April 2008 - openSUSE Security Announce

[security-announce] SUSE Security Summary Report SUSE-SR:2008:010
by Marcus Meissner 25 Apr '08

25 Apr '08

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Summary Report Announcement ID: SUSE-SR:2008:010 Date: Fri, 25 Apr 2008 15:00:00 +0000 Cross-References: CVE-2007-6698, CVE-2008-0658, CVE-2008-1102 CVE-2008-1103, CVE-2008-1332, CVE-2008-1382 CVE-2008-1628 Content of this advisory: 1) Solved Security Vulnerabilities: - licq denial of service - libpng crash or potential code execution - asterisk call without authorization - openldap2 denial of service problem - audit buffer overflow in logging - Blender buffer overflow 2) Pending Vulnerabilities, Solutions, and Work-Arounds: None listed this week. 3) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Solved Security Vulnerabilities To avoid flooding mailing lists with SUSE Security Announcements for minor issues, SUSE Security releases weekly summary reports for the low profile vulnerability fixes. The SUSE Security Summary Reports do not list or download URLs like the SUSE Security Announcements that are released for more severe vulnerabilities. Fixed packages for the following incidents are already available on our FTP server and via the YaST Online Update. - licq denial of service By starting more than 1024 connections against a remote licq client, attackers could cause licq to crash. licq was fixed on openSUSE 10.2 and 10.3. - libpng crash or potential code execution Specially crafted PNG image files could overwrite arbitrary memory. Attackers could potentially exploit that to execute arbitrary code, depending on the application used. (CVE-2008-1382) Fixed libpng packages were shipped for all SUSE Linux based distributions. - Asterisk call without authorization The opensource PBX asterisk allowed remote attackers to do a call without prior login via the SIP channel. (CVE-2008-1332) Asterisk packages were released for SUSE Linux 10.1 and openSUSE 10.2. - openldap2 denial of service problem Authenticated users could crash the LDAP server 'slapd' of openldap via the 'NOOP' command (CVE-2007-6698,CVE-2008-0658) openldap2 packages have been released for all distributions. - audit buffer overflow in logging A bug in the audit_log_user_command() function could lead to a buffer overflow. No program in openSUSE uses that function. Third party applications could be affected though (CVE-2008-1628). Updated audit packages were released for openSUSE 10.3. - Blender buffer overflow The rendering program Blender was affected by buffer overflows in the RGBE header file parsing (CVE-2008-1102) and some temporary file issues (CVE-2008-1103). Since we do not think that Blender is not used in security critical settings with network input data we fixed this problem only for future products. ______________________________________________________________________________ 2) Pending Vulnerabilities, Solutions, and Work-Arounds None listed this week. ______________________________________________________________________________ 3) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file containing the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and integrity of a package needs to be verified to ensure that it has not been tampered with. The internal RPM package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and included at the end of this announcement. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iQEVAwUBSBHiR3ey5gA9JdPZAQIS7wf+JrtCuwfJqX6xo/kUbGzb0gPtbMiBHGJW 9N5ltFXxLaBjvOf+32BCybomIDqAGUh5tX8J5N+Qdm4dwW+OzGAnHl3b47YZ6BGF 8Zf2xnYIOyVgnlDj/vrYk6OiuNvSMunC4i7HarBFRFvVAUzgvM1LkVRGRK9LETsl zOgTV3FpbHLg42zy9gx4LxYbYiNaHnHOkASvm04daoyAT6/a0x+WYA7+RwXr66X9 NOoH1any+ujbuTYc0R6oJIc2W0E6Dnlql+Q6J4u8sluYAShRmp7RN9FhZl5+vvAV AOKl4GXuK+A/RFZlSa4nQdHNRIY6vwO7h6JOeuYB6QGVqGXJ9i82EA== =42tg -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Announcement: IBM Java (SUSE-SA:2008:025)
by Marcus Meissner 25 Apr '08

25 Apr '08

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: IBMJava2,IBMJava5,java-1_4_2-ibm,java-1_5_0-ibm Announcement ID: SUSE-SA:2008:025 Date: Fri, 25 Apr 2008 14:00:00 +0000 Affected Products: SUSE SLES 9 Open Enterprise Server Novell Linux POS 9 SUSE Linux Enterprise Desktop 10 SP1 SLE SDK 10 SP1 SUSE Linux Enterprise Server 10 SP1 Vulnerability Type: remote code execution Severity (1-10): 8 SUSE Default Package: yes Cross-References: CVE-2007-3698, CVE-2007-4381, CVE-2007-5232 CVE-2007-5236, CVE-2007-5238, CVE-2007-5239 CVE-2007-5240, CVE-2007-5273, CVE-2007-5274 CVE-2008-0657, CVE-2008-1187, CVE-2008-1188 CVE-2008-1189, CVE-2008-1190, CVE-2008-1192 CVE-2008-1193, CVE-2008-1194, CVE-2008-1195 CVE-2008-1196 Content of This Advisory: 1) Security Vulnerability Resolved: IBM Java security updates Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion IBM Java 1.4.2 was updated to SR10 and IBM Java 1.5.0 was updated to SR7 to fix various security issues: - CVE-2008-1196: A buffer overflow vulnerability in Java Web Start may allow an untrusted Java Web Start application that is downloaded from a website to elevate its privileges. For example, an untrusted Java Web Start application may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted application. - CVE-2008-1195: A vulnerability in the Java Runtime Environment may allow JavaScript(TM) code that is downloaded by a browser to make connections to network services on the system that the browser runs on, through Java APIs, This may allow files (that are accessible through these network services) or vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited. - CVE-2008-1192: A vulnerability in the Java Plug-in may an untrusted applet to bypass same origin policy and leverage this flaw to execute local applications that are accessible to the user running the untrusted applet. - CVE-2008-1190: A vulnerability in Java Web Start may allow an untrusted Java Web Start application to elevate its privileges. For example, an application may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted application. - CVE-2008-1189: A buffer overflow vulnerability in the Java Runtime Environment may allow an untrusted applet or application to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet. - CVE-2008-1187: A vulnerability in the Java Runtime Environment with parsing XML data may allow an untrusted applet or application to elevate its privileges. For example, an applet may read certain URL resources (such as some files and web pages). - CVE-2007-5232: A vulnerability in the Java Runtime Environment (JRE) with applet caching may allow an untrusted applet that is downloaded from a malicious website to make network connections to network services on machines other than the one that the applet was downloaded from. This may allow network resources (such as web pages) and vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited. - CVE-2007-5274: A vulnerability in the Java Runtime Environment (JRE) may allow malicious Javascript code that is downloaded by a browser from a malicious website to make network connections, through Java APIs, to network services on machines other than the one that the Javascript code was downloaded from. This may allow network resources (such as web pages) and vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited. - CVE-2007-5273: A second vulnerability in the JRE may allow an untrusted applet that is downloaded from a malicious website through a web proxy to make network connections to network services on machines other than the one that the applet was downloaded from. This may allow network resources (such as web pages) and vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited. - CVE-2007-5236: An untrusted Java Web Start application may write arbitrary files with the privileges of the user running the application. - CVE-2007-5238: Three separate vulnerabilities may allow an untrusted Java Web Start application to determine the location of the Java Web Start cache. - CVE-2007-5239: An untrusted Java Web Start application or Java applet may move or copy arbitrary files by requesting the user of the application or applet to drag and drop a file from the Java Web Start application or Java applet window. - CVE-2007-5240: An untrusted applet may display an over-sized window so that the applet warning banner is not visible to the user running the untrusted applet. - CVE-2007-4381: A vulnerability in the font parsing code in the Java Runtime Environment may allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet. - CVE-2007-3698: The Java Secure Socket Extension (JSSE) that is included in various releases of the Java Runtime Environment does not correctly process SSL/TLS handshake requests. This vulnerability may be exploited to create a Denial of Service (DoS) condition to the system as a whole on a server that listens for SSL/TLS connections using JSSE for SSL/TLS support. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes Please restart running instances of IBM Java. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: SUSE Linux Enterprise Desktop 10 SP1 http://support.novell.com/techcenter/psdb/9f8f419846f676b0d132660a92bb01ed.… SUSE Linux Enterprise Server 10 SP1 http://support.novell.com/techcenter/psdb/9f8f419846f676b0d132660a92bb01ed.… http://support.novell.com/techcenter/psdb/54032eb4df3ad36ed54d5c9772c9b3a5.… SLE SDK 10 SP1 http://support.novell.com/techcenter/psdb/54032eb4df3ad36ed54d5c9772c9b3a5.… Open Enterprise Server http://support.novell.com/techcenter/psdb/833adf8244bc08c2125b1b37b2407112.… http://support.novell.com/techcenter/psdb/60ee4b5cee653c4418c0dec544b13d34.… Novell Linux POS 9 http://support.novell.com/techcenter/psdb/833adf8244bc08c2125b1b37b2407112.… http://support.novell.com/techcenter/psdb/60ee4b5cee653c4418c0dec544b13d34.… SUSE SLES 9 http://support.novell.com/techcenter/psdb/833adf8244bc08c2125b1b37b2407112.… http://support.novell.com/techcenter/psdb/60ee4b5cee653c4418c0dec544b13d34.… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iQEVAwUBSBHSa3ey5gA9JdPZAQLyMQf+PZW/ZRA0/nfukjmWibMkwVErCHwMGdwd iTrQsOtMVdLG28ffL0u/o5uYOLH0Vu1FOvZwEOZ8M0n5jo7el0BwsFLHFuvHjUPm 9FLeb25ByfPXBRlXZL9it+KJyTdpBEMkkfhrHZQXOPYqcBVCAUWjjfNf2E+hivtL 5lBXZJExs2AinPx50IijIh1NsTJjtRf3Kpv4uaE+I8U0RWSIHbCL9MuTeGA+I+gV Zv+TOxJTSUd3BXmsTDEvTqTVqly6dpT9yVcYsfsQLJpYDbQMGSgjPto9qZnohXy+ E9gQzbSDjZpaLstAqM2DqFUoWzRgdk9abots9bS0heFV43Kv9Ikygw== =IBg2 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Announcement: clamav (SUSE-SA:2008:024)
by Marcus Meissner 24 Apr '08

24 Apr '08

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: clamav Announcement ID: SUSE-SA:2008:024 Date: Thu, 24 Apr 2008 17:00:00 +0000 Affected Products: SUSE LINUX 10.1 openSUSE 10.2 openSUSE 10.3 SUSE SLES 9 Open Enterprise Server Novell Linux POS 9 SLE SDK 10 SP1 SUSE Linux Enterprise Server 10 SP1 Vulnerability Type: remote code execution Severity (1-10): 7 SUSE Default Package: no Cross-References: CVE-2007-6595, CVE-2007-6596, CVE-2008-0314 CVE-2008-1100, CVE-2008-1387, CVE-2008-1833 CVE-2008-1835, CVE-2008-1836, CVE-2008-1837 Content of This Advisory: 1) Security Vulnerability Resolved: clamav 0.93 security update Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion The AntiVirus scan engine ClamAV was updated to version 0.93 fixes a long list of vulnerabilities. These vulnerabilities can lead to remote code execution, bypassing the scanning engine, remote denial-of-service, local file overwrite. (CVE-2008-1837, CVE-2008-1836, CVE-2008-1835, CVE-2008-1833, CVE-2008-1387, CVE-2008-1100, CVE-2008-0314, CVE-2007-6595, CVE-2007-6596) Since the library changed, we also released updated klamav packages for openSUSE 10.2 and 10.3. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes If you use clamd as a daemon, please check that it is running after the update. Due to database changes it might not have restarted correctly. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/klamav-0.41.… 5f062d237d2e2b467c04249d7ab4eaff openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/clamav-0.93-0.3.i586.rpm 5c1208a1568ce8406cffbad97c17d5cd ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/clamav-db-0.93-0.3.i586.rpm cc3797fc934ca8a7d36e951aedfd1205 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/klamav-0.41.1-17.4.i586.rpm 2d4a630d9477ad647c5f043a2061eec9 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/clamav-0.93-0.6.i586.rpm bae48419bbd6d98158b43a27d2e4ae26 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/clamav-db-0.93-0.6.i586.rpm 24c9cee54b8921b2c3896218ebf653fc openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/clamav-0.93-… cb1b5ad1c50971cd67a969641eb09b5b http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/clamav-db-0.… 05c5ad3009b29ce730089376c4e94437 Power PC Platform: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/clamav-0.93-0… 0e6fd8ae2c47f5cf35671cf268c472a7 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/clamav-db-0.9… 67bcdf76348f56ecf7e6e7f44551e58f http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/klamav-0.41.1… 9d0be2b87217d54485717178877d0e27 openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/clamav-0.93-0.3.ppc.rpm feea77a7898ef22fee24db6990dfcd53 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/clamav-db-0.93-0.3.ppc.rpm c557477dfa4437292b476064b9008ce5 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/klamav-0.41.1-17.4.ppc.rpm 465357407c32c4b3f2858923dcf1fa79 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/clamav-0.93-0.6.ppc.rpm aefcb66e85016ea7ffac9ec90f07b941 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/clamav-db-0.93-0.6.ppc.rpm c41dab747d0917115afca974dbf71f56 x86-64 Platform: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/clamav-0.9… b52b015df19d50ed90d59aaef2359695 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/clamav-db-… 60450bcf1b6e77d9c401f39e53c80b80 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/klamav-0.4… 6889d3a67a917066a36a8f29dea43b60 openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/clamav-0.93-0.3.x86_64.r… 6ad977899b59f5dc29c3499b57794fe2 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/clamav-db-0.93-0.3.x86_6… b69ab97fc38e5156fd14997621070521 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/klamav-0.41.1-17.4.x86_6… dfa9b572d5e7756ee3f7c9f515430fcb SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/clamav-0.93-0.6.x86_64.r… d823bff9b6bd7a8363577d452cf32f85 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/clamav-db-0.93-0.6.x86_6… 9fa30054ab60358dd34227fc1ba534c4 Sources: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/clamav-0.93-0.6.src.rpm 46330515b9c6195b80df21260727c917 openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/clamav-0.93-0… b69d60de1059e37b16f1b8f4b6fdbcb0 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/klamav-0.41.1… e6dc89b046f7cb3649b480d0979d67c4 openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/clamav-0.93-0.3.src.rpm 4dfc2359d565c5584eed51fb0b6477cd ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/klamav-0.41.1-17.4.src.rpm 69b4f005d5e1910f817c9a6a2d9fc227 Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web. ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iQEVAwUBSBCjOney5gA9JdPZAQKBPwf+KA5FgDHq0McH8ZuS5GeeE/YC6SxLGUiA fY96vm4aXxDmPBkNyQz0SSR8FJKf+uenpxGQ4FeJP09kWipTODSWGjvd/ilh5U0n BpyRWF3OScFYmTEBuzc9mBRG6m4JFUz/OqTe5wDpcepwPrR1VMttWJx1RQgFh5ih hmE/KXQg5Cnoyr+N4T4uRXKvItO/diZZaP8LXbTct2ViyVVxS5nfdaXZDjg8lsPx LueEUhZKvUD1oWMZvf0huXfwaUwM0I11rsIwwKcwY7UVNo4YGfyduT1Pw4S57Wsc VTKaIxoIs4tDg9hgU1LzHya2NBsU62IXk3f5p6NQ+Dbb1z9kXNAIow== =tQ36 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Announcement: OpenOffice_org (SUSE-SA:2008:023)
by Thomas Biege 18 Apr '08

18 Apr '08

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: OpenOffice_org Announcement ID: SUSE-SA:2008:023 Date: Fri, 18 Apr 2008 10:00:00 +0000 Affected Products: SUSE LINUX 10.1 openSUSE 10.2 openSUSE 10.3 Novell Linux Desktop 9 SUSE Linux Enterprise Desktop 10 SP1 SLE SDK 10 SP1 Vulnerability Type: local privilege escalation Severity (1-10): 4 SUSE Default Package: yes Cross-References: CVE-2008-0320 CVE-2007-5747 CVE-2007-5746 CVE-2007-5745 CVE-2007-4771 CVE-2007-4770 Content of This Advisory: 1) Security Vulnerability Resolved: various security vulnerabilities Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion This update of OpenOffice fixes various critical security vulnerabilities - heap-overflow when parsing PPT files (CVE-2008-0320) - various buffer-overflows while parsing QPRO files (CVE-2007-5745, CVE-2007-5747) (NLD9 not affected) - integer overflow while parsing EMF files (CVE-2007-5746) - out-of-bound memory access and a heap-overflow in the regex engine of libICU (CVE-2007-4770, CVE-2007-4771) (NLD9 not affected) These vulnerabilities can only by exploited remotely with user-assistance and in conjunction with other software receiving OOo documents over the network (like a kmail attachment). Please note that users of SLED10-SP1 that installed the OOo-2.4 update already have the fixes. 2) Solution or Work-Around No work-around known. 3) Special Instructions and Notes Terminate all running instances of OOo before you install the update. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-2.0.4-38.12… 43c574c7201d440ee91442dfa5a4dba1 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-af-2.0.4-38… 31c5ee83f73c23ac3dbd9c9f30637bd6 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-ar-2.0.4-38… 6402015cc8512e9317862c8e70dd8f88 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-be-BY-2.0.4… a601d3151f47c7b79f56080dbded03c7 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-bg-2.0.4-38… 97d8c9e1fb8deac9b82fbd9eeab9e623 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-ca-2.0.4-38… 03479fedeae966712dbcd544c155e62a ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-cs-2.0.4-38… 6c0ea85ea8611fb5c3899431033ddbc0 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-cy-2.0.4-38… 48ad44c2efb76e2cf390892205f39805 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-da-2.0.4-38… faaf987aab2c2341846fc6ca91257baf ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-de-2.0.4-38… 4e315822a936cee681c8bd0b6ac3bf09 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-el-2.0.4-38… 722dbd6766ca80c5e61699659eda9036 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-en-GB-2.0.4… 60effcc4ea2b5fb17d2756a907b0824e ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-es-2.0.4-38… 7ad0b3993b0f7a2e37942a13bd48ec60 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-et-2.0.4-38… 840a930ddd49b6684a058dd94e7ec4d9 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-fi-2.0.4-38… b22a7068702d6d6c46698a0a309082e3 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-fr-2.0.4-38… 69dea70431cb60ab00cfd779c270921e ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-galleries-2… 50497e3c69634b67869144d71ca7a0c9 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-gnome-2.0.4… 8a112890f8149c5b2247c618f644e223 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-gu-IN-2.0.4… b9fb8444d8f1896b2d70679301d11eb3 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-hi-IN-2.0.4… 9b5add2338a1d5a781c75ca97bbf39f0 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-hr-2.0.4-38… 70a0b9769743fd6c4f5db240d730fbcc ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-hu-2.0.4-38… 49b3a1f23037199bc83cfcafb6f8a74d ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-it-2.0.4-38… ebf74603de931fc2fc6aed04fadfba06 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-ja-2.0.4-38… b940b61ee061530680cb889123e3145d ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-kde-2.0.4-3… f557222301d4bac80a261a286bede6f1 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-km-2.0.4-38… 55ec1ebed590e12776f3690621763cfd ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-ko-2.0.4-38… 74c191e6c5be69e50c08b489410e32b6 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-lt-2.0.4-38… 1dcece613e7e2c213a8b812539af60eb ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-mk-2.0.4-38… 74faa6390007d29be968fdb53e468882 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-mono-2.0.4-… 251abb1d97b7df3402c9e7c979215d37 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-nb-2.0.4-38… d41816bec8c45b0471f80f5fb184a3a8 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-nl-2.0.4-38… f35222a74aaa48ecd9b00cac55889e1f ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-nn-2.0.4-38… 752b97b1eca86c71189cc1db2e27a49c ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-officebean-… a6dea251c5a73c5c131928e3b12490e7 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-pa-IN-2.0.4… 1ac1e73d1b52f26adb482fba618d92aa ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-pl-2.0.4-38… 0a7096921ed524de5158fac1a04986a9 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-pt-2.0.4-38… 2d49b3b23be74fcead9777ee5d9ea7e0 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-pt-BR-2.0.4… e48c4c1edb37adc0201e76757b0225e6 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-ru-2.0.4-38… a83b8b082e922093d5d190e9175ef473 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-rw-2.0.4-38… ce529eec49ec9dc3596e356248a7d6e9 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-sdk-2.0.4-3… e057b9e18b4c96b3a27546495b204621 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-sdk-doc-2.0… f3ba75a0f6ba03f9686086ea07513d2b ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-sk-2.0.4-38… 2468f483cc5cd8b98b3e1cce7f7a9d4c ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-sl-2.0.4-38… 79fabae12ecabbed4ff6876027aba6d4 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-sr-CS-2.0.4… df39383775efa21f7a6097e0eb2c1084 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-st-2.0.4-38… a41ad8076a1a1a08bf0d7f43849bac19 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-sv-2.0.4-38… ed237b2d5c6e1bec53fa2c68aaa9ea04 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-tr-2.0.4-38… c796fa4cc5aeb5ce59688a43140b0496 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-ts-2.0.4-38… 8628105296e3aba706dc4c562ea5811e ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-vi-2.0.4-38… 8d216a964bbdbee295e494f14f63cd0a ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-xh-2.0.4-38… c92ca8329b0b8fd4c08e94d1a5015585 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-zh-CN-2.0.4… 1587a419f3eb5d2f442dc392f08c1c8d ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-zh-TW-2.0.4… 106bc66f2e4e47685e61eb9ba9e726ba ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-zu-2.0.4-38… 6600ae26771072ec01b3edb76b96ef0c SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-2.0.4-38.9.… 053780c198982bfad538b5b550cc88bb ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-af-2.0.4-38… f2bfec2ec35be66dc085a2cfb4fe8ced ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-ar-2.0.4-38… 7e6f40c71271f7100b59e11e999398b6 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-be-BY-2.0.4… dc05159cd2c9333f6b7d331d2fb8d7df ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-bg-2.0.4-38… 16a6b50632369ab9e00b4400be5a7645 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-ca-2.0.4-38… c40ccbe3330d2d6be166977d450fe0d4 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-cs-2.0.4-38… 632c10443e1e001e6f6e934cd920000f ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-cy-2.0.4-38… d7b5fdfc45f0c5017f878096bf7a66fa ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-da-2.0.4-38… aa9b5a7f98b3d82f4ca7beea105e4348 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-de-2.0.4-38… fc8914c846593647521c8073caabc2cf ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-el-2.0.4-38… bf6455160157eca3b65b14e3c4437862 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-en-GB-2.0.4… 7b5c2fccb88dbf474a37a0596391863f ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-es-2.0.4-38… ca019619917c7406ee30709e3b1a6e13 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-et-2.0.4-38… 0f436ebd6735ebd80d8345c1a060ae11 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-fi-2.0.4-38… 1080689f4afe29602377fca779f5f0d9 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-fr-2.0.4-38… 0dfb8e850bbdb52ebb862988fd8e47ea ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-galleries-2… 8fa7e9b28e3e71419a9c0699e882ccfc ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-gnome-2.0.4… 9d5d7826811f5702aceb71df3b04792f ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-gu-IN-2.0.4… c5933f77fd2a2c36ecd49a06603b2d2e ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-hi-IN-2.0.4… 56c9492e9fb11480c1d9d2b0e9018331 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-hr-2.0.4-38… d65ce8a9cc61cf5dd0e502f281acce14 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-hu-2.0.4-38… 1951cd5e9ee62dd5de770cc873fe51c6 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-it-2.0.4-38… 4c6d4d0b347dd8f4372b43dfc3e8ce10 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-ja-2.0.4-38… f40ec1d38f053d94c93a2b2679dde942 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-kde-2.0.4-3… dde6e790f056a84a338d5215c6f11e49 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-km-2.0.4-38… d28e6f3c5bdea1b876e85eba848b133e ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-ko-2.0.4-38… 7caec251aa3fd3ae98fe96c05d18cf5a ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-lt-2.0.4-38… 97abeb2ab70078550bb7a16805ea90ab ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-mk-2.0.4-38… 5ba532564a0619eba5643d06ac691252 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-mono-2.0.4-… c45d13f4e8b9317977fa3a7122bf2ee2 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-nb-2.0.4-38… a79e05c3fece09c8865d383062743ac8 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-nl-2.0.4-38… 867f3cac0608b79193450632b6e4336f ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-nn-2.0.4-38… 8822cf348e5e61efd507534d5d3e7801 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-officebean-… 3c1f1e0649a18462f8b2915835661c0d ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-pa-IN-2.0.4… 1a5b83e19eeca06e3bfbf3ca00c1bbf3 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-pl-2.0.4-38… bceff0dac645913cc4abaa78b1a0ee20 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-pt-2.0.4-38… e480b5090f7baf50b92beb47e9a0e431 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-pt-BR-2.0.4… b504c06ec243a8f38211d7ef9c86b1b0 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-ru-2.0.4-38… e8f59413438819890c4a446d14463edd ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-rw-2.0.4-38… e3de8838379402fb4566e567a962b522 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-sk-2.0.4-38… ad4a4604efebdfba74deb8bd93391656 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-sl-2.0.4-38… e1d9ce4a2a50db700c382bbebbad3930 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-sr-CS-2.0.4… a50d8070234e94a802aa0ae3023d18d7 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-st-2.0.4-38… e78b2f88c7f283d14ca2839661a182ad ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-sv-2.0.4-38… 0e949a5ce18191883945025212ee47cf ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-tr-2.0.4-38… 451c8169c4b3ae00ca39b49782a48952 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-ts-2.0.4-38… 371bb041edae9156a6087b64358e72c1 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-vi-2.0.4-38… 00914c9d326b61aae4e61991f19defcb ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-xh-2.0.4-38… 5294331c401940e6983dc7a8996de86d ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-zh-CN-2.0.4… 58cfd8712288e3d2088e52aa176cbedf ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-zh-TW-2.0.4… 6193946815d208f699fa79b8fd379de8 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-zu-2.0.4-38… c7c5c38523e5f9f10631333b4e09c2fe openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/OpenOffice_o… c8686d43ea83c7de0e1b5a275598f7dd http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/OpenOffice_o… be5221029f6f014cd25166ba935af181 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/OpenOffice_o… c1d7764c6a75220e1b5868c64ee867e6 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/OpenOffice_o… ddf7388fe959b2daac02acaa85315eb7 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/OpenOffice_o… 93ad7b66cf77fbf727f1d2637d134611 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/OpenOffice_o… ce63c5aae2eae7357a201069da15f2bd http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/OpenOffice_o… 5ef9990252d9a0e9374a0c61ce0ddaae http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/OpenOffice_o… 5aa7a947ff95acb615e77e978c5a836f http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/OpenOffice_o… f1f79e587f24e67bb0968e45c24fff0b http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/OpenOffice_o… 970618b711073706710fd7997ebb0278 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/OpenOffice_o… adb1fee9fc486f9a35954a303d97d663 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/OpenOffice_o… 8a019de05dd31e1f041d265426eabec2 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/OpenOffice_o… b049ffa86acc452ecb54c6c733e446ce http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/OpenOffice_o… ac6050b54332c81f76fa903a7652089f http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/OpenOffice_o… 1ae0ad8f07fae0ba1388b72c078b870a http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/OpenOffice_o… c9b102f8ca7518683ba7af79b726fc9b http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/OpenOffice_o… 54ca3f707bb7955da172d26e9b235cfd http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/OpenOffice_o… a45d7a39240c44da974e6266fcf8cb17 Platform Independent: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 5eea1d3ddeee8a3c77c3b2d5047f54a9 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 5e95d82ce32aac12cfe74a16d08c13fa http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… ebfc9bd70eb803991ded9f38a712fb34 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 3ea7c119b5cd6fc05ffe4eded854cd47 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 459eb7f6aa000bbbb94de0ed0fec192c http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 76f248e1d09c9f1f3a3dac97f01ae198 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 4c594382769b80d2113ec21498a22670 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 5d4ce6aeab5c278bf3ca156bb596218d http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 33809acb76bc2bd189ee899192d8e752 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 95f5f9f7f1d5a9db55d474f4b50872b3 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… f115747588cd81157f06741c6ca2ced7 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 7f2c03137c5be623d3b10b82f04bca2a http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 6042f32c331c06657a7433662ee58fa1 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 2dbca603b988f59b8ae3603523e633b4 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… ba149b14c30d37f02bb91d181f1ca69e http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… cd4a5af18e9c9f631ee5f34cc05b4613 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… be1619f542e25f72225a2f6159b78582 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… d4ec16f11ca8f5d0ee05cd6dd3cd699c http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 767e6f73300d324b5b5e39f335e6d501 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 934d4a50ea7543e5431ff795e9a88158 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… ee25167c4779236ffac3c0fb85705c01 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 6a961cd8b188b6a71e2650e860222b03 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 92c2158dc12b4b31d961330aa3134dea http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 9901e44e661000a7283bc2a98480906d http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… a0fabc94dde7bac6b064d9c04c511646 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 43884e5751a31f0f6bb83e232a824118 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 8f8e8ab94be535e7266c16191ff384c1 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 38face8b869bf358d7ac7970a141cd80 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… c603f6a73478d0db80dd5b32e2fbcc42 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 937e9b5c5f2766aa64d2dcac85e01a38 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 0a74a646cb696af2c837d02a221959c3 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… c2821d189c9e7ce229903835d705388d http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 572f4e10948f2a2427db2135bc2301ed http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 0d77e787785147b6fbeb20a153b20630 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 50ca18811b67b11eff46add4de68f188 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… eaccae83264bffc98a7de7f2e8196e51 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 2674b2167063397e3a569b319ed0e357 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 1b2f8c9f3b10d971e51a0acc0dcca016 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 42fc9fe0f7e44f891f6fde66de2e57e4 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 484d1ce136fec34c1b0fdb6f81b85dbf http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 2b3578883d53a17540807cd34cb0f13c http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… bda184b5f59dc1cab6368da0d0e92d1b http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 3fa2509192158f10a67c8170c06bba33 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 1f1f36015357a64d66561011dd1ea88d http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 56c3e9a41a3793ec39b7dd64ee64edc3 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/noarch/OpenOffice… 105e3bed2a8aa38abfc371d4521834cb Power PC Platform: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/OpenOffice_or… 24df5cd13197319f46bce9cb2d34a21c http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/OpenOffice_or… eb32738893bafd2035271c50209a5192 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/OpenOffice_or… 1ddf930162365dc110096b171a3dad24 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/OpenOffice_or… a3f734002b6565bbd17e09788fa36a6d http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/OpenOffice_or… 4900c9cbfc1a6e28db8c3d8bdf6ff3ce http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/OpenOffice_or… 04e12349f8b4ad96668618f0cb5a7fa8 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/OpenOffice_or… a55d25b5c8699ce33afdf331f3e2aaa5 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/OpenOffice_or… b89bdbd1e62176fad80a4f549825daa4 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/OpenOffice_or… b819fa124b3170bef61865e90bf6c59d http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/OpenOffice_or… 33b4975f052bc47558f986da054f91e2 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/OpenOffice_or… 5b0079658bdc38857b5c7a8ad6065596 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/OpenOffice_or… c70565a52b473f1f2fa23fe36f0b99cf http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/OpenOffice_or… adbc3f39af0e192728f9b999e35aa65c http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/OpenOffice_or… 74de67e68aaf6971dee294409ab4476e http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/OpenOffice_or… 535129dc5e6c983c29b6fdfb5eee1a4e http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/OpenOffice_or… 8be6efc1a971c5b399dcdd3d295cc7a4 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/OpenOffice_or… e67ec45e7ca28049c7d8f6a6064a256f http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/OpenOffice_or… d2081eedf5c4dbf4482f0107bb840788 openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-2.0.4-38.12.… d961dabd72bceb816f91bdac5150b108 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-af-2.0.4-38.… aa502ccf683c22bd7e095fc94512a4ee ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-ar-2.0.4-38.… f4a4792bef94f59878ef3f16f9d84657 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-be-BY-2.0.4-… c910db11ea56eec75b8ab8b5bee62f34 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-bg-2.0.4-38.… f67c175c4df7050a3f32e61e70a33e69 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-ca-2.0.4-38.… b45b7c915f315e24c0c283de73f25c5c ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-cs-2.0.4-38.… 02eb05dbe9924a62edab71956a280341 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-cy-2.0.4-38.… 3d5faa86f195cf805d272fe56e2640f9 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-da-2.0.4-38.… b77581b588253c9817b77877ea43cf0f ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-de-2.0.4-38.… 43a4ff9699ef734a3fa8a050489bcfbe ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-el-2.0.4-38.… e4cda13b80d4a6bcfc030e8f79dd7009 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-en-GB-2.0.4-… 119ef9f76f6a82fe57c625e7eee02208 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-es-2.0.4-38.… 105e92c73c23dfd1589e0adf61b79076 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-et-2.0.4-38.… 8d735d5e20a9651d1a457ad9a994adf6 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-fi-2.0.4-38.… 0a97af1e299a8fa7782f21fb02a65844 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-fr-2.0.4-38.… 28698af3a83a8aed73b59d76f09f914d ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-galleries-2.… f60a2ba24b1fefc172f54321a5b74b98 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-gnome-2.0.4-… 7bc5a9fe51893cfa5f260f2cbfd41fa8 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-gu-IN-2.0.4-… 699fb42b02d89d9ba6c5fd71a0966f23 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-hi-IN-2.0.4-… 4669e537ea23577d64822abff358ef2f ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-hr-2.0.4-38.… 6ff3d0e4c0ba2f0a4672a635f5efda04 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-hu-2.0.4-38.… 7c00d8bbed381cbde454561a2fb7bd5f ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-it-2.0.4-38.… 6426944834c136869bfd277bee5b92d5 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-ja-2.0.4-38.… 03fa1d78d0e34a7533311825cf1d7e5b ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-kde-2.0.4-38… e877b2a01e47ea479de23174dd02b321 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-km-2.0.4-38.… 85970c84a01e489009b42e7853cfe930 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-ko-2.0.4-38.… a1bf618c1d39ebaeaec6020b693ce9ce ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-lt-2.0.4-38.… d653e2a3309c5695c8adc5fd9fee5082 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-mk-2.0.4-38.… 15fe6ebf42811be01322cd0e5840e600 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-mono-2.0.4-3… c81ed3344315bac01608041155cd2129 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-nb-2.0.4-38.… 27233e3d4b3946acf4c53335a0bd7a27 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-nl-2.0.4-38.… 751215f39c7fd3696e9b56362b799ba9 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-nn-2.0.4-38.… 1508a1df8ffbf3cb0c21ef4ff91b2508 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-officebean-2… 2444ab5d25a9389f82ca98b9c22534b5 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-pa-IN-2.0.4-… af54e420a61cf91743b93a8d1608dd5d ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-pl-2.0.4-38.… eb06c02fc34aca05fa0da5c8d8883101 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-pt-2.0.4-38.… f897e85535d691b9e7148ecd6b2b1b4b ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-pt-BR-2.0.4-… 31ef785922cd35593c2a1e6a133aa6cc ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-ru-2.0.4-38.… 0633077e1dc611876eb84c78b0353c78 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-rw-2.0.4-38.… 97c6d81a58da85aab84ae08ee7ffc768 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-sdk-2.0.4-38… df6a44e57bb0007b593b7fa750d0e043 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-sdk-doc-2.0.… 856fd1ebad660c3d313274dff9a9363e ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-sk-2.0.4-38.… 11ca53eac3f864204e991681d30e1384 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-sl-2.0.4-38.… ab809f7117d3f2c86ddf63b732a1d071 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-sr-CS-2.0.4-… 931024221d60428f4a04f224018b65cf ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-st-2.0.4-38.… 66a619a3d538c7fa39ed1336a77e691b ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-sv-2.0.4-38.… 69ec30f99f394d0cdd65a2f2d6b612a6 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-tr-2.0.4-38.… 8371143db904b353d304ebbc737b9ec8 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-ts-2.0.4-38.… ac77d8aa6bd37ad349a8726acca57264 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-vi-2.0.4-38.… 1b3127e6c66313b429106b0c71828b4e ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-xh-2.0.4-38.… 15f9175f0cf090eef4d59e8c23d9d61c ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-zh-CN-2.0.4-… f7cd80fa316908b7a3b08a879aa90aef ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-zh-TW-2.0.4-… 7118341a7cc7832330d93f998707f543 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-zu-2.0.4-38.… b32baeb62c4083ac050cab4d5233b99e SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-2.0.4-38.9.p… d852db70e250f5a8fdca05a6782b0fed ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-af-2.0.4-38.… 5a35affd722e1d06b37d3bf830663161 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-ar-2.0.4-38.… 6509c45270281cbd933a8c3728971e70 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-be-BY-2.0.4-… 254d251d8bb448c2e5c716ca3ea352ec ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-bg-2.0.4-38.… 11e394af947646f9734a5c150354ddf5 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-ca-2.0.4-38.… ce7b6e60516ced55de621d939019c124 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-cs-2.0.4-38.… e1b907f417b6cf8af00fc982740c824c ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-cy-2.0.4-38.… 10a949636cd4928e42e5c8f302624527 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-da-2.0.4-38.… 72a8bdc9eb8956be559f2bafc08be167 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-de-2.0.4-38.… 80fe75eb8c4aef426ac6d2370df33f8d ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-el-2.0.4-38.… 7040eba78fa04fdd032fe7b663de668f ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-en-GB-2.0.4-… e68d09ebd37dd28e99bf292ed0af5d21 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-es-2.0.4-38.… 5ebf19d8cc5e4400948711af7d4f321d ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-et-2.0.4-38.… 4316b427ccff3687925d05c50b29d952 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-fi-2.0.4-38.… 60211f4526905c4a32c65fb6f665f217 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-fr-2.0.4-38.… e7919b6f387773535011b1a3eb017588 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-galleries-2.… 19858640940df10044edf710c6988dca ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-gnome-2.0.4-… 3691f17f0e66f567b1560b0e30c8b06a ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-gu-IN-2.0.4-… 4b72a6609d0e3866634d18cf2bc8ddc6 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-hi-IN-2.0.4-… e3f04ca460267df3f463f4a2fc1e2048 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-hr-2.0.4-38.… 7113058573abfc3cfb59e66299b84503 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-hu-2.0.4-38.… ff7bc2ab4498475160e099aefcb0ec90 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-it-2.0.4-38.… cc62f0a4af130b48c61e94100613bab8 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-ja-2.0.4-38.… 8aed99f0432c4519f22fb3eaa322a788 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-kde-2.0.4-38… c2063f3dbf4d9ad2272e0ccf9b4d0be2 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-km-2.0.4-38.… ca16d2a75a278827d8e98af9ac47bdaa ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-ko-2.0.4-38.… 22dc65392d9ddac481343e6b3d6f20b4 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-lt-2.0.4-38.… eec41c744dda7c7c4ac2913b56d4993a ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-mk-2.0.4-38.… 1a1fe7f422d65f9745324ede5fb75c08 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-mono-2.0.4-3… c04d26377bb6802c753508754cc692fc ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-nb-2.0.4-38.… 6ff5af78b0cde8d4c1c01df89a009cde ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-nl-2.0.4-38.… 94ee47f248a90b0bde56083d113edeed ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-nn-2.0.4-38.… fa68fa882c439822616065e995133a74 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-officebean-2… 813ff662c8d63aed6a08a784a9f9dd0e ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-pa-IN-2.0.4-… ec59aa47dec2c56943aa8601b361de08 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-pl-2.0.4-38.… fcd63125bcc125803023a16cf6b2d28d ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-pt-2.0.4-38.… 54027b48181f227a017ca5669c24974f ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-pt-BR-2.0.4-… addbcfd230495b086158175e09ec6720 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-ru-2.0.4-38.… 96891dae6dc0f82af5f801a48297aa2b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-rw-2.0.4-38.… f65b021ac9b9e706d23452d95ff689bb ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-sk-2.0.4-38.… 2e36284079c996bec89a29e0f1c21ee7 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-sl-2.0.4-38.… 78a8f30f9cdeda5158dda31e381d38fb ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-sr-CS-2.0.4-… 6ef78585f62a86a0344eb8c20bb36b3a ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-st-2.0.4-38.… fc6668341b262f2d89057bc46c858134 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-sv-2.0.4-38.… b6a58b243b4882ac4f3718d9e07e5e89 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-tr-2.0.4-38.… c70b56d0159722df9251904c9851bb52 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-ts-2.0.4-38.… 96a5482970c6ec1602d203f6a749f6d2 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-vi-2.0.4-38.… 8b868865516bfe4aeed003bb6a4e22b4 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-xh-2.0.4-38.… 2a6dc9b065c68bdbb55e801a09f5d15f ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-zh-CN-2.0.4-… 0314e6b20ec02df6776eb05f5091803a ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-zh-TW-2.0.4-… 2fb62d621155980046217f4dc93fca14 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-zu-2.0.4-38.… fd2e9ad671e106ca47337f3e6a908cb6 x86-64 Platform: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/OpenOffice… 2ebed3ff9dbaf7bcffe66c83b2ae2f12 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/OpenOffice… 6f48bc102e4d74b43fedd40bce829e16 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/OpenOffice… 3aa5979d63dd1b1e3da0acd11ec26b83 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/OpenOffice… a0cbfd4e76067741eca502f2677dbc64 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/OpenOffice… 3178b2d4cd9213a0a775474aad53d9f6 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/OpenOffice… 2e25d20f787de6f1a48937106654e465 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/OpenOffice… f32252abeb829ca22ab7d602152f8148 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/OpenOffice… 077c9ab06f979a666f5e85343bcdeca5 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/OpenOffice… 013621f793e0cfc170dc7cd648f6601a http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/OpenOffice… 349866c0e1926b8f526bc1be06c93624 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/OpenOffice… 9e5733af48f74cb9f7021bbd76e73271 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/OpenOffice… 2a52fb5278df6052167335d66235ee38 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/OpenOffice… 2ea5361fd1bf9e7965ed48c41770abcc http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/OpenOffice… f7f1b4c3694aa8f5ce7d44ed6a2c8649 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/OpenOffice… 5a302027535d0f346f7bddbf40f2a46d http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/OpenOffice… 55ed30939fe85243e90dd48a6b0c748b http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/OpenOffice… 40ccec9ac7616d8b14f523bddd1109d1 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/OpenOffice… a4071687aab06c971f059dac40575a1d Sources: SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/OpenOffice_org-2.0.4-38.9.s… 73d7a831ee773da36bc2e01830e9f503 openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/OpenOffice_or… 90df6baf5f12ae3e3b6a4a9d1419e894 openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/OpenOffice_org-2.0.4-38.12.… b85623b728dc0637cca5dc01648f2eea Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: SLE SDK 10 SP1 http://support.novell.com/techcenter/psdb/14ac798887e3454500d633209764e2c7.… SUSE Linux Enterprise Desktop 10 SP1 http://support.novell.com/techcenter/psdb/14ac798887e3454500d633209764e2c7.… Novell Linux Desktop 9 http://support.novell.com/techcenter/psdb/f6a476d94870d717c3a93c69ce56d196.… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: Please read our weekly security summary. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSAhUB3ey5gA9JdPZAQJREgf/YqZNmQQfaTf4Sqb27IAEsRmqjO+b419Z 2o0fN2gMUUpgPfcFZiITM9ecSRHrXtmQkMSk5IMghdG0CTbw7AQmk9PLSgkVuIi+ QGBbRYFmhx89pzB7WUy2XKhrInqMyHFy1yJuyyh8CbjMjYYSIlxb/dvP6K1zy1KO psov64CoGl7M3gs8wH6JTZvabA/7ZvLH9G0EtJcsAPn/GuaBumG73EnHOAo/4tbr mSSD+siD7ELns5QexvBypqZMbnEaqSFiu/Fxobfdl8xwFOJguruW2xqc/7jfsLAZ qzLwJc4HIrqHNuoYXgF4AAc1Iv2k/ixrm/zbJbjZ+7/z0ghQF+19sw== =dDmU -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Summary Report SUSE-SR:2008:009
by Marcus Meissner 11 Apr '08

11 Apr '08

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Summary Report Announcement ID: SUSE-SR:2008:009 Date: Fri, 11 Apr 2008 15:00:00 +0000 Cross-References: CVE-2008-1483, CVE-2008-1657 Content of this advisory: 1) Solved Security Vulnerabilities: - openssh X access leakage and ForceCommand bypass - opera 9.27 security update 2) Pending Vulnerabilities, Solutions, and Work-Arounds: None listed this week. 3) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Solved Security Vulnerabilities To avoid flooding mailing lists with SUSE Security Announcements for minor issues, SUSE Security releases weekly summary reports for the low profile vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums or download URLs like the SUSE Security Announcements that are released for more severe vulnerabilities. Fixed packages for the following incidents are already available on our FTP server and via the YaST Online Update. - OpenSSH X access leakage and ForceCommand bypass OpenSSH was updated to fix two security problems potentially exploitable by local users. - A flaw in the X forwarding code of openssh allowed local malicious users to steal the X access credentials of other users (CVE-2008-1483). - Due to another flaw users could bypass the option "ForceCommand" (CVE-2008-1657). - Opera 9.27 security update The web-browser Opera was updated to version 9.27 to fix various security issues. A flaw in the image processing routines could crash opera. Attackers could potentially even exploit that to execute code. Opera was updated on SUSE Linux 10.1, openSUSE 10.2 and 10.3. ______________________________________________________________________________ 2) Pending Vulnerabilities, Solutions, and Work-Arounds None listed this week. ______________________________________________________________________________ 3) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file containing the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and integrity of a package needs to be verified to ensure that it has not been tampered with. The internal RPM package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and included at the end of this announcement. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iQEVAwUBR/96CHey5gA9JdPZAQI0TggAlmou4cJuxEIhhNfNdKaz94RnXp2U+6zN wY41zM5/5RbBp6G47HrgGw1t+IgPK5NiZTDcvHqRrh4HCYpyIZXetDEu+sy0XsdO X0arp7HnkLR5L6SpPvsGM913d1qRpG9SsYsePMl2y/ClZxclQHiI7l9ssf6AXC2n JdfYNpI0yDqUAFNLUDyQ/90z9lbRDllvTH9V1IWYKjCoS76ChXfQIG/uaS8NFWym WrGi9gbLwoqZ3OHAZjlSPIMIVOew62Kp9rxtzTgiMH1JDRj1TzZNU38mN99AEECg HRznDwLBlRh2DUkCKOn6Mfxe98dO4yqnsgqBxqfG3gh/CS8Fam1/uA== =XuWd -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Announcement: flash-player (SUSE-SA:2008:022)
by Marcus Meissner 11 Apr '08

11 Apr '08

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: flash-player Announcement ID: SUSE-SA:2008:022 Date: Fri, 11 Apr 2008 10:00:00 +0000 Affected Products: SUSE LINUX 10.1 openSUSE 10.2 openSUSE 10.3 Novell Linux Desktop 9 SUSE Linux Enterprise Desktop 10 SP1 Vulnerability Type: remote code execution Severity (1-10): 8 SUSE Default Package: yes Cross-References: CVE-2007-0071, CVE-2007-5275, CVE-2007-6019 CVE-2007-6243, CVE-2007-6637, CVE-2008-1654 CVE-2008-1655 Content of This Advisory: 1) Security Vulnerability Resolved: Flash Player security update Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion The Adobe Flash Player was updated to version 9.0.124.0 to fix several security problems. In the worst case an attacker could potentially have flash-player execute arbitrary code via specially crafted files, for instance embedded in web pages. 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/flash-player… b9c97bf21cab1fa52b1c2aed16413436 openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/flash-player-9.0.124.0-0.1… f6ff8808238f0b69e5b012742730899b SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/flash-player-9.0.124.0-0.2… d0442d72fca61ab9f38987826340903a Sources: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/flash-player-9.0.124.0-0.1.… b03f34b8495a77399ba7d7881e1c83d7 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/flash-player-9.0.124.0-0.2.… a7b979a6a14a78ac74ec7fa714028f12 openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/flash-player-… 6a4713da1a19e68b4aec3b65c6b922ba Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: Novell Linux Desktop 9 http://support.novell.com/techcenter/psdb/bf0bfd1ab7b4dfb4cb1cd0bf88a5fb58.… SUSE Linux Enterprise Desktop 10 SP1 http://support.novell.com/techcenter/psdb/92503ab21dd7f9850a7611ed8fbb4d0c.… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iQEVAwUBR/9LUney5gA9JdPZAQLy1gf6Atum3gQ0Kfxd+3UIU3THaPnMRvD95z/X 7Jh/NIp0p5p0UPP1e7YNJiujnVF6wgmxPkbH67SP1rIm3Yegw/3z4v1cmGSlOWW+ 013z3sjw0qaaREwyhmU9LDLXsQhWAgmE0amMoUup5ZBlo3lrzj+5zg4KUqWaR9YN NqjKqRBpKSCpmZZ938GQTGdi1a1QJ5rhahMgoNJk2bVuk7KvZkngw2R+Azh5HCZc +49KfeDQsWMR3+P+rSE3xMKLOJ9hPmJqGMOdlLHwuAWeBolGUYSMMUR+IOMnU3h3 3pv2s2qL4tXjLt1DaMIreUwsJnos+7hT9uMXlIipeUFXY8W8Qxf1SA== =LOug -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Summary Report SUSE-SR:2008:08
by Marcus Meissner 04 Apr '08

04 Apr '08

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Summary Report Announcement ID: SUSE-SR:2008:008 Date: Fri, 04 Apr 2008 16:00:00 +0000 Cross-References: CVE-2007-1003, CVE-2007-5958, CVE-2007-6427 CVE-2007-6428, CVE-2007-6429, CVE-2008-0006 CVE-2008-0553, CVE-2008-0983, CVE-2008-1111 CVE-2008-1270, CVE-2008-1482, CVE-2008-1515 CVE-2008-1552, CVE-2008-1561, CVE-2008-1562 CVE-2008-1563 Content of this advisory: 1) Solved Security Vulnerabilities: - wireshark security problems - otrs SOAP command execution - xine security problems - xgl various X related security fixes - silc-toolkit buffer overflow - lighttpd security problems - tk GIF problems 2) Pending Vulnerabilities, Solutions, and Work-Arounds: None listed this week. 3) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Solved Security Vulnerabilities To avoid flooding mailing lists with SUSE Security Announcements for minor issues, SUSE Security releases weekly summary reports for the low profile vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums or download URLs like the SUSE Security Announcements that are released for more severe vulnerabilities. Fixed packages for the following incidents are already available on our FTP server and via the YaST Online Update. - wireshark security problems Multiple flaws in wireshark could lead to crashes when certain packets are processed (CVE-2008-1561,CVE-2008-1562,CVE-2008-1563) These problems only affected wireshark in openSUSE 10.2 and 10.3 and were fixed there. - otrs SOAP command execution A bug in the trouble ticket system OTRS allowed a remote attacker to get remote access without specifying a valid user name via the SOAP interface (CVE-2008-1515). otrs is only included on openSUSE 10.2 and 10.3 and was fixed there. - xine security problems Specially crafted files could cause integer overflows in the xine library. Attackers could potentially exploit that to execute arbitrary code with the privileges of the user who opened such a file (CVE-2008-1482). xine was updated on all SUSE Linux products containing xine. - xgl various X related security fixes Xgl uses the XFree86/X.Org code base and so was also affected by various integer overflow bugs found and fixed in those. (CVE-2007-6429, CVE-2007-1003, CVE-2007-5958, CVE-2007-6427, CVE-2007-6428, CVE-2007-6429, CVE-2008-0006) Xgl was updated on SUSE Linux Enterprise Desktop 10, SUSE Linux 10.1, openSUSE 10.2 and 10.3. - silc-toolkit buffer overflow A flaw in processing PKCS#1-Messages in silc-toolkit could lead to a buffer overflow. Remote attackers could exploit that to crash the server. (CVE-2008-1552) Only openSUSE 10.3 contains silc-toolkit and was fixed. - lighttpd security problems Several security problems were fixed in lighttpd. - Remote attackers were able to crash lighttpd by opening a large number of connections (CVE-2008-0983). - A bug in mod_cgi allowed remote attackers to read cgi source files (CVE-2008-1111). - A bug in mod_userdir allowed remote attackers to read arbitrary files (CVE-2008-1270). lighttpd is only included in SUSE Linux Enterprise 10 (SDK), SUSE Linux 10.1, openSUSE 10.2 and 10.3 and was fixed for those distributions. - tk GIF problems Specially crafted GIF images could cause a buffer overflow and crash the toolkit library tk. It seems unlikely but not entirely impossible that this overflow can be exploited to execute arbitrary code (CVE-2008-0553). Tk was updated on all products. ______________________________________________________________________________ 2) Pending Vulnerabilities, Solutions, and Work-Arounds none ______________________________________________________________________________ 3) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file containing the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and integrity of a package needs to be verified to ensure that it has not been tampered with. The internal RPM package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and included at the end of this announcement. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iQEVAwUBR/Y9fXey5gA9JdPZAQLbRAf+LaIdKdSLhtzoPXrVBEy9NqxnIwwG1cj8 z0HaRkbEOdGAD1olV0HUus9v9rbJXN6evv4HZmoK7FaBJweXwBH093OqlICUEopO DBKzAOVkE7P3w5MXiGEzr5rAfdrgC9gTquscoNQX6ofKJmBQOmbSJO1xdjV3EC3r CA0fJEWb2XZFx2nBAPIkMKbLwsBgscjgf8+KOrSyObj1Dq1l1SNtYlacRhwajxYC K0GKyikzEu/sFa1Bz9E3OWfgKpjsgOWW0pFX22sQQtDqtTbcPAFcNhdDcBGu1iE/ Atrin4WoV9XWL4i6nuLelPwUNLyKyzcid5k1sh1+esF7mPzkBOrYSQ== =nBJe -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Announcement: Apache,Apache2 security problems (SUSE-SA:2008:021)
by Marcus Meissner 04 Apr '08

04 Apr '08

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: apache2,apache Announcement ID: SUSE-SA:2008:021 Date: Fri, 04 Apr 2008 16:00:00 +0000 Affected Products: SUSE LINUX 10.1 openSUSE 10.2 openSUSE 10.3 SUSE SLES 9 Novell Linux Desktop 9 SDK Novell Linux Desktop 9 Open Enterprise Server Novell Linux POS 9 SLE SDK 10 SP1 SUSE Linux Enterprise Server 10 SP1 Vulnerability Type: cross site scripting Severity (1-10): 6 SUSE Default Package: yes Cross-References: CVE-2006-3918, CVE-2007-5000, CVE-2007-6203 CVE-2007-6388, CVE-2007-6421, CVE-2007-6422 CVE-2008-0005 Content of This Advisory: 1) Security Vulnerability Resolved: Apache security update Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion Various minor bugs have been fixed in the Apache 1 and Apache 2 web servers and released as a roll-up update. Security problems that were fixed include: - cross site scripting problem when processing the 'Expect' header (CVE-2006-3918) (Apache 1 only) - cross site scripting problem in mod_imap (CVE-2007-5000) (Apache 1 and 2) - cross site scripting problem in mod_status (CVE-2007-6388) (Apache 1 and 2) - cross site scripting problem in the ftp proxy module (CVE-2008-0005) (Apache 1 and 2) - cross site scripting problem in the error page for status code 413 (CVE-2007-6203) (Apache 2) - cross site scripting problem in mod_proxy_balancer (CVE-2007-6421) (Apache 2) - A flaw in mod_proxy_balancer allowed attackers to crash apache (CVE-2007-6422) (Apache 2) 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes Please close and restart all running instances of Apache after the update. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/apache2-2.2.3-24.i586.rpm f03e4b8274d7152b45efd72e7cde61b5 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/apache2-devel-2.2.3-24.i58… ef8e006c4acfea843329bf2fc12b79fd ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/apache2-doc-2.2.3-24.i586.… 51ecfcb9bb6d8c8f08efc97d70b8abbe ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/apache2-example-pages-2.2.… ce37cfd168b627b540e957da18e5ec8f ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/apache2-prefork-2.2.3-24.i… 0484c1e9d00bd24b5152c562da9ba047 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/apache2-worker-2.2.3-24.i5… b19e229f483a737b25f2aa53c190f92a SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/apache2-2.2.3-16.17.3.i586… 06c0701d4bd315fb0f644b4fb30d8a95 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/apache2-devel-2.2.3-16.17.… 45718ef5161e3544321676e3dd8eca64 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/apache2-doc-2.2.3-16.17.3.… 65bdf31d9f940c0b96f7732d0eaf9e0b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/apache2-example-pages-2.2.… f8e44ce88c837172d82871bebb06ffd4 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/apache2-prefork-2.2.3-16.1… 526d93881e73786ee7f00ef21936ddd0 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/apache2-worker-2.2.3-16.17… 1b42cc7478d521000b6566bec22d4109 openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/apache2-2.2.… 2922d4f0980462aa93cc93f74001f7c8 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/apache2-deve… e80c2f655b566a82ebe3a0d8b95b365e http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/apache2-doc-… a0f13f91c739c7e8deed206136d710ae http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/apache2-exam… 5970a02072fa94016f9317641c66bbf5 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/apache2-pref… 5b74451cf3b6d4c82da35b3a20cd6e4a http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/apache2-util… fecb129d6f984f502f4b96e6e74a1a4e http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/apache2-work… d5f5ff376fbe11104ee244b5fbbb3e06 Power PC Platform: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/apache2-2.2.4… a2f1e111c2f22510e37c5c6aa31644c7 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/apache2-devel… 992fe3cb04a01a3f20ef149f22ad8dec http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/apache2-doc-2… 4a1c3ecbd61659cae402818e36c6c849 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/apache2-examp… 2fd3d31bea6ac3a624816f96418c8abb http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/apache2-prefo… a6b81c7bba5e2ee49132c4e9b04849ba http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/apache2-utils… d23423196ff4f33d6f3aafe42a2edb88 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/apache2-worke… 98eae0b512e9758763725ecf48e87154 openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/apache2-2.2.3-24.ppc.rpm 01639c47e83d965858231060b99f163a ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/apache2-devel-2.2.3-24.ppc.… f0c506948d4662ccf850c3ef784aeb10 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/apache2-doc-2.2.3-24.ppc.rpm 7720848272448f257a9d8a5492d59119 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/apache2-example-pages-2.2.3… bb9a072748358dbd84e9a496a634aa3a ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/apache2-prefork-2.2.3-24.pp… 4cab7f565ef9b5ba23c5158b7fa16245 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/apache2-worker-2.2.3-24.ppc… 71774427d3c37bf7dc3dfbdd475a3499 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/apache2-2.2.3-16.17.3.ppc.r… f2a8afbab90fbd03ea8f197a5ce8f65e ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/apache2-devel-2.2.3-16.17.3… 44f8fe684f1eab3f9a6ebb65087de90b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/apache2-doc-2.2.3-16.17.3.p… 1fe8f99590d355d60ed4cd653b23a6d7 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/apache2-example-pages-2.2.3… 2270c3c1dbddf55952d12c00e5e69217 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/apache2-prefork-2.2.3-16.17… 81b0ded89d7109bd790081d7e734b780 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/apache2-worker-2.2.3-16.17.… d13888fba051f3d508ee8baeca99bf96 x86-64 Platform: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/apache2-2.2.3-24.x86_64.… cb086d72cfa22d69ffb77401a3873b27 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/apache2-devel-2.2.3-24.x… b13ea6a67a114d197e0f97cf83fb1712 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/apache2-doc-2.2.3-24.x86… 6721aef0cdabf944ffdc7917bafa22db ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/apache2-example-pages-2.… 475b95ef58b8078af54e6e0051d340c4 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/apache2-prefork-2.2.3-24… 66683396a06e14ab0a6fafd3af1c1cd3 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/apache2-worker-2.2.3-24.… 260c25e62faf98def97d7f227d931545 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/apache2-2.2.3-16.17.3.x8… 391a67b5fbcd657e2ecfba1a459057b2 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/apache2-devel-2.2.3-16.1… e78d919d97960714f0bdff45cf984b70 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/apache2-doc-2.2.3-16.17.… 52ee6e668465921cedb8ec6db723180b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/apache2-example-pages-2.… 8400d2e78b1c2edc522c65a1b099f396 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/apache2-prefork-2.2.3-16… 17eef4da8eb3dd2eccace560d7a14e0e ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/apache2-worker-2.2.3-16.… da7b31c3508caf37b650e9cf47359098 openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/apache2-2.… 9ff3ba6a589b6e79f603828937c5c126 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/apache2-de… 56b23bc76fbfb0bc0d98b11c63daaf36 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/apache2-do… 55ce8aaf6bc7c097999a93efe99da704 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/apache2-ex… 1c2d0b400948e83773ba08127ba7fa82 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/apache2-pr… 537ef6542894bf7ad0bdc72ea9e73be7 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/apache2-ut… a9d11f6df973e9e71889acfd36ec49c3 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/apache2-wo… a51618285183cd0b97075be8436ea697 Sources: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/apache2-2.2.4… 9ac4cf97f58360c61b17b177a72df991 openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/apache2-2.2.3-24.src.rpm 10a8ee22535b31519d2ba876c31d5271 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/apache2-2.2.3-16.17.3.src.r… 66e2fed2bd179c17fed7b931900ef0dc Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: Open Enterprise Server http://support.novell.com/techcenter/psdb/484f33da03a9e3e4632f40254c4a96a3.… http://support.novell.com/techcenter/psdb/2c87b234552522821a81df2a63d03f8c.… Novell Linux POS 9 http://support.novell.com/techcenter/psdb/484f33da03a9e3e4632f40254c4a96a3.… http://support.novell.com/techcenter/psdb/2c87b234552522821a81df2a63d03f8c.… Novell Linux Desktop 9 http://support.novell.com/techcenter/psdb/2c87b234552522821a81df2a63d03f8c.… Novell Linux Desktop 9 SDK http://support.novell.com/techcenter/psdb/484f33da03a9e3e4632f40254c4a96a3.… http://support.novell.com/techcenter/psdb/2c87b234552522821a81df2a63d03f8c.… SUSE SLES 9 http://support.novell.com/techcenter/psdb/484f33da03a9e3e4632f40254c4a96a3.… http://support.novell.com/techcenter/psdb/2c87b234552522821a81df2a63d03f8c.… SUSE Linux Enterprise Server 10 SP1 http://support.novell.com/techcenter/psdb/652745fced1c4af0216a2f3d8430a472.… SLE SDK 10 SP1 http://support.novell.com/techcenter/psdb/652745fced1c4af0216a2f3d8430a472.… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iQEVAwUBR/Y7HXey5gA9JdPZAQLrCQf+Nem9XN40+NEZSxXuSnJZ+p5R8dde2Jig ba+hLU1QxkS3dfkMrznEMHoaQoi0xT0sK0D0kk9j61Q/MdqbcQPKzsBJU9WUIGmY LqIL9LGRhJt2dpvSFLfM1ddgZFrIXHjwz8iE22TYTr+VAVl6ZvDO83t8akWvbErw T8ZntghD9STMRaUCFw9XL0yRKV9qDOnuPggco2h3Jc26FHRiXuM6xJoYehJRbn3i xdJ4v6u5T1df25iKCS01V4of8JXbOst2DpJlSgXQjybBMf/L8pBwxCpgKyb41/3L IFwyakCbPZso7vg9wPrZPmxi9HSnVgbjXTYIuwTIMSmx5MSxx2ovaw== =+Mrh -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Announcement: cups security problems (SUSE-SA:2008:020)
by Marcus Meissner 04 Apr '08

04 Apr '08

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: cups Announcement ID: SUSE-SA:2008:020 Date: Fri, 04 Apr 2008 15:00:00 +0000 Affected Products: SUSE LINUX 10.1 openSUSE 10.2 openSUSE 10.3 SuSE Linux Enterprise Server 8 SUSE SLES 9 Novell Linux Desktop 9 Open Enterprise Server Novell Linux POS 9 SUSE Linux Enterprise Desktop 10 SP1 SUSE Linux Enterprise Server 10 SP1 Vulnerability Type: remote code execution Severity (1-10): 9 SUSE Default Package: yes Cross-References: CVE-2008-0053, CVE-2008-1373 Content of This Advisory: 1) Security Vulnerability Resolved: cups buffer overflows Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion Two security issues were fixed in the CUPS printing system, which could be used by an attacker to crash CUPS or to potentially execute malicious code. - specially crafted GIF files could cause a buffer overflow in the printer filter for image files (CVE-2008-1373). - specially crafted files could cause a buffer overflow in the HP-GL/2 printer filter (CVE-2008-0053). 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes Please close and restart all running instances of cups after the update. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/cups-1.2.12-… 18cea642c984f925c96bdf2c670c0b69 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/cups-client-… 22af2a8e62acc0269f39634df95d6bc4 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/cups-devel-1… f2638a0d4ab5dab7040f32e044c8d1b2 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/cups-libs-1.… 93a8c6dab26c7ec94bc626e7d363052b openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/cups-1.2.7-12.15.i586.rpm 3c6c81aae8361a60199d16aa9cd14277 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/cups-client-1.2.7-12.15.i5… 516cb044ae5bed43c38e5132def5ada1 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/cups-devel-1.2.7-12.15.i58… 8c795e12862c111289e5e49740589f51 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/cups-libs-1.2.7-12.15.i586… ea96c6bc1c85437dbaf056d3b8e675c3 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/cups-1.1.23-40.41.i586.rpm b7fb75b7df23619552917517addf47c2 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/cups-client-1.1.23-40.41.i… d0e6864f137f194e0281d5fc065a62dc ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/cups-devel-1.1.23-40.41.i5… 98241c0b9730f0a6ed95c6e162f96c02 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/cups-libs-1.1.23-40.41.i58… 5e363f14bcba3f8cf33c14bb08f005a8 Power PC Platform: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/cups-1.2.12-2… 1f954dbd91fedde87e57286db97921d7 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/cups-client-1… 8ca3d4e7e2a442cbbd903b2ce780ddd3 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/cups-devel-1.… bfb3c782d07293da20bf8d3c5e761abb http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/cups-libs-1.2… 20c7b14776638bbbd031c9a970c42bb1 openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/cups-1.2.7-12.15.ppc.rpm ccc5124f4585afe5769989699a18285f ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/cups-client-1.2.7-12.15.ppc… 8fda39de7f1328da269b14ba8361e4d7 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/cups-devel-1.2.7-12.15.ppc.… cbb677d551fd0247321af27ef85ce654 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/cups-libs-1.2.7-12.15.ppc.r… ee4c1e85482e8cf0475c202226f101ff SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/cups-1.1.23-40.41.ppc.rpm 50103b423460e68adb2d19c51d15d628 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/cups-client-1.1.23-40.41.pp… 12571baaba8c2cc29ca7c232b9dd1aa7 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/cups-devel-1.1.23-40.41.ppc… d125c908d50a6d1443d592ae0fbd9f3f ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/cups-libs-1.1.23-40.41.ppc.… 1a2c00747097b3596873b41cb31636d4 x86-64 Platform: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/cups-1.2.1… b8aea3be0e8567a7c3f7c062764a5911 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/cups-clien… d7fa35148786ffc324a8356618c283a8 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/cups-devel… 5dffd6535fbf4af8269952ad89d944c6 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/cups-libs-… 420002288de29b384af2db7970554614 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/cups-libs-… 49f2dbef0a01fa1995944d16c033636a openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/cups-1.2.7-12.15.x86_64.… 58e8c71d9220834bb3284ce2449ec0c0 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/cups-client-1.2.7-12.15.… c85c430593a16837ac4c32cfbc2d28c9 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/cups-devel-1.2.7-12.15.x… 5a5914e838e00aa2511eabbc885d77c8 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/cups-libs-1.2.7-12.15.x8… db9d0e643f16d8c3c2a42af66a7f4c93 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/cups-libs-32bit-1.2.7-12… c6c3e85f3e72d50c9d937470ede4a495 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/cups-1.1.23-40.41.x86_64… 4b45b1e8f5116a9f088810bf48ddfae5 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/cups-client-1.1.23-40.41… a9e5430e730e6446c8143caddc0d3f99 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/cups-devel-1.1.23-40.41.… 6f00e2ce4098984476084684938ddb18 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/cups-libs-1.1.23-40.41.x… 12ea69a8d4d403dd056c331058fe4be5 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/cups-libs-32bit-1.1.23-4… 1d7c7f549355797231a0fb8dc8969ea6 Sources: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/cups-1.2.7-12.15.src.rpm d46517620ea8b5dbcab7006f9e69fea1 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/cups-1.1.23-40.41.src.rpm 43a7db77f490756c83d407c64d404df9 openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/cups-1.2.12-2… bec25f21850e1ede3db6f775409ab866 Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: Open Enterprise Server http://support.novell.com/techcenter/psdb/b8c1c10ee3584bcc23b201ff91e9ce95.… Novell Linux POS 9 http://support.novell.com/techcenter/psdb/b8c1c10ee3584bcc23b201ff91e9ce95.… Novell Linux Desktop 9 http://support.novell.com/techcenter/psdb/b8c1c10ee3584bcc23b201ff91e9ce95.… SUSE SLES 9 http://support.novell.com/techcenter/psdb/b8c1c10ee3584bcc23b201ff91e9ce95.… SuSE Linux Enterprise Server 8 http://support.novell.com/techcenter/psdb/916785312077472454e276cd7da157a9.… SUSE Linux Enterprise Server 10 SP1 http://support.novell.com/techcenter/psdb/e7d36fe2fd0d8b1a9db8e847bc095dd6.… SUSE Linux Enterprise Desktop 10 SP1 http://support.novell.com/techcenter/psdb/e7d36fe2fd0d8b1a9db8e847bc095dd6.… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iQEVAwUBR/Y5mXey5gA9JdPZAQIRMQf9G+bTTxsHh2T3i1EzXm66wV/2KyP6FQ7b GwqmglN8pFuSdZ0lQ19z5M4J8oks3YB+SnR27c9zWkWiXEoVGFSYLQ6ND+VIiQar HghDqhfO+oJ+TznzGlZFSMoD8fUzDXhVIrtwbvbjCU1RzcUFmtmChnCIqgdpOS02 Dhb7QHhx1uwgGwe6AZ22mALWt614J8wa9DDvIRFdww46u0Xz2vFwCqhfBxgSkx6c K+1n2cf/cZLmiBv9gHVDTYAEXBrH9uJANdozT9sMLf6IwfSbkybE0zpWaUb1QAcG 5Sghcy4GzNZHxM4O08ln42uRucuG48ydhW4MMb8bE2yTfPLoRp1XQQ== =P+hn -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Announcement: MozillaFirefox (SUSE-SA:2008:019)
by Marcus Meissner 04 Apr '08

04 Apr '08

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: MozillaFirefox Announcement ID: SUSE-SA:2008:019 Date: Fri, 04 Apr 2008 14:00:00 +0000 Affected Products: SUSE LINUX 10.1 openSUSE 10.2 openSUSE 10.3 Novell Linux Desktop 9 SUSE Linux Enterprise Desktop 10 SP1 SUSE Linux Enterprise Server 10 SP1 Vulnerability Type: remote code execution Severity (1-10): 8 SUSE Default Package: yes Cross-References: CVE-2007-4879, CVE-2008-1195, CVE-2008-1233 CVE-2008-1234, CVE-2008-1235, CVE-2008-1236 CVE-2008-1237, CVE-2008-1238, CVE-2008-1240 CVE-2008-1241, MFSA 2008-14, MFSA 2008-15 MFSA 2008-16, MFSA 2008-17, MFSA 2008-18 MFSA 2008-19 Content of This Advisory: 1) Security Vulnerability Resolved: Mozilla Firefox security update Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion The web browser Mozilla Firefox was brought to security update version 2.0.0.13. Following security problems were fixed: - MFSA 2008-19/CVE-2008-1241: XUL pop-up spoofing variant (cross-tab popups) - MFSA 2008-18/CVE-2008-1195 and CVE-2008-1240: Java socket connection to any local port via LiveConnect - MFSA 2008-17/CVE-2007-4879: Privacy issue with SSL Client Authentication - MFSA 2008-16/CVE-2008-1238: HTTP Referrer spoofing with malformed URLs - MFSA 2008-15/CVE-2008-1236 and CVE-2008-1237: Crashes with evidence of memory corruption (rv:1.8.1.13) - MFSA 2008-14/CVE-2008-1233, CVE-2008-1234, and CVE-2008-1235: JavaScript privilege escalation and arbitrary code execution. On Novell Linux Desktop 9 the fixes were back ported to the Firefox 1.5.0.14 version. seamonkey, mozilla-xulrunner and likely Thunderbird updates will follow in the next days. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes Please close and restart all running instances of Mozilla Firefox after the update. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/MozillaFirefox-2.0.0.13-0.… 51d8a8c8edb273d218f953594c6ddf3c ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/MozillaFirefox-translation… 5e251d0f4081b0a85426c3980dfab1de SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/MozillaFirefox-2.0.0.13-0.… b499f3f8d9ba4256252061aab28f0c6a ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/MozillaFirefox-translation… 91503917ccefab19dbc15c1278b74e87 openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/MozillaFiref… 69a8dea7a11bf49d2904ae6f9d97ae6b http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/MozillaFiref… bb6cb21d18921ccbd5beeb3168f9534e Power PC Platform: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/MozillaFirefo… c71b7bfc6208f1325d38709203b4b499 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/MozillaFirefo… e930fd3b905d3e4ffa8700a7fe640de3 openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/MozillaFirefox-2.0.0.13-0.1… 0a33a67ae69a50ffbadd8a048faff6b8 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/MozillaFirefox-translations… 3fdead7625dc869721a03253d3906792 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/MozillaFirefox-2.0.0.13-0.2… 9216457807f5d91115002460b9e5085f ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/MozillaFirefox-translations… 6ac3fddcccee1effd9a50abb3a391a83 x86-64 Platform: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/MozillaFir… 5400995c1eb085079dbb9a4d481cc532 http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/MozillaFir… d6e6d70d5bc2be14bd3c855826a5a963 openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/MozillaFirefox-2.0.0.13-… 827cf91765f9b3e32642199902199e04 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/MozillaFirefox-translati… 6f637200918e4ef723fe738294d506aa Sources: openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/MozillaFirefo… 1d730e60aeea0a130c4f5ffd938e987d openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/MozillaFirefox-2.0.0.13-0.1… fe6559ddb5339d0192bb1dc18e4ad3b7 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/MozillaFirefox-2.0.0.13-0.2… 3e764986a1f07439e43d58046333ab55 Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: Novell Linux Desktop 9 http://support.novell.com/techcenter/psdb/ad3e48b131593041b00e35f46ab10b61.… SUSE Linux Enterprise Server 10 SP1 http://support.novell.com/techcenter/psdb/582b39035a906e2902717de1327b2cf2.… SUSE Linux Enterprise Desktop 10 SP1 http://support.novell.com/techcenter/psdb/582b39035a906e2902717de1327b2cf2.… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iQEVAwUBR/Ymd3ey5gA9JdPZAQLXTAf6Ar6dbXnO9jAicSms7TzkXclPGhoKwiN0 kcaQ1A+7TxU3yuI/XFXysN3sKE93WuAdXTvUaVSTIYg2LByDOdcclEvBDb0BiKHY xH9WmrpiPLsRmLXGgz1/cNbm6tTL+t1iI0BlCg3TRpWXLt2kFT2NFAC3gkjauKP4 TFEm5KWelAIU3JQBeFGc8J8ZMcvlG/qBFIk0Fk5VHYvJTkNBDzuRGFUGFmIru5t+ pRUgi5Y9CojnVM5tIHsOvfYP6eyXdjpMI7kGPwcIb9vITkd4O7papSyc3a0y6D3M vcgTCDmvK5/71ezMuZ8h+nRqmPIZfNsz2tvY1CEw6tUWWb8EsxBO1Q== =AQup -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0