September 2006 - openSUSE Security Announce

SUSE Security Announcement: openssl security problems (SUSE-SA:2006:058)
by Marcus Meissner 28 Sep '06

28 Sep '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: openssl Announcement ID: SUSE-SA:2006:058 Date: Thu, 28 Sep 2006 18:00:00 +0000 Affected Products: Novell Linux Desktop 9 Novell Linux POS 9 Open Enterprise Server SUSE LINUX 10.1 SUSE LINUX 10.0 SUSE LINUX 9.3 SUSE LINUX 9.2 SuSE Linux Desktop 1.0 SuSE Linux Enterprise Server 8 SuSE Linux Openexchange Server 4 SUSE LINUX Retail Solution 8 SuSE Linux School Server SuSE Linux Standard Server 8 SUSE SLED 10 SUSE SLES 10 SUSE SLES 9 UnitedLinux 1.0 Vulnerability Type: remote denial of service Severity (1-10): 7 SUSE Default Package: yes Cross-References: CVE-2006-2937, CVE-2006-2940, CVE-2006-3738 CVE-2006-4343, VU#547300, VU#386964 Content of This Advisory: 1) Security Vulnerability Resolved: several security problems in openssl Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion Several security problems were found and fixed in the OpenSSL cryptographic library. CVE-2006-3738/VU#547300: A Google security audit found a buffer overflow condition within the SSL_get_shared_ciphers() function which has been fixed. CVE-2006-4343/VU#386964: The above Google security audit also found that the OpenSSL SSLv2 client code fails to properly check for NULL which could lead to a server program using openssl to crash. CVE-2006-2937: Fix mishandling of an error condition in parsing of certain invalid ASN1 structures, which could result in an infinite loop which consumes system memory. CVE-2006-2940: Certain types of public key can take disproportionate amounts of time to process. This could be used by an attacker in a denial of service attack to cause the remote side top spend an excessive amount of time in computation. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes None. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/openssl-0.9.8a-18.10.i586.… f5d7a08e60a52b7816cae88e9def7762 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/openssl-devel-0.9.8a-18.10… a583491fc985dff2f3f405776fa8554a SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/openssl-0.9.7g-2.10.i… 13d07a7a3b81fdef9ba68b0f0670f14c ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/openssl-devel-0.9.7g-… 1198085023a60d99ce90207b5498db45 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/openssl-0.9.7e-3.6.i58… 51606d0da43bc5c61562bb8d4679ca8b ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/openssl-devel-0.9.7e-3… c6a9122fec64b5a82f433c56b602f2b5 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/openssl-0.9.7d-25.6.i5… 96b59a2af5663ae1f780626da0b5756a ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/openssl-devel-0.9.7d-2… e33a86104b85919dda444b4a9901a10b Power PC Platform: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/openssl-0.9.8a-18.10.ppc.rpm 8310266cd6da01baaf964ed8cac841c0 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/openssl-devel-0.9.8a-18.10.… 8ff4b94e685be05d00599ecc6cc939e7 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/openssl-0.9.7g-2.10.pp… 0678839057c3170dc84fab28b3dd202f ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/openssl-devel-0.9.7g-2… e86965c19538073b15c2131a04c20260 x86-64 Platform: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/openssl-0.9.8a-18.10.x86… 28dc138c088450b753fdd419c487023e ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/openssl-32bit-0.9.8a-18.… 651d62cab3c31d0bc3e18b91a4ba9ac3 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/openssl-devel-0.9.8a-18.… 2a3e98aca1aa613a58f09b39f12e84a4 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/openssl-devel-32bit-0.9.… 81bb446763424df4c18eac760e0ed80e SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/openssl-0.9.7g-2.10… 5a612bd7a6756e2926a3ef59a72fd197 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/openssl-32bit-0.9.7… 840e98707317d9cef51837a486541be7 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/openssl-devel-0.9.7… 46b1a289d445c5304001aba4417e73a9 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/openssl-devel-32bit… a4e2a59c151ff22ed683e115da8fce48 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/openssl-0.9.7e-3.6.x… 3bf35d8e03848aa87a662b93a8c14fe1 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/openssl-32bit-9.3-7.… 35ce818f05f655397c4b1b13ba3a93b3 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/openssl-devel-0.9.7e… dcfbcadb626de068028ac546f07ba685 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/openssl-devel-32bit-… da50170edc9a2596954c2453030494d6 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/openssl-0.9.7d-25.6.… 32ec53e71eefb0ebe893034ac2e552ac ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/openssl-32bit-9.2-20… 0b7706ce568832eb1b2e86bdd7cbe51d ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/openssl-devel-0.9.7d… c8671a7a77dcc5a08e2c19f9a6ff056c ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/openssl-devel-32bit-… 2bebb0fea9579ca5e659fca63c7beac0 Sources: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/openssl-0.9.8a-18.10.src.rpm 2613501ca4ea03f1a79548014b13ff67 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/openssl-0.9.7g-2.10.sr… c5b1ff892ff74af82ddbceaf757c6fb3 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/openssl-0.9.7e-3.6.src.… f62e34422fc77343fd15a1790e6ef8d8 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/openssl-0.9.7d-25.6.src… 8c451560ea55a3bec1b01f0b36943048 Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: UnitedLinux 1.0 http://support.novell.com/techcenter/psdb/16e2a93b390a1ceb86b0945a88a4d415.… SuSE Linux Openexchange Server 4 http://support.novell.com/techcenter/psdb/16e2a93b390a1ceb86b0945a88a4d415.… Open Enterprise Server http://support.novell.com/techcenter/psdb/16e2a93b390a1ceb86b0945a88a4d415.… Novell Linux POS 9 http://support.novell.com/techcenter/psdb/16e2a93b390a1ceb86b0945a88a4d415.… Novell Linux Desktop 9 http://support.novell.com/techcenter/psdb/16e2a93b390a1ceb86b0945a88a4d415.… SuSE Linux Enterprise Server 8 http://support.novell.com/techcenter/psdb/16e2a93b390a1ceb86b0945a88a4d415.… SuSE Linux Standard Server 8 http://support.novell.com/techcenter/psdb/16e2a93b390a1ceb86b0945a88a4d415.… SuSE Linux School Server http://support.novell.com/techcenter/psdb/16e2a93b390a1ceb86b0945a88a4d415.… SUSE LINUX Retail Solution 8 http://support.novell.com/techcenter/psdb/16e2a93b390a1ceb86b0945a88a4d415.… SuSE Linux Desktop 1.0 http://support.novell.com/techcenter/psdb/16e2a93b390a1ceb86b0945a88a4d415.… SUSE SLES 10 http://support.novell.com/techcenter/psdb/16e2a93b390a1ceb86b0945a88a4d415.… SUSE SLED 10 http://support.novell.com/techcenter/psdb/16e2a93b390a1ceb86b0945a88a4d415.… SUSE SLES 9 http://support.novell.com/techcenter/psdb/16e2a93b390a1ceb86b0945a88a4d415.… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de), the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iQEVAwUBRRv66Xey5gA9JdPZAQL7fgf/WskObtJd6xDwy4d+F9TjeGy+K3Mi8iNC Meb8Chs08TaVuuuvp6+UwtUpek+zuMTimdUZdedF4Tc3xBjwQL6GmIvdh5Kr5vdA UZRnHUMWdD9ClKyc3KPKVHXrDGOmgytWVtaQdD4pSmrh6k7j5aE9Gsss1MSrI64u BefsTWYnoJ0OJ/iXFVIIh964A/6wBcFV6f0C9YWKMYjfylXPBTWlSBzhY69g722N kmgboFffBkxD37ILQSKygJrJ3N2fn6acN7pRylCEb+n0XWu5nPMf/xTWVVzH4f/I FS5jdzJc7gfb096tWsNoB48ULkLENIaauHZup1p6NCyt5/R3eLmgcQ== =TSxY -----END PGP SIGNATURE-----

1 0

SUSE Security Announcement: kernel security problems (SUSE-SA:2006:057)
by Marcus Meissner 28 Sep '06

28 Sep '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: kernel Announcement ID: SUSE-SA:2006:057 Date: Thu, 28 Sep 2006 17:00:00 +0000 Affected Products: Novell Linux Desktop 9 Novell Linux POS 9 Open Enterprise Server SUSE LINUX 10.1 SUSE LINUX 10.0 SUSE LINUX 9.3 SUSE LINUX 9.2 SUSE SLE 10 DEBUGINFO SUSE SLED 10 SUSE SLES 10 SUSE SLES 9 Vulnerability Type: remote denial of service Severity (1-10): 7 SUSE Default Package: yes Cross-References: CVE-2006-3468, CVE-2006-3745, CVE-2006-4093 Content of This Advisory: 1) Security Vulnerability Resolved: various kernel security problems Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion Various security problems were found and fixed in the Linux kernel. We have released updates for following distributions: - SUSE Linux Enterprise Server 9 (on September 21st) - SUSE Linux Enterprise 10 (on September 26th) - SUSE Linux 9.2 up to 10.1 (on September 14th) The SUSE Linux Enterprise Server 10 kernel for the S/390 platform is still pending due to platform specific issues found in QA and waiting for further analysis. Following security issues have been addressed: - CVE-2006-3745: A double user space copy in a SCTP ioctl allows local attackers to overflow a buffer in the kernel, potentially allowing code execution and privilege escalation. - CVE-2006-4093: Local attackers were able to crash PowerPC systems with PPC970 processor using a not correctly disabled privileged instruction ("attn"). - CVE-2006-3468: Remote attackers able to access an NFS of a ext2 or ext3 filesystem can cause a denial of service (file system panic) via a crafted UDP packet with a V2 look up procedure that specifies a bad file handle (inode number), which triggers an error and causes an exported directory to be remounted read-only. - Matthias Andree reported a deadlock in the NFS lockd to us, where a remote attacker with access to lockd was able to at least crash the lockd kernel process and so render NFS exports from this server unusable. This problem existed only in the SUSE Linux 9.2 up to 10.0 kernels. The SUSE Linux Enterprise kernels also received a number of bugfixes, not listed here (please refer to the Novell TID pages listed below). 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes None. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/kernel-bigsmp-2.6.16.21-0.… 26ee41f91791f2960f43e0d2c34cf111 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/kernel-debug-2.6.16.21-0.2… c647ad25d5138e1d283fa02531b7c612 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/kernel-default-2.6.16.21-0… 0655ceb69b59943d93d63e07f803af34 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/kernel-kdump-2.6.16.21-0.2… 9f274f216d6d980d71925298198f89ff ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/kernel-smp-2.6.16.21-0.25.… 3bbed65fe2d793be471ec0ebca9489bf ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/kernel-source-2.6.16.21-0.… ea0ca06ddd13803a4854bb953127b4e7 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/kernel-syms-2.6.16.21-0.25… e719ca56ca6b03db836251aa2f42c193 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/kernel-um-2.6.16.21-0.25.i… d64bdf65439078f98c8167ebc8d40eff ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/kernel-xen-2.6.16.21-0.25.… 73ef09479e7dd484e039c99090ce532f ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/kernel-xenpae-2.6.16.21-0.… a2127a9be7804e4c6ff781fa25a0f669 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/kexec-tools-1.101-32.18.i5… 8ab73349be3faecc0b5ead1f1d43a8ce ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/kexec-tools-1.101-32.19.i5… 9f749594cb21038f6d1ede1122471521 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/mkinitrd-1.2-106.18.i586.r… 8cac732b2aa56ee7ca4e2a805d9e1ba0 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/mkinitrd-1.2-106.19.i586.r… 2fe40e6a58b5efb8c40343bb2c869d83 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/multipath-tools-0.4.6-25.1… 5f560930255f944ec2f977884952571a ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/multipath-tools-0.4.6-25.1… ddf0978610451b0a053069fdf4bc6e73 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/open-iscsi-0.5.545-9.14.i5… 7e1a2256a99b7bdc25519855a5e28234 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/open-iscsi-0.5.545-9.15.i5… 6c7b0c7a2da71842535c8ec370552e27 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/udev-085-30.13.i586.rpm 2131ff74613d4b96f3f4c3c9549bdc91 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/udev-085-30.15.i586.rpm 2f1789a0213dcc06d7cacc5413fbf6af SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/Intel-536ep-4.69-14.7… 2af14df978db016abff71394be91f3d8 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-bigsmp-2.6.13-… 4ec46129e95f86d1923b7ca09fb1de7e ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-bigsmp-nongpl-… a85f38ca6fd0249e04d218ebe3c04b4f ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-default-2.6.13… 95fb71b8087ed73337b2a3a30ff5b7fc ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-default-nongpl… ff0e216a784386933362bf7db380b819 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-smp-2.6.13-15.… 4b545ecf3e2ef7b3d02bdc130afe61a7 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-smp-nongpl-2.6… 040a65937bea52ee354a44c6e8ea0dd5 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-source-2.6.13-… b99214d91edb56eefac0fd7502485e6e ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-syms-2.6.13-15… 850a089ddb0a6c97ad78a88a04e45820 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-um-2.6.13-15.1… ba0afa63f5cccc66c6a6270264b04894 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-um-nongpl-2.6.… fc0157febbcff6f2fb3b8e596ec22bdf ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-xen-2.6.13-15.… b50f100866a55617e3b6724740c0dd41 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-xen-nongpl-2.6… ccd26549d72a980c616583c4c552dc9b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/um-host-kernel-2.6.13… 3b63fca8d78139ecedc8627707b1588d SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/Intel-536ep-4.69-10.8.… 2b8178c9b01b851ba8f5a9ecdcc6f6a4 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-bigsmp-2.6.11.4… 152d28fee5c9cd4fb778a8a4c3660226 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-bigsmp-nongpl-2… 2d60e8b3eb5668cecb80299d0d88aa33 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-default-2.6.11.… 416ff9c4f2fc7dea1cbdc03c6e862351 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-default-nongpl-… 25faa5a8ec4792f9fe81730be064542b ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-smp-2.6.11.4-21… 318179da1b704cb58d56c2b788918406 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-smp-nongpl-2.6.… 3431140892a4af27a15bba7cf3941342 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-source-2.6.11.4… 3d4450f5875e2b373a041dd012d4e597 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-syms-2.6.11.4-2… 1db4ce873dd95631365d2d15b0cfe202 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-um-2.6.11.4-21.… 8dd722f05ef44b48f11980dcbf7b6739 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-um-nongpl-2.6.1… 7ead5d3f4e87183b5a746e63bb3af48c ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-xen-2.6.11.4-21… ce09371496e027006e0a693a56bbdbbb ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-xen-nongpl-2.6.… f391d767e4cb4ada285618d95be3e23c ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/ltmodem-8.31a10-7.8.i5… 4cdc5561fd4f17991f710e179ba76cac ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/um-host-install-initrd… 9fcc211d480cb3cbdb1555d70b0f7bb9 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/um-host-kernel-2.6.11.… ec605260f319746da30a892839b7c1c1 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/Intel-536ep-4.69-5.17.… 038656a7cce85c5c86985d15ba0e556d ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-bigsmp-2.6.8-24… 7894bdea230a27609e922430f61ef8c1 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-bigsmp-nongpl-2… a245181f7371eb502c34365d42dc8b3a ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-default-2.6.8-2… 46bb52ad6dd33ba0c54d00f132b8657d ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-default-nongpl-… e6f18530619112a4a870f8fb2fe4dc44 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-smp-2.6.8-24.25… 7f9e8b77ee9aef4f7076ad578d623cb0 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-smp-nongpl-2.6.… cf7d45606257c1a28f19e77d9f27d0d4 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-source-2.6.8-24… f0f1443dd8e7642f2d215cb0fef4a74c ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-syms-2.6.8-24.2… 52a6cd1a67bfd3b3523f71ff5593fddb ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-um-2.6.8-24.25.… f8ddfaedc0c27a7f7f2635992908e11b ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-um-nongpl-2.6.8… 655a456ed974b72b307194fd21e730ee ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/ltmodem-8.31a8-6.17.i5… 185b53741ed424c4763bddf5015e0535 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/um-host-install-initrd… 8ae192eefa7d9760045f6d57ea3d3c02 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/um-host-kernel-2.6.8-2… 6e9c55225262d3b3a03f79dff3644241 Platform Independent: SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/noarch/kernel-docs-2.6.11.4… 0fad36276d5bae4fc03610c0719a077d SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/noarch/kernel-docs-2.6.8-24… 123eadba5982d48938ff49b75d8bfd93 Power PC Platform: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/kernel-default-2.6.16.21-0.… 20b5b086a22f22fae0b91d12798b39df ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/kernel-iseries64-2.6.16.21-… 64d801cdcd4bfdde674ec72c398e7420 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/kernel-kdump-2.6.16.21-0.25… 237576cf62c8d529d42cc6d5c687f703 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/kernel-ppc64-2.6.16.21-0.25… 417368a7cfaba1f67122974224f4cd71 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/kernel-source-2.6.16.21-0.2… 2c14c599f55356d0bd8241c0043fe560 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/kernel-syms-2.6.16.21-0.25.… d52c2745e3a20d985cf2a3bb6ac65fde ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/mkinitrd-1.2-106.18.ppc.rpm a7beef801eeb05247bccf4dddea5f48d ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/mkinitrd-1.2-106.19.ppc.rpm 3cb51185fccc353b29c746fb90959cd0 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/multipath-tools-0.4.6-25.10… 83a1fc32e74747fd612af24cd46ac943 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/multipath-tools-0.4.6-25.11… 6d9721cccbd73f0949c488de60d2723f ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/open-iscsi-0.5.545-9.14.ppc… 0bbcac956f8ac2a799b9b3d1a39cc84b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/open-iscsi-0.5.545-9.15.ppc… 75c1c4739d87ea4b7dc9b7dad427c0d0 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/udev-085-30.13.ppc.rpm 781bc7be83179f251ba5514793425c4c ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/udev-085-30.15.ppc.rpm 86dc31bcd413ef0ccc98966a41fd6c07 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kernel-default-2.6.13-… 6fdc8658c4605aa4800a3a50f57460fd ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kernel-iseries64-2.6.1… c90240b82bfa0bd20e20a1000fca9207 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kernel-ppc64-2.6.13-15… 21d8fffc3d831ac395d293ce434a3101 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kernel-source-2.6.13-1… 96d98884803aad3c0d6886a208a5d16d ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kernel-syms-2.6.13-15.… 188959ddae5c169c6c745ed0619f4c1b x86-64 Platform: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/kernel-debug-2.6.16.21-0… 407fa7974e9042fa81f3a1ece4b64894 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/kernel-default-2.6.16.21… e38811a6f40c5bb0b5e38bafaeb2a30e ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/kernel-kdump-2.6.16.21-0… a4954cd4dbc27ed99453119749075228 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/kernel-smp-2.6.16.21-0.2… 86ea460aeb5f7749bc0ea8e2f5d7f986 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/kernel-source-2.6.16.21-… 8e3f29905322d570b0f22dd440f15d5a ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/kernel-syms-2.6.16.21-0.… b5fb7d58c39ed10cf9a78edf6c6b0e57 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/kernel-xen-2.6.16.21-0.2… e61f4590776bf88a83480f22396e2353 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/kexec-tools-1.101-32.18.… a0097406eb277a8a126f182e83acad9f ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/kexec-tools-1.101-32.19.… 64b12b3c69f02f981484941e09dd1305 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/mkinitrd-1.2-106.18.x86_… c3d37645b7b2be4906d5183e69407196 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/mkinitrd-1.2-106.19.x86_… 12837d37eaa3234edeaba256472943ea ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/multipath-tools-0.4.6-25… 11b9458db5cd66552811d0da052e47a9 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/multipath-tools-0.4.6-25… 8f3f08bdc5896c3f0fc8ab629b8845d0 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/open-iscsi-0.5.545-9.14.… 1523eed567a3e8413ea01253c750e1f3 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/open-iscsi-0.5.545-9.15.… 1e882a55477b9ad85ee43e0d7185571d ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/udev-085-30.13.x86_64.rpm 18bd9ae1d14e1f7cde21ef302c007f2f ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/udev-085-30.15.x86_64.rpm d2573b55f593de8d1695d3a41182ac5c SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-default-2.6.… 07e8e89fc66fe07f36e4d4e09f70a7cb ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-default-nong… 30b8b37d91e9c90e88a7d98d597e418c ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-smp-2.6.13-1… 3cd105d707c55c893cf8f20d9e57bfe1 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-smp-nongpl-2… 2affd3ce1908e4f20260f70a7b65f540 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-source-2.6.1… ba3484999dc5acdd02d61ce251031f02 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-syms-2.6.13-… 8a84195236b9daf739776049eb163454 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-xen-2.6.13-1… 9c84162cb6a4648206eb17d59dd193bc ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-xen-nongpl-2… eca45a94e1400b2ed794f45c963a02e3 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-default-2.6.1… 7516001db6c4da22c1311a4c6fbb81d5 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-default-nongp… b5be7f122d6b333e730eaf33dfc2ec32 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-smp-2.6.11.4-… cb5ad4009bb96c8e60733f7732626d7c ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-smp-nongpl-2.… e2656b47c8745963677435f4e379092c ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-source-2.6.11… 2329c9588f91a765e671b9db01cddcf8 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-syms-2.6.11.4… 7a393b3bdf27d0c1f7bd236ed0dd6805 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-default-2.6.8… 746c1b1f8080aadb9c6224ed3e2cdbb5 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-default-nongp… 2e022be7d2f48f73ca28e8ed0e53f6ff ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-smp-2.6.8-24.… c9ba42011cf7fe08bf4528cd20cc13c3 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-smp-nongpl-2.… 37dba688d48ac29f86889b82af1fc803 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-source-2.6.8-… b9ab803971d96f20c0cfdc5970a59912 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-syms-2.6.8-24… 0edad8e927be3183d3c32c5530202693 Sources: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/kernel-bigsmp-2.6.16.21-0.2… 02047b35925ab3e1ad77152469b5fcfe ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/kernel-debug-2.6.16.21-0.25… db7a4a3de5958502cb1a0271c218d972 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/kernel-default-2.6.16.21-0.… e0a654f9bf9c0c632a52c77aa7352d08 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/kernel-iseries64-2.6.16.21-… 7908e6d951e39975d3eb6c92c1bc37e9 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/kernel-kdump-2.6.16.21-0.25… 8be0d70f4f6a1965ad9c3bd6550c800a ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/kernel-ppc64-2.6.16.21-0.25… 167c55c6967fa50bdd93f78883832d03 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/kernel-smp-2.6.16.21-0.25.n… 007dcc251e8d77fde2fb2d16b54e0c09 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/kernel-source-2.6.16.21-0.2… 75d155d775f982603a03d7fc81540865 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/kernel-syms-2.6.16.21-0.25.… 570ad5f425bd98d328930c073a5592c1 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/kernel-um-2.6.16.21-0.25.no… ee91eb16467c7080a153550f6731665b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/kernel-xen-2.6.16.21-0.25.n… 2de232b8508674051fe96476aad1d122 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/kernel-xenpae-2.6.16.21-0.2… 4cb0833d3f1f60544858a129240adda6 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/kexec-tools-1.101-32.18.src… 0f29b25c5c5a6c2cc9fcbc23c53f3479 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/kexec-tools-1.101-32.19.src… 45e46db0edafd400bfdab8b58fd206ec ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/mkinitrd-1.2-106.18.src.rpm b28e2812bcbb47e8d3666838513675a6 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/mkinitrd-1.2-106.19.src.rpm aa1e25d84eca64c10f825dde7fb2208a ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/multipath-tools-0.4.6-25.10… 85607a495f3a69e8335a5c0e69c421d3 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/multipath-tools-0.4.6-25.11… e7a66c40e16808d5cc72c7637e378637 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/open-iscsi-0.5.545-9.14.src… 3394b2319cd4cda72161db7977ed2359 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/open-iscsi-0.5.545-9.15.src… 10646530f2302ece6e597129dd24113f ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/udev-085-30.13.src.rpm 24b94ef552acc2d43f0588c630a1e9b0 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/udev-085-30.15.src.rpm ad593e66581e0b905050a15cc7a65fb8 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/Intel-536ep-4.69-14.7.… 5ae584684e85f709d4a871f4de6c4df4 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-bigsmp-2.6.13-1… a3f82ff354aa48d0721f26b14859f27b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-default-2.6.13-… e9b63dc3399d8ddfb649e0aeec323372 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-iseries64-2.6.1… 13248d29e9cdbed7d90bbc8d6cbc08d6 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-ppc64-2.6.13-15… 8011760bc1e22c87fd2f3f3fad2d4d45 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-smp-2.6.13-15.1… 3e9c1ff772c853e74b3311ffff6a60d2 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-source-2.6.13-1… 151894265d76bef5b295f16d99e0ef16 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-source-2.6.13-1… b20b08230e3f7f9f4e685d567f023919 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-syms-2.6.13-15.… 3b2d4f9d0a5e3131fc355ed38942a65d ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-um-2.6.13-15.12… 84cc165050a33e8ebe7bb8adaa0dd9c3 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-xen-2.6.13-15.1… ee4e5fc534f0f34d925b309945721342 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/Intel-536ep-4.69-10.8.s… a8cafba62a93b64bc38fc79615b6d590 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-bigsmp-2.6.11.4-… 44d3eea6d288f9edc59fcc5f6dea4178 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-default-2.6.11.4… 62748061a37469af50b7b9e2fc5fe795 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-docs-2.6.11.4-21… ecc6e515a2604d9099abf33c94432d65 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-smp-2.6.11.4-21.… fad50e98426d6abbb246017a1627a692 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-source-2.6.11.4-… 8c6e300fafb0e1387a0f00c817190da2 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-syms-2.6.11.4-21… 00b0d5d6ec6dbd3cd7eca40f27bdb57f ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-um-2.6.11.4-21.1… 9877dbacf6298140c1489bb9bdfd11c6 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-xen-2.6.11.4-21.… a45d90badc71f999edf2faf759890895 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/ltmodem-8.31a10-7.8.src… 722f60ef83aeba40e56a2f1d89fc3d37 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/um-host-install-initrd-… 762d225dd1465436e7b854a35ea1a93e SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/Intel-536ep-4.69-5.17.s… 35a62f1a4ffb10b4cada1980d82cf45f ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kernel-bigsmp-2.6.8-24.… d26b9bc28d4a47189422952f63c27113 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kernel-default-2.6.8-24… f2d21ad973085053bd882a0f53733678 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kernel-docs-2.6.8-24.25… 8a13bf708aa71befa8ffc7e8ffcf722d ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kernel-smp-2.6.8-24.25.… 27651472ede629d5276e818e7189de51 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kernel-source-2.6.8-24.… 74181284da47a0164a5314a22c6922c0 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kernel-syms-2.6.8-24.25… 16d3393e60b6f5c9dcb5dd836a9f332b ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kernel-um-2.6.8-24.25.n… cc2ae39d0bf5dd0d00100e66a6867edc ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/ltmodem-8.31a8-6.17.src… b0b40a64fb09d2969564b281f1a168d9 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/um-host-install-initrd-… fb30549494b3c02fd9e7bcb0d31487af Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: SUSE SLED 10 for AMD64 and Intel EM64T http://support.novell.com/techcenter/psdb/c36e25c3bc040fa8da0dac65d0a11e20.… SUSE SLES 10 http://support.novell.com/techcenter/psdb/c36e25c3bc040fa8da0dac65d0a11e20.… http://support.novell.com/techcenter/psdb/7d34da4852342609ccc4eae93e12e994.… http://support.novell.com/techcenter/psdb/5f920b87f4abe21a324ff6def42a562f.… http://support.novell.com/techcenter/psdb/897ffd66535d805196af98da15b00f72.… SUSE SLED 10 http://support.novell.com/techcenter/psdb/c36e25c3bc040fa8da0dac65d0a11e20.… http://support.novell.com/techcenter/psdb/897ffd66535d805196af98da15b00f72.… SUSE SLED 10 for x86 http://support.novell.com/techcenter/psdb/897ffd66535d805196af98da15b00f72.… SUSE CORE 9 for IBM zSeries 64bit http://support.novell.com/techcenter/psdb/14f276ed108cb62104b1743ee48bd92b.… SUSE CORE 9 for IBM S/390 31bit http://support.novell.com/techcenter/psdb/d501672f20f1f468d24344550dbc92e0.… SUSE CORE 9 for IBM POWER http://support.novell.com/techcenter/psdb/5ba747ab54f313a5bd8726ca99439c15.… SUSE CORE 9 for AMD64 and Intel EM64T http://support.novell.com/techcenter/psdb/261185f7ea10c374f4fc53453e6ef3d7.… SUSE CORE 9 for Itanium Processor Family http://support.novell.com/techcenter/psdb/b8565f7473b0f60258a2da4e825025da.… Novell Linux Desktop 9 http://support.novell.com/techcenter/psdb/261185f7ea10c374f4fc53453e6ef3d7.… http://support.novell.com/techcenter/psdb/e2ef926c5f7d109a84807c89d6446736.… SUSE SLES 9 http://support.novell.com/techcenter/psdb/14f276ed108cb62104b1743ee48bd92b.… http://support.novell.com/techcenter/psdb/d501672f20f1f468d24344550dbc92e0.… http://support.novell.com/techcenter/psdb/5ba747ab54f313a5bd8726ca99439c15.… http://support.novell.com/techcenter/psdb/261185f7ea10c374f4fc53453e6ef3d7.… http://support.novell.com/techcenter/psdb/b8565f7473b0f60258a2da4e825025da.… http://support.novell.com/techcenter/psdb/e2ef926c5f7d109a84807c89d6446736.… Open Enterprise Server http://support.novell.com/techcenter/psdb/e2ef926c5f7d109a84807c89d6446736.… http://support.novell.com/techcenter/psdb/25b56bb7bbe0db4e56b56f5edd414e9b.… Novell Linux POS 9 http://support.novell.com/techcenter/psdb/e2ef926c5f7d109a84807c89d6446736.… http://support.novell.com/techcenter/psdb/25b56bb7bbe0db4e56b56f5edd414e9b.… SUSE CORE 9 for x86 http://support.novell.com/techcenter/psdb/e2ef926c5f7d109a84807c89d6446736.… http://support.novell.com/techcenter/psdb/25b56bb7bbe0db4e56b56f5edd414e9b.… SUSE SLE 10 DEBUGINFO for IBM POWER http://support.novell.com/techcenter/psdb/7d34da4852342609ccc4eae93e12e994.… SUSE SLE 10 DEBUGINFO for IPF http://support.novell.com/techcenter/psdb/5f920b87f4abe21a324ff6def42a562f.… SUSE SLE 10 DEBUGINFO http://support.novell.com/techcenter/psdb/c36e25c3bc040fa8da0dac65d0a11e20.… http://support.novell.com/techcenter/psdb/7d34da4852342609ccc4eae93e12e994.… http://support.novell.com/techcenter/psdb/5f920b87f4abe21a324ff6def42a562f.… http://support.novell.com/techcenter/psdb/897ffd66535d805196af98da15b00f72.… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de), the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iQEVAwUBRRvl53ey5gA9JdPZAQKJ+Af+Id2deeCw1I90lrdX9kZqCUuQjvF54kF0 5QvfrhMA+sYmaCeopHj69B0U/y1cJWRLUuv0gTEna0Y2mdUsI43BRc46k/COgS9y J7vciNKFBtvSi+9dmhSm/5Z0mX3n5ZGjy2cP/o7Q9ryBu7W56DMcjr/cJIFxINUj fPylPfmw6tWzNDQBOXKx0kvC8v8sdUTXRI8oCeS5ABykE/wlfYA3DluT7t/RwQxg k0//O/cUbFHJl0vcalc9496cLAwVHhiMpzvTrkscB+yWIpz9ktlwoWuh+4QupK89 J1mVzOkRb3NkxLfu9mJi3ec0tvt4wCa5ufZnu++qVNkOC1BtiGpF4Q== =uYoE -----END PGP SIGNATURE-----

1 0

SUSE Security Summary Report SUSE-SR:2006:023
by Marcus Meissner 27 Sep '06

27 Sep '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Summary Report Announcement ID: SUSE-SR:2006:023 Date: Wed, 27 Sep 2006 14:00:00 +0000 Cross-References: CVE-2004-2655, CVE-2006-3739, CVE-2006-3740 CVE-2006-4019, CVE-2006-4031, CVE-2006-4192 CVE-2006-4226, CVE-2006-4227, CVE-2006-4790 Content of this advisory: 1) Solved Security Vulnerabilities: - X11 error handling in CID fonts - mysql authorization problem - xmms-plugins buffer overflow - gnutls RSA signature forgery - squirrelmail security problem - xscreensaver locking without keyboard grab - newpg,libksba crashes on signature verify - bind remote denial of service problems 2) Pending Vulnerabilities, Solutions, and Work-Arounds: - kernel update 3) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Solved Security Vulnerabilities To avoid flooding mailing lists with SUSE Security Announcements for minor issues, SUSE Security releases weekly summary reports for the low profile vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums or download URLs like the SUSE Security Announcements that are released for more severe vulnerabilities. Fixed packages for the following incidents are already available on our FTP server and via the YaST Online Update. - X11 security problem in handling of CID fonts An integer overflow vulnerability when rendering CID-keyed fonts in the X Server was fixed. This problem is tracked by the Mitre CVE IDs CVE-2006-3739/CVE-2006-3740. The update was released on 19th September for all SUSE Linux based distributions. - mysql authorization problem The database server mysql was updated to fix several security vulnerabilities. CVE-2006-4031: authorization bypass through a previously created MERGE table CVE-2006-4226: authorization bypass on case sensitive file systems to databases differing only in capitalization (getting access to 'Foo' even if you only have access to 'foo'). CVE-2006-4227: argument evaluation in suid routines was done in the privilege context of the routine definer instead of the caller. Updates for this problem have been released for all SUSE Linux based distributions on September 22th. - xmms-plugins buffer overflow When using the XMMS plugin bundle package (xmms-plugins) specially crafted AMF files could potentially be used to exploit a heap based buffer overflow in libmodplug (CVE-2006-4192). Updates for all SUSE Linux versions were released on September 21st. - gnutls RSA signature forgery The GNU TLS library was also affected by the RSA signature forgery problem, where excess data was not checked during signature checking with RSA keys with exponent 3. This problem could be used to fake those RSA signatures. (CVE-2006-4790). Updates for all SUSE Linux based distributions were released on September 27th. - squirrelmail security problem A minor bug was fixed in the squirrelmail webmail front end were authenticated users can modify the preferences of other users. This problem is tracked by the Mitre CVE ID CVE-2006-4019 and was released on September 15th for SUSE Linux 9.2 up to 10.0. - xscreensaver locking without keyboard grab xscreensaver locked the screen even if it failed to grab the keyboard. Therefore it was possible to accidentally type the password into a different program than the screen saver. rdesktop is known to expose this problem. The Mitre CVE ID CVE-2004-2655 was assigned to this problem and it was fixed for SUSE Linux Enterprise Server 8 and 9, and Novell Linux Desktop 9. - newpg,libksba crashes on signature verify The gpgsm program crashed when verifying a signature with certain malformed x.509 certificates. This update was released for all affected SUSE Linux Distributions. - bind remote denial of service problems This update fixes two vulnerabilities in bind that allow a remote attacker to trigger a denial-of-service attack. (VU#697164 - BIND INSIST failure due to excessive recursive queries, VU#915404 - BIND assertion failure during SIG query processing) Up to now only SUSE Linux Enterprise 10 fixed packages were released, others are currently QA tested. ______________________________________________________________________________ 2) Pending Vulnerabilities, Solutions, and Work-Arounds - current kernel update The packages of the last kernel update have almost all been released for our customers, except SLES 10 for S/390. Once this last kernel has been released, a separate security advisory will be published. ______________________________________________________________________________ 3) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file containing the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and integrity of a package needs to be verified to ensure that it has not been tampered with. The internal RPM package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and included at the end of this announcement. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ) send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iQEVAwUBRRpptHey5gA9JdPZAQJllAf9FUnIs8Rn1asULz7NQhawi0OUWVKRhPZu 6Ia9EsW5Xi5gtDmG29qpS6AX/5Er9Wj2xKpCQOlH8BRdE8n59IOC3aXdzvvDpkft 5Wohk9niEl+uHzdHrYebkCtaOQWBswkKPe9B0nBJZ6QbMIJ5DnAtCSV802Is4ndy iuJpKAIGGCpd5TFLXaSBUvXke6gMOxqmMm5zHkwyKPKF495dya0WuIQGgPZKKRHo t4ftuURfAA0AXWO5Y12+PBgGLB0W8NWkgmDGk0ZK+0B+SiURUkqONhy6em6dujzP d6oFZQtafutr1BJPefAMhesE+DDnroUm7sJKhBNWyY5GFiRRP0cH/g== =OmFV -----END PGP SIGNATURE-----

1 0

SUSE Security Announcement: gzip (SUSE-SA:2006:056)
by Thomas Biege 26 Sep '06

26 Sep '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: gzip Announcement ID: SUSE-SA:2006:056 Date: Tue, 26 Sep 2006 15:32:33 +0000 Affected Products: SLE SDK 10 SUSE LINUX 10.1 SUSE LINUX 10.0 SUSE LINUX 9.3 SUSE LINUX 9.2 SuSE Linux Desktop 1.0 SuSE Linux Enterprise Server 8 SUSE SLES 10 SUSE SLES 9 UnitedLinux 1.0 Vulnerability Type: remote system compromise Severity (1-10): 6 SUSE Default Package: yes Cross-References: CVE-2006-4334,CVE-2006-4335,CVE-2006-4336, CVE-2006-4337,CVE-2006-4338 Content of This Advisory: 1) Security Vulnerability Resolved: buffer overflows, infinite loops Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: none 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion The gzip tool does not handle some specific values correctly when unpacking archives. This leads to vulnerabilities like buffer overflows or infinite loops. Various different programs like mail clients, file explorer, etc. use gzip and if a user can be deveived to unpack the archive of an attacker these bugs can lead to remote system compromise. Thanks to Tavis Ormandy, Google Security Team for informing us about this issue. 2) Solution or Work-Around The is no work-around known. 3) Special Instructions and Notes none 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/gzip-1.3.5-159.5.i586.rpm dc3d0d1fa04f309155188d456339e320 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/gzip-1.3.5-144.2.i586… fa214e77cac58482b03a39aa3637402f SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/gzip-1.3.5-140.2.i586.… 93c268c56d6f2bfb97fb1362440619ff SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/gzip-1.3.5-139.2.i586.… 9ce8e3d5dda60f5c0226e1003555e7e3 Power PC Platform: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/gzip-1.3.5-159.5.ppc.rpm e5216ebf301cc076117d24b1d641d666 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/gzip-1.3.5-144.2.ppc.r… 70fad9dec1124d6e2a18cddb56542e21 x86-64 Platform: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/gzip-1.3.5-159.5.x86_64.… bc88120404ee14a4f85869bf7b664c23 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/gzip-1.3.5-144.2.x8… 9bac8a94f263b70fcb0188b8fe61b51a SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/gzip-1.3.5-140.2.x86… e99894cc66b479b026a8d6ab8f3d4bee SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/gzip-1.3.5-139.2.x86… 7f58b2c8124e895b5bbbf24e92f5701a Sources: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/gzip-1.3.5-159.5.src.rpm ccc806bead84a51395e24d03e1b08132 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/gzip-1.3.5-144.2.src.r… 8d38b0719a591ac7c41aa35062ca8f2e SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/gzip-1.3.5-140.2.src.rpm 1c7511c702371171e4a940e6c6740c35 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/gzip-1.3.5-139.2.src.rpm 81243003d7d3b397d7043a74059c5d7f Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/c9a04465aadc28a… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: none ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de), the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iQEVAwUBRRksDXey5gA9JdPZAQIw+Qf+JkoRQdnYv990ygFvIERPpxOb8Yvdbwu9 51W+6i0CExg2h3t2yv7KDID55W4AyXY4uXpyMUaBUF3kZ8BbsqJe1d8AqWoBL0m8 tWuyx8HGDlcm1voCglGZbIZH0J3TpYg86e/m6ksWK+IpLJ2sBhBtdDi4ajT1nRCL kHG/jloB7P4LLWBFoeoxexr+8+vlqr/srjpBNRP6VDNXMAshmY9gHaRHT199DGlr VvPDrX3oublT3e8tIT8Y3AFyGSH2pWrD7xdqcOPZNH80l/RihpmmUmN0khcKu75v AsWGza6udv25DaqyyXQhBX+Q0/oJV5+Q3qjVnEPJMuDclNZSS4t4wg== =/oM5 -----END PGP SIGNATURE-----

1 0

SUSE Security Announcement: openssl,mozilla-nss RSA signature evasion (SUSE-SA:2006:055)
by Marcus Meissner 22 Sep '06

22 Sep '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: openssl,mozilla-nss Announcement ID: SUSE-SA:2006:055 Date: Fri, 22 Sep 2006 18:00:00 +0000 Affected Products: Novell Linux Desktop 9 Novell Linux POS 9 Open Enterprise Server SUSE LINUX 10.1 SUSE LINUX 10.0 SUSE LINUX 9.3 SUSE LINUX 9.2 SuSE Linux Desktop 1.0 SuSE Linux Enterprise Server 8 SuSE Linux Openexchange Server 4 SUSE LINUX Retail Solution 8 SuSE Linux School Server SuSE Linux Standard Server 8 SUSE SLED 10 SUSE SLES 10 SUSE SLES 9 UnitedLinux 1.0 Vulnerability Type: RSA signature evasion Severity (1-10): 7 SUSE Default Package: yes Cross-References: CVE-2006-4339, CVE-2006-4340, CVE-2006-4341 Content of This Advisory: 1) Security Vulnerability Resolved: RSA signature evasion Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion If an RSA key with exponent 3 is used it may be possible to forge a PKCS verify the certificate if they are not checking for excess data in the RSA exponentiation result of the signature. This problems affects various SSL implementations. This advisory covers the following implementations: - OpenSSL (CVE-2006-4339) - Mozilla NSS (CVE-2006-4340 and CVE-2006-4341) for SUSE Linux 10.0, 10.1 and SUSE Linux Enterprise 10. Implementations that are affected and still need to be updated: - gnutls in all distributions. - Mozilla NSS before SUSE Linux 10.0 and SUSE Linux Enterprise 10. The official openssl advisory is here: http://www.openssl.org/news/secadv_20060905.txt Some details of the actual technical problem can be found here: http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes Please close and restart running programs using SSL to verify PKCS signatures (web browsers, E-Mail clients, etc.) 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/mozilla-nss-3.11-21.7.i586… 2ca59cfa949741f970019250db6e7890 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/mozilla-nss-devel-3.11-21.… 5176d16fddcc9085c9c62633df1c1e7a ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/openssl-0.9.8a-18.7.i586.r… f3c5cb97da8acb6a4c4ef9434cb89e1a ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/openssl-devel-0.9.8a-18.7.… 20c03b69fb682e341fbcbd6e0b7fa08d SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mozilla-nss-3.10-12.3… f1040a75792a24085ffeacaf4fdbbadb ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mozilla-nss-devel-3.1… f666ce57dcedd14078d2289831658ec2 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/openssl-0.9.7g-2.8.i5… 2a2ec627749b0ebef913522777d6d10a ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/openssl-devel-0.9.7g-… 0889bf02be6b048e62109510b711debf SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/openssl-0.9.7e-3.4.i58… ef34f676b7c3279c368d044a35761e23 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/openssl-devel-0.9.7e-3… 2c0333c5ec9ba7b73c23c35bd8478668 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/openssl-0.9.7d-25.4.i5… e059156ac8c786f92915c66101c22cca ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/openssl-devel-0.9.7d-2… 163ce037ad79bbf3c53e4182a37c8b1a Power PC Platform: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/mozilla-nss-3.11-21.7.ppc.r… 6b8a99c4f638adda50eda09925c11983 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/mozilla-nss-devel-3.11-21.7… 1e78438027cc3e92e7a65af293142280 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/openssl-0.9.8a-18.7.ppc.rpm a324d27cf6dfa4ceedcf83c1dcffb534 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/openssl-devel-0.9.8a-18.7.p… ab05376b3874aa893546a31630b503e8 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mozilla-nss-3.10-12.3.… 420734304297e8e4f708d83843790ee4 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mozilla-nss-devel-3.10… 530a0571a379a3b5965c7a16aac74c09 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/openssl-0.9.7g-2.8.ppc… 53a2702d6c99c2976730c4eca4f81fa2 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/openssl-devel-0.9.7g-2… ec29d438d00028c4c4937174fd378a49 x86-64 Platform: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/mozilla-nss-3.11-21.7.x8… 6fa083972df9ae919858f621b1aec930 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/mozilla-nss-32bit-3.11-2… 5ce7f14b2fd30384aa123dd6185f074e ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/mozilla-nss-devel-3.11-2… 2a4c684d4f59f64d4e25e18ea53f49c5 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/openssl-0.9.8a-18.7.x86_… 724ffd5c1123d162f19e3f9a929f2bc7 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/openssl-32bit-0.9.8a-18.… 7016abba594501c51de8f32e4051acec ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/openssl-devel-0.9.8a-18.… 96413d2dd6658ce9a08d777627e78b0a ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/openssl-devel-32bit-0.9.… d2af23fa3cabfb7a4458affcd4f24f89 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mozilla-nss-3.10-12… f0e48cc8482ffa3d9f557caa8c495189 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mozilla-nss-32bit-3… c5185e5f3ec998948e714231da384fae ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mozilla-nss-devel-3… b872a76bded9ca5fea3a92ea6311a820 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/openssl-0.9.7g-2.8.… 4780f468291c749b082c18143319f7e0 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/openssl-32bit-0.9.7… a3203768a3736019ef975cfed314ddd3 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/openssl-devel-0.9.7… bc1f3b4a20b4d4a26e22c41700fa7c57 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/openssl-devel-32bit… 305646efe9293dc744744a9198c9d61b SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/openssl-0.9.7e-3.4.x… 0ee8251cc8d18e34683cffb9b836f6d2 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/openssl-32bit-9.3-7.… 01d8ecb0b20265fd547f2f6ce550ef30 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/openssl-devel-0.9.7e… e3e7086a44dfd719005b335c90b93dd0 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/openssl-devel-32bit-… 78b2ee77d6a84f3afded42aa048f77b1 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/openssl-0.9.7d-25.4.… 82bbf9b57187eae584eee9c748471266 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/openssl-32bit-9.2-20… 8a8ac0b203100e5ac137064760c5e285 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/openssl-devel-0.9.7d… 153d3ba8a9e7f1179d7495c643a46432 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/openssl-devel-32bit-… e0e8c2345d6a176e0b79fe1f5ec0b1eb Sources: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/mozilla-nss-3.11-21.7.src.r… 2d64292745510b79081aff63af3ae57c ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/openssl-0.9.8a-18.7.src.rpm a43b90f75865fbc3596084c35aac3585 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/mozilla-nss-3.10-12.3.… 205b16b750e3fdd4ba3c0b7a12627d6a ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/openssl-0.9.7g-2.8.src… 7949b6cbcd17092289949e85670e8330 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/openssl-0.9.7e-3.4.src.… a3fec9ffa1b2e15fedc51461d603e9c8 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/openssl-0.9.7d-25.4.src… f52a4666f358c6399137c6470c04355d Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: UnitedLinux 1.0 http://support.novell.com/techcenter/psdb/5ed5dd66328b2d660bce8191dbd9d7de.… SuSE Linux Openexchange Server 4 http://support.novell.com/techcenter/psdb/5ed5dd66328b2d660bce8191dbd9d7de.… Open Enterprise Server http://support.novell.com/techcenter/psdb/5ed5dd66328b2d660bce8191dbd9d7de.… Novell Linux POS 9 http://support.novell.com/techcenter/psdb/5ed5dd66328b2d660bce8191dbd9d7de.… Novell Linux Desktop 9 http://support.novell.com/techcenter/psdb/5ed5dd66328b2d660bce8191dbd9d7de.… SuSE Linux Enterprise Server 8 http://support.novell.com/techcenter/psdb/5ed5dd66328b2d660bce8191dbd9d7de.… SuSE Linux Standard Server 8 http://support.novell.com/techcenter/psdb/5ed5dd66328b2d660bce8191dbd9d7de.… SuSE Linux School Server http://support.novell.com/techcenter/psdb/5ed5dd66328b2d660bce8191dbd9d7de.… SUSE LINUX Retail Solution 8 http://support.novell.com/techcenter/psdb/5ed5dd66328b2d660bce8191dbd9d7de.… SuSE Linux Desktop 1.0 http://support.novell.com/techcenter/psdb/5ed5dd66328b2d660bce8191dbd9d7de.… SUSE SLES 9 http://support.novell.com/techcenter/psdb/5ed5dd66328b2d660bce8191dbd9d7de.… SUSE SLES 10 http://support.novell.com/techcenter/psdb/5ed5dd66328b2d660bce8191dbd9d7de.… http://support.novell.com/techcenter/psdb/a9b0730b9578c91a3685d9913a531d37.… SUSE SLED 10 http://support.novell.com/techcenter/psdb/5ed5dd66328b2d660bce8191dbd9d7de.… http://support.novell.com/techcenter/psdb/a9b0730b9578c91a3685d9913a531d37.… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de), the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iQEVAwUBRRQAM3ey5gA9JdPZAQJJZQf9HiAwquQBJHoB/lOc6iVQj85iTlxXg5Rz srCTb7j0sYKNqn1bvoGHJYreYI3if2SU2ANH7Y3xgIaGt71R6254Yq5vEgEFralC ScK6LyWniJfn2CGFHewDndFAEjbyVTgcdo4kIeSrYLM/qsqRNBCqkSeLyDC9893l vjjebpKOfp2RSLZ695BFnI3qV/5GrRk14g8pRBlPewTrf82lxJuE9GEHI9laE9Yu WQciGGcS69yKuu+BG0tntIS5Gwrj+tOMpUKxebL19XlDPtA0Y2RGHT+KCwgkGXdT 64GckulBk13464q1OhZ8qjOmhWuhX2UwqfBmItXR7pHDuPvGD0z/+g== =Wjjp -----END PGP SIGNATURE-----

1 0

SUSE Security Announcement: Mozilla Firefox,Thunderbird, Seamonkey (SUSE-SA:2006:054)
by Marcus Meissner 22 Sep '06

22 Sep '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: MozillaFirefox,MozillaThunderbird,seamonkey Announcement ID: SUSE-SA:2006:054 Date: Fri, 22 Sep 2006 15:00:00 +0000 Affected Products: Novell Linux Desktop 9 SUSE LINUX 10.1 SUSE LINUX 10.0 SUSE LINUX 9.3 SUSE LINUX 9.2 SUSE SLED 10 SUSE SLES 10 Vulnerability Type: remote code execution Severity (1-10): 8 SUSE Default Package: yes Cross-References: CVE-2006-4253, CVE-2006-4340, CVE-2006-4565 CVE-2006-4566, CVE-2006-4567, CVE-2006-4568 CVE-2006-4569, CVE-2006-4570, CVE-2006-4571 MFSA 2006-57, MFSA 2006-58, MFSA 2006-59 MFSA 2006-60, MFSA 2006-61, MFSA 2006-62 MFSA 2006-63, MFSA 2006-64 Content of This Advisory: 1) Security Vulnerability Resolved: various Mozilla security problems Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion Security updates have been released that bring Mozilla Firefox to version 1.5.0.7, Mozilla Thunderbird to version 1.5.0.7 and Mozilla Seamonkey to 1.0.5. Seamonkey and Thunderbird were released early this week, Firefox was released today. Please also see http://www.mozilla.org/projects/security/known-vulnerabilities.html for more details. The updates fix the following security problems: MFSA 2006-64/CVE-2006-4571: Crashes with evidence of memory corruption MFSA 2006-63/CVE-2006-4570: Executing JavaScript within E-Mail using XBL MFSA 2006-62/CVE-2006-4569: Pop up-blocker cross-site scripting (XSS) MFSA 2006-61/CVE-2006-4568: Frame spoofing using document.open() MFSA 2006-60/CVE-2006-4340/CERT VU#845620: RSA Signature Forgery MFSA 2006-59/CVE-2006-4253: Concurrency-related vulnerability MFSA 2006-58/CVE-2006-4567: Auto-Update compromise through DNS and SSL spoofing MFSA 2006-57/CVE-2006-4565/CVE-2006-4566: JavaScript Regular Expression Heap Corruption 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes Please close and restart all running instances of Mozilla, Firefox or Thunderbird after the update. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/MozillaFirefox-1.5.0.7-1.2… c2241c461583cb54da9444aa13513da8 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/MozillaFirefox-translation… cede57cc709d100a17747f87fbc8f02b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/MozillaThunderbird-1.5.0.7… 28bba6b62a42895ccd6df331a7926500 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/MozillaThunderbird-transla… acee42b344e5e3a367d243aa417c12b3 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/seamonkey-1.0.5-1.1.i586.r… 75af4685ab07ddd80d95ff2b6f8fceef ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/seamonkey-calendar-1.0.5-1… 5b25c1e00032672ec95245b9cb0dcf8a ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/seamonkey-dom-inspector-1.… 430729d03b65c87f882d1e2997d316a8 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/seamonkey-irc-1.0.5-1.1.i5… d1f2779e225937c360cd9c68a583fc37 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/seamonkey-mail-1.0.5-1.1.i… a471c1ded619519aa9ecbc9890a9382c ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/seamonkey-spellchecker-1.0… 17dc992659486f8216549fc39cda55bd ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/seamonkey-venkman-1.0.5-1.… 88678b6dfda08966bb9994f081804b0c SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/MozillaFirefox-1.5.0.… e6d74190437f49b0fc5276f6b856b67e ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/MozillaFirefox-transl… 225f846874b32245b23492d51bc077b3 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/MozillaThunderbird-1.… 39371eb2f03f8f90a4e8ffc4f29a182c SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/MozillaFirefox-1.5.0.7… 746a56a6aa9402287d7c0f054989689c ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/MozillaFirefox-transla… 5ef6019c2a3b149e84073a699c178b27 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/MozillaThunderbird-1.5… 05b9588e09dccfcc8e4b5320398ebd07 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/MozillaFirefox-1.5.0.7… 653f774d37b664ce97ecbb31bdca9041 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/MozillaFirefox-transla… dc8d989574b91fca7cc6d294469330e7 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/MozillaThunderbird-1.5… 5e96afa8a01e9c487e46cfb144cea474 Power PC Platform: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/MozillaFirefox-1.5.0.7-1.2.… c81caccf49c06e060b095c50c9241212 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/MozillaFirefox-translations… 53e3e3acf042ccf76882d27bfd0b1bb8 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/MozillaThunderbird-1.5.0.7-… 3fb66e6bce779781cb25175f4ba029ed ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/MozillaThunderbird-translat… d69cd7b2f1853b84a1f64f1187196f8e ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/seamonkey-1.0.5-1.1.ppc.rpm 5d81db21ab3ff65e2da8f7c7834c9dd7 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/seamonkey-calendar-1.0.5-1.… 195fe45f87de1625191df8fe9b56216a ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/seamonkey-dom-inspector-1.0… d797584d1507df5cee459ae52025ae4f ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/seamonkey-irc-1.0.5-1.1.ppc… ac452dc31a45124129faca0b7a289881 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/seamonkey-mail-1.0.5-1.1.pp… 213ee0051aabeb1606128fdf031f87ec ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/seamonkey-spellchecker-1.0.… 7200d9d8f6de89125c12c18fb082ff92 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/seamonkey-venkman-1.0.5-1.1… 0e51a3e3b0ea39f951bf146db8316995 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/MozillaFirefox-1.5.0.7… c18441b3b260aeb26445bc6f514d76cf ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/MozillaFirefox-transla… 22c3c4e9102e35bdcdccc9970bb8e86b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/MozillaThunderbird-1.5… a27cfdf5824fe2155215806c3e48ef01 x86-64 Platform: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/MozillaThunderbird-1.5.0… c8f0e029fd901c0ee4b792e657534094 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/MozillaThunderbird-trans… 6adbd489c023501639fd417844a4af6f ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/seamonkey-1.0.5-1.1.x86_… 3134380adefa0d0eef28ceaea0feefa3 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/seamonkey-calendar-1.0.5… 9264ba5a10f98dc9c4bc6b6bb3f948c9 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/seamonkey-dom-inspector-… 2391b23a49e8044025feeba96f3c98aa ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/seamonkey-irc-1.0.5-1.1.… 6e6de01bba861db89ae1cef20423f99b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/seamonkey-mail-1.0.5-1.1… d54a8f88541d6809b55510899ad60e9c ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/seamonkey-spellchecker-1… fd6847218166c1f3175fe5197d057340 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/seamonkey-venkman-1.0.5-… 36bff38cd92af4b4759805498c9f26fc SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/MozillaThunderbird-… 21dd3f6e951b6a26b423fef4446049a9 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/MozillaThunderbird-1… 29a0d99e40b423720c412778f9c348c2 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/MozillaFirefox-1.5.0… d9373f704a849e401296a6ce1029af8e ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/MozillaFirefox-trans… 95e941405253b750c712008f8ede371e ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/MozillaThunderbird-1… db25bb261cefcc722e349450190ac0dc Sources: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/MozillaFirefox-1.5.0.7-1.2.… a84a3ced8c0f7c3222cc3ab76e51a2d9 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/MozillaThunderbird-1.5.0.7-… 63cb05e759521c36b28ca86b95e3008b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/seamonkey-1.0.5-1.1.src.rpm d5c0667bc7ac9899e5d083335259de32 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/MozillaFirefox-1.5.0.7… 9081b907a933f4112b1dea8501c5be8c ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/MozillaThunderbird-1.5… 0af702b1eac30f7413b7959e08d92f4f SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/MozillaFirefox-1.5.0.7-… 2cb13934696dc77c4a92cf6e51cb3947 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/MozillaThunderbird-1.5.… 70b0ce0a6abc740bb3b7564ee8d95de4 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/MozillaFirefox-1.5.0.7-… c56ba0432ded361fe09e7e12fec9ff48 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/MozillaThunderbird-1.5.… 56770bca1157d6e43e21ecd4fddcad51 Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: Novell Linux Desktop 9 http://support.novell.com/techcenter/psdb/ef4a219c3a29a3b7d4c57c43cccd0acc.… SUSE SLES 10 http://support.novell.com/techcenter/psdb/ef4a219c3a29a3b7d4c57c43cccd0acc.… SUSE SLED 10 http://support.novell.com/techcenter/psdb/ef4a219c3a29a3b7d4c57c43cccd0acc.… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de), the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iQEVAwUBRRPet3ey5gA9JdPZAQJs9wf/Wc047A4asq8qbI61B/e+LeVjT9YjkLC8 Kfri1nyoy9lT4WVKKhJpcoWTF7P3xFfaoegRmqkDvj/8tUQQnCpAwMfOJ7Z+0W62 quPMH3oUMkNem+9xn6MuIz09gyMIHO4U8UnTrtdsmaRqXzuohjiqaUiZ2GQ7n174 reJJXXv5yfaCxZOLcBQjF8uwVaI+zcTcHlbm7Fn+oTD6cy+v1eA/zF9CmzawacwP Gf1iCU9IrhKlH8kKQDxK7JD/TuqylvGrEgAFUbMNQDDtrlDLL6nVTxTIPEmqYMyO xwM/Cnj1oWk/0KIE8Wl/azWOyiDNg23U+dXGsCj7+g9/eGTAwa26Fw== =jjC/ -----END PGP SIGNATURE-----

1 0

SUSE Security Announcement: flash-player (SUSE-SA:2006:053)
by Marcus Meissner 21 Sep '06

21 Sep '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: flash-player Announcement ID: SUSE-SA:2006:053 Date: Thu, 21 Sep 2006 13:00:00 +0000 Affected Products: Novell Linux Desktop 9 SUSE LINUX 10.1 SUSE LINUX 10.0 SUSE LINUX 9.3 SUSE LINUX 9.2 SUSE SLED 10 Vulnerability Type: local code execution Severity (1-10): 4 SUSE Default Package: yes Cross-References: CVE-2006-3311, CVE-2006-3587, CVE-2006-3588 CVE-2006-4640 Content of This Advisory: 1) Security Vulnerability Resolved: flash-player various security problems Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion Multiple input validation errors have been identified in the Macromedia Flash Player that could lead to the potential execution of arbitrary code. These vulnerabilities could be accessed through content delivered from a remote location via the user's web browser, email client, or other applications that include or reference the Flash Player. (CVE-2006-3311, CVE-2006-3587, CVE-2006-3588) These updates also include changes to prevent circumvention of the "allowScriptAccess" option. (CVE-2006-4640) 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes Please close and restart all running web browser instances after the update. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/flash-player-7.0.68.0-1.2.… 63f5401393619b7507ee0799a946585b SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/flash-player-7.0.68.0… 08db4253c044700b8ace05e48c0d1f30 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/flash-player-7.0.68.0-… 1da70b61f88ac230d3a32ab86d81dff8 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/flash-player-7.0.68.0-… 4e968dc6cb9c786f2059eeb11c71ac57 Sources: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/flash-player-7.0.68.0-1.2.s… a2c721f392edc190ee7ed744804819c6 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/flash-player-7.0.68.0-… 73818355a51f9e5ae0d9f82b705d2fa0 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/flash-player-7.0.68.0-1… 74a26ba1d763f785a7dc861decdfc042 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/flash-player-7.0.68.0-1… 6658938ba3d5b367ccfe62c222606d8f Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: Novell Linux Desktop 9 http://support.novell.com/techcenter/psdb/8ca1dc42850524d1908ffbf18670eb2a.… SUSE SLED 10 http://support.novell.com/techcenter/psdb/8ca1dc42850524d1908ffbf18670eb2a.… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de), the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iQEVAwUBRRKbbXey5gA9JdPZAQJUsgf5AR39AlNaOZh44yquQtEqZReBSvL6BQ9f zS97/xsbJaU3w+vEa/wSaueM5TQTw8lE06+ngK9RUVtMohrO19OuMpah9cx62arM OfA5wJHn+Fq/zRrlNiKJDJN24LzkQRlGBPfc0qcmaWjy67VxpksjYf0A3LVs3TF9 yxBG7Jq/vU7XInzwZkeb/LLa93AbKxzzMYe0MGG5eMZCipCUnFhn45tvfJLCkXo9 pUZHFbIBxhhQsEGDAERqEC81U75RpxGWEtj7gLdRY1KPvHuAGFU33zQOt6Wk/Kzd lsc/6L1mN3jir/s4M1XQ9La8rTIQIZJaiWXe1I+DDu47UuAaSJ4lkA== =moPh -----END PGP SIGNATURE-----

1 0

SUSE Security Announcement: php4,php5 (SUSE-SA:2006:052)
by Marcus Meissner 21 Sep '06

21 Sep '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: php4,php5 Announcement ID: SUSE-SA:2006:052 Date: Thu, 21 Sep 2006 12:00:00 +0000 Affected Products: Novell Linux POS 9 Open Enterprise Server SLE SDK 10 SUSE LINUX 10.1 SUSE LINUX 10.0 SUSE LINUX 9.3 SUSE LINUX 9.2 SuSE Linux Enterprise Server 8 SuSE Linux Openexchange Server 4 SUSE LINUX Retail Solution 8 SuSE Linux School Server SuSE Linux Standard Server 8 SUSE SLES 10 SUSE SLES 9 UnitedLinux 1.0 Vulnerability Type: remote code execution Severity (1-10): 5 SUSE Default Package: no Cross-References: CVE-2006-2563, CVE-2006-4020, CVE-2006-4481 CVE-2006-4482, CVE-2006-4483, CVE-2006-4484 Content of This Advisory: 1) Security Vulnerability Resolved: php4 and php5 security problems Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion Various security problems have been fixed in the PHP script language engine and its modules, versions 4 and 5. The PHP4 updated packages were released on September 12, the PHP5 update packages were released on September 20. The following security problems were fixed, with respective Mitre CVE ID: - The CURL module lacked checks for control characters (CVE-2006-2563) - A potential basedir evasion in the CURL module (CVE-2006-4483) - basedir and safemode evasion in the IMAP module (CVE-2006-4481) - str_repeat() contained an integer overflow (CVE-2006-4482) - GIF LZWReadByte overflow in the GD extension (CVE-2006-4484) - ext/wddx contained a buffer overflow - memory_limit() lacked checks for integer overflows - fixed memory overflow in foreach (CVE-2006-4482) - a bug in sscanf() could potentially be exploited to execute arbitrary code (CVE-2006-4020) 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes Please close and restart all running instances of apache and apache2 after the update. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/apache2-mod_php5-5.1.2-29.… 8936b85744d4fc0679fa3ecb01241ad4 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/php5-5.1.2-29.14.i586.rpm 05c943f8791e8c27cae744c90028ce84 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/php5-bcmath-5.1.2-29.14.i5… 15367a8a1d1bbf08d5b3bd37a08e329f ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/php5-curl-5.1.2-29.14.i586… 76b51b9e5c525ebabd52aea5b588e18e ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/php5-dba-5.1.2-29.14.i586.… 726732d2758b5e3cb5390b089c158efe ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/php5-devel-5.1.2-29.14.i58… c195e60cae48447af36854801b6ce063 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/php5-dom-5.1.2-29.14.i586.… 2f9be84c019a88e7b5ea91ccf33c8cb7 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/php5-exif-5.1.2-29.14.i586… 6eb8e865acc9d507a50589bc26094d2a ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/php5-fastcgi-5.1.2-29.14.i… 26713a185511d55324775f7166dca5c8 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/php5-ftp-5.1.2-29.14.i586.… 1e7090b251a4b9c37a68bd26c633d59d ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/php5-gd-5.1.2-29.14.i586.r… f874e52e7b71e25e954f5b1cadcca239 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/php5-iconv-5.1.2-29.14.i58… 9aed86afbf7923a66f72bd4f7cb4bf18 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/php5-imap-5.1.2-29.14.i586… 0ce67bbec20d3933d4eb1ba49117d01d ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/php5-ldap-5.1.2-29.14.i586… 4e05abc4e56cf05ddc31678d01c4ca11 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/php5-mbstring-5.1.2-29.14.… 2da6c06a2e4eba06ea34ab1ebc2f0f5f ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/php5-mysql-5.1.2-29.14.i58… fd2673f24195733d5c7efaf00b0b93cb ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/php5-mysqli-5.1.2-29.14.i5… 8a66acc9cb55532003e9732ea23e16ba ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/php5-pdo-5.1.2-29.14.i586.… c8396008eacaf6bf4f8bcfe76029b9e4 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/php5-pear-5.1.2-29.14.i586… ffa119e44cdc3fb5fabba53b4d71beca ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/php5-pgsql-5.1.2-29.14.i58… c900f5c407201246f33242ff140921a7 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/php5-soap-5.1.2-29.14.i586… 978f86a644c840fb2025029ffd442756 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/php5-wddx-5.1.2-29.14.i586… dff9b44b112366d77797fc14f5860687 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/php5-xmlrpc-5.1.2-29.14.i5… 21bd1f4bb6333c050433af28329f5175 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/apache2-mod_php4-4.4.… 0826135f5a6adb72b7fb76c224e961e5 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/apache2-mod_php5-5.0.… ea651421644344d819c09657e8bf4cbb ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-4.4.0-6.18.i586.… b49f51dc41b1f78e9d75e38b597a78e9 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-curl-4.4.0-6.18.… eceb8ba7aee1fd11f26fdf3aeb130a23 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-devel-4.4.0-6.18… 179ac585bc9d7cb0f790a2d8943d8331 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-exif-4.4.0-6.18.… cadfbeb0736052e9c65e2c866e3c488e ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-fastcgi-4.4.0-6.… 33ef26231502942dc679ca7e3a1f0b07 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-gd-4.4.0-6.18.i5… f0377f81a39dbec44fadd9f890ab710e ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-imap-4.4.0-6.18.… ac459e842c6430c5cd0ceef19a524006 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-mbstring-4.4.0-6… b331f9ce7d5a2eb06a6f58fd02fa5711 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-pgsql-4.4.0-6.18… ee820c73df5b479cb6fdea4487e9339f ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-servlet-4.4.0-6.… dd70729a66b59bf877a7ad4ab98923b8 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-session-4.4.0-6.… 0909d275dc1a2b552c570aef4fe5ece7 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-unixODBC-4.4.0-6… 2e62bd1c728b273028f04855d7f047ca ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-wddx-4.4.0-6.18.… dd66143160606fca5ddefe9a15e6cd49 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-5.0.4-9.17.i586.… fa9e9761a9e16eb4c1111f8852d72c23 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-bcmath-5.0.4-9.1… 2f45db6c7641553384a278203a9a499d ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-curl-5.0.4-9.17.… f6e832a9db273b1276759c275da01acd ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-devel-5.0.4-9.17… e10c44d54b8702312fb55806e7311d07 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-dom-5.0.4-9.17.i… bfb41b1d29a37b16d9157273530095ac ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-exif-5.0.4-9.17.… e6abfb9618f4fb01985d274de9edf3c3 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-fastcgi-5.0.4-9.… 007261957f7d68c84848c2ac5cf9cabe ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-ftp-5.0.4-9.17.i… c755696cab8db4939606f258a6f0f829 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-gd-5.0.4-9.17.i5… f8683dc9c41dbad0abe7deeb43709c93 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-iconv-5.0.4-9.17… 60e0796af4343c65b7053db88459d832 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-imap-5.0.4-9.17.… 9a4f98f58f94564cbca814650f73f0d0 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-ldap-5.0.4-9.17.… fddc6b655fbab589542064c7a2e7faa3 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-mbstring-5.0.4-9… ef7f9d2787ed567720a1c28bad524eb8 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-mysql-5.0.4-9.17… 98a7aa1aafca47f773a87252ed4afa29 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-mysqli-5.0.4-9.1… ce2b78e9c9747c50fc000c60a14f3bf1 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-pear-5.0.4-9.17.… 61714b39589d00c7ee7c66ce030b8b4d ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-pgsql-5.0.4-9.17… 07e976a5f57c33ee4a268dcc9205b217 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-soap-5.0.4-9.17.… e7dc5a940efb47703a5835d7da679752 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-wddx-5.0.4-9.17.… 37b0e98284f9ac09c3ce6c6212104f5c ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-xmlrpc-5.0.4-9.1… e61ce92e87cbac1bed9b450fe3f125b3 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/apache2-mod_php4-4.3.1… 53c2a628dc059035abb71771a9924088 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/apache2-mod_php5-5.0.3… 8ba79eb44c374f75eb1499ec67ed0aaa ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mod_php4-servlet-4.3.1… d26ca08214ef83085b2814a8f45d6f6a ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-4.3.10-14.28.i586… 1906ce2ba1ad314114bd73b03a6869cf ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-curl-4.3.10-14.28… 3ac484fe68c4da67c234d0516895b6d9 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-devel-4.3.10-14.2… f7ed459d2eef8c8e20d360d92857d6a4 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-exif-4.3.10-14.28… 190ffe8e4956bf47df80dbffbb09f78a ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-fastcgi-4.3.10-14… 8815199cfda3c074da63bbbe0b8ac13b ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-gd-4.3.10-14.28.i… 6252c6e6b2b280b37e7d46ca8affe806 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-imap-4.3.10-14.28… 69884f260d056c656574537c2065d7b1 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-mbstring-4.3.10-1… 23b883c38a2d6bd89a99770b802e958c ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-pear-4.3.10-14.28… 76e5007fd8340678534d97a00bd4aac3 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-pgsql-4.3.10-14.2… b2e93e6f858e413015dd9c49ef6f43c2 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-session-4.3.10-14… c7de5c1644b413140dfeb0079713d68c ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-sysvshm-4.3.10-14… 109bf46b42af8451440b2b12ea2d7e74 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-wddx-4.3.10-14.28… 0a1f381f6306b580ab7bff8cb37aad55 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-5.0.3-14.27.i586.… 1cc974d0c46440027b6834c485bd6c55 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-bcmath-5.0.3-14.2… 8ec38fb68f0dfa016197f7176b74c4bb ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-curl-5.0.3-14.27.… 2220b978d57bed97d1e12ecd7fd80a20 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-dba-5.0.3-14.27.i… fcecf5db2bdcccaddf86a114aa427f71 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-devel-5.0.3-14.27… cf2f3aad0fe5a7f9dfd9d79097cc6d89 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-dom-5.0.3-14.27.i… 53e9937fa54ecaba299d5670e73a8f0e ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-exif-5.0.3-14.27.… 954d519c8223d5afff863eb497337139 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-fastcgi-5.0.3-14.… 620186472403641f0889d3a750424ea5 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-ftp-5.0.3-14.27.i… 403f1ace2182a1d56cd81a9350c93732 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-gd-5.0.3-14.27.i5… cbd9fd2960b1e250c466161693135c37 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-iconv-5.0.3-14.27… fe6f1702e44ee4fcb941b95d1bf8a7e4 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-imap-5.0.3-14.27.… 6ae3b3939b8071848a7a6a5a68720bda ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-ldap-5.0.3-14.27.… 1bbb5beddb631dc58c88b5907c3ced63 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-mbstring-5.0.3-14… 03c5828cdfd325a70e2fb0d443bee7fc ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-mysql-5.0.3-14.27… b31fbad17afca8b314669c5520e3df03 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-mysqli-5.0.3-14.2… 8d4423ef232e330fd1c038b3efa2f566 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-pear-5.0.3-14.27.… 9b9d282f6c2a05b7c12a3b4dee0a3a0a ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-pgsql-5.0.3-14.27… d21df50df08db5b53782ca490136c948 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-soap-5.0.3-14.27.… dc4b016345d833349787788cfa6bd9dd ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-wddx-5.0.3-14.27.… bbfeb1b11813dc28a468b8212b892a71 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-xmlrpc-5.0.3-14.2… 8125577c0c43264ff0f244932451de8a SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/apache2-mod_php4-4.3.8… 5af4e60fd1a4f1f443cfb2acd86ad050 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/mod_php4-servlet-4.3.8… 5dc929f21f27c0bb7fdb673eb8ccd3eb ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-4.3.8-8.31.i586.r… 583483410677adbf026d8d0e44eeb560 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-curl-4.3.8-8.31.i… 9ae866d2c1ff8854c87f57c9a45846f1 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-devel-4.3.8-8.31.… 6bef4d818184a299b1d014cd85a2c4c4 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-exif-4.3.8-8.31.i… 20b1a0bd5ecdd28b713d8a6af8882da1 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-fastcgi-4.3.8-8.3… 7c9b3f6f35a6534df08379c9fdafc4ed ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-gd-4.3.8-8.31.i58… 79f244100af155718887d877d1e62e92 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-imap-4.3.8-8.31.i… 2a053d094afe319654f22bfecdc2d4ea ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-mbstring-4.3.8-8.… e8720c7a439175885ee6454957828a7a ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-pear-4.3.8-8.31.i… 82ca1fc363a45ce02531f673d298c2c5 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-pgsql-4.3.8-8.31.… 1397f82a2a646c3f429d60f6b76d68f7 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-session-4.3.8-8.3… 49bce690abd49902c607e71267e16281 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-sysvshm-4.3.8-8.3… 58b51de1fea6746c6a3087ad7fed660e ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-wddx-4.3.8-8.31.i… c5e15449174214584ae39e043aff0ba3 Power PC Platform: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/apache2-mod_php5-5.1.2-29.1… e44782596c9566f10cd796758f5f2492 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/php5-5.1.2-29.14.ppc.rpm de38d51552b0581329c2fc6e527bdb70 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/php5-bcmath-5.1.2-29.14.ppc… 744a0385fed08aba4242eb3511c1145a ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/php5-curl-5.1.2-29.14.ppc.r… 30cfdb26b5c49be06800bae8261a5682 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/php5-dba-5.1.2-29.14.ppc.rpm 43655495b072178d7fdf0a0572bfa882 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/php5-devel-5.1.2-29.14.ppc.… 495f303f7d5f6a0b8e1308d6480ab3ac ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/php5-dom-5.1.2-29.14.ppc.rpm 918a7cd5c71cdd7afbc35b864e7ccdbc ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/php5-exif-5.1.2-29.14.ppc.r… 84de48e086c002201ae9617e210bb4c3 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/php5-fastcgi-5.1.2-29.14.pp… cc9355935650154d165a93beeb25e3c3 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/php5-ftp-5.1.2-29.14.ppc.rpm 64ddb79c4122d7b1f90670c027980346 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/php5-gd-5.1.2-29.14.ppc.rpm 8a774f4d905dbc8b6e649a4c6b2e76f2 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/php5-iconv-5.1.2-29.14.ppc.… f5081c53b3da57310ddd12882b889081 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/php5-imap-5.1.2-29.14.ppc.r… 17019512414445db407b47785229450a ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/php5-ldap-5.1.2-29.14.ppc.r… 1ab95c75666d4233fa7accfc7b0d3f25 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/php5-mbstring-5.1.2-29.14.p… a8108e71ac630fb34c80acc358000e6b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/php5-mysql-5.1.2-29.14.ppc.… 3618e09622602954225283728017e3b8 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/php5-mysqli-5.1.2-29.14.ppc… 4923b14525ae9585ce4d10a59d4cdb82 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/php5-pdo-5.1.2-29.14.ppc.rpm 2bd07d15c736a085bfc057be6380bc12 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/php5-pear-5.1.2-29.14.ppc.r… e458770bfa337decc9fb796f0e902619 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/php5-pgsql-5.1.2-29.14.ppc.… 356eee743b3de8456206cbd8ab9c85ba ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/php5-soap-5.1.2-29.14.ppc.r… 8d2f92da449ba43c9e26fd12210a5f57 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/php5-wddx-5.1.2-29.14.ppc.r… af0ae8d5df013408c7518f56fc12bef8 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/php5-xmlrpc-5.1.2-29.14.ppc… a3276f7216fbf6ffdb105a42398e0afb SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/apache2-mod_php4-4.4.0… 72fe9cafc840c3bf263f34fd75e35647 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/apache2-mod_php5-5.0.4… 369933c15ad6bccf69e3873917f4fad0 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-4.4.0-6.18.ppc.rpm 50da99e08212b520b9a5764aa2323b8a ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-curl-4.4.0-6.18.p… 2f97d8e802d53e1019431257d715651b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-devel-4.4.0-6.18.… 1932be4a73932851a7c49e02e52f8a6f ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-exif-4.4.0-6.18.p… 920cc44062cdc86109b3212ee0e6eb70 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-fastcgi-4.4.0-6.1… 05c99491b1a68813f2fb961fa4dab443 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-gd-4.4.0-6.18.ppc… 9d1d97698a62e8e9874c6de0b885b0fe ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-imap-4.4.0-6.18.p… 1320e5f539719fc243aef980534479f2 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-mbstring-4.4.0-6.… ca4d474b8bcc9fce33308797227fdbf9 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-pgsql-4.4.0-6.18.… d1ac42264737362ae871c87036b1173b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-session-4.4.0-6.1… b5313070ba11766494707dc6f61ac34b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-unixODBC-4.4.0-6.… 6bcb647e7e997f5b1614347a0ac5914c ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-wddx-4.4.0-6.18.p… d51890bc820e65b5173f8ed5e720ee8b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-5.0.4-9.17.ppc.rpm f1a301b836b26095943289736e951bff ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-bcmath-5.0.4-9.17… 50a93a9379a1e808741b1cb18cb7e3bc ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-curl-5.0.4-9.17.p… 80a76e4ea7531bed800462e7bcf2ebd4 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-devel-5.0.4-9.17.… 19bd457805a0d46642b62ade9aabc4ca ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-dom-5.0.4-9.17.pp… c32d7cbe32c512e621f9a83e241b3aec ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-exif-5.0.4-9.17.p… e3b8c81ab76ff16c67fa8251c8b508cf ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-fastcgi-5.0.4-9.1… 361e36d56208cdeda3a07467fb0bfec0 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-ftp-5.0.4-9.17.pp… f979cd44ecf9ef88f2626bb09cb09c78 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-gd-5.0.4-9.17.ppc… faee9f356101b5f3a6017eba4932e510 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-iconv-5.0.4-9.17.… 8224547de7e45db8dd6954558d8a8bc1 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-imap-5.0.4-9.17.p… d40dc2d0753d88ec8a34bd80d3d47421 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-ldap-5.0.4-9.17.p… b287ecb14869d587a4b840b5192bbf04 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-mbstring-5.0.4-9.… 5ba9c28b72780c83d14c757cef22f42c ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-mysql-5.0.4-9.17.… 915406b3b839ed800d0a67f027d2c518 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-mysqli-5.0.4-9.17… e5136b2c63e3effa8ed14e61c86a3242 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-pear-5.0.4-9.17.p… ace1bb9ac86fa3ce9ff9b87af1e5b738 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-pgsql-5.0.4-9.17.… 8d054b6ba8fa10d4ee540f014ba363a4 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-soap-5.0.4-9.17.p… 8dd35b2e3b21491567e71b8f6d5dc3ae ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-wddx-5.0.4-9.17.p… a2a926d5f14286377a3e0a885d6de710 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-xmlrpc-5.0.4-9.17… ab92969b2dd34a11ff340d6d6ad5ed40 x86-64 Platform: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/apache2-mod_php5-5.1.2-2… 1aa541e819f0cf28bcae7cfa3d8faf83 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/php5-5.1.2-29.14.x86_64.… 5f46c8aed17fd6e21e3c4cefe98e3068 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/php5-bcmath-5.1.2-29.14.… a002c66e3044a4e9cb2c503e72b70312 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/php5-curl-5.1.2-29.14.x8… 45e191689c242220dccc0720027491d5 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/php5-dba-5.1.2-29.14.x86… f66e5133a464380c2c3f7c667f67eb8b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/php5-devel-5.1.2-29.14.x… fdc8032851821193be1d35dbc404fb3d ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/php5-dom-5.1.2-29.14.x86… ef7451b939c38b8d5a64c26030b84be9 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/php5-exif-5.1.2-29.14.x8… 953a2f7a589aeef0ffa321426fe6d489 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/php5-fastcgi-5.1.2-29.14… 36b14c01fc02286389f33249ff6c4e85 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/php5-ftp-5.1.2-29.14.x86… 76a38d8ad279f5fdbbbca7e1ac30fcac ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/php5-gd-5.1.2-29.14.x86_… 199b4078f06f55020c67f1d375b8f02e ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/php5-iconv-5.1.2-29.14.x… 23ec993e1268fdaffc045f9bd948f07b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/php5-imap-5.1.2-29.14.x8… 687b9609eb63ce03eb9166b21fb1bc71 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/php5-ldap-5.1.2-29.14.x8… fc12530e303870ac7d5f53ff0aaf2520 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/php5-mbstring-5.1.2-29.1… c0b8cc5d14ab5fe1a14b60b7f10621f3 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/php5-mysql-5.1.2-29.14.x… 9217c9cae9cd4e7cbb20fa0977e79ec9 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/php5-mysqli-5.1.2-29.14.… 75f713cdd88895ae0819c534049b718d ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/php5-pdo-5.1.2-29.14.x86… 1d775a0b2e85c4b491977fdbef9903ed ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/php5-pear-5.1.2-29.14.x8… 7a6987c24ec2a2bfe2aefa469f53a9ce ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/php5-pgsql-5.1.2-29.14.x… 5e1358157e851c58f33c55f1baa1832b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/php5-soap-5.1.2-29.14.x8… 7d7f980a9815c495f5eb404b96a1f579 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/php5-wddx-5.1.2-29.14.x8… 65f19a5398080254a9d4b021cd441ba6 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/php5-xmlrpc-5.1.2-29.14.… 857341c4894c1c3edc41a53ff74bf377 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/apache2-mod_php4-4.… 738cad0418d599c7a1d312b5f2f1d28e ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/apache2-mod_php5-5.… 8cbd4a61479a5d449896e82f8f2747fe ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-32bit-4.4.0-6.… 898843d16262891dfe844ad919c0d76b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-4.4.0-6.18.x86… 7ccb40a0d55e4b4d6065856e2c113e65 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-curl-4.4.0-6.1… 7da624b820d113eacdbd42939938445e ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-devel-4.4.0-6.… 2034f854b6e4fe1562eaa83fb182388f ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-exif-4.4.0-6.1… 8c7cf607c306dd861b4424937bcf283f ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-fastcgi-4.4.0-… 31d3a4d79590037f76a6d401653e32f1 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-gd-4.4.0-6.18.… 6f845e6fbb8e6f70a7e5b3b01972dcd7 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-imap-4.4.0-6.1… d83e51da60e5e63b1ad97f3e5503482a ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-mbstring-4.4.0… 1888c18a14af916e80faccedff8e897e ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-pgsql-4.4.0-6.… 47060c9a21a567c6373e2b5ff498caaf ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-servlet-4.4.0-… 7e9cbe4e6686c7caa87158f034059a8c ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-session-4.4.0-… 347dddeda126106310ed6efd6b76e299 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-unixODBC-4.4.0… 73eb755575178471ee1d33ed6a109eb9 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-wddx-4.4.0-6.1… 3f6c5a35c5dfef203cee21dc30ea538b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-5.0.4-9.17.x86… b3a37b64873b7563b4d7f6432a3ed7a2 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-bcmath-5.0.4-9… 0bab9e455e6cfa7b638546b54d3b5c75 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-curl-5.0.4-9.1… 3eee340684d32666d73ee1713f74ebf6 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-devel-5.0.4-9.… 0bebfb61fe5cd8726b500aa38323808b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-dom-5.0.4-9.17… 3920509afaec41428e740376595da363 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-exif-5.0.4-9.1… 9039f96ef34aae6880b91bdba6cc93b0 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-fastcgi-5.0.4-… e9a9c15bbef5c26aaca323414b470966 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-ftp-5.0.4-9.17… c8bc4b48067456bfe277dafe1203ba7a ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-gd-5.0.4-9.17.… 92e76709003bbd17b2c81ad096e46c1e ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-iconv-5.0.4-9.… 3e8678b95fbb33d22e86c16820570192 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-imap-5.0.4-9.1… 6e8f16a31ffe8c8f0fcdecd810ce3432 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-ldap-5.0.4-9.1… 9f36ce3da24be5c0d49e48bb9624c3bc ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-mbstring-5.0.4… eb45dbd62fd552cfab866cddb306c938 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-mysql-5.0.4-9.… e88f41dc4c31d791d07a3864743d29b3 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-mysqli-5.0.4-9… e13790c9ba16d2d7232139ff4dde5723 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-pear-5.0.4-9.1… 9a5454e33e9f330344ed71b8fe67a147 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-pgsql-5.0.4-9.… 90ce9c190ffc7d46fe2c7c4807abfc6e ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-soap-5.0.4-9.1… c9c0a3ab4cde46bb182c0b258f40f67f ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-wddx-5.0.4-9.1… a51e3555b16e1564284a22aeacb4a321 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-xmlrpc-5.0.4-9… 5170a261b511700b1a1bfc48011abc62 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/apache2-mod_php4-4.3… d0a8a3a10f0a0e1528c8d77fc10c711c ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/apache2-mod_php5-5.0… 7d29734d93a9b2ed929031622395231f ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mod_php4-servlet-4.3… b71cee2d6754b6ec0329820a009723f8 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-32bit-9.3-7.12.… 9a3b87a6d90dbea3150c0a39d7a200ea ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-4.3.10-14.28.x8… f134257c894e6fe5e3b2842948b1af7e ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-curl-4.3.10-14.… 19a627cbaa97f89faf6769a16dccad8d ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-devel-4.3.10-14… 4170c084e22ffa5d11ab0cc9ae09f7d7 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-exif-4.3.10-14.… 3a767ddce824622d83e916ffed713e0f ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-fastcgi-4.3.10-… 1faa67b197837f9123fcfd92b2a8ee54 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-gd-4.3.10-14.28… fa57f12cdc283627f22b8d7d9e37e124 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-imap-4.3.10-14.… cc4ecc9f1cf7cc20027c4c03031eaef3 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-mbstring-4.3.10… 310e97e460a58d2d8a16860ff0562849 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-pear-4.3.10-14.… 369f7c7d308ff0c0bcbd4bbb8e1ba174 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-pgsql-4.3.10-14… e3ddfd378729a1fb4e4749080a7f3b22 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-session-4.3.10-… 395f137bf64d793b7cafbcf6b40a48e2 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-sysvshm-4.3.10-… efc1e13c901ac3aad866926b667e8d0e ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-wddx-4.3.10-14.… 9116ce650ca923dc5e3c245f64424fb9 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-5.0.3-14.27.x86… f42c1125f4d246541bb86af8a42261ae ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-bcmath-5.0.3-14… 217967576f061dd2f2bb4135948d76f2 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-curl-5.0.3-14.2… f1ebe9ca5aa9057c1f9c155f04ab5c6e ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-dba-5.0.3-14.27… c34eaf8ea0d7298befd9109c09e6422d ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-devel-5.0.3-14.… 5e93c7e38e3456b53d4f10453fd4f8c2 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-dom-5.0.3-14.27… 70ad91d6fdc379b2ce82af3e88f61a63 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-exif-5.0.3-14.2… 3eab67e86e9fc85f61120e0e159e8ba5 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-fastcgi-5.0.3-1… 190b50aa354868d7c2bdeafc96bd27a3 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-ftp-5.0.3-14.27… 7df97d4bd29f15a2bcb0785488d11cd7 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-gd-5.0.3-14.27.… 852f121f64f4fc0ffe416ede92231855 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-iconv-5.0.3-14.… 64dbbfeb780a97a52a9f7112fe35a81e ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-imap-5.0.3-14.2… 03120cc85fe4d7d8f01f323fbf9b722c ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-ldap-5.0.3-14.2… 26dc97e48c71c249390e33637290b6e8 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-mbstring-5.0.3-… 32999e42b6d869f6be42adc8f27ebb96 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-mysql-5.0.3-14.… ee8817f6729c0896d58b7dbf495d1a43 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-mysqli-5.0.3-14… b934c51a66c6c12e102f840f30e98f16 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-pear-5.0.3-14.2… 55f80a7d9c9a5a49497ae4a6674678c7 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-pgsql-5.0.3-14.… 39dce7bded0c42ecb553f6d4023720d7 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-soap-5.0.3-14.2… f049e62ca4d37a4e5b39103e3fca6eb2 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-wddx-5.0.3-14.2… 44b03ea63d1f4defcf602f31a2a1abb2 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-xmlrpc-5.0.3-14… fdb5249957116875254fd2ba2c7074fc SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/apache2-mod_php4-4.3… d73e48ecbb07f2c3565538679c4567aa ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/mod_php4-servlet-4.3… 04d9cd428d4063efd70838e6f59af30c ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-32bit-9.2-20060… 90b01223363a94ba71d1b1bca9d540b8 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-4.3.8-8.31.x86_… f057ae228a13e614f1b38cb779dccb34 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-curl-4.3.8-8.31… ec53972396dc14c8c558a98df0cbeceb ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-devel-4.3.8-8.3… a30419b780f105eca02b425088d8d298 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-exif-4.3.8-8.31… 3a5761b011c9ab9ceecb5ef297f0c315 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-fastcgi-4.3.8-8… aa0b9085bddc24a57dbf86717eb4a949 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-gd-4.3.8-8.31.x… 561f2af2986fa8142b1a010bc05d4f57 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-imap-4.3.8-8.31… e7faded463239ea340ae8850f0384057 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-mbstring-4.3.8-… 41bbfe96f9f82d3580475006041ab951 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-pear-4.3.8-8.31… bb6b941448f4313a2a356560db82109f ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-pgsql-4.3.8-8.3… f931b7c36b56611a2bb0c75c13bc059e ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-session-4.3.8-8… fc189ca0a3fd1f075d38b33a9f76a483 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-sysvshm-4.3.8-8… 47833784a0f26da1e7d3877141815a61 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-wddx-4.3.8-8.31… e4cdfb0e2d47b1c7ada7d916e47c1407 Sources: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/php5-5.1.2-29.14.src.rpm ff5694ea382b4c274f5acf8b30b308f1 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/php4-4.4.0-6.18.src.rpm 499a6a4ef22c2a5b1a68c6843894a5d4 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/php5-5.0.4-9.17.src.rpm 42a34d8b69b925212a8650a63f00c188 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/php4-4.3.10-14.28.src.r… 89de4fdc12856ca8c029360a4adc6d8f ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/php5-5.0.3-14.27.src.rpm 1cdee4108fcd07b473054d1b59cb2c59 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/php4-4.3.8-8.31.src.rpm 2f499cff806e484b10946bf6b00f02f3 Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: SUSE SLES 10 http://support.novell.com/techcenter/psdb/4158cb40947679b415df74f09e98ea02.… SLE SDK 10 http://support.novell.com/techcenter/psdb/4158cb40947679b415df74f09e98ea02.… SUSE CORE 9 for Itanium Processor Family http://support.novell.com/techcenter/psdb/47a19c67fad7fcec4d91c5a44208bcc5.… Open Enterprise Server http://support.novell.com/techcenter/psdb/1a2f0555d36498842c2e883d8fb6e27e.… Novell Linux POS 9 http://support.novell.com/techcenter/psdb/1a2f0555d36498842c2e883d8fb6e27e.… SUSE SLES 9 http://support.novell.com/techcenter/psdb/47a19c67fad7fcec4d91c5a44208bcc5.… http://support.novell.com/techcenter/psdb/1a2f0555d36498842c2e883d8fb6e27e.… UnitedLinux 1.0 http://support.novell.com/techcenter/psdb/7cd59aa86a1f1b1dbca70a4416a78d26.… SuSE Linux Openexchange Server 4 http://support.novell.com/techcenter/psdb/7cd59aa86a1f1b1dbca70a4416a78d26.… SuSE Linux Enterprise Server 8 http://support.novell.com/techcenter/psdb/7cd59aa86a1f1b1dbca70a4416a78d26.… SuSE Linux Standard Server 8 http://support.novell.com/techcenter/psdb/7cd59aa86a1f1b1dbca70a4416a78d26.… SuSE Linux School Server http://support.novell.com/techcenter/psdb/7cd59aa86a1f1b1dbca70a4416a78d26.… SUSE LINUX Retail Solution 8 http://support.novell.com/techcenter/psdb/7cd59aa86a1f1b1dbca70a4416a78d26.… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de), the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iQEVAwUBRRJjzXey5gA9JdPZAQLadQgAmt5bOA9XpsDM0FLb6QekE3KjhEWeh8Un VjiUUsCQCwx8rWlybHCo/LE7jpG0A4gIxWnKJfN1jBAAOLz9myPuLG/PsKexZw7+ 6Z5kV9iZopdY9jM6a6NVD9NSedOHk1Csu5cvtkmA9PB4ThY2AuYBnlxNz8uq3tAh YDiPqkhnZBHZBmHeo3QE0+12Urt6Y/zis9lQTN3RNWxC1VHbWuSrNoqvAaAecGIL ZR3DbsJxEoeL0amuHP29Mcp1pFFToBaxJytSRXF9lCZpR4/243Hk3oIMTM94l/dC G4dlVyhQPkLN/b6Qj7UQzrh6bnoVGRWxDoN6w1/cmjnBTIgPWYSpXQ== =aY9D -----END PGP SIGNATURE-----

1 0

SUSE Security Summary Report SUSE-SR:2006:022
by Marcus Meissner 08 Sep '06

08 Sep '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Summary Report Announcement ID: SUSE-SR:2006:022 Date: Fri, 08 Sep 2006 17:00:00 +0000 Cross-References: CVE-2006-2563, CVE-2006-2658, CVE-2006-3083 CVE-2006-3468, CVE-2006-3745, CVE-2006-4020 CVE-2006-4093 Content of this advisory: 1) Solved Security Vulnerabilities: - heimdal potential setuid return value checking problems - xsp directory traversal 2) Pending Vulnerabilities, Solutions, and Work-Arounds: - php4/php5 security update - kernel security update 3) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Solved Security Vulnerabilities To avoid flooding mailing lists with SUSE Security Announcements for minor issues, SUSE Security releases weekly summary reports for the low profile vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums or download URLs like the SUSE Security Announcements that are released for more severe vulnerabilities. Fixed packages for the following incidents are already available on our FTP server and via the YaST Online Update. - heimdal potential setuid return value checking problems A potential security problem was fixed in the heimdal tools. Missing setuid return checking might be used by local users to escalate their privileges to root. This is similar to the MIT krb5 problem as tracked by the Mitre CVE ID CVE-2006-3083. - xsp directory traversal Insufficient path checks in the Mono/C# web server component 'xsp' allowed remote attackers to access arbitrary files via relative path names in the HTTP request. The affected code is only used by mod_mono. This issue has been assigned the Mitre CVE ID CVE-2006-2658 and affected Open Enterprise Server 1 and SUSE Linux 9.2 up to 10.1. ______________________________________________________________________________ 2) Pending Vulnerabilities, Solutions, and Work-Arounds - php4/php5 security update We are currently QA testing fixes for several security problems in PHP4 and PHP5. These include: - The CURL module lacked checks for control characters (CVE-2006-2563)) - str_repeat() contained an integer overflow. - ext/wddx contained a buffer overflow. - memory_limit() lacked checks for integer overflows. - A bug in sscanf() could potentially be exploited to execute arbitrary code (CVE-2006-4020) - Corrupt GIF images could crash php. We expect a release of the updates early next week. - kernel security update We are currently QA testing a kernel update fixing the following security problems: - CVE-2006-3745: A double userspace copy in a SCTP ioctl allows local attackers to overflow a buffer in the kernel, potentially allowing code execution and privilege escalation. - CVE-2006-4093: Local attackers were able to crash PowerPC systems with PPC970 processor using a not correctly disabled privileged instruction ("attn"). - CVE-2006-3468: Remote attackers able to access an NFS of a ext2 or ext3 filesystem can cause a denial of service (file system panic) via a crafted UDP packet with a V2 lookup procedure that specifies a bad file handle (inode number), which triggers an error and causes an exported directory to be remounted read-only. We hope to release the updates early next week. ______________________________________________________________________________ 3) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file containing the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and integrity of a package needs to be verified to ensure that it has not been tampered with. The internal RPM package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and included at the end of this announcement. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ) send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iQEVAwUBRQF/dney5gA9JdPZAQJDAgf+N09wLpdaAxjcPOVtLwx2iGG5GlEbsdma IKVc369B9g+FvWTYKAmEg4ljDxaLccGyf9k8XNNyJ8n5QGInwCEpB5lpj3GXZdQ1 sarm6L+hOLQ8cvIkWFj92gIilPE8gNYaHGEM31ARUlL89tBVybI7H7OSk1tnE78T mjdkC6KthGaqbpfebj3oXAzp+RJxrm2jR15Aj7SdNOX7vD77Kt5yeHyTtf4eG4lA U4tAhWp5FCTorD5FUhMuHdIhSwQho6f+FKIFbYJ0ZkPKu9z4+eVqvKgN3HBfDb69 Be6wk5bXj6zMVqxxdax777EA6QI8bQS4Yxwh6BNzWElAFMzf4N3iVg== =6HQM -----END PGP SIGNATURE-----

1 0

SUSE Security Announcement: Apache2 security problems (SUSE-SA:2006:051)
by Marcus Meissner 08 Sep '06

08 Sep '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: apache2 Announcement ID: SUSE-SA:2006:051 Date: Fri, 08 Sep 2006 16:00:00 +0000 Affected Products: Novell Linux POS 9 Open Enterprise Server SUSE LINUX 10.0 SUSE LINUX 9.3 SUSE LINUX 9.2 SUSE SLES 9 Vulnerability Type: cryptographic problems Severity (1-10): 5 SUSE Default Package: no Cross-References: CVE-2005-2700, CVE-2005-3357, CVE-2006-3918 Content of This Advisory: 1) Security Vulnerability Resolved: Apache2 security update Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion The web server Apache2 has been updated to fix several security issues: The security fix for CVE-2005-3357 (denial of service) broke the earlier security fix for SSL verification (CVE-2005-2700). This problem has been corrected. Additionally a cross site scripting bug with the "Expect" header error reporting was fixed (CVE-2006-3918). The Apache foundation does not consider this a security problem. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes None. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/apache2-2.0.54-10.8.i… 4e5f7482e476e85e92df04868fda661c ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/apache2-prefork-2.0.5… 56fc5c08895d0a9a3c2cc6015b3dd34b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/apache2-worker-2.0.54… 8b1c3a66cbad2f102b1569f3e0333501 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/apache2-2.0.53-9.15.i5… a2aa08e4ddd70859ec542aed22ccdee9 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/apache2-prefork-2.0.53… bf0ceb6357957c5e0565857dbf544ea3 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/apache2-worker-2.0.53-… eddf464f0073f6d1b3576fa5ef0b5c8b SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/apache2-2.0.50-7.17.i5… 3d7ae24eeb12d37484db873829cad192 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/apache2-prefork-2.0.50… 7ac171bd3c9fe75cb96d18038b63c1f6 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/apache2-worker-2.0.50-… 9e6cecbb28ae31c0693e3cb849a75f8f Power PC Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/apache2-2.0.54-10.8.pp… c0690dee4b47c8ece321996832397915 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/apache2-prefork-2.0.54… 4cb7734bcf6c5c1de524ac1b3bc183b2 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/apache2-worker-2.0.54-… c1e262a0f1dd27c7d4da0919070f53a1 x86-64 Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/apache2-2.0.54-10.8… 5a11e9b78e0f946403c47797fb4e49b9 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/apache2-prefork-2.0… b05190443513cea99aafd1a15baf3ddc ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/apache2-worker-2.0.… 9248815b04fc1a26950d33c5bcc6b85f SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/apache2-2.0.53-9.15.… 6ce32141596325584f13a18f0271269c ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/apache2-prefork-2.0.… dfddc46d4b6feab89f35a579d5471533 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/apache2-worker-2.0.5… de9fb2bd70949d79cc5f020f72beca37 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/apache2-2.0.50-7.17.… 632e9b785b32694a141d0b89d27ac489 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/apache2-prefork-2.0.… b63783a1c93a875064f56f55151acf81 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/apache2-worker-2.0.5… 43ffab89ba259f707edc199ed54eee57 Sources: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/apache2-2.0.54-10.8.sr… ae34902816649e317fd03afd1a185565 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/apache2-2.0.53-9.15.src… a4da14a77b4c58a07cd0fcf9e324b3ed SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/apache2-2.0.50-7.17.src… ab9adcf8c71117ed3cb9f1ba75b2138a Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: Open Enterprise Server http://support.novell.com/techcenter/psdb/798e9e22eaf4a4eed570f26abfab9f02.… Novell Linux POS 9 http://support.novell.com/techcenter/psdb/798e9e22eaf4a4eed570f26abfab9f02.… SUSE SLES 9 http://support.novell.com/techcenter/psdb/798e9e22eaf4a4eed570f26abfab9f02.… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de), the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iQEVAwUBRQF+Wney5gA9JdPZAQL4xgf/bJgMILVNpcXkn3msRPwtvbPJUzN5TFCX Ye1tRguj30nFkxbVnWFGjP2wlqL4WV4gAUh71ua33bX0D01ZJhQZjjAupf74RkoW 2izoJHLO7MX7nefGs6NQ9R3tViWlDN2k61nFe3xbk8BVtIIGmjnfpQeoHCs2kunU WVwTeZiHvi12bImJ6Tk5NJoQPM4ZH9Wsd1BKfdZCa7tWIn2myL6ufbvQyWllT1EZ 2ESzjxU+OItb18oQzAcOVPzz86SQJXjeKPVZNpPzKyN5PTeILaTePAvxFGZmrXS7 fy8F/32k5ZrFRMk/s0B51I0j/NGSt3pJXqnfvab6wLKOPivwfqV8Ig== =6cVC -----END PGP SIGNATURE-----

1 0