October 2007 - openSUSE Security Announce

[security-announce] SUSE Security Announcement: cups (SUSE-SA:2007:058)
by Ludwig Nussel 31 Oct '07

31 Oct '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: cups Announcement ID: SUSE-SA:2007:058 Date: Wed, 31 Oct 2007 16:00:00 +0000 Affected Products: SUSE LINUX 10.0 SUSE LINUX 10.1 openSUSE 10.2 openSUSE 10.3 Vulnerability Type: remote code execution Severity (1-10): 9 SUSE Default Package: yes Cross-References: CVE-2007-4351 Content of This Advisory: 1) Security Vulnerability Resolved: cups potential code execution Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: - See SUSE Security Summary Report 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion A missing length check in the IPP implementation of cups could lead to a buffer overflow. Attackers could exploit that to crash cupsd or to potentially even execute arbitrary code with root privileges (CVE-2007-4351). On SUSE Linux 10.1 and 10.0 as well as on all SLES based products only crashing cupsd is possible. A cummulative update that integrates other fixes for SLES will be released later. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes Please close and restart all running instances of cupsd after the update. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/cups-1.2.12-… fe5e0f5b0099ef1077e896fc4a8138a0 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/cups-client-… 69b4d4cad3c0fbe6b0ed860f3096f1c2 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/cups-devel-1… 0d31f2a4e389a7af21ade0de1a37d970 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/cups-libs-1.… f8dde214c471623211f6674b42a2d6e3 openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/cups-1.2.7-12.5.i586.rpm bdb1169e9cf5b4be5010494c4ef978a6 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/cups-client-1.2.7-12.5.i58… d14d4ee918718c4d6ba028fdaac37019 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/cups-devel-1.2.7-12.5.i586… 7c16813b78df2935e9a0979188d5512f ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/cups-libs-1.2.7-12.5.i586.… 9502b104e136a510d0699d35c369ba40 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/cups-1.1.23-40.29.i586.rpm c813be9aac53f1d9e3c0e8f9419314fa ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/cups-client-1.1.23-40.29.i… 41fb8c468ab12b5b3beb57b05e87ccbd ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/cups-devel-1.1.23-40.29.i5… a58bd5492bc9d5bc4f301b11e52c70dc ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/cups-libs-1.1.23-40.29.i58… d5986d1b82b5d4b380cc48b11e183cb4 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/cups-1.1.23-21.14.i58… 93ea977863b7c8641a7417d16b022d60 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/cups-client-1.1.23-21… 107251d4caf6b62c8af134dd05bc390f ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/cups-devel-1.1.23-21.… 84bee07754ab9de0b88ad19315ec8626 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/cups-libs-1.1.23-21.1… 93fe59a41332524cf48f3f16c27cd75f Power PC Platform: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/cups-1.2.12-2… 951bf61b958376012041c71d6bb9081a http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/cups-client-1… ba0e8463a1a53a860c4252087daf158d http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/cups-devel-1.… bcd6e08c139cb5ae7a2da3983642cb36 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/cups-libs-1.2… 23a6b874a9be3c2f26696d9588535628 openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/cups-1.2.7-12.5.ppc.rpm b3bf7e60454961bb64acb97d4d8f31dc ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/cups-client-1.2.7-12.5.ppc.… 0826dfe7405be0396b0bc3a06e6b05fb ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/cups-devel-1.2.7-12.5.ppc.r… 79315219721bb2cdde478a61296f3551 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/cups-libs-1.2.7-12.5.ppc.rpm 8a51e1e0996260d327c84a407d945468 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/cups-1.1.23-40.29.ppc.rpm adb4ad098158649bd8fa1dac4b25f144 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/cups-client-1.1.23-40.29.pp… 1b28235f7dfb972a2a05edb561de42e5 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/cups-devel-1.1.23-40.29.ppc… 3118d04cdee7bec039fe95628f5642ff ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/cups-libs-1.1.23-40.29.ppc.… 529b452529f7ef92223ce70671bb0fbd SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/cups-1.1.23-21.14.ppc.… e09710312104c868cb3e7d58ca3d211e ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/cups-client-1.1.23-21.… 5e1073c0d63fe78f5481a1cf6647e0a3 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/cups-devel-1.1.23-21.1… 2875190815f6486c407c19c5ba802ad5 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/cups-libs-1.1.23-21.14… 90909d3bd88fc6a1a2650dbf2f76a081 x86-64 Platform: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/cups-1.2.1… 4abe7c1bdc49af27a4b9a6b54a458af6 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/cups-clien… e0602891495437f0ece837650232eff8 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/cups-devel… a051e26848864271e69227b9d7008379 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/cups-libs-… 657b1f64b0d3936da825274df1f086bd http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/cups-libs-… 5e4f08c31ca4966c460a5260a87b54d6 openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/cups-1.2.7-12.5.x86_64.r… c7852fc1ed7641535028f9dbccbb6037 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/cups-client-1.2.7-12.5.x… 9cfb8d6f213f68347d018944e6782a40 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/cups-devel-1.2.7-12.5.x8… 0af8220f3a0596e580ad0f8b167a0871 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/cups-libs-1.2.7-12.5.x86… 90896bf60377fe3c4421a0679c8cdc2c ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/cups-libs-32bit-1.2.7-12… 3cf65ace8539dc93a62a29c525638959 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/cups-1.1.23-40.29.x86_64… a43dfb201dd1fc2d3da41532970c59fa ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/cups-client-1.1.23-40.29… ed2715561b7a0c5f7ea130531a2f75f7 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/cups-devel-1.1.23-40.29.… 39a6035507d2f47905ce4b06541ddd91 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/cups-libs-1.1.23-40.29.x… a52fae450bd66c02aeb6811665ad4286 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/cups-libs-32bit-1.1.23-4… 8813be2ea77f237f7a96e7e2f2ab5060 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/cups-1.1.23-21.14.x… efdb12aefeb27fdb6c5782044d994315 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/cups-client-1.1.23-… 880917450c020222a07cc454fcf6be9b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/cups-devel-1.1.23-2… c06502dc968bb5c7aaba180a213f5fd7 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/cups-libs-1.1.23-21… eb245a29f6497aff083150a00fe0c48b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/cups-libs-32bit-1.1… 5bee362bef9be0a4c5ab6b7ecad8ad06 Sources: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/cups-1.2.12-2… b43acb5d7f52eaa69d508b77146aa1aa openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/cups-1.2.7-12.5.src.rpm 9f347989ffd512a0bb92acc8bd3bd7a0 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/cups-1.1.23-40.29.src.rpm 1fbc9ef67357483c8a56a5369b6dcea6 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/cups-1.1.23-21.14.src.… 63df10b69954c95591a86224e1c85263 ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: - See SUSE Security Summary Report ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iQEVAwUBRyiSYHey5gA9JdPZAQLajAgAl4VtoZOGjFpRQ7A42m2iFPjMEQqYxVq5 Ygi4ZsqFJRUnT5ytUnFrZicHgx5e9mbKkAOBPs4FxxLSzq4CrSwd1D6qbOaBOw33 Y0tPirG5fb56aYwITqZ84YZkV0Ta8dc+RJsaSn/shGdbptew8lbZH4fETxzY3WgD Jh5QEpjw5ONGql9+jaft2xzf/yXTLCYjjsab/1CzyTOyX4cJb/k0kdl+luPY2zCd HKo/skTEJtF6JWn3owsOEChzgJ1OoYcAKwa67DTcXCxbQ+H5vF5n23mVZ5TnDXYq 05kwWDR6ZCUTtsfpHFNFbdSGarypoP37y4oF87WKZbQUSypn1WCMJQ== =H7Yn -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Summary Report SUSE-SR:2007:023
by Marcus Meissner 31 Oct '07

31 Oct '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Summary Report Announcement ID: SUSE-SR:2007:023 Date: Wed, 31 Oct 2007 16:00:00 +0000 Cross-References: CVE-2007-4029, CVE-2007-4033, CVE-2007-4065 CVE-2007-4066, CVE-2007-4985, CVE-2007-4986 CVE-2007-4987, CVE-2007-4988, CVE-2007-5197 Content of this advisory: 1) Solved Security Vulnerabilities: - mono BigInteger overflow - GraphicsMagick/ImageMagick integer overflows - t1lib buffer overflow - libvorbis crash and denial of service problems 2) Pending Vulnerabilities, Solutions, and Work-Arounds: None listed this week. 3) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Solved Security Vulnerabilities To avoid flooding mailing lists with SUSE Security Announcements for minor issues, SUSE Security releases weekly summary reports for the low profile vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums or download URLs like the SUSE Security Announcements that are released for more severe vulnerabilities. Fixed packages for the following incidents are already available on our FTP server and via the YaST Online Update. - Mono BigInteger overflow Mono was updated to fix a buffer overflow in Mono's BigInteger implementation. This issue is tracked by the Mitre CVE ID CVE-2007-5197 and was fixed for all affected products. - GraphicsMagick/ImageMagick integer overflows GraphicsMagick and ImageMagick were updated to fix several security vulnerabilities. - CVE-2007-4985: infinite loop while parsing images - CVE-2007-4986: integer overflows that can lead to code execution - CVE-2007-4987: one-byte buffer overflow that can lead to code execution - CVE-2007-4988: integer overflows that can lead to code execution They were updated for all SUSE Linux based products containing ImageMagick or GraphicsMagick. - t1lib buffer overflow A buffer overflow in t1lib could potentially be exploited to execute arbitrary code via specially crafted files (CVE-2007-4033). t1lib has been updated on all affected products. - libvorbis crash and denial of service problems Specially crafted OGG files could crash libvorbis or make it run into an endless loop (CVE-2007-4029, CVE-2007-4065, CVE-2007-4066). libvorbis was updated for all affected SUSE Linux distributions. ______________________________________________________________________________ 2) Pending Vulnerabilities, Solutions, and Work-Arounds None listed this week. ______________________________________________________________________________ 3) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file containing the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and integrity of a package needs to be verified to ensure that it has not been tampered with. The internal RPM package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and included at the end of this announcement. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iQEVAwUBRyiYHHey5gA9JdPZAQKcaggAhk4FZu46y3A/LJEbZlZqvqZs15Y12Imm QH+W0fOvqkAbXqNZ7fdBQtrbiYUOSYFNgN+bdz7VI63FBvFmbaEIz9H5RewK05y7 rdoxcOBcTQ7pcYw/fpV8o/7enUQJ55h+IyUNHq1ohGjNFxCEXoEfpYzrD0vJNRgo ArtuiAWqh9Oy8gAj87TZxguNCkj9BwO8eBRc/suuW1GN/tCYSJmjgw7Mhfh9ExPX 4XyCIce9wGHs/INsszLdpHPdEkgiQir6qPlcr8AX71zMVcqXykmF7tDoWnhMawop 9EONZze4oHqm1Fy2WoN5gXYT3OUxWpNKghFf77MD8o17IbVQhR9xaQ== =LchU -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Summary Report SUSE-SR:2007:022
by Marcus Meissner 26 Oct '07

26 Oct '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Summary Report Announcement ID: SUSE-SR:2007:022 Date: Fri, 26 Oct 2007 16:00:00 +0000 Cross-References: CVE-2007-4565, CVE-2007-4619, CVE-2007-4752 CVE-2007-5191, CVE-2007-5540, CVE-2007-5541 Content of this advisory: 1) Solved Security Vulnerabilities: - fetchmail remote denial of service attack - flac integer overflows - opera 9.24 security update - util-linux mount setuid/setgid checking problem - util-linux mount buffer overflow - openssh X11 cookie and SIGALRM fixes 2) Pending Vulnerabilities, Solutions, and Work-Arounds: None listed this week. 3) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Solved Security Vulnerabilities To avoid flooding mailing lists with SUSE Security Announcements for minor issues, SUSE Security releases weekly summary reports for the low profile vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums or download URLs like the SUSE Security Announcements that are released for more severe vulnerabilities. Fixed packages for the following incidents are already available on our FTP server and via the YaST Online Update. - fetchmail remote denial of service attack A remote denial-of-service attack was fixed in fetchmail. This issue is tracked by the Mitre CVE ID CVE-2007-4565 and was fixed for all SUSE Linux based products. - flac integer overflows Multiple integer overflows in flac could potentially be exploited by attackers via specially crafted files to execute code in the context of the user opening the file (CVE-2007-4619). flac was updated on all affected distributions. - Opera 9.24 security update Opera was updated to version 9.24 to fix numerous defects including some security problems. (CVE-2007-5540,CVE-2007-5541) Opera is on SUSE Linux 10.0, 10.1, openSUSE 10.2 and 10.3 and was updated there. - util-linux mount setuid/setgid checking problem Ludwig Nussel identified a problem in the handling of "user" mounts in util-linux. The return value of setuid() was not checked. This can only trigger if a mount point is listed as "user" in /etc/fstab and if helpers are called. But those helpers have to be setuid root anyway, so this problem is only academic in the current setup and so just considered a regular bug. We have fixed this bug for openSUSE 10.3 and future products. This issue is tracked by Mitre CVE ID CVE-2007-5191. - util-linux mount buffer overflow Cryptographic enhancements in the losetup code in /sbin/mount done by us during the openSUSE 10.3 development introduced a stack based buffer overflow, which could potentially be used to execute code. We have a released an updated util-linux package for openSUSE 10.3 fixing this bug. This would have likely have been caught by the stack overflow protection mechanisms, but we have not cross checked this. - openssh X11 cookie and SIGALRM fixes A bug in was fixed in openssh's X11 cookie handling code. It does not properly handle the situation when an untrusted cookie cannot be created and uses a trusted X11 cookie instead. This allows attackers to violate the intended policy and gain privileges by causing an X client to be treated as trusted. (CVE-2007-4752) Additionally this update fixes a bug introduced with the last security update for openssh. When the SSH daemon wrote to stderr (for instance, to warn about the presence of a deprecated option like PAMAuthenticationViaKbdInt in its configuration file), SIGALRM was blocked for SSH sessions. This resulted in problems with processes which rely on SIGALRM, such as ntpdate. ______________________________________________________________________________ 2) Pending Vulnerabilities, Solutions, and Work-Arounds None listed this week. ______________________________________________________________________________ 3) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file containing the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and integrity of a package needs to be verified to ensure that it has not been tampered with. The internal RPM package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and included at the end of this announcement. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iQEVAwUBRyHu0Xey5gA9JdPZAQKb3wgAgT/yI7tnlqGjd2IJ93tdFZFsDvI5WF9F +ozR66g4JGLFzNLSlyFdINCfLZVBX/bcR4uzMFsNH04aqOvJ2xUh7xP9ksEPcdyE njUc/CtqtTAZ0OG4LzJuopgfEHJHxhUql5HVslohxBk+fmzQxArSqgha5a86GrUo C+kuZ6luq20wXsveRPjGST0MdoNsUNObdIGtrb+f1UydxRiSO0O1WZBS+dWesA+M NwsqiyvFLwUOcDE+KKJetQJBrm/mxun1bvwZk/ttkNA1QhgnM9F7MC+t5lq6qgpX oxwhOEWVgXYlT6XCVCBzgVWpzIK2be+Y707bBSXqOAIJFGwJQ43PaQ== =Y9kC -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Announcement: MozillaFirefox,mozilla,seamonkey (SUSE-SA:2007:057)
by Marcus Meissner 25 Oct '07

25 Oct '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: MozillaFirefox,mozilla,seamonkey Announcement ID: SUSE-SA:2007:057 Date: Thu, 25 Oct 2007 18:00:00 +0000 Affected Products: SUSE LINUX 10.0 SUSE LINUX 10.1 openSUSE 10.2 openSUSE 10.3 UnitedLinux 1.0 SuSE Linux Enterprise Server 8 SuSE Linux Openexchange Server 4 SuSE Linux Standard Server 8 SuSE Linux School Server SUSE LINUX Retail Solution 8 SUSE SLES 9 Novell Linux Desktop 9 Open Enterprise Server Novell Linux POS 9 SUSE Linux Enterprise Desktop 10 SP1 SUSE Linux Enterprise Server 10 SP1 Vulnerability Type: remote code execution Severity (1-10): 8 SUSE Default Package: yes Cross-References: CVE-2006-2894, CVE-2006-4965, CVE-2007-1095 CVE-2007-2292, CVE-2007-3511, CVE-2007-3844 CVE-2007-3845, CVE-2007-4841, CVE-2007-5334 CVE-2007-5337, CVE-2007-5338, CVE-2007-5339 CVE-2007-5340, MFSA 2007-20, MFSA 2007-25 MFSA 2007-26, MFSA 2007-27, MFSA 2007-28 MFSA 2007-29, MFSA 2007-30, MFSA 2007-31 MFSA 2007-32, MFSA 2007-33, MFSA 2007-34 MFSA 2007-35, MFSA 2007-36 Content of This Advisory: 1) Security Vulnerability Resolved: various Mozilla browser security problems Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion Various problems were identified and fixed in the Mozilla family of browsers. The Mozilla Firefox Browser was updated to security update version 2.0.0.8 for SUSE Linux Enterprise 10, SUSE Linux 10.1, openSUSE 10.2 and 10.3. On Novell Linux Desktop 9 the fixes were back ported to the 1.5.0.12 Firefox version. Mozilla Seamonkey was updated to 1.1.5 on openSUSE 10.2 and 10.3, the older products received backports to Mozilla Seamonkey 1.0.9. MozillaThunderbird updates are not yet available. Following security problems were fixed: - MFSA 2007-26 / CVE-2007-3844: Privilege escalation through chrome-loaded about:blank windows Mozilla researcher moz_bug_r_a4 reported that a flaw was introduced by the fix for MFSA 2007-20 that could enable privilege escalation attacks against addons that create "about:blank" windows and populate them in certain ways (including implicit "about:blank" document creation through data: or javascript: URLs in a new window). - MFSA 2007-29: Crashes with evidence of memory corruption As part of the Firefox 2.0.0.8 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. - CVE-2007-5339 Browser crashes - CVE-2007-5340 JavaScript engine crashes - MFSA 2007-30 / CVE-2007-1095: onUnload Tailgating Michal Zalewski demonstrated that onUnload event handlers had access to the address of the new page about to be loaded, even if the navigation was triggered from outside the page content such as by using a bookmark, pressing the back button, or typing an address into the location bar. If the bookmark contained sensitive information in the URL the attacking page might be able to take advantage of it. An attacking page would also be able to redirect the user, perhaps to a phishing page that looked like the site the user thought they were about to visit. - MFSA 2007-31 / CVE-2007-2292: Digest authentication request splitting Security researcher Stefano Di Paola reported that Firefox did not properly validate the user ID when making an HTTP request using Digest Authentication to log into a web site. A malicious page could abuse this to inject arbitrary HTTP headers by including a newline character in the user ID followed by the injected header data. If the user were connecting through a proxy the attacker could inject headers that a proxy would interpret as two separate requests for different hosts. - MFSA 2007-32 / CVE-2007-3511 / CVE-2006-2894: File input focus stealing vulnerability A user on the Sla.ckers.org forums named hong reported that a file upload control could be filled programmatic by switching page focus to the label before a file upload form control for selected keyboard events. An attacker could use this trick to steal files from the users' computer if the attacker knew the full path names to the desired files and could create a pretext that would convince the user to type long enough to produce all the necessary characters. - MFSA 2007-33 / CVE-2007-5334: XUL pages can hide the window titlebar Mozilla developer Eli Friedman discovered that web pages written in the XUL markup language (rather than the usual HTML) can hide their window's titlebar. It may have been possible to abuse this ability to create more convincing spoof and phishing pages. - MFSA 2007-34 / CVE-2007-5337: Possible file stealing through sftp protocol On Linux machines with gnome-vfs support the smb: and sftp: URI schemes are available in Firefox. Georgi Guninski showed that if an attacker can store the attack page in a mutually accessible location on the target server (/tmp perhaps) and lure the victim into loading it, the attacker could potentially read any file owned by the victim from known locations on that server. - MFSA 2007-35 / CVE-2007-5338: XPCNativeWraper pollution using Script object Mozilla security researcher moz_bug_r_a4 reported that it was possible to use the Script object to modify XPCNativeWrappers in such a way that subsequent access by the browser chrome--such as by right-clicking to open a context menu--can cause attacker-supplied javascript to run with the same privileges as the user. This is similar to MFSA 2007-25 fixed in Firefox 2.0.0.5 Only Windows is affected by: - MFSA 2007-27 / CVE-2007-3845: Unescaped URIs passed to external programs This problem affects Windows only due to their handling of URI launchers. - MFSA 2007-28 / CVE-2006-4965: Code execution via QuickTime Media-link files Linux does not have .lnk files, nor Quicktime. Not affected. - MFSA 2007-36 / CVE-2007-4841 URIs with invalid %-encoding mishandled by Windows This problem does not affected Linux. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes Please close and restart all running instances of Mozilla after the update. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/MozillaFiref… fcd6aebb85486f2fd1f5f21f6be6f7c5 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/MozillaFiref… c0a5f55e55819330bbaedb1562d3b3ab http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/seamonkey-1.… e28e54f197e18a1437f7e4e2d61f7716 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/seamonkey-do… 8ce609f4f23e125a3fde4e098c2f8387 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/seamonkey-ir… fc5ef53403ab657af5f3a03cf0dea515 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/seamonkey-ma… 84e622b990a471319a6e155fe78c7a71 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/seamonkey-sp… 5668c7e37f7d3f7ab958659efbf6393f http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/seamonkey-ve… 7cab38da286e5c6b61eee35253159b2d openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/MozillaFirefox-2.0.0.8-1.1… 63b9dcf5769346e9fa63cc5bc58cbf2f ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/MozillaFirefox-translation… 86c8f71674d54597867bbfef0523f455 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/seamonkey-1.1.5-0.1.i586.r… 56ae1f2a6d01b66e7b828811baef386f ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/seamonkey-dom-inspector-1.… f90f8b1a40acb84af586070b2b36a3c7 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/seamonkey-irc-1.1.5-0.1.i5… b6f30d4a98dd664f531f9c7b0c5361a7 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/seamonkey-mail-1.1.5-0.1.i… 12f05e3f903e3588a33e129ad5afa2ba ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/seamonkey-spellchecker-1.1… 8c5ae9dfe961c2dd22c5858e34f1ddcd ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/seamonkey-venkman-1.1.5-0.… 4b9d7b965de396aba2dae8d44e02d2ed SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/MozillaFirefox-2.0.0.8-1.2… 0c79e6ed846f58ee38f2195899700783 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/MozillaFirefox-translation… 2b1f78a24b7c604e491f874b4ee010eb ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/seamonkey-1.0.9-1.5.i586.r… 136302b1383bfa10e6963ac51c487156 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/seamonkey-calendar-1.0.9-1… e1cb5dd0e2f58ddfcf1e6aeba8188f2c ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/seamonkey-dom-inspector-1.… 540c5555216bbfb8e083cadacf97cd56 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/seamonkey-irc-1.0.9-1.5.i5… 0289839942737ac0942dd2a9f5eefe9b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/seamonkey-mail-1.0.9-1.5.i… 0795a2047ccf35a566480a9b66de3b95 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/seamonkey-spellchecker-1.0… e85070685e2a7306c942880786261678 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/seamonkey-venkman-1.0.9-1.… 29dba3d7132a130c2a7fe454556ed8a9 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/MozillaFirefox-2.0.0.… b443c59893edc2831856b44cb45d6818 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/MozillaFirefox-transl… ed267848820945045e32a853fee275d9 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mozilla-1.8_seamonkey… 66fce2adb0f9afae473ef0fe95dced71 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mozilla-calendar-1.8_… 2bd9fd5b7441f14d102f67b7dfd59ba9 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mozilla-devel-1.8_sea… d9f3f1505fcfb25af2980ac738ede92e ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mozilla-dom-inspector… 60e214cfb4c3a4786e2cd1a3238c5aeb ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mozilla-irc-1.8_seamo… c17c89b837b176c532dd4df5d5fe208c ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mozilla-ko-1.75-3.5.i… d4175069e22129dc9355d7db0492f250 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mozilla-mail-1.8_seam… 98a94679da3e405c7ed1ff7ae9405224 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mozilla-spellchecker-… 2c6a412a94f5912907b0c6bcd07124e5 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mozilla-venkman-1.8_s… f4f5da1e91972d8d188757389dcb5057 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mozilla-zh-CN-1.7-6.5… 5fb2bf8cb496278cc3311c6db64551ff ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mozilla-zh-TW-1.7-6.5… 39e86845e27e9923476a8cde8da90eff Power PC Platform: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/MozillaFirefo… 9c9ac689cc29aae1488c7ad7b92d0bdd http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/MozillaFirefo… 21e9f77bbb3c20814137327f6eaee9f9 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/seamonkey-1.1… cc32112a9f89abba812147e40d0255d0 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/seamonkey-dom… 2c925817e2a4c98463cb9c09237a6cb5 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/seamonkey-irc… facd6df5c71d962063177fc348bb767f http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/seamonkey-mai… 03df79f55ac1616296b7e0742013e8ad http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/seamonkey-spe… f06ae78053dd6cf62454fd1f39123633 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/seamonkey-ven… c478ed242f3224ff7fe30d77967e7bee openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/MozillaFirefox-2.0.0.8-1.1.… 6cc2e85621a7f5bd5e4b7d079cf7205b ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/MozillaFirefox-translations… f34326ed73827774922995a0091ea4c4 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/seamonkey-1.1.5-0.1.ppc.rpm f82ae91873004c2aca4a6886df913ac7 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/seamonkey-dom-inspector-1.1… 5e54828377b091f9630628f5b1f22312 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/seamonkey-irc-1.1.5-0.1.ppc… f6fee9249b8b8ed0169f45a31845e54d ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/seamonkey-mail-1.1.5-0.1.pp… 0bb3655011a19a1b5c8e20a275151eaa ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/seamonkey-spellchecker-1.1.… 06d93fdc67ea905637258c00a69f0a6d ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/seamonkey-venkman-1.1.5-0.1… fdab90f20d0e9603cdde5ae40c59ec78 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/MozillaFirefox-2.0.0.8-1.2.… 04972567fc2d1b3c9a1cd48de0a6a719 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/MozillaFirefox-translations… b221dcecab11e53206be8d2b68af2897 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/seamonkey-1.0.9-1.5.ppc.rpm 4ebcb7702a69f0296fec491e8e06eb8f ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/seamonkey-calendar-1.0.9-1.… bd1952ecd073cf8431f2444a3e4d4645 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/seamonkey-dom-inspector-1.0… d3b6f079dd977541fb12b3c931581e49 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/seamonkey-irc-1.0.9-1.5.ppc… 82c041d37045a1eb1faba6a0b793d29b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/seamonkey-mail-1.0.9-1.5.pp… 66c77272f5d36f3b7338afc5b4c7f5a8 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/seamonkey-spellchecker-1.0.… 2754235ca272e2f471d23dfe298b976c ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/seamonkey-venkman-1.0.9-1.5… 4cb01eb812c293bfadaf636d91ba2f6b SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/MozillaFirefox-2.0.0.8… 53176a31ec82d1433b9c85bdb5e4d55d ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/MozillaFirefox-transla… 73cd0d20c927925d0c5fb8313e8e7761 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mozilla-1.8_seamonkey_… f2f91a58e1141ef80c23528aca6ea4f7 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mozilla-calendar-1.8_s… 9d48e1cc4486f0456c85a286acdfdd2f ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mozilla-devel-1.8_seam… 6ce5464cbf1d814d79f3572735668bc3 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mozilla-dom-inspector-… dba8224a3018683fb25ef153f5c9216f ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mozilla-irc-1.8_seamon… d3a6233e9be5b73a13c77116b9be6659 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mozilla-ko-1.75-3.5.pp… 6aec834bdb366e4132c14186a8af7a5e ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mozilla-mail-1.8_seamo… 74db865b27ddf466507a9f53927977f2 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mozilla-spellchecker-1… 863dfd26f01216c2a355d8a6873509a8 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mozilla-venkman-1.8_se… 6655b800453b4352a7f0767fbdc16c99 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mozilla-zh-CN-1.7-6.5.… 3b1227b6646d573e0b36667cdbf8b431 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mozilla-zh-TW-1.7-6.5.… ea3f2ec400ef34feb6181584dd2df51f x86-64 Platform: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/MozillaFir… 286bc8449e069e29d0185180ae9af95a http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/MozillaFir… 423752fd83adb06750f5463ef86c4b94 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/seamonkey-… 535f222a51cf9b2b02b87d1e4662e562 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/seamonkey-… 3e04002a25b7bb9fe4a4219e3a7fd177 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/seamonkey-… 21936c9d7ca8a79e825608ff8ed6e87f http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/seamonkey-… f555ef7f3ff24402f806eda5abc0750f http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/seamonkey-… c2843979e9fa2e847e48e39b1561fc90 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/seamonkey-… 248795e918196b3b6dd0b74e32747ea2 openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/MozillaFirefox-2.0.0.8-1… 6feaf265388a8e0d74f56d0b339c1b7b ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/MozillaFirefox-translati… cc00f89ee535e0ead4036646b4a5b8aa ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/seamonkey-1.1.5-0.1.x86_… 8791bfe757b4397d347be1e85be8c92d ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/seamonkey-dom-inspector-… 301c934989919c637aa6585c9b93ddaa ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/seamonkey-irc-1.1.5-0.1.… 8391c2b342d00def8fec429bed80597c ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/seamonkey-mail-1.1.5-0.1… 56679451877bd2819907849119cae823 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/seamonkey-spellchecker-1… 126d4df4e4cfe9e727572fc3ea29cf6f ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/seamonkey-venkman-1.1.5-… 4f93cb97a2eb9e27b28356cd22acc358 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/seamonkey-1.0.9-1.5.x86_… b1b6e0fb86137856bcb99f9eadc8b311 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/seamonkey-calendar-1.0.9… 9022c6152510f336e4a2dfea4be2d2fa ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/seamonkey-dom-inspector-… 8369f700d85a46e6cac2a144c0b83eba ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/seamonkey-irc-1.0.9-1.5.… b9996f34dcd09395e11dfe7978136a46 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/seamonkey-mail-1.0.9-1.5… 76404dc283e649d15d12cae9c20479e2 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/seamonkey-spellchecker-1… 7822779669eedc3a963cc073339b7ad7 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/seamonkey-venkman-1.0.9-… 900c48a2079694f4163efa8e868846a4 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mozilla-1.8_seamonk… c6e7c2fb0c20d62384a5705882980246 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mozilla-calendar-1.… 100a0e68b16325739f04e37112174ef5 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mozilla-devel-1.8_s… 1f2f19a68a3bc76920f1acdc1b57f64d ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mozilla-dom-inspect… a37b87151167c84a2879fa21171f6869 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mozilla-irc-1.8_sea… 27bdbef4228a6e38f043fb62d098d6ca ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mozilla-ko-1.75-3.5… 0329e13cf39f6b049b0eb6d77e0a5d3e ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mozilla-mail-1.8_se… bea94ac34f30deba19495135d401057f ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mozilla-spellchecke… cbf92cb5ba4e9c8f8c759211dd98abb5 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mozilla-venkman-1.8… 58366db4cf007ece188dc0b684653f43 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mozilla-zh-CN-1.7-6… ff54d8d75657211b988c5f066290da47 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mozilla-zh-TW-1.7-6… 991b44d1019e1691a226f4c4c34d01e7 Sources: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/MozillaFirefo… 504257c7bb91d92c8c57f1d19a744885 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/seamonkey-1.1… 3084f6f2578a126f4fc2ee09c4e99956 openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/MozillaFirefox-2.0.0.8-1.1.… ec010caa558bf186407aa6c01a0c86b9 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/seamonkey-1.1.5-0.1.src.rpm 08b9664a84a9cd3e230fc548d1f700fa SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/seamonkey-1.0.9-1.5.src.rpm da54807f0d499f28af2cb1618eead8e0 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/MozillaFirefox-2.0.0.8… 1fda55bec5840d4665ad497c29f1a607 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/mozilla-1.8_seamonkey_… f259a9c634aa3b2a14f8896ce0d34f76 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/mozilla-ko-1.75-3.5.sr… e7ecbfb4143f47767e179a1f2d9e7c94 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/mozilla-zh-CN-1.7-6.5.… a5096f53ac8f021e43fb0268c7d33839 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/mozilla-zh-TW-1.7-6.5.… 6871a8338eb79ad9b0c7f61a53429cef Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: Open Enterprise Server http://support.novell.com/techcenter/psdb/bc8dbb4aea45ba7fac544f7e63f7898b.… Novell Linux POS 9 http://support.novell.com/techcenter/psdb/bc8dbb4aea45ba7fac544f7e63f7898b.… SUSE SLES 9 http://support.novell.com/techcenter/psdb/bc8dbb4aea45ba7fac544f7e63f7898b.… UnitedLinux 1.0 http://support.novell.com/techcenter/psdb/605742757aa7f9e469593be4df1322b6.… SuSE Linux Openexchange Server 4 http://support.novell.com/techcenter/psdb/605742757aa7f9e469593be4df1322b6.… SuSE Linux Enterprise Server 8 http://support.novell.com/techcenter/psdb/605742757aa7f9e469593be4df1322b6.… SuSE Linux Standard Server 8 http://support.novell.com/techcenter/psdb/605742757aa7f9e469593be4df1322b6.… SuSE Linux School Server http://support.novell.com/techcenter/psdb/605742757aa7f9e469593be4df1322b6.… SUSE LINUX Retail Solution 8 http://support.novell.com/techcenter/psdb/605742757aa7f9e469593be4df1322b6.… Novell Linux Desktop 9 http://support.novell.com/techcenter/psdb/bc8dbb4aea45ba7fac544f7e63f7898b.… http://support.novell.com/techcenter/psdb/94e7e87449ed25841acaf9b535567347.… SUSE Linux Enterprise Server 10 SP1 http://support.novell.com/techcenter/psdb/60eb95b75c76f9fbfcc9a89f99cd8f79.… SUSE Linux Enterprise Desktop 10 SP1 http://support.novell.com/techcenter/psdb/60eb95b75c76f9fbfcc9a89f99cd8f79.… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iQEVAwUBRyDAd3ey5gA9JdPZAQI/owf/RDz3IenjVSKxGZJ+Ve0s8BvQ0z36Q9FY v3cZb8AVmqXT9h0gF6BAm+f5LhgTBuwYCuwz33QrjiVu6Y0CuKwBa/BT8Ie0soxK nogf9IUUaykal3CEO8ReAxTA4u5amPZ7k+biIrYsJSWMaSqyDzwxyXFImPPiFYZf B7WQ3aoQqylMqqEXYUPAy0n8yULVRpDBdOBJIep2HcOpgi4ZPc2DQq1B5xWNWPri Sb9sJ4V2t73RVluHiw1tB/oJ/uneTY5670g1N6VFYvBLEDluzRQPMqA5pejLbN/M K4o+Jp9hjUaySC02RBMCqTzgF3JzznShobMCRHLGhbGNHpW1nvfDEg== =vPDr -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Summary Report SUSE-SR:2007:021
by Marcus Meissner 19 Oct '07

19 Oct '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Summary Report Announcement ID: SUSE-SR:2007:021 Date: Fri, 19 Oct 2007 17:00:00 +0000 Cross-References: CVE-2006-1861, CVE-2006-3467, CVE-2007-4074 CVE-2007-4224, CVE-2007-4569, CVE-2007-4924 CVE-2007-4995, CVE-2007-5208 Content of this advisory: 1) Solved Security Vulnerabilities: - hplip command injection - kdelibs3, kdebase3 security update - NX security update for PCF handling - festival daemon command injection - opal denial of service problem - openssl DTLS problem 2) Pending Vulnerabilities, Solutions, and Work-Arounds: - None listed this week. 3) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Solved Security Vulnerabilities To avoid flooding mailing lists with SUSE Security Announcements for minor issues, SUSE Security releases weekly summary reports for the low profile vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums or download URLs like the SUSE Security Announcements that are released for more severe vulnerabilities. Fixed packages for the following incidents are already available on our FTP server and via the YaST Online Update. - hplip command injection The daemon 'hpssd' could be exploited by users to execute arbitrary commands as root. hpssd only runs on systems that have HP all-in-one devices configured. In the default configuration the problem is not remotely exploitable as hpssd only listens on local interfaces (CVE-2007-5208). This issue has been fixed for SUSE Linux 10.0-10.3, and SUSE Linux Enterprise Desktop 10. - kdelibs3, kdebase3 security update kdebase3 and kdelibs3 were updated on all affected SUSE Linux products to fix the following problems: - Users could log in as root without having to enter the password if auto login was enabled and if kdm was configured to require the root password to shutdown the system (CVE-2007-4569). - Javascript code could modify the URL in the address bar to make the currently displayed web site appear to come from a different site (CVE-2007-4224). - NX security update for PCF handling The XFree code contained in NX was prone to integer overflows (CVE-2006-1861) and insufficiently protected against specially crafted PCF files (CVE-2006-3467). NX has been updated on SUSE Linux 10.0-10.3, it is not contained on other distributions. - festival daemon command injection The festival daemon runs as root (if started). The default config doesn't have a password set. A local attacker could therefore connect to the daemon to have commands executed as root (CVE-2007-4074). festival has been updated on all affected products. - opal denial of service problem The opal library contained a bug in the SIP protocol handler that could be exploited by attackers to crash applications using opal (CVE-2007-4924). Opal has been updated on openSUSE 10.2, 10.3 and SUSE Linux Desktop 10. - openssl DTLS problem A buffer overflow in the DTLS implementation of openssl could be exploited by attackers to potentially execute arbitrary code (CVE-2007-4995). openssl has been updated on all distributions that contain DTLS support. It is questionable if the DTLS support even worked before or used by applications at all, so we were likely not affected. ______________________________________________________________________________ 2) Pending Vulnerabilities, Solutions, and Work-Arounds None listed this week. ______________________________________________________________________________ 3) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file containing the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and integrity of a package needs to be verified to ensure that it has not been tampered with. The internal RPM package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and included at the end of this announcement. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iQEVAwUBRxi+Eney5gA9JdPZAQJLPAf/UMbdLsBuHBCkOTZAfw0EnVg9g9t1lvKe EaRLCzJVcG0UK4vIs+ngcZC0egKVIMBBwJOinZqoWzahPw0t5nd+zPt2Lj29aets EpKaSIRX4jleiGy80Ry2B6HwONU3JYWzAtz6iX+hlpu8IJIoWD4CGvAD1sElz3IV 0tdxAPqcpZtNjOQ9Bt/fZmxSfzblc0p10TiMON+dMZpQWi8KxqhCrKoCvPUL71ub cWf+lHdAmuQVw3Ap3K9jhtoF/i94026KO+KLpmKqw/b96XfTN36/kmSyVq1ALwWI GC5oWsW2jYq6/v2TNWi1+/eFfScoVSJgLR5wmjSVe48Cnfg1fRfFlg== =Hml1 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Announcement: IBM Java (SUSE-SA:2007:056)
by Marcus Meissner 18 Oct '07

18 Oct '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: IBM Java Announcement ID: SUSE-SA:2007:056 Date: Thu, 18 Oct 2007 18:00:00 +0000 Affected Products: UnitedLinux 1.0 SuSE Linux Enterprise Server 8 SuSE Linux Openexchange Server 4 SuSE Linux Standard Server 8 SuSE Linux School Server SUSE LINUX Retail Solution 8 SUSE SLES 9 Open Enterprise Server Novell Linux POS 9 SUSE Linux Enterprise Desktop 10 SP1 SLE SDK 10 SP1 SUSE Linux Enterprise Server 10 SP1 Vulnerability Type: remote code execution Severity (1-10): 8 SUSE Default Package: yes Cross-References: CVE-2007-2788, CVE-2007-2789, CVE-2007-3004 CVE-2007-3005, CVE-2007-3655, CVE-2007-3922 Content of This Advisory: 1) Security Vulnerability Resolved: IBM Java security update Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion The IBM Java JRE/SDK has been brought to release 1.5.0 SR5a and 1.4.2 SR 9.0, containing several bugfixes, including the following security fixes: - CVE-2007-2788,CVE-2007-2789,CVE-2007-3004,CVE-2007-3005: A buffer overflow vulnerability in the image parsing code in the Java(TM) Runtime Environment may allow an untrusted applet or application to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet. A second vulnerability may allow an untrusted applet or application to cause the Java Virtual Machine to hang. - CVE-2007-3655: A buffer overflow vulnerability in the Java Web Start URL parsing code may allow an untrusted application to elevate its privileges. For example, an application may grant itself permissions to read and write local files or execute local applications with the privileges of the user running the Java Web Start application. - CVE-2007-3922: A security vulnerability in the Java Runtime Environment Applet Class Loader may allow an untrusted applet that is loaded from a remote system to circumvent network access restrictions and establish socket connections to certain services running on the local host, as if it were loaded from the system that the applet is running on. This may allow the untrusted remote applet the ability to exploit any security vulnerabilities existing in the services it has connected to. For more information see: http://www-128.ibm.com/developerworks/java/jdk/alerts/ 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes None. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: UnitedLinux 1.0 http://support.novell.com/techcenter/psdb/4931a7f4cae4a43064c21ec2362f54e5.… http://support.novell.com/techcenter/psdb/1d3d4cc05bdfc425f875a1d8a7ef9b7e.… SuSE Linux Openexchange Server 4 http://support.novell.com/techcenter/psdb/4931a7f4cae4a43064c21ec2362f54e5.… http://support.novell.com/techcenter/psdb/1d3d4cc05bdfc425f875a1d8a7ef9b7e.… Open Enterprise Server http://support.novell.com/techcenter/psdb/1d3d4cc05bdfc425f875a1d8a7ef9b7e.… Novell Linux POS 9 http://support.novell.com/techcenter/psdb/1d3d4cc05bdfc425f875a1d8a7ef9b7e.… SuSE Linux Enterprise Server 8 http://support.novell.com/techcenter/psdb/4931a7f4cae4a43064c21ec2362f54e5.… http://support.novell.com/techcenter/psdb/1d3d4cc05bdfc425f875a1d8a7ef9b7e.… SuSE Linux Standard Server 8 http://support.novell.com/techcenter/psdb/4931a7f4cae4a43064c21ec2362f54e5.… http://support.novell.com/techcenter/psdb/1d3d4cc05bdfc425f875a1d8a7ef9b7e.… SuSE Linux School Server http://support.novell.com/techcenter/psdb/4931a7f4cae4a43064c21ec2362f54e5.… http://support.novell.com/techcenter/psdb/1d3d4cc05bdfc425f875a1d8a7ef9b7e.… SUSE LINUX Retail Solution 8 http://support.novell.com/techcenter/psdb/4931a7f4cae4a43064c21ec2362f54e5.… http://support.novell.com/techcenter/psdb/1d3d4cc05bdfc425f875a1d8a7ef9b7e.… SUSE SLES 9 http://support.novell.com/techcenter/psdb/1d3d4cc05bdfc425f875a1d8a7ef9b7e.… SLE SDK 10 SP1 http://support.novell.com/techcenter/psdb/51fd7d03020fe413e43cda8f60442612.… SUSE Linux Enterprise Server 10 SP1 http://support.novell.com/techcenter/psdb/51fd7d03020fe413e43cda8f60442612.… http://support.novell.com/techcenter/psdb/5544d25cb52fbadcc4de5bfd2d3654a1.… SUSE Linux Enterprise Desktop 10 SP1 http://support.novell.com/techcenter/psdb/5544d25cb52fbadcc4de5bfd2d3654a1.… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iQEVAwUBRxeBt3ey5gA9JdPZAQKC/Af/VhaJNxs9RBByvXvQxu0lhEvhpYyvUzx/ AELeO6ijNNivueLwC9moDHFRGOdYgMlKSpiRIYgIULUXv96mUdJu12UCBcDBLf9j S4kz28NDmLwywP8IykokbUivvpFyBkAGaf+l5DmbQPRAjfdEhDK2AyrRKUHP32yt Xgh6ibEcV82adMSh98dldFS6U7Ak4D5X79RN/xX2QLj8gezGJLfUWcoPAKVPf/// Isc7Kat6+ub29Tj531y7tPo3L/iD8Hax/xSV1ZaCU/Fr/2lDbmc7qcrA5z0/woko jKJ1pwjggJuBHI/1M1eCJc4/jQClDKxpw9SoIiw146ZK/MPm6E2l7A== =oC8B -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Announcement: Sun Java (SUSE-SA:2007:055)
by Marcus Meissner 17 Oct '07

17 Oct '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: Sun Java Announcement ID: SUSE-SA:2007:055 Date: Wed, 17 Oct 2007 16:00:00 +0000 Affected Products: SUSE LINUX 10.0 SUSE LINUX 10.1 openSUSE 10.2 openSUSE 10.3 SuSE Linux Desktop 1.0 SUSE SLES 9 Novell Linux Desktop 9 Open Enterprise Server Novell Linux POS 9 SUSE Linux Enterprise Desktop 10 SP1 SUSE Linux Enterprise Server 10 SP1 Vulnerability Type: remote code execution Severity (1-10): 8 SUSE Default Package: yes Cross-References: CVE-2007-5232, CVE-2007-5236, CVE-2007-5237 CVE-2007-5238, CVE-2007-5239, CVE-2007-5240 CVE-2007-5273, CVE-2007-5274 Content of This Advisory: 1) Security Vulnerability Resolved: various Sun Java security problems Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion The Sun JAVA JDK 1.5.0 was upgraded to release 13, and the Sun JAVA SDK 1.4.2 was upgraded to update 16 to fix various bugs, including the following security bugs: http://sunsolve.sun.com/search/document.do?assetkey=1-26-103079-1 CVE-2007-5232: Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier, when applet caching is enabled, allows remote attackers to violate the security model for an applets outbound connections via a DNS rebinding attack. http://sunsolve.sun.com/search/document.do?assetkey=1-26-103073-1 CVE-2007-5236: Java Web Start in Sun JDK and JRE 5.0 Update 12 and earlier, and SDK and JRE 1.4.2_15 and earlier, on Windows does not properly enforce access restrictions for untrusted applications, which allows user-assisted remote attackers to read local files via an untrusted application. CVE-2007-5237: Java Web Start in Sun JDK and JRE 6 Update 2 and earlier does not properly enforce access restrictions for untrusted applications, which allows user-assisted remote attackers to read and modify local files via an untrusted application, aka "two vulnerabilities". CVE-2007-5238: Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, and SDK and JRE 1.4.2_15 and earlier does not properly enforce access restrictions for untrusted applications, which allows user-assisted remote attackers to obtain sensitive information (the Java Web Start cache location) via an untrusted application, aka "three vulnerabilities." http://sunsolve.sun.com/search/document.do?assetkey=1-26-103072-1 CVE-2007-5239: Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier does not properly enforce access restrictions for untrusted (1) applications and (2) applets, which allows user-assisted remote attackers to copy or rename arbitrary files when local users perform drag-and-drop operations from the untrusted application or applet window onto certain types of desktop applications. http://sunsolve.sun.com/search/document.do?assetkey=1-26-103071-1 CVE-2007-5240: Visual truncation vulnerability in the Java Runtime Environment in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier allows remote attackers to circumvent display of the untrusted-code warning banner by creating a window larger than the workstation screen. http://sunsolve.sun.com/search/document.do?assetkey=1-26-103078-1 CVE-2007-5273: Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier, when an HTTP proxy server is used, allows remote attackers to violate the security model for an applets outbound connections via a multi-pin DNS rebinding attack in which the applet download relies on DNS resolution on the proxy server, but the applets socket operations rely on DNS resolution on the local machine, a different issue than CVE-2007-5274. CVE-2007-5274: Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier, when Firefox or Opera is used, allows remote attackers to violate the security model for JavaScript outbound connections via a multi-pin DNS rebinding attack dependent on the LiveConnect API, in which JavaScript download relies on DNS resolution by the browser, but JavaScript socket operations rely on separate DNS resolution by a Java Virtual Machine (JVM), a different issue than CVE-2007-5273. The full set of changes is available on Suns website: - Sun Java 1.5.0: http://java.sun.com/j2se/1.5.0/ReleaseNotes.html - Sun Java 1.4.2: http://java.sun.com/j2se/1.4.2/ReleaseNotes.html 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes Please restart all running programs using Java. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/java-1_5_0-s… db79c4b7fefdedc43ae31216662089aa http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/java-1_5_0-s… aa911ba5a8c0e2fafd45e38164e4af0d http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/java-1_5_0-s… 3dbd86f1ff61d0dde4de6b874252d0ae http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/java-1_5_0-s… 6f35206472e3e321c98e5b0338398525 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/java-1_5_0-s… bc934a367636b5eabaa18d0bceb66647 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/java-1_5_0-s… 7c4d3fe8bec5086f476e8f7d67519f1e http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/java-1_5_0-s… 11c007724936143c8bd3081c7e113f31 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/java-1_6_0-s… a7a76e2199b7196d959322d1ede447e4 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/java-1_6_0-s… 6a0d9549ac0d234d1327060f847f00a2 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/java-1_6_0-s… 521979eca3b309fe439218f548b18cf5 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/java-1_6_0-s… d3fbb5c1cbf2b45e6d9de607182ffa0b http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/java-1_6_0-s… 88ab5ee341f989038c8b3e350b52025a http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/java-1_6_0-s… 2eecb5bd39340350b884bbfce47cdbdd openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_4_2-sun-1.4.2_updat… a7efad3e5ad87bfb4f10809459b43b86 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_4_2-sun-alsa-1.4.2_… 0fafec8320d1afe966513f22d1473d6c ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_4_2-sun-demo-1.4.2_… 88cfa97299aaac439cd41e5660f9ed44 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_4_2-sun-devel-1.4.2… d7209a3e6b987037f7ff73fce37618b4 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_4_2-sun-jdbc-1.4.2_… 4a9107905a31e33583c410830795c3cb ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_4_2-sun-plugin-1.4.… 8c04bfaa1e59161e06b4c905b39f3740 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_4_2-sun-src-1.4.2_u… 2767ee2c20a1e82c9e92a429d57bbfc8 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_5_0-sun-1.5.0_updat… 3e7f6fb52e64f0a1aa0b3bb4360941b1 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_5_0-sun-alsa-1.5.0_… 666f310b8f72b7e8325a1b2bf3430cd9 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_5_0-sun-demo-1.5.0_… b662b4746e76e2e80211f9b1530a0634 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_5_0-sun-devel-1.5.0… 9bb9d91771e91a5e468d844d0833b944 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_5_0-sun-jdbc-1.5.0_… 79576c335b53b7645f4d034030fe364a ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_5_0-sun-plugin-1.5.… 093e8507edd582053f97ae2c5292f11a ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_5_0-sun-src-1.5.0_u… b09f8e8cdb00523fd2120260cfaf76ce SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_4_2-sun-1.4.2.16-0.… 85abbe35d4fe5b9d46806a30e5724765 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_4_2-sun-alsa-1.4.2.… 72a2101f9b44a80859fef741a9568335 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_4_2-sun-demo-1.4.2.… f3da91699e32b8f4efed47ab1904deb1 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_4_2-sun-devel-1.4.2… 63c3f1709c2ddf5c4c5fcf89943d3d4a ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_4_2-sun-jdbc-1.4.2.… d8cc04eff3e6d30750ef857de41faaa5 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_4_2-sun-plugin-1.4.… 88b08a78c8c3428fba59b024e5ddf732 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_4_2-sun-src-1.4.2.1… ab4ec1f49cf394491ea17a7bb9746b7b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_5_0-sun-1.5.0_13-0.… f6e8dacb468b9617ce46c5446705daf5 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_5_0-sun-alsa-1.5.0_… 296a4397c28146a2387e4cfe9709c525 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_5_0-sun-demo-1.5.0_… c01241555425922bc31dde995fa98fa9 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_5_0-sun-devel-1.5.0… 7964aff93873c0713f55d2949febbff2 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_5_0-sun-jdbc-1.5.0_… 0a4a38a7d5cbfe00de8a939c894a0797 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_5_0-sun-plugin-1.5.… 60c0c9109cf701d1296bde511c62943b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_5_0-sun-src-1.5.0_1… f963b9ed78462021302748ff118e63cf SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/java-1_4_2-sun-1.4.2.… 0b3bddd090547a8674d50562d58cee3e ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/java-1_4_2-sun-alsa-1… 9dee1984300abae07c056fd0b12bfb9a ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/java-1_4_2-sun-demo-1… 11b0264e7ddde51586f86bc574e8d7d1 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/java-1_4_2-sun-devel-… d78f492982b2d6a4c9a1aba4adc8b6a0 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/java-1_4_2-sun-jdbc-1… baacffd2da282a30ffb27fdc90252761 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/java-1_4_2-sun-plugin… be6892b45b38e800db814040ffe8d71f ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/java-1_4_2-sun-src-1.… c292662e7104be22cbe7be03a326600b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/java-1_5_0-sun-1.5.0_… 74988aaca3b417bfa46a5d1b7427b5e7 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/java-1_5_0-sun-alsa-1… 593d088ee887455ee6343321458a967c ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/java-1_5_0-sun-demo-1… a7c4737d11727f47d84b426bc78d0883 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/java-1_5_0-sun-devel-… 29648a2a07b5b94d301adf7e4688cb84 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/java-1_5_0-sun-jdbc-1… f9ad29f623d6b7bea7eed82db8dc5fdc ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/java-1_5_0-sun-plugin… 126b66bce2f1d100fe04f5d69b4ed86d x86-64 Platform: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/java-1_5_0… 2b3d17258e5c52c79736354025ccc3db http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/java-1_5_0… e7ac5c9bc69ff16adf73f96bd5340d75 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/java-1_5_0… 2e0a5db66a70d108f2b9f089909f4cd0 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/java-1_5_0… 36e4a433ef8618bd16359d5688d6cbb1 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/java-1_5_0… 967ac70d8e29fb54b59962efad59b422 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/java-1_5_0… ddd051b7bd431e71c1a95254d23fe1b9 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/java-1_6_0… 8db5de7456ea27a3d1b1406efde06cf9 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/java-1_6_0… 542661a072e69c76aeb7082e93f7e2be http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/java-1_6_0… 1bc5403185c10c4e8ba752f19f1e9230 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/java-1_6_0… 3e78ec6c9da25d00f8785212f524c4bc http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/java-1_6_0… 77cee98b8e536b626f54f1184dd1ca70 openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/java-1_5_0-sun-1.5.0_upd… f49c281144167f7585352785eeed8b2c ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/java-1_5_0-sun-alsa-1.5.… bb7f3c5019e3df98d43ef77ba4057ffb ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/java-1_5_0-sun-demo-1.5.… 78a5bacc4b2ffaf672be426d0ff4cb45 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/java-1_5_0-sun-devel-1.5… df154e99311eef828712f92bddc56493 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/java-1_5_0-sun-jdbc-1.5.… 0536f4ad33b35890c5c7af2ea8bbdaef ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/java-1_5_0-sun-src-1.5.0… 09bb7442b933182238dad1eac71aa2fd SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/java-1_5_0-sun-1.5.0_13-… f71266d1ccbd005af6e803cc984a5ae9 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/java-1_5_0-sun-alsa-1.5.… d6fd39e09f164848b3b4c0e4daf14794 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/java-1_5_0-sun-demo-1.5.… 44e66182712ab0ff589186bfef13624b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/java-1_5_0-sun-devel-1.5… d12f0248268dabeb02fe49871558bdea ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/java-1_5_0-sun-jdbc-1.5.… 6a5198f6ac0559e74b414ea161029f8c ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/java-1_5_0-sun-src-1.5.0… 0b688823b5ace814b3ad3ebc4d26b435 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/java-1_5_0-sun-1.5.… 633c0b9b9dac1c5257f4a2a1e4c0a566 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/java-1_5_0-sun-alsa… f5d8a857bd44d2f7c5bb6039b6565a35 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/java-1_5_0-sun-demo… 7737177c66ea30965a6db96cac1091ef ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/java-1_5_0-sun-deve… 4116c82843731dcfa9bd1e945c636e56 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/java-1_5_0-sun-jdbc… 4cd8e3b461888d8aa89e03ce4f39deb7 Sources: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/java-1_5_0-su… 21b729da38aba2488f508f4cf86657ab http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/java-1_6_0-su… c4f0c86f0b6e92b1cf8e60921db80f4d openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/java-1_4_2-sun-1.4.2_update… 1ae678ae3f162787b90dc599791dfc01 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/java-1_5_0-sun-1.5.0_update… 8c89054e3cb97b2f871b08816839428d SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/java-1_4_2-sun-1.4.2.16-0.2… bcc140caa84525ec7080a68a394b2b93 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/java-1_5_0-sun-1.5.0_13-0.1… db4f03f243b70ad7e153cfc655c8fd1c SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/java-1_4_2-sun-1.4.2.1… a8d79480c516c205452dcf3f991ec509 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/java-1_5_0-sun-1.5.0_1… bea6119a5a9f6836600274d1992e7326 Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: Open Enterprise Server http://support.novell.com/techcenter/psdb/9d8cb03291c8cdf9cfec381e38bd6b88.… Novell Linux Desktop 9 http://support.novell.com/techcenter/psdb/9d8cb03291c8cdf9cfec381e38bd6b88.… Novell Linux POS 9 http://support.novell.com/techcenter/psdb/9d8cb03291c8cdf9cfec381e38bd6b88.… SuSE Linux Desktop 1.0 http://support.novell.com/techcenter/psdb/9d8cb03291c8cdf9cfec381e38bd6b88.… SUSE SLES 9 http://support.novell.com/techcenter/psdb/9d8cb03291c8cdf9cfec381e38bd6b88.… SUSE Linux Enterprise Server 10 SP1 http://support.novell.com/techcenter/psdb/9846044890f44374e747f617724ca6c9.… SUSE Linux Enterprise Desktop 10 SP1 http://support.novell.com/techcenter/psdb/9846044890f44374e747f617724ca6c9.… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iQEVAwUBRxYgo3ey5gA9JdPZAQKDLQgAjaOUGBXwiXc93rSMP1bpXVFTRz6zjcEA q+nPqqK8HTV+aTVWf5OyMzneyFkqEMx8woXtVggM4Wb8XlwTM6AKOPtNx8rpO0xv xNzgVSybcArvxrzRKbZs//Cu3ouBLnzTEVsZWmsJmb9YOVTDPGKqxg3uwQ2UQEN0 NmqBr3PMDrlSHxN0Y9AaQoXmwGQK52/nDudtpxkEP/PFCyNe56Qbp1pn3itv0lY8 5DjEP22FwB4pW7dWsHdSvf400PhEAItF3n3qSke9m31U34q2QitbGnvEsBy8BPKs NjAa3DV3/wzwv9QHCQJNrBvEkpJOZaZZQq/ecgNE+73r0iUjQXfSxw== =zHuO -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] Advance notice of discontinuation of regular support for SLES 8
by Marcus Meissner 15 Oct '07

15 Oct '07

Dear opensuse-security-announce subscribers and SUSE Linux Enterprise customers, SUSE Security announces that the regular maintenance, security and L3 support for the SUSE LINUX Enterprise 8 line of products will end after November 2007. The SUSE LINUX Enterprise 8 line consists of the following products: - SUSE LINUX Enterprise Server 8 - SUSE LINUX Openexchange Server 4.0 - SUSE LINUX Openexchange Server 4.1 - SUSE LINUX Retail Solution 8 - SUSE LINUX Standard Server 8 - SUSE LINUX Desktop 1.0 - UnitedLinux 1.0 All updates published will continue to be available for self-service download until November 2012. We will however be offering Extended Support for 2 years for the SUSE Linux Enterprise Server 8 product only. The extended support has following limits: - The offer is limited to the processor platforms Intel 32bit (i386) and IBM S/390 31bit (s390). - Only critical security problems will be fixed, others depending evaluation. - A certain sub-set of packages is no longer fixed. This list includes binary only software like Acrobat Reader, Java, and also some opensource software (Mozilla, PHP4, ucdsnmpd, snort, SpamAssassin, PostgreSQL). - Additional update rights need to be purchased for the extension to be activated. Please contact a Novell sales representative for more information if you are interested. Following SUSE Linux Enterprise product lines will continue to be available with following end dates: SUSE Linux Enterprise Server 9 - General Support until July 2009 (and Novell Linux Desktop 9) Extended Support until July 2011 SUSE Linux Enterprise 10 - General Support until July 2011 Extended Support until July 2013 To learn more about SUSE Linux business products, please visit http://www.novell.com/linux/suse/ For a detailed list of the life cycles of our Enterprise Products please visit http://support.novell.com/lifecycle/ and http://support.novell.com/lifecycle/lcSearchResults.jsp?sl=suse If you have any questions regarding this announcement, please do not hesitate your sales or support representative or to contact SUSE Security at <security(a)suse.de>.

1 0

[security-announce] SUSE Security Summary Report SUSE-SR:2007:020
by Marcus Meissner 12 Oct '07

12 Oct '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Summary Report Announcement ID: SUSE-SR:2007:020 Date: Fri, 12 Oct 2007 17:00:00 +0000 Cross-References: CVE-2007-2958, CVE-2007-4727, CVE-2007-4851 CVE-2007-4993, CVE-2007-5135, CVE-2007-5195 CVE-2007-5196, CVE-2007-5200 Content of this advisory: 1) Solved Security Vulnerabilities: - TK GIF image loader overflow - openssl off-by-one overflow - hugin temporary filename - not affected by Xen virtual pygrub escape problem - lighttpd buffer overflow - novell-groupwise-gwclient SSL problems - sylpheed-claws format string problem 2) Pending Vulnerabilities, Solutions, and Work-Arounds: none 3) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Solved Security Vulnerabilities To avoid flooding mailing lists with SUSE Security Announcements for minor issues, SUSE Security releases weekly summary reports for the low profile vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums or download URLs like the SUSE Security Announcements that are released for more severe vulnerabilities. Fixed packages for the following incidents are already available on our FTP server and via the YaST Online Update. - Tk GIF image loader overflow Updated Tk packages were released to fix a buffer overflow that occurs while processing interlaced/animated GIF images. (CVE-2007-4851) The bug was found by SUSE developer Reinhard Max and could be used to execute code remotely if Tk is used in any way to display remotely supplied GIFs. Tk was updated for all SUSE Linux based products on October 8th. - openssl off-by-one overflow OpenSSL was updated to fix a off-by-one buffer overflow in function SSL_get_shared_ciphers(). This vulnerability potentially allows remote code execution; depending on memory layout of the process. (CVE-2007-5135) Updates were released for all affected SUSE Linux products on 9th October. - hugin temporary filename hugin was updated to disable the use of a fixed temporary file. (CVE-2007-5200) hugin was updated for openSUSE 10.2 and 10.3, earlier products did not include hugin. - Not affected by Xen virtual pygrub escape problem A possibility for a Xen domU guest to escape from its virtualization container was reported, with Mitre ID CVE-2007-4993. SUSE is not using pygrub and so is NOT AFFECTED by this problem. (Note: we usually do not publish "not affected" notes, but for this problem we had several queries.) - lighttpd buffer overflow This update fixes a buffer overflow in the fcgi_env_add() function. Under some circumstances this bug allows remote code execution. (CVE-2007-4727) All affected distributions were updated. - novell-groupwise-gwclient SSL problems A security vulnerability was found in the Groupwise client system that allows a malicious user to intercept authentication credentials through a 'man in the middle' attack. This issue is tracked by the Mitre CVE IDs CVE-2007-5195, CVE-2007-5196. The novell-groupwise-client package is only contained in SUSE Linux Enterprise Desktop 10 and was updated there. - sylpheed-claws format string problem A format string bug in the inc_put_error() function of Sylpheed Claws was fixed. This bug is triggered when error messages from the POP3 server are displayed and can be exploited remotely to execute arbitrary code. (CVE-2007-2958) SUSE Linux 10.0, 10.1, and openSUSE 10.2 and 10.3 are affected. ______________________________________________________________________________ 2) Pending Vulnerabilities, Solutions, and Work-Arounds None listed this week. ______________________________________________________________________________ 3) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file containing the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and integrity of a package needs to be verified to ensure that it has not been tampered with. The internal RPM package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and included at the end of this announcement. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iQEVAwUBRw+RT3ey5gA9JdPZAQImAgf/ebrPxYYxCGcp19bwMR+Ba3lrbMCyqHBA S5/LkKqiGKxqpZXJ7BlAnm1uQArPIa6Brui+4GfR0tYWwG04vIlIJDFu1gVjx8Tq BDiqQgVtMQds6mPSRP5WNIxmPCLBt2rzpKxm7pylqWoTDf45oGkG14OsSOpaMTb/ 3Ktt2jVOFXrhRFG6afHmDt8aF26xAK0bsxpuIoY14viBTKjqIHEfwFygWadgjZfE /RoZs54LUtyhI0pz4rCn2dP5TH9cCg4Qd2dThO5ejQnFUeaN8jKacv7f+FqCDia3 OdIEXDlFlksO3XZKv3ON/PeUO3oRiqs3eHSE4KRBPu15xTr0c4ToHw== =KwZs -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Announcement: Xorg (SUSE-SA:2007:054)
by Marcus Meissner 12 Oct '07

12 Oct '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: XOrg Announcement ID: SUSE-SA:2007:054 Date: Fri, 12 Oct 2007 16:00:00 +0000 Affected Products: SUSE LINUX 10.0 SUSE LINUX 10.1 openSUSE 10.2 openSUSE 10.3 SUSE Linux Enterprise Desktop 10 SP1 SLE SDK 10 SP1 SUSE Linux Enterprise Server 10 SP1 Vulnerability Type: local privilege escalation Severity (1-10): 6 SUSE Default Package: yes Cross-References: CVE-2007-4730, CVE-2007-4989, CVE-2007-4990 IDEF2708, IDEF2709 Content of This Advisory: 1) Security Vulnerability Resolved: Xorg security problems in the font server and Composite extension Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion The Xorg server was updated to fix 2 problems in the X FontServer found in Xorg versions starting with 6.8 and in the Composite extension. SUSE Linux 10.0,10.1, openSUSE 10.2, 10.3 and SUSE Linux Enterprise 10 are affected by these 3 problems, older distributions are not. Following issues were fixed: IDEF2708 / CVE-2007-4989: X Font Server build_range() Integer Overflow Vulnerability. IDEF2709 / CVE-2007-4990: X Font Server swap_char2b() Heap Overflow Vulnerability CVE-2007-4730: A buffer overflow in the Composite extension. These can be exploited by logged in users to potentially execute code in the X server or xfs, which are running as root. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes Please close and restart all running instances of X after the update. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/xorg-x11-7.2… 60debc3a3539e6efa1c07c0a12053ca7 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/xorg-x11-Xvn… 5773cc75b25867210556f9c5aa409ff9 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/xorg-x11-dev… 39375780d4f6b3d9d13e98721bf762a8 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/xorg-x11-doc… 45a7a2a4c21006116d9f4f7feb416f4c http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/xorg-x11-lib… 45a22aa46e3a35ee4f49b44a5396f702 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/xorg-x11-ser… 42b4f144bc139e19d36a7be71e397e73 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/xorg-x11-ser… 9f3e56be68b9a3ce9713248b362d54c6 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/xorg-x11-ser… 3828d31f808b24edf628ec23e89bc45a openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/xorg-x11-7.2-28.i586.rpm 5384a46c4431130eb279caea81fc568b ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/xorg-x11-Xvnc-7.1-33.4.i58… 8d294f10951cd83633255cbbd33b5a70 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/xorg-x11-devel-7.2-23.i586… 7a8a34b59ca8d921ecd313592cfd336e ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/xorg-x11-doc-7.2-10.i586.r… f143cbe7cd388300908fd404bf4249b2 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/xorg-x11-libs-7.2-23.i586.… 77de2d5cb9081520b283a920f21b137f ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/xorg-x11-server-7.2-30.8.i… 702197b679a0c57e6e38b87d9069aba7 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/xorg-x11-server-sdk-7.2-30… 4a27c90ede919207c14a519d1c309189 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/xorg-x11-6.9.0-50.52.i586.… c88902090a61427024d5bbaae7a1660f ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/xorg-x11-Xnest-6.9.0-50.52… 11f96d90acd3bddd5bc9d3ba6e1fe3c1 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/xorg-x11-Xprt-6.9.0-50.52.… 797e27292d38e1c7b6f54af5386b0052 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/xorg-x11-Xvfb-6.9.0-50.52.… 822bd9883d7502e600bd56a795ce603b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/xorg-x11-Xvnc-6.9.0-50.52.… 8292ed022c8a4605e27b145142885a22 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/xorg-x11-devel-6.9.0-50.52… a36dca39556c929b144ea5ee34e0a9bd ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/xorg-x11-doc-6.9.0-50.52.i… 0d9feb7990afac8d55c31cbd7a3cb249 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/xorg-x11-driver-options-6.… 39b90521cd74c5c84d95cd85014af267 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/xorg-x11-fonts-100dpi-6.9.… aec0e78cfecdaf1647f495064b635290 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/xorg-x11-fonts-75dpi-6.9.0… 8640db4e96e458667122eafa17138ffa ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/xorg-x11-fonts-cyrillic-6.… 36826cba846ebdbcea57169546d334e5 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/xorg-x11-fonts-scalable-6.… 4d43b6d86679df97e43cbc965d665c29 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/xorg-x11-fonts-syriac-6.9.… 562e5902ca8a6b638b5e958802ab7751 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/xorg-x11-libs-6.9.0-50.52.… cb89b8124d707a4e15dabe343a5b976e ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/xorg-x11-man-6.9.0-50.52.i… d706278f404206a9e29b799573fe94b6 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/xorg-x11-sdk-6.9.0-50.52.i… 37627339cb5c0735c06c54c7e428e7f6 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/xorg-x11-server-6.9.0-50.5… 2e1ce7fa5ad3592110ff8e422c93457e ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/xorg-x11-server-glx-6.9.0-… dffea27a37d634b012c705692a19be05 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xorg-x11-6.8.2-100.13… 458ecf3c3f131007375b95c418157960 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xorg-x11-Mesa-6.8.2-1… 9a952a662575a0b0d251b781a1ece44e ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xorg-x11-Mesa-devel-6… 127b5be788631676ed47ee2713ae49f2 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xorg-x11-Mesa-devel-s… 957545e668b111e3bdbfdc9c09515566 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xorg-x11-Xnest-6.8.2-… bd4af18b0b8e5810b025cff17dc0240c ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xorg-x11-Xprt-6.8.2-1… 071033bb8714aa1fbd780aa25a6b7b65 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xorg-x11-Xvfb-6.8.2-1… b1d9f0bfd6afb440847d1a41a726dc57 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xorg-x11-Xvnc-6.8.2-1… fded05d76461d2ac55ac201fadfe66c4 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xorg-x11-devel-6.8.2-… 8769a5a05bc1792b33e763ddec505b33 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xorg-x11-doc-6.8.2-10… 3af64e9804f59737c66096cc0afbabd5 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xorg-x11-driver-optio… 2b1fa2993b32c20c69f736d3624a5c11 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xorg-x11-fonts-100dpi… a483cd1471daa864593fe2707606d808 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xorg-x11-fonts-75dpi-… 09e883c544d83893e65c791a4665e8d9 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xorg-x11-fonts-cyrill… 0823a1271e0500e447e59e215b76da78 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xorg-x11-fonts-scalab… e6da363f5d554fcb0949b466369f1512 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xorg-x11-fonts-syriac… d5637d20ecc470a9a6c5f565d041f12e ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xorg-x11-libs-6.8.2-1… 2fc326240a2603fb7046f71444a9bc7d ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xorg-x11-man-6.8.2-10… 365ca632260697ce20c3252f700f4378 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xorg-x11-sdk-6.8.2-10… 0545d8432dc41c6407eb1b42d4c3242d ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xorg-x11-server-6.8.2… b30da944b732b82c24a15a470c36ade0 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xorg-x11-server-glx-6… 8711c30b91c1f0be29602f7f2c7cd623 Power PC Platform: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/xorg-x11-7.2-… e54927714bb52597907a32b6d57789e4 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/xorg-x11-Xvnc… 34ee9b2b7a6f1feecc219037bfa674dd http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/xorg-x11-deve… b4f19eb498c2601b4545998bbcc550af http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/xorg-x11-doc-… b6b96b92fa14a652ece95bff3bfea745 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/xorg-x11-libs… 07769c6ba847d67e38259bf698475ba8 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/xorg-x11-serv… 794fb95a92c168293d30abe820344a05 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/xorg-x11-serv… b5cf737cb4900b3d68b59ec4a876b18f http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/xorg-x11-serv… 644b9a6134e7830ea3c3dfbeb7522163 openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/xorg-x11-7.2-28.ppc.rpm dc179bd7706e68400ea16a9f1e8fa833 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/xorg-x11-Xvnc-7.1-33.4.ppc.… fe42d5acfbb265c0daca556770b35e2b ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/xorg-x11-devel-7.2-23.ppc.r… cca396f77c50eb29ca4a0de79f5f407d ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/xorg-x11-doc-7.2-10.ppc.rpm 02ef9c03a58a864da6fee4e60ce8bf63 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/xorg-x11-libs-7.2-23.ppc.rpm 1b3e9c94a18813725f23b9e9aeffc38f ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/xorg-x11-server-7.2-30.8.pp… c30318fa808aeedf91bf7a53113d9fff ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/xorg-x11-server-sdk-7.2-30.… de55cbc336fc0e5f9ab6b0253864951b SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/xorg-x11-6.9.0-50.52.ppc.rpm 889344cc3d0709d86d01b08a8bf34fc7 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/xorg-x11-Xnest-6.9.0-50.52.… 19515bad314e603f8988d8dcb2dcd0c2 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/xorg-x11-Xprt-6.9.0-50.52.p… 74e8dfba32e43949ecb7581d5928fd3c ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/xorg-x11-Xvfb-6.9.0-50.52.p… 7594c0696ac98ad557802aaabe16f5b7 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/xorg-x11-Xvnc-6.9.0-50.52.p… 6c13100390b309175162713987dbdf57 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/xorg-x11-devel-6.9.0-50.52.… e064d188739706c6c95ce214b0b3249c ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/xorg-x11-doc-6.9.0-50.52.pp… 06140e3e2bb4ad721e334327e70af24c ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/xorg-x11-driver-options-6.9… eac0eddcc6cf3785497faf528e1ebd7d ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/xorg-x11-fonts-100dpi-6.9.0… dc15572fd15edb61b5afa790b719d553 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/xorg-x11-fonts-75dpi-6.9.0-… 17da298e4106c1300d708d8daab286ac ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/xorg-x11-fonts-cyrillic-6.9… f018f0a279434fd15f284576ebb7ee94 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/xorg-x11-fonts-scalable-6.9… ac6a1a7e8f9de25a96d9273c21c986df ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/xorg-x11-fonts-syriac-6.9.0… 7e2ecabab5fb0be813c2c75b493c5d58 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/xorg-x11-libs-6.9.0-50.52.p… 2f807fadbbe09f85f523da6e09e1fdc9 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/xorg-x11-man-6.9.0-50.52.pp… 4c37b4e58a908db76fd5283d85fb68c7 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/xorg-x11-sdk-6.9.0-50.52.pp… 97c1321c51c699d834b91104549c4860 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/xorg-x11-server-6.9.0-50.52… 226ec6328d9339af474c27088445e2ad ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/xorg-x11-server-glx-6.9.0-5… 27d4f77b3f2273d5e13caae1a8822c9b SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/xorg-x11-6.8.2-100.13.… a15c80f62499f2f4aa4eff9de163593e ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/xorg-x11-Mesa-6.8.2-10… b52acc1882801ef6cc4f254d3f10e60f ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/xorg-x11-Mesa-devel-6.… 677a9be65d75eeae9f41c1d28704dfd8 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/xorg-x11-Mesa-devel-st… 87e52369963ee90f69bd43e5e62523c7 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/xorg-x11-Xnest-6.8.2-1… 5beb0822439ad464eadde078668e5158 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/xorg-x11-Xprt-6.8.2-10… 13ac95bc286aafa8710f98783b59409a ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/xorg-x11-Xvfb-6.8.2-10… 984d632a4c20c56b256344c43a403d77 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/xorg-x11-Xvnc-6.8.2-10… fcf5deb9498122e1cd70fd3ef60e70ce ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/xorg-x11-devel-6.8.2-1… 5b9348aadcb4ee58da9c46015780e21d ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/xorg-x11-doc-6.8.2-100… 88a74e462a02ce2dd123d24eab7d7c2e ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/xorg-x11-driver-option… 26b2dc89c01c5c56086fc028132a7b48 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/xorg-x11-fonts-100dpi-… 3a7f1c5945564ac463d30f7a687cc59f ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/xorg-x11-fonts-75dpi-6… b5845b11fcfcdb38022df27d3ceceef4 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/xorg-x11-fonts-cyrilli… 8320bb9c02bf24a8475acedd682b48d8 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/xorg-x11-fonts-scalabl… b38c7001a3bea430079ba8abb585ea69 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/xorg-x11-fonts-syriac-… 329c0bcabfd799b740bdd8150a2c7403 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/xorg-x11-libs-6.8.2-10… 8cd08d7ce5f99bbf6d4cab846310135b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/xorg-x11-man-6.8.2-100… a2ed3694ca8f45574d2da2d6b8d048ec ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/xorg-x11-sdk-6.8.2-100… c8405e3e8c15dd347bbf54ffe35bd6dd ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/xorg-x11-server-6.8.2-… 3328a1b0d6a6348e5d135095d2ded689 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/xorg-x11-server-glx-6.… 07ddefc02024c5948be2a655d4ce6762 x86-64 Platform: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/xorg-x11-7… 3d144710b9b3f26a9326ec2e75450328 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/xorg-x11-X… 753c06014a0c57e3f416408d7d3514bf http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/xorg-x11-d… 1bf2d8df7994fce841033b70fbf7504d http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/xorg-x11-d… 4c512382cbcd04805f49f16e123c68f5 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/xorg-x11-d… 53fdc94bbabf3cff952e7e3be1eeea1f http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/xorg-x11-l… 000b422fd89aad827c193287de9b91ae http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/xorg-x11-l… 0d5e5ab979697946c6c57638e6c8b3e5 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/xorg-x11-s… b4c871a26884ad52d846e585b67ed63d http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/xorg-x11-s… 81d786ad739563e1155d1d1c1de501bf http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/xorg-x11-s… 6e7b2a8f0bc88c6c742a55de3a13a9e7 openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/xorg-x11-7.2-28.x86_64.r… d7f784eaa02ed6c6ac7dd6b08722fded ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/xorg-x11-Xvnc-7.1-33.4.x… f6bf321d36f291aac36219477e216aab ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/xorg-x11-devel-32bit-7.2… 889e84bc3bef33e603f93135ce6cab98 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/xorg-x11-devel-7.2-23.x8… 97d576fe19e3188574dfc434f6bd3e5f ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/xorg-x11-doc-7.2-10.x86_… b1938466125c46ac24d1612e7e785402 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/xorg-x11-libs-32bit-7.2-… 91847a96b8fd9fd165f44a6f63bc22a8 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/xorg-x11-libs-7.2-23.x86… 0e9885cad2d04688f9e3209f19ec1453 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/xorg-x11-server-7.2-30.8… 8e48236329a5123f0660dfe99cc2924a ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/xorg-x11-server-sdk-7.2-… cd126c2ea02e512c351c086ae39faa08 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/xorg-x11-6.9.0-50.52.x86… 73b9cca09e610b8236775fd167622672 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/xorg-x11-Xnest-6.9.0-50.… 166c341529f1c50884a9e24be5f2e1bc ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/xorg-x11-Xprt-6.9.0-50.5… 08121d10e8895f3815e5532cf81057d9 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/xorg-x11-Xvfb-6.9.0-50.5… 3df52f001419a6edfd0c176990f3a31b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/xorg-x11-Xvnc-6.9.0-50.5… 1c2cfe0603cdbb6615b9b7f59279743b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/xorg-x11-devel-32bit-6.9… 2d1e3cad93a40ba835f43ac61db4cb59 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/xorg-x11-devel-6.9.0-50.… af9b8df2e657fb4c811445770a07107b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/xorg-x11-doc-6.9.0-50.52… b32595e9a93d6de43aefbb146f2c4fc3 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/xorg-x11-driver-options-… fca47dc009e0114d51ce7ca43347a629 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/xorg-x11-fonts-100dpi-6.… 372801e618273f309fa04e97ffe966c2 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/xorg-x11-fonts-75dpi-6.9… ad445cc7bfe969d21ee2ad1f37bf4c84 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/xorg-x11-fonts-cyrillic-… 5d43c607a9f36144df8a1c8b2be582c3 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/xorg-x11-fonts-scalable-… 7165a8f7f916d14ef1f5f1fe9345e8ad ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/xorg-x11-fonts-syriac-6.… af6e45b844e9e18981e57afb78805e0f ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/xorg-x11-libs-32bit-6.9.… aba3677fc93140853c401c5791b92ea2 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/xorg-x11-libs-6.9.0-50.5… 75176349453a01f447ff70925fd831dd ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/xorg-x11-man-6.9.0-50.52… ce77ec91ee1d4daca620138a4b8fe007 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/xorg-x11-sdk-6.9.0-50.52… 81f47f043be8490d654bf4d4785ef749 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/xorg-x11-server-6.9.0-50… 18e4aacec21bc641b57955ced636be84 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/xorg-x11-server-glx-6.9.… c0ffba4acb5e555473234f0388d31271 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xorg-x11-6.8.2-100.… 4b053f1c5065356e733940c07fced8e4 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xorg-x11-Mesa-32bit… 6579d0096e21633f6ab8b0e57a332b14 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xorg-x11-Mesa-6.8.2… 00b1d31ec611186498e04c4a82fa1246 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xorg-x11-Mesa-devel… ccbb0005ec7ef431c341f78fb93c9f42 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xorg-x11-Mesa-devel… 312591ccd275f4bc9172df9fae3d5e22 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xorg-x11-Mesa-devel… 8a33636299c78615121fcf45bf1c2f27 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xorg-x11-Xnest-6.8.… 530622be36bb39f325a4979a8bc193d5 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xorg-x11-Xprt-6.8.2… 3fc51291c75b2bc8d9e578b531fc39e3 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xorg-x11-Xvfb-6.8.2… 2154da6709046dc98ed510874ec74174 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xorg-x11-Xvnc-6.8.2… bf966c74c64ece16baa11a153d393315 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xorg-x11-devel-32bi… 678d16cfecdc20731ab2cbc7c843e226 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xorg-x11-devel-6.8.… d421e60c08c64aa9f603d1c211020ec1 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xorg-x11-doc-6.8.2-… d4f008c6eb989315931d98851a3b5f2a ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xorg-x11-driver-opt… c181214b6cf79ffbfc78ea850a64b880 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xorg-x11-fonts-100d… df79ddc295eb367b388673e8ad20c7a6 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xorg-x11-fonts-75dp… 234792cbc4d83807554ca6af98ab8f55 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xorg-x11-fonts-cyri… e6db69382f8b1779829b4bed8b503761 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xorg-x11-fonts-scal… 60f97183d256d1894ae2d2540b0086f0 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xorg-x11-fonts-syri… 87ada8e32ecec247b50dd098b4d129ac ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xorg-x11-libs-32bit… 9f1d53c74d7ac70b21d56b843946a27c ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xorg-x11-libs-6.8.2… 606ce860f60444a3152653a3ce1ca049 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xorg-x11-man-6.8.2-… bcbc4a7da2825b5464de932eab57510b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xorg-x11-sdk-6.8.2-… 2090e697b030e39cd9cd8b4747a738b1 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xorg-x11-server-6.8… 23f3920f5235b70e5a3b766b9c9ab111 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xorg-x11-server-glx… 8150bbbe430a6bbf3728dc943bf13a5a Sources: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/xorg-x11-7.2-… 8a8fd9f59dbe574b54df2e710fb599d6 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/xorg-x11-Xvnc… a72e334e807881413f5c01ab49702dab http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/xorg-x11-doc-… 31d78d3091f98c0a4599fa631ff0673f http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/xorg-x11-libs… 2b8485a663b2bd3f63c64e4e64d17a12 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/xorg-x11-serv… c2706c31ad1084bc59d966f1f5056870 openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/xorg-x11-7.2-28.src.rpm f9d68a5e374389662d12fa4c223cb4f3 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/xorg-x11-Xvnc-7.1-33.4.src.… 9809825034d90af6507327ea8ac605dc ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/xorg-x11-doc-7.2-10.src.rpm 0444663e4371b82fcdfd0eb0fa6dfbc1 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/xorg-x11-libs-7.2-23.src.rpm e823516cc0aaed7426818eac275fdc14 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/xorg-x11-server-7.2-30.8.sr… f54f848469db8b819fe79dd8fe1fde65 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/xorg-x11-6.9.0-50.52.src.rpm c4678294fd5e147ed85e285ca70eeba4 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/xorg-x11-6.8.2-100.13.… 397d989a9cf440bd98265f31adab38f9 Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: SLE SDK 10 SP1 for IBM zSeries http://support.novell.com/techcenter/psdb/eebff351cff842b2f46d22f48d3f2009.… SUSE Linux Enterprise Server 10 SP1 http://support.novell.com/techcenter/psdb/eebff351cff842b2f46d22f48d3f2009.… http://support.novell.com/techcenter/psdb/0cc76d0c57cd2d52b1a7ca3945562d1d.… SLE SDK 10 SP1 http://support.novell.com/techcenter/psdb/eebff351cff842b2f46d22f48d3f2009.… http://support.novell.com/techcenter/psdb/0cc76d0c57cd2d52b1a7ca3945562d1d.… SUSE Linux Enterprise Desktop 10 SP1 http://support.novell.com/techcenter/psdb/0cc76d0c57cd2d52b1a7ca3945562d1d.… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iQEVAwUBRw+HdHey5gA9JdPZAQIOdAf6AgNkSUEl/vceGc8hpEAJHyVBPh3ZC+kS 7Rp/OtaViTQwbRxUB8IRBTpvNCXp6lPXr7QtGkZSM3qYriFhHlh5O1H/H2+HdtE9 raoFCfv2QxFpib/uZ7TTa1KyaiVy15gFNM7v91+4wGcsdv4G7KLVebBJU2XMFy2b jfZUJ6PB3SZtpDXTJn22hbsGEqVAyeKxZYiKfGRiT3CStwK6G3nMoWtKJ1tYlHKu 1/FWVGMXsL8uSMCWMtcMmmY1SCPrRzpK2yEZGKt8/nu25orMcSRz0q7cH8Y3Swfc TlmeHg7GXZl7bDFN5ZIC/BU9ZPTCZGikahVtIddLkupoWk6nX/AM3A== =6M8F -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0