcement: sendmail remote denial of service attack (SUSE-SA:2006:032)
by Marcus Meissner 14 Jun '06
by Marcus Meissner 14 Jun '06
14 Jun '06
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: sendmail
Announcement ID: SUSE-SA:2006:032
Date: Wed, 14 Jun 2006 19:00:00 +0000
Affected Products: SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SUSE LINUX 9.1
SuSE Linux Enterprise Server 8
SUSE SLES 9
UnitedLinux 1.0
Vulnerability Type: remote denial of service
Severity (1-10): 5
SUSE Default Package: no
Cross-References: CVE-2006-1173, VU#146718
Content of This Advisory:
1) Security Vulnerability Resolved:
sendmail remote denial of service attack
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
The Mail Transfer Agent sendmail has a remote exploitable problem,
where a specially crafted MIME messages can crash sendmail and block
queue processing.
This issue is tracked by the Mitre CVE ID CVE-2006-1173 and CERT
VU#146718.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
Please close and restart all running instances of sendmail after the update.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
x86 Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/sendmail-8.13.6-9.3.i586.r…
1e3fa1b7a729d2b260a4da6d9ff962f4
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/sendmail-8.13.4-8.6.i…
70a41db80164fb7d50e823774566ea9e
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/sendmail-8.13.3-5.6.i5…
94679162ea3b479f20362f0d01ea4d72
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/sendmail-8.13.1-5.6.i5…
10e79f3a40ec0c25911cf2549009d609
SUSE LINUX 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/sendmail-8.12.11-2.7.i…
adc59ac9fa4ba76743bd073e0334b9d9
Power PC Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/sendmail-8.13.6-9.3.ppc.rpm
81580c25511daa9862a1dd8f5ca7d48b
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/sendmail-8.13.4-8.6.pp…
ff81143d1dee29c58aea6038a952c903
x86-64 Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/sendmail-8.13.6-9.3.x86_…
8f724bcf3c0aaac8923241c9f3288c40
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/sendmail-8.13.4-8.6…
40fc8a5f7ad12159528b8cc1d4c2173f
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/sendmail-8.13.3-5.6.…
d8b8ba804ac1a04b22d673c52d654f69
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/sendmail-8.13.1-5.6.…
6dcf297dbbcfb5d2b7d0a55efb9c3099
SUSE LINUX 9.1:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/sendmail-8.12.11-2…
dd3ed5bd5318928a9bfe4320eed67027
Sources:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/sendmail-8.13.6-9.3.src.rpm
7ed5b46eb2ed2a18becadf43b8cba7b1
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/sendmail-8.13.4-8.6.sr…
0f93d3d608305d44667ec1b35a76e626
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/sendmail-8.13.3-5.6.src…
c9ac83c770a63f94fe18a156898ffe70
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/sendmail-8.13.1-5.6.src…
6dd980cf9e4ee2d14d9ec1e8f7c804f5
SUSE LINUX 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/sendmail-8.12.11-2.7.sr…
d312bd0544a7e3b7456abfb79a296383
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/sendmail-8.12.11-2.7.…
c1bfd5c0dbd95faee42ae0a2694147bf
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
UnitedLinux 1.0
http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/e92dc8b293ef625…
SUSE SLES 9
http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/e92dc8b293ef625…
SuSE Linux Enterprise Server 8
http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/e92dc8b293ef625…
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum <filename.rpm>
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security(a)suse.de) the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (FAQ),
send mail to <suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iQEVAwUBRJBeM3ey5gA9JdPZAQJVQgf/bwNm+ZLLDbUIBT4xj6/vbjoyuYScRHwV
CIbU73rHkHJSNCjjTjXOeU5inNu/YYkNs1T7DLkFQFiYxy9V2p6voHiZhcjwGOZg
VxmUyo707ybQJayvzLTq2U0y+PWHYQ0/CdRD6jZTFJ7etOiQCcqAGXTCuMvuK1Bl
4CfpQj80tMwNzcrldzAsD1UTBZ05DXLVgUO2hNzx0BOydvM6pHXco4Ow5am4mbFW
LMTP+LkmKIgqkhMk+WInxvVglVEyrbFszcv0D2tGC9M8wMlUPYulbhVRBJboc/do
xQBHa0MhQ9BuxmfdvqLudrwIHmBb8Cy9uqKO/dGG+RP97DhiH6UhYw==
=0D4O
-----END PGP SIGNATURE-----
1
0
14 Jun '06
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: PHP4,PHP5
Announcement ID: SUSE-SA:2006:031
Date: Wed, 14 Jun 2006 18:00:00 +0000
Affected Products: SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SUSE LINUX 9.1
SuSE Linux Enterprise Server 8
SUSE SLES 9
UnitedLinux 1.0
Vulnerability Type: remote code execution
Severity (1-10): 6
SUSE Default Package: no
Cross-References: CVE-2006-1990, CVE-2006-1991, CVE-2006-2657
CVE-2006-2906
Content of This Advisory:
1) Security Vulnerability Resolved:
multiple PHP4/5 security problems
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
This update fixes the following security issues in the PHP scripting
language, both version 4 and 5:
- Invalid characters in session names were not blocked.
- CVE-2006-2657: A bug in zend_hash_del() allowed attackers to prevent
unsetting of some variables
- CVE-2006-1991, CVE-2006-1990: Bugs in the substr_compare() and
wordwrap function could crash the php interpreter.
- CVE-2006-2906: A CPU consumption denial of service attack in php-gd
was fixed.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
Please close and restart all running instances of Apache/Apache2
after the update.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
x86 Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/apache2-mod_php5-5.1.2-29.…
43caed16d11d6d744cc9ffd8395b556f
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/php5-5.1.2-29.4.i586.rpm
c710b5f21c59e26b3614bd9f678f3cd9
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/php5-gd-5.1.2-29.4.i586.rpm
bdbdf268f1e7c28380280eb92f401543
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/apache2-mod_php4-4.4.…
ee9a036c0c3e7980a0e7d549b7cc002f
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/apache2-mod_php5-5.0.…
f481f326f7f54dfc3206556a9bf67205
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-4.4.0-6.13.i586.…
d75c89b6b52acbef2b390cea964bd9b5
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-exif-4.4.0-6.13.…
a3cd814e0fad2159a8b2792a6fd911f9
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-fastcgi-4.4.0-6.…
c3afcc6e4032720fe1eea12a765f61dc
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-gd-4.4.0-6.13.i5…
6a7a52370500ae40e9326cc381c2675d
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-mbstring-4.4.0-6…
c50ba2c19f5fe867795f65bf137aea93
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-servlet-4.4.0-6.…
04435104d2b5b5b66d0b5225d285700f
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-unixODBC-4.4.0-6…
4fdc57479a471ad661c4eac0e2b69026
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-5.0.4-9.13.i586.…
df6a2c45dbba97b16211fbd2897de09d
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-exif-5.0.4-9.13.…
35e432a21e77c68843b51b65ace9b6a0
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-fastcgi-5.0.4-9.…
497e4234c830dc8206bbd011dbbb8bfd
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-gd-5.0.4-9.13.i5…
1afe872c30a7789c608146de00abf369
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-mbstring-5.0.4-9…
e8c65c894d7ea28aa09bf7e8f7f3ccd9
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-mysqli-5.0.4-9.1…
73f0b104e6a9e74fe2ded7e77dfecb7d
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-pear-5.0.4-9.13.…
232e84253c063a8942396b8e10338682
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-snmp-5.0.4-9.13.…
8bb28c6c7e48b64ea24740dbffd8892f
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/apache2-mod_php4-4.3.1…
821357c5187d35011ca6719a4800ad7e
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/apache2-mod_php5-5.0.3…
262d39f817115eb7ee6e7684976fc4d0
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mod_php4-servlet-4.3.1…
34b0fedf7ed621c9733df67b7495331c
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-4.3.10-14.23.i586…
7a0ad94e62e8c743094f6ec40a1d9b1d
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-devel-4.3.10-14.2…
407c70d3733afd11132cbeab07c631e3
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-exif-4.3.10-14.23…
671185e5ea32d549247714b4d677fd14
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-fastcgi-4.3.10-14…
96ef30c80ab27d9d7cf4adb8c27ede5f
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-gd-4.3.10-14.23.i…
7c98b8423f6499926f8dd0d49c7e06a6
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-mbstring-4.3.10-1…
8065b470f710f03ee254618edec63330
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-pear-4.3.10-14.23…
36e29339a0f06826813baf1fe3c0183a
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-session-4.3.10-14…
1cd935f93eeb3e1e08467a8ec9da1546
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-sysvshm-4.3.10-14…
068daf588e69e8e032ae9b8788660c8e
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-5.0.3-14.23.i586.…
d21c0b2190b4a9eacb8d01baa2a94cc8
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-devel-5.0.3-14.23…
15be3d77516c642011e7a219b2dc9f19
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-exif-5.0.3-14.23.…
233eb72898dff61aaaf96d4619a5dfe6
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-fastcgi-5.0.3-14.…
000b41b363221d36f461710b78b70306
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-gd-5.0.3-14.23.i5…
92a47575b0c8de691ef41dd29b7efc6e
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-mbstring-5.0.3-14…
e263a60c24b957b1fdebe7b00d769e83
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-mysqli-5.0.3-14.2…
b4334f824c9f7943417b745426a63b11
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-pear-5.0.3-14.23.…
b2d16811dfd728c67addb90f79b54d67
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-sysvmsg-5.0.3-14.…
0477129977e118178cb9e0431d706990
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-sysvshm-5.0.3-14.…
530bda9a7f5a7ab7568a8e69f99c7868
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/apache2-mod_php4-4.3.8…
f212924910ec209c3f8f0c5db3b18447
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/mod_php4-servlet-4.3.8…
21b4f9c977f76764f02961510aa80b49
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-4.3.8-8.26.i586.r…
0d6fac421b1c28b6610cdec8c2525ba6
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-devel-4.3.8-8.26.…
02dc039703f3f781a5861c9535203624
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-exif-4.3.8-8.26.i…
8175deacb02985b6a9fdbf60140c2563
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-fastcgi-4.3.8-8.2…
c26e1826c2f5e32370f6a304dec39bd8
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-gd-4.3.8-8.26.i58…
0ed67cbb3bceeeb61588c1d9e300fa7b
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-mbstring-4.3.8-8.…
6201452c9c6b9181d0fcfb5642aa1897
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-pear-4.3.8-8.26.i…
39956165064be228b7ced1d8fc8b1975
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-session-4.3.8-8.2…
67b3927a7e0bb817f62c883639df0334
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-sysvshm-4.3.8-8.2…
36f89680156c19d5d84047ba69d6a719
SUSE LINUX 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/apache2-mod_php4-4.3.4…
6b7dce5b6fc404959f2bb9d2cc837f98
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/mod_php4-core-4.3.4-43…
6598a95fa00d7b011a0d56d76cd70f0d
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/mod_php4-servlet-4.3.4…
b3a5aa3461fa89cd35d1a20d321bb7f4
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-4.3.4-43.58.i586.…
ddb3e2ddf9b9b45655ff44f1e7e9317c
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-devel-4.3.4-43.58…
73302ac6b1ae2d5120e8a7d2a05052db
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-exif-4.3.4-43.58.…
5ffedeb8515eafc065c639f9470eb7d3
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-fastcgi-4.3.4-43.…
7c194d8b2bc3de4a96928e2c99a80a96
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-gd-4.3.4-43.58.i5…
0bf2068e87c47cea0f81bf4f55b6dc50
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-imap-4.3.4-43.58.…
4b9dd632e7d5a7d8aa0dd8a4efc8e37b
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-mbstring-4.3.4-43…
bea433cff0221243363ea0105111c86c
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-mysql-4.3.4-43.58…
96dd1d3d5063be3216e7492670d00cc9
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-pear-4.3.4-43.58.…
a84d8ddd7ce534c7acc7972628f2ae0c
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-recode-4.3.4-43.5…
5b646636567e96cca066695f6ce6cfe9
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-servlet-4.3.4-43.…
04c41b24b8d8c20a925f1c17d0acb281
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-session-4.3.4-43.…
982d7b35f8061f74bbc66ba00b25d88b
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-sysvshm-4.3.4-43.…
bf9af241b791dc090925c09ef135afc0
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-wddx-4.3.4-43.58.…
b085e91f153f26b164d5d6a342097bf1
Power PC Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/apache2-mod_php5-5.1.2-29.4…
c9d486f1c9b55bfb9e810adb6abc8aab
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/php5-5.1.2-29.4.ppc.rpm
1e23a318feeaa1f34ed00cc399ad356a
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/php5-gd-5.1.2-29.4.ppc.rpm
5108034703d9c2108babee92c0ae17d3
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/apache2-mod_php4-4.4.0…
3938e739a478cccb4b71f6b7e43edd2c
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/apache2-mod_php5-5.0.4…
0673e6b7978d86592a2e49571aa6a2a7
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-4.4.0-6.13.ppc.rpm
be46e319b18df7e2109d356ff4ebc20e
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-exif-4.4.0-6.13.p…
c1996ef13815d7fdcee7f8f5baed4bcf
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-fastcgi-4.4.0-6.1…
92e5fabb5f4dad75be2b4a3617e97988
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-gd-4.4.0-6.13.ppc…
eee4690f118364474826d26c054bdf10
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-mbstring-4.4.0-6.…
f318576b118be51d17a0e60a87e17d9f
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-unixODBC-4.4.0-6.…
95e643e8edc72663358494c534b62552
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-5.0.4-9.13.ppc.rpm
9cf6ee8f88a5060ac8a0f594d9e48fa6
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-exif-5.0.4-9.13.p…
bfa39d4d148b56ad8b7c6e44510a0c11
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-fastcgi-5.0.4-9.1…
3adbbbf720410c1ed23dd79bea9e220d
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-gd-5.0.4-9.13.ppc…
948fc3125a641981d3f87975d6e97c54
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-mbstring-5.0.4-9.…
cb0923a3313c4fd116318bf471e50778
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-mysqli-5.0.4-9.13…
50e68b88d43d25ec73d9aecc69f30e5b
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-pear-5.0.4-9.13.p…
71dfa81dfd012f548d8f025bfdfeedbd
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-snmp-5.0.4-9.13.p…
8653bdc6fd1339ab69c36eac0ba686ac
x86-64 Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/apache2-mod_php5-5.1.2-2…
f4dede6f601bfcee52dd3b93859870e3
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/php5-5.1.2-29.4.x86_64.r…
ef9cee1726b8bd511855f874823ab825
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/php5-gd-5.1.2-29.4.x86_6…
ad72b93f1472ab9103f092ad899d697a
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/apache2-mod_php4-4.…
b9bf78047d75d193eb45e76f889e48b2
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/apache2-mod_php5-5.…
677743bbf4162fde6757a055ddf1a1c1
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-32bit-4.4.0-6.…
c55eed73f54c6f0a145342644fe44078
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-4.4.0-6.13.x86…
f9907902edf1a76b44cf3adb7a1b484d
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-exif-4.4.0-6.1…
90fcd0d1423caf1b96f79b7b16f65439
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-fastcgi-4.4.0-…
b05af431c9bb58ecb9d5e6d1871f17eb
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-gd-4.4.0-6.13.…
e07adcdd81a962e259ae4b1c0d21f89d
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-mbstring-4.4.0…
591794e8f5690db6eb0544f75ca5aabb
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-servlet-4.4.0-…
b35a87bba7a2d1301806a7af10473725
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-unixODBC-4.4.0…
b432e0e35ee0cb30672e89b324a23396
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-5.0.4-9.13.x86…
a82f50460802a1767854758d406b82cb
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-exif-5.0.4-9.1…
78f9287306f1d029a9b3d471318fafda
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-fastcgi-5.0.4-…
f6dd1443d043715c103ff0ec77bcb9b7
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-gd-5.0.4-9.13.…
aaf4cdd7b69405bc2fc46d721cb208b8
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-mbstring-5.0.4…
8fac63d139a16a587c6a38f7ef622531
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-mysqli-5.0.4-9…
1b0a546491b54b4d73eecfee1db04a5a
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-pear-5.0.4-9.1…
b60a17edeb48d6cdc291bdb3204398ec
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-snmp-5.0.4-9.1…
1030f5db7852122bc3d7a0d6432a8dc6
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/apache2-mod_php4-4.3…
3efa464de374a316bcfc48edc0728b80
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/apache2-mod_php5-5.0…
0807c3ffba97947d7f58e434d6be424a
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mod_php4-servlet-4.3…
ac4933dcb44e3a28f19ec4535e3d1f69
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-32bit-9.3-7.10.…
d5d5e1b56a7c99004bf7048bead9506f
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-4.3.10-14.23.x8…
8cddaa485f432a4e3c644e53fa31b3fd
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-devel-4.3.10-14…
1f5aeb49f2cb874fd213c97563c11492
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-exif-4.3.10-14.…
f9f96ed8c0cce5ab6aef622a79d6e67b
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-fastcgi-4.3.10-…
1e3ddeafab63b93e6149df2996afc674
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-gd-4.3.10-14.23…
001446522678324806c21f2777dcce19
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-mbstring-4.3.10…
566299076beb81ab015e834707646fb8
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-pear-4.3.10-14.…
2bdad5f2e29738442e49fee529862842
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-session-4.3.10-…
6219659daad37fbcbee11748f1d2b34f
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-sysvshm-4.3.10-…
67757dc0a8a9cb00ffd653ae2cf26224
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-5.0.3-14.23.x86…
bc3737aaf8c7f5b0ec4f76ac333b4f49
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-devel-5.0.3-14.…
a1f6a145f2af57e006a2099baeb1398f
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-exif-5.0.3-14.2…
3caafddfc109b70e80acf683a155219b
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-fastcgi-5.0.3-1…
eaab55971ca52912c0853d0d29ed98ec
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-gd-5.0.3-14.23.…
629dc2798d1dff92a1b1f5ca1f3334a3
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-mbstring-5.0.3-…
6947c955edc17fe914feebe48fcfae3b
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-mysqli-5.0.3-14…
f8c743c3cb7973ccbece026844cae9fb
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-pear-5.0.3-14.2…
a11dedb05754fcf1f2d4a4eff98d1070
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-sysvmsg-5.0.3-1…
6500afb7ff16fa52098805f0a8aee789
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-sysvshm-5.0.3-1…
fef838635d36eda73402eabfab666a5c
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/apache2-mod_php4-4.3…
a984fab6423ee37c7d479180b670d635
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/mod_php4-servlet-4.3…
b3f236a5f51d6916ebce5306e9cf8dc9
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-32bit-9.2-20060…
8899d8b26da5381a69e928b07f7af3e1
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-4.3.8-8.26.x86_…
b41e5526228b3a47a8d33ccc4bfd8593
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-devel-4.3.8-8.2…
2e0b5cd33d5a401b85757a9185240f39
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-exif-4.3.8-8.26…
9b35b4fcb6ba77ffcd05a662d4ce5318
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-fastcgi-4.3.8-8…
6886ac119c43e6cd535974bdf2f30698
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-gd-4.3.8-8.26.x…
b5f4c3eeb0f1a167e3dbc030b9c1edd3
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-mbstring-4.3.8-…
c4c258802dbecfac5106064561d24255
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-pear-4.3.8-8.26…
67b7965d8b9624e8243b6f46de8411d3
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-session-4.3.8-8…
11b2e0a23639145772a3c359abb52e59
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-sysvshm-4.3.8-8…
e2cd105c941877d49e28277705a7039e
SUSE LINUX 9.1:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/apache2-mod_php4-4…
6881897376e783520b891056e35ec534
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/mod_php4-core-4.3.…
30947f905b21c7ef536478d64fee5bfd
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/mod_php4-servlet-4…
bb4d633dcc7dcb10ef1a3bcfcdc84797
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-4.3.4-43.58.x…
8e4b3fea82c3cbb106377b87f1fee6c9
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-devel-4.3.4-4…
04e5fa26ac5e8fc63314aacad1d6b249
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-exif-4.3.4-43…
5f2a74b4adb0c839562e02b42bf4f05c
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-fastcgi-4.3.4…
3fdad764d7b36a3b5b7870e18c984e9e
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-gd-4.3.4-43.5…
68d576893b580efc27be7a634bb42568
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-imap-4.3.4-43…
2838bcfd8f223d81c471e3405da00c33
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-mbstring-4.3.…
573fad1c28b3e8554f2cb4e0861dc057
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-mysql-4.3.4-4…
869974b14a9a22e79bbc73f6a7af6a55
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-pear-4.3.4-43…
6ba59734b7107a021a68bcd315db1bf2
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-recode-4.3.4-…
77421b8c21f635fbc78f64168961b62c
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-servlet-4.3.4…
b32cbd1db68a50f843fbdf0cbabefa68
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-session-4.3.4…
00376ad2619727f8d7feef6f5d8d3e26
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-sysvshm-4.3.4…
1acf46b9184a55159ac1e38bb26d43ff
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-wddx-4.3.4-43…
e017ba71e1269460e5124ba46cd34bac
Sources:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/php5-5.1.2-29.4.src.rpm
98d8846387e3b252a7af710388460128
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/php4-4.4.0-6.13.src.rpm
507d65d8ee0d358ee43fcf793c0d7955
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/php5-5.0.4-9.13.src.rpm
9adf218a1b0d39b06350a57a0f627a55
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/php4-4.3.10-14.23.src.r…
42587bbd02008e856204797ba2d3e312
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/php5-5.0.3-14.23.src.rpm
ba707c9762597086350062dcce3d8d99
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/php4-4.3.8-8.26.src.rpm
f8ee786af575e1bd2dcf4f243a471623
SUSE LINUX 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/php4-4.3.4-43.58.src.rpm
d1c7f23f762099bcabacb3b9a1425ab6
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/php4-4.3.4-43.58.src.…
bc7a12efeaf4cc118a857914e3a09910
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
SUSE CORE 9 for Itanium Processor Family
http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/7fc9fde927d1b85…
SUSE SLES 9
http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/02d299d80da3813…
UnitedLinux 1.0
http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/ec8efbd0fe4a2ee…
SuSE Linux Enterprise Server 8
http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/ec8efbd0fe4a2ee…
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum <filename.rpm>
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security(a)suse.de) the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (FAQ),
send mail to <suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iQEVAwUBRJA6+3ey5gA9JdPZAQLVOwgAhVokVx+6LkqzKhhYntCivg5zVi94QTVZ
Ew3EZQPaZJTZFe9RMx5X2cYYkW0VITTHpYEbX444vVzDgvoNWX+KLpdrBYQ808NN
QPolM7TysBRbZNazbQVmYvZ3YdaWS7Z/p+dOS5WPIu2VFd60egoORc/2d+egl5IM
iZgw7TY9xRAp8sE5VpXEzfwKdVXblMhCb+ygkP9EF+xf5tRqc/bQ4bP06i/2Z7uc
GDMLxE65Hv246j/+aBi99tI3EXbeikPn+ItiJQ4LgHlgYtwj5tjT3nKG1meopPDE
0WvPB+Dru5pMbqaektCyjHY3cu8mQ5u+n93o69Uc493kHt+g3wtXew==
=mZ7E
-----END PGP SIGNATURE-----
1
0
Hi,
If you are a user of SUSE Linux 10.1 you will have likely noticed that
the Package Update System is not up to the quality you were accustomed
to in previous SUSE Linux versions.
The reason for this is that SUSE Linux 10.1 got a completely rewritten
package handling, which offers a multitude of new features necessary in
todays world of dozens external package repositories, Add-On products,
multiple update sources, remote management and cryptographic repository
integrity assurance.
This incurred not just a new lowlevel packagement (called ZYPP) but
also inclusion of the Novell product Zenworks in the form of the ZMD
daemon, the commandline tool "rug", and the graphical "zen-updater",
"zen-installer" and "zen-remover" frontends.
As we shipped SUSE Linux 10.1 we were aware of these quality issues and
had already planned to release a online update. At that time we were
confident that it would be possible to use all updater frontends to
install this update.
Unfortunately this was not the case so some special procedure is required
once to install this update:
- Start the YaST Online Update (as root user).
If you are not familar with YaST this can for instance be done:
- via The KDE or GNOME menu link to the YaST control center
-> System -> YaST (Control Center) -> Online Update
- by starting:
KDE: kdesu yast2 online_update
GNOME: gnomesu yast2 online_update
- By opening an shell window (xterm, konsole, or similar) and doing:
$ su
Password: <enter rootpassword here>
# you
... follow the graphical interface ...
- In the patch overview only the "libzypp update" patch will be selected.
Just press "Accept" to install it.
This will install the update and should not result in errors.
- Afterwards you will need to restart "zen-updater" once on the desktop to be
able to install the rest of the updates.
If you install a new system now, you can avoid this by running the
Online Update during installation (if network is available). This will
also download the "libzypp patch".
Also please note that not all of our mirrors have this update yet and
might take some days to get it.
The list of fixed bugs can be found below.
Open issues:
- Patch and Delta RPMs are not supported yet. The update will always
download full RPMs.
- Performance and memory usage is not optimal.
Sincerely,
Marcus Meissner
* Do not create anymore /.gnupg (the directory can be removed)
(#171055)
* Handle daemons launched in rpm %post that do not close
filedescriptors (#174548)
* Really get all package descriptions (#159109)
* Support large files, e.g. DVDs as installation source (#173753)
* Handle update source setup after installation (#172665)
* Do not add duplicate update sources (#168740)
* Fix yast2 instserver module so that it works with 10.1 (#171157)
* Do not exit in online_update when only packages (and no patches) are
selected for installation or deletion (#175668)
* Improve syncronising sources between yast and zmd (#168740, 175174,
175159, 175173)
* Fix segmentation fault with non-signed repositories (#173291)
* Handle system proxy setting with zmd (#160830)
* Fix zen-updater bugs when installing packages (#171171, 174740)
* Update packages to follow ABI change in libzypp.
* restarting zmd if it is updated (#178218)
* While updating ourself delay the call to
ShutdownManager.allow() so the client polling
the transaction can get the final status of the transaction
before we restart (#179413)
1
0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID: SUSE-SR:2006:013
Date: Fri, 09 Jun 2006 17:00:00 +0000
Cross-References: CVE-2006-2417, CVE-2006-2418, CVE-2006-2452
Content of this advisory:
1) Solved Security Vulnerabilities:
- phpMyAdmin cross site scripting issues
- gdm login configuration problem
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
- none listed today
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums
or download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- phpMyAdmin cross site scripting issues
Cross site scripting problems due to missing checks of the 'db'
and 'theme' parameters could be exploited for cross site scripting
attacks in the phpMyAdmin package.
All SUSE Linux versions were affected, and these issues are tracked
by the Mitre CVE IDs CVE-2006-2417 and CVE-2006-2418.
- gdm login configuration problem
A bug in GDM was fixed that allowed local users to bypass root
authorization to access the login configuration.
All SUSE Linux versions were affected and this issue has been
assigned the Mitre CVE ID CVE-2006-2452.
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
None listed today.
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file containing the announcement.
The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and integrity of a
package needs to be verified to ensure that it has not been tampered with.
The internal RPM package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on RPMv4-based
distributions) and the gpg key ring of 'root' during installation. You can
also find it on the first installation CD and included at the end of this
announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (FAQ)
send mail to <suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iQEVAwUBRImMlney5gA9JdPZAQL0iAf/WJsuS0DqDU4Q7ckhy22GGmvfToZh2d4v
Fldby7lHFmn4AWth9BsVm2r8+w3k/suEIHI3WZwRJaFuHq01SqMj6dI9LzcS1BDm
Kl+70MCdIs1ZIltWdtrR9u13kxm16V2Vw+UOaV1coNqcwlQNo8TYJeN2EzY5KfLk
zroIkbmRqtM12squhIoupp4i+7A3os/StlQVy68CrMmqFEQ0la/PSEYiHIFM3qIy
dWT+unfRb4lNSlMcma3N4rV7l+UyaivQD2jdS81Bok3PKNs/825CJXsLS4A9l28f
YgFFg//zHoeNkj63j18CaLMxrvRGoFEN80Qgt1/o0B5SMdAappPyPQ==
=9z8e
-----END PGP SIGNATURE-----
1
0
SUSE Security Announcement: PostgreSQL SQL injection attacks (SUSE-SA:2006:030)
by Marcus Meissner 09 Jun '06
by Marcus Meissner 09 Jun '06
09 Jun '06
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: postgresql
Announcement ID: SUSE-SA:2006:030
Date: Fri, 09 Jun 2006 16:00:00 +0000
Affected Products: SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SUSE LINUX 9.1
SUSE SLES 9
Vulnerability Type: remote code execution
Severity (1-10): 7
SUSE Default Package: no
Cross-References: CVE-2006-2313, CVE-2006-2314
Content of This Advisory:
1) Security Vulnerability Resolved:
PostgreSQL SQL injection problems due to encoding problems
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
Two character set encoding related security problems were fixed in the
PostgreSQL database server:
CVE-2006-2313:
Akio Ishida and Yasuo Ohgaki discovered a weakness in the handling
of invalidly-encoded multibyte text data. If a client application
processed untrusted input without respecting its encoding and
applied standard string escaping techniques (such as replacing a
single quote >>'<< with >>\'<< or >>''<<), the PostgreSQL server
could interpret the resulting string in a way that allowed an
attacker to inject arbitrary SQL commands into the resulting SQL
query. The PostgreSQL server has been modified to reject such
invalidly encoded strings now, which completely fixes the problem
for some 'safe' multibyte encodings like UTF-8.
CVE-2006-2314:
However, there are some less popular and client-only multibyte
encodings (such as SJIS, BIG5, GBK, GB18030, and UHC) which
contain valid multibyte characters that end with the byte 0x5c,
which is the representation of the backslash character >>\<< in
ASCII. Many client libraries and applications use the non-standard,
but popular way of escaping the >>'<< character by replacing all
occurrences of it with >>\'<<. If a client application uses one of
the affected encodings and does not interpret multibyte characters,
and an attacker supplies a specially crafted byte sequence as an
input string parameter, this escaping method would then produce a
validly-encoded character and an excess >>'<< character which would
end the string. All subsequent characters would then be interpreted
as SQL code, so the attacker could execute arbitrary SQL commands.
To fix this vulnerability end-to-end, client-side applications
must be fixed to properly interpret multibyte encodings and use
>>''<< instead of >>\'<<. However, as a precautionary measure,
the sequence >>\'<< is now regarded as invalid when one of the
affected client encodings is in use. If you depend on the previous
behavior, you can restore it by setting 'backslash_quote = on'
in postgresql.conf. However, please be aware that this could
render you vulnerable again.
This issue does not affect you if you only use single-byte (like
SQL_ASCII or the ISO-8859-X family) or unaffected multibyte
(like UTF-8) encodings.
Please see http://www.postgresql.org/docs/techdocs.50 for further
details.
Unfortunately we are not yet able to provide back ported patches for
the PostgreSQL included in SUSE Linux Enterprise Server 8 at this
time. We are working on a solution for this problem.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
If you are running a PostgreSQL server please make sure that it
is stopped or at least doesn't have any client connections during
the update.
If you are running or using a PostgreSQL server please carefully follow
the instructions in /usr/share/doc/packages/postgresql/SECURITY-NOTICE
to complete this security update
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
x86 Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/postgresql-8.1.4-1.2.i586.…
8fb5e2f12fb4db3b468a735be55902bc
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/postgresql-contrib-8.1.4-1…
fd229189b9b93d90cf223fbe29ecf937
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/postgresql-devel-8.1.4-1.2…
278a5823adcc686131b55cad9984f34c
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/postgresql-docs-8.1.4-1.2.…
a91427f863badb6edc03ae27b3e5f15e
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/postgresql-libs-8.1.4-1.2.…
ea7ce106f0bc482469e96e27b8e544bc
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/postgresql-pl-8.1.4-1.2.i5…
56a69980760509bb49de4868315d5baa
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/postgresql-server-8.1.4-1.…
ed388e0c0a524559d13050eb1dfdc9c1
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/postgresql-8.0.8-0.2.…
923404a774e7cabec9df64c62da88a27
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/postgresql-contrib-8.…
85b25723f9d67a70b04e0ce3811cc85c
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/postgresql-devel-8.0.…
50e5a977ed8b9120768bc5e603961f98
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/postgresql-docs-8.0.8…
e45faf70ef7def2aade7b94ba89bd864
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/postgresql-libs-8.0.8…
36b5719ca00eaf3cddb4c2d506d1d2fa
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/postgresql-pl-8.0.8-0…
318081f3601d5f7baf872c94b104b2fc
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/postgresql-server-8.0…
05d154dcc296a9c7e956e9138a312108
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-8.0.8-0.2.i…
a260aec2aef3ea77694a76a0201044ae
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-contrib-8.0…
37b5114bbbb78f6e80ffb1b89401e8da
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-devel-8.0.8…
a61d1e17cd2ccc61f6b4975520ab7e9f
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-docs-8.0.8-…
841b0470d29b9170b18bbfbaafe41435
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-libs-8.0.8-…
78ef824e90a62d24d6bb2deaa9b74ab9
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-pl-8.0.8-0.…
733a5aa1b89477c2011910d0fa72e166
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-server-8.0.…
f688fedcc332b893e0ac9e5154d977c1
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-7.4.13-0.2.…
ea88d118184c182bfacb7544d48f34c6
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-contrib-7.4…
ce7b90c42fb477b97c0dbc64c147b5e0
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-devel-7.4.1…
1bcfeb756fe5c5d5e347a5ff4ccf84fe
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-docs-7.4.13…
890c3a7ced118229ec9bc640cb057800
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-libs-7.4.13…
b7ec99237d6fe4e8682c78f7a8bcdb63
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-pl-7.4.13-0…
96a4e10fee0a465819a07ee2e89b03e2
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-server-7.4.…
5ca65525e7d340e4e98a3a59dac1cbe3
SUSE LINUX 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-7.4.13-0.4.…
34eed42fd77148c86ec86c086a18af0d
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-contrib-7.4…
e05064dbdfba0a0a0ca43b745f2a6402
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-devel-7.4.1…
8ecb634c77035ccac12cee347c632f99
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-docs-7.4.13…
f3ac880c647474f1bee6c72fec75b550
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-libs-7.4.13…
92e1ed36148af0b98691296b5f20074d
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-pl-7.4.13-0…
76c494f41f4cc6d31d181c0d672b85db
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-server-7.4.…
77dddc495feae1c6b0f926b0169585af
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/i586/postgresql-libs-32bi…
e1def686b4da15034ecdba05ae52d317
Power PC Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/postgresql-8.1.4-1.2.ppc.rpm
20bf4b672950391a885c39647be3fd29
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/postgresql-contrib-8.1.4-1.…
a438d0c348de0e2352a24ba34f1b3efd
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/postgresql-devel-8.1.4-1.2.…
a24d09f29f4dc635420a4cf44d01de7a
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/postgresql-docs-8.1.4-1.2.p…
733ebb4b98b47c4ae645b2a6d3f5f127
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/postgresql-libs-64bit-8.1.4…
2e2a884eb58f654bad8b4986f8347d63
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/postgresql-libs-8.1.4-1.2.p…
afb35a53b9dad8e2b7f193eb59265c94
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/postgresql-pl-8.1.4-1.2.ppc…
e26756896b6023f3b7a56edf504508e0
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/postgresql-server-8.1.4-1.2…
3e7b5e34ab551a15adf87a4533f71919
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/postgresql-8.0.8-0.2.p…
1f0d19658278ce363a02f34c8408badc
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/postgresql-contrib-8.0…
ab128f5681367e3260f28007f1eb223b
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/postgresql-devel-8.0.8…
4934796258b5095bde35d82dcce8400e
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/postgresql-docs-8.0.8-…
c6ed5f891260a707ff34d2c0d6bc8dd5
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/postgresql-libs-64bit-…
11eae2961bc6806c81144f980cf47c26
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/postgresql-libs-8.0.8-…
84d1d74b1be2fa9bc3814347e48d666a
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/postgresql-pl-8.0.8-0.…
7c2091e7324d055d584d18de5d016b02
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/postgresql-server-8.0.…
565f8479ac8b992cc6dee514d009c6a0
ppc64:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc64/postgresql-8.1.4-1.2.ppc6…
eaaea2f30a115beed208a33fb7985319
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc64/postgresql-8.0.8-0.2…
a16b451535c8a819814fc0081a6a3855
x86-64 Platform:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/postgresql-8.1.4-1.2.x86…
7037db2dbb3d7d251f74a383a8779ebd
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/postgresql-contrib-8.1.4…
efc0a6e5c729fa83995b24ac9cb248de
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/postgresql-devel-8.1.4-1…
dba4d4671e306ea3f610576b8e455152
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/postgresql-docs-8.1.4-1.…
ad4d0ceb06de8f4a66506ce8822752f9
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/postgresql-libs-32bit-8.…
4ee45efb63361bba98e6d65d07187afa
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/postgresql-libs-8.1.4-1.…
c5a016add913fdaad2b5157d705e3fe4
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/postgresql-pl-8.1.4-1.2.…
109a82fdb9ba89bd72323906d03ef0a8
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/postgresql-server-8.1.4-…
e2100dbf6917d14f375d7860275d35e5
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/postgresql-8.0.8-0.…
aeae0da5a394b4c24d8cda8560f18dbb
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/postgresql-contrib-…
10e6615d3c4648b9cc9d0c69e10a5e23
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/postgresql-devel-8.…
42fa8a74543ba2dc5983829e87f9cf03
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/postgresql-docs-8.0…
f39ed20c68895151c7540224bfa733e5
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/postgresql-libs-32b…
694a1886b2d287fe91b7182d5d9a6cd2
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/postgresql-libs-8.0…
07a3202ef0840ebd64c797570ad37959
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/postgresql-pl-8.0.8…
d16750bdb4d6c7c8c9a4d770db05224f
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/postgresql-server-8…
f16b518aa08e10c7afea31b294cfc778
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/postgresql-8.0.8-0.2…
3e1d2b7a5f48312f45629ef1e2aca09e
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/postgresql-contrib-8…
c93b8d25d8c1c8d3ff71330148b0bfe1
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/postgresql-devel-8.0…
7282ec73b022c0a64df4131449ffa03e
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/postgresql-docs-8.0.…
6555bbcb2dece1509ce34689e6866089
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/postgresql-libs-32bi…
b3bb611cbe68ca215f5dddad9c5427a6
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/postgresql-libs-8.0.…
01e3fa4fe1de5c07c923f86b8b6edfe1
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/postgresql-pl-8.0.8-…
b19f8062671374939259f1a283736622
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/postgresql-server-8.…
691e3d79c8fd58acd3e754b3ac3085b1
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/postgresql-7.4.13-0.…
e4b11cc66197cf5f186f07ee9928e66e
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/postgresql-contrib-7…
c6b41d5cbf22749909f787a4618037da
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/postgresql-devel-7.4…
1f0119c73b50f3a5da6d31e2eea35369
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/postgresql-docs-7.4.…
9a8f7959d081395e312ca02a8a7a5fc3
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/postgresql-libs-32bi…
2ddf607af4ce09f4269cbca02ec03a7d
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/postgresql-libs-7.4.…
272ef016cd23ae673b803b5767a1554c
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/postgresql-pl-7.4.13…
51523699fb995488a1dbded7eb5fe2cc
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/postgresql-server-7.…
897a20ab9ea122d43f89567e485ff500
SUSE LINUX 9.1:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/postgresql-7.4.13-…
a38b622178a32cdd06233c842327295d
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/postgresql-contrib…
085aab7d5729e3f27dbab7fb9e420254
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/postgresql-devel-7…
4691be0aa24c42eeaa50c092353bd6f4
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/postgresql-docs-7.…
5bc0a01514247c29c765b3c8938c795d
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/postgresql-libs-7.…
c12dc2877ec65c6a3f988b51157b5ab7
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/postgresql-pl-7.4.…
83fa45b8a322910a38f071e9bd0d9031
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/postgresql-server-…
79ad3926185107da714ab3754aa889e7
Sources:
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/postgresql-8.1.4-1.2.src.rpm
44f36fd35b82cea18e01a4fe667ad40d
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/postgresql-pl-8.1.4-1.2.nos…
f189f8e0fca64e0e3991c7d4f928327f
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/postgresql-8.0.8-0.2.s…
361ca18474faf36146a84236618afaf2
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/postgresql-pl-8.0.8-0.…
5a7a5a8af3c4bc930300c908413d8fe0
SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/postgresql-8.0.8-0.2.sr…
384b25b835cfd3990395967571ae2b05
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/postgresql-pl-8.0.8-0.2…
a1155e3cadf7907178c57fc20a3b2aa1
SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/postgresql-7.4.13-0.2.s…
186111c9f577a1583725aef28da96636
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/postgresql-pl-7.4.13-0.…
fb124cb2d1424d21035040847423e7b6
SUSE LINUX 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/postgresql-7.4.13-0.4.s…
7a76decace79f6dcb7d183f461626b2e
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/postgresql-pl-7.4.13-0.…
4739e9d6fee0bee6934be76870d4ce51
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/postgresql-7.4.13-0.4…
7fadd3d1bed3c30759d94af7cd924800
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/postgresql-pl-7.4.13-…
a357ff94aec54e5ebb08c7fd758fbdeb
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
SUSE SLES 9
http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/da59db7f50aac32…
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum <filename.rpm>
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security(a)suse.de) the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (FAQ),
send mail to <suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iQEVAwUBRIl/Zney5gA9JdPZAQJLuwf/Rn+cDRFVAD23X0K8Ll6zjyU8qQdOytud
sxK+awU9ncb4dVE8iEW6U6Vt8P+/HvQHroQom73StxzSK7oEFCG4Ss6kU+Ov8oCO
wm8hxEEcXf7NE29xDsY0q+pGbrM1tBXzUITaYDEN9OC5G6ltwMj6BTANkooLVl4S
I1vwG58EHDLBf8FGsNuEFOREffjtiS06dpQZX2h1OFWbSmE8QjOsUlPSPX3eaNrH
c7yEOcrp+LUOWHBGhtknCWy/OMuSbvwPGaUqggINg4/+H7SzE7gJ+3Ea4j8U1IbE
VFl6E56qEnHqQbu0uyvSHCCBG/3Glq3LjmpmQBrEOVSednG9e8haKA==
=EBgW
-----END PGP SIGNATURE-----
1
0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID: SUSE-SR:2006:012
Date: Fri, 02 Jun 2006 17:00:00 +0000
Cross-References: CVE-2006-1516, CVE-2006-1517, CVE-2006-1518
CVE-2006-1931, CVE-2006-2426, CVE-2006-2453
CVE-2006-2458, CVE-2006-2480
Content of this advisory:
1) Solved Security Vulnerabilities:
- mysql COM_TABLE_DUMP problems
- Sun Java 1.5 denial of service attack
- dia format string bugs
- ruby XMLRPC denial of service attack
- NetworkManager automatically starts ypbind and autofs
- libextractor heap overflows
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
- cron problems after last update
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums
or download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- mysql COM_TABLE_DUMP problems
In the database server MySQL, attackers could read portions of memory
by using a user name with trailing null byte or via COM_TABLE_DUMP
command (CVE-2006-1516, CVE-2006-1517).
Also, remote attackers could potentially execute arbitrary code
by causing a buffer overflow via specially crafted COM_TABLE_DUMP
packets (CVE-2006-1518).
A full advisory and updated packages will be released with the new
SQL injection vulnerability that become public yesterday.
- Sun Java 1.5 denial of service attack
Sun Java Runtime Environment (JRE) 1.5.0_6 and earlier, JDK 1.5.0_6
and earlier, and SDK 1.5.0_6 and earlier allows remote attackers
to cause a denial of service (disk consumption) by using the
Font.createFont function to create temporary files of arbitrary
size in the %temp% directory.
This problem affects SUSE Linux 9.3 up to 10.1 and is tracked by
the Mitre CVE ID CVE-2006-2426.
- dia format string bugs
Various format string bugs in dia could potentially be exploited
to execute arbitrary code.
These problems affect all SUSE Linux based products containing dia
and are tracked by the Mitre CVE IDs CVE-2006-2453 and CVE-2006-2480.
- ruby XMLRPC denial of service attack
The HTTP/XMLRPC server in Ruby used blocking sockets, which allows
attackers to cause a denial of service (blocked connections) via
a large amount of data.
This issue is tracked by the Mitre CVE ID CVE-2006-1931 and affected
all SUSE Linux products containing ruby.
- NetworkManager automatically starts ypbind and autofs
The NetworkManager automatically starts ypbind and autofs if the
DHCP server provided a NIS server address, even if NIS or autofs
was not configured otherwise.
This has been disabled and can be enabled by environment variables,
please read:
/usr/share/doc/packages/NetworkManager/README.ypbind-autofs
- libextractor heap overflows
Two heap overflows in libextractor have been found and fixed:
- Heap overflow in the asf plugin (CVE-2006-2458) [# 176280].
- Heap overflow in the qt plugin (CVE-2006-2458) [# 176280].
These problems affected SUSE Linux 10.0 and 10.1.
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
- cron problems after last update
We have received reports that an automated online update of CRON
resulted in cron no longer executing jobs.
Please check that your machine is still running cron jobs and if
unsure, execute as root:
/usr/sbin/rccron try-restart
If you rebooted in the meantime, this work-around is not necessary.
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file containing the announcement.
The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and integrity of a
package needs to be verified to ensure that it has not been tampered with.
The internal RPM package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on RPMv4-based
distributions) and the gpg key ring of 'root' during installation. You can
also find it on the first installation CD and included at the end of this
announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (FAQ)
send mail to <suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iQEVAwUBRIBPjney5gA9JdPZAQIHdAf/RWipqwrEmiQFWp+eSt+19MD1Ky2aUIqV
Vf2WK1Ptlhf/ZUPju/5DYtKPbyW7VUKupBsIRnqWeefNPw6RBKNHvWOyiG+38KxH
X+fGm7L77riZLcWtCIrEqvPJFfLUHkEqFJ4o9iOf6HuQpVVedyTnGM14UCOvKb8D
k9s/1I6Dr73S8En439deCgDDeWv+WqugHeCp+xZ+fdLVSNmUb2iKiOHfjr09BLDO
+8VSvbB6OtUU7TKfJyDcdfPDkB9uACz/Ak9kr6p1vHc7PpOZc9m3vJDZHMIk15mR
PiCdT9Mvt0ygh4j78GH5psTxz3GU3pi5/9fTKG7ofAHrU+/uDb2zTQ==
=11NT
-----END PGP SIGNATURE-----
1
0