April 2009 - openSUSE Security Announce

[security-announce] SUSE Security Announcement: glib2 (SUSE-SA:2009:026)
by Thomas Biege 24 Apr '09

24 Apr '09

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: glib2 Announcement ID: SUSE-SA:2009:026 Date: Fri, 24 Apr 2009 15:11:00 +0000 Affected Products: openSUSE 10.3 openSUSE 11.0 openSUSE 11.1 SLE 11 Vulnerability Type: remote code execution Severity (1-10): 8 SUSE Default Package: yes Cross-References: CVE-2008-4316 Content of This Advisory: 1) Security Vulnerability Resolved: integer overflow fixed Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: none 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion The advisory was resent because the previous one contained the wrong Announcement ID. The code library glib2 provides base64 encoding and decoding functions that are vulnerable to integer overflows when processing very large strings. Processes using this library functions for processing data from the network can be exploited remotely to execute arbitrary code with the privileges of the user running this process. 2) Solution or Work-Around Please update. 3) Special Instructions and Notes All processes using this library have to be restarted. To be sure reboot your machine. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 11.1: http://download.opensuse.org/debug/update/11.1/rpm/i586/glib2-debuginfo-2.1… http://download.opensuse.org/debug/update/11.1/rpm/i586/glib2-debugsource-2… http://download.opensuse.org/update/11.1/rpm/i586/glib2-2.18.2-5.2.1.i586.r… http://download.opensuse.org/update/11.1/rpm/i586/glib2-branding-upstream-2… http://download.opensuse.org/update/11.1/rpm/i586/glib2-devel-2.18.2-5.2.1.… http://download.opensuse.org/update/11.1/rpm/i586/glib2-doc-2.18.2-5.2.1.i5… http://download.opensuse.org/update/11.1/rpm/i586/glib2-lang-2.18.2-5.2.1.i… http://download.opensuse.org/update/11.1/rpm/i586/libgio-2_0-0-2.18.2-5.2.1… http://download.opensuse.org/update/11.1/rpm/i586/libgio-fam-2.18.2-5.2.1.i… http://download.opensuse.org/update/11.1/rpm/i586/libglib-2_0-0-2.18.2-5.2.… http://download.opensuse.org/update/11.1/rpm/i586/libgmodule-2_0-0-2.18.2-5… http://download.opensuse.org/update/11.1/rpm/i586/libgobject-2_0-0-2.18.2-5… http://download.opensuse.org/update/11.1/rpm/i586/libgthread-2_0-0-2.18.2-5… openSUSE 11.0: http://download.opensuse.org/debug/update/11.0/rpm/i586/glib2-debuginfo-2.1… http://download.opensuse.org/debug/update/11.0/rpm/i586/glib2-debugsource-2… http://download.opensuse.org/update/11.0/rpm/i586/glib2-2.16.3-20.6.i586.rpm http://download.opensuse.org/update/11.0/rpm/i586/glib2-branding-upstream-2… http://download.opensuse.org/update/11.0/rpm/i586/glib2-devel-2.16.3-20.6.i… http://download.opensuse.org/update/11.0/rpm/i586/glib2-doc-2.16.3-20.6.i58… http://download.opensuse.org/update/11.0/rpm/i586/glib2-lang-2.16.3-20.6.i5… http://download.opensuse.org/update/11.0/rpm/i586/libgio-2_0-0-2.16.3-20.6.… http://download.opensuse.org/update/11.0/rpm/i586/libgio-fam-2.16.3-20.6.i5… http://download.opensuse.org/update/11.0/rpm/i586/libglib-2_0-0-2.16.3-20.6… http://download.opensuse.org/update/11.0/rpm/i586/libgmodule-2_0-0-2.16.3-2… http://download.opensuse.org/update/11.0/rpm/i586/libgobject-2_0-0-2.16.3-2… http://download.opensuse.org/update/11.0/rpm/i586/libgthread-2_0-0-2.16.3-2… openSUSE 10.3: http://download.opensuse.org/update/10.3/rpm/i586/glib2-2.14.1-4.4.i586.rpm http://download.opensuse.org/update/10.3/rpm/i586/glib2-devel-2.14.1-4.4.i5… http://download.opensuse.org/update/10.3/rpm/i586/glib2-doc-2.14.1-4.4.i586… http://download.opensuse.org/update/10.3/rpm/i586/glib2-lang-2.14.1-4.4.i58… Power PC Platform: openSUSE 11.1: http://download.opensuse.org/debug/update/11.1/rpm/ppc/glib2-debuginfo-2.18… http://download.opensuse.org/debug/update/11.1/rpm/ppc/glib2-debuginfo-64bi… http://download.opensuse.org/debug/update/11.1/rpm/ppc/glib2-debugsource-2.… http://download.opensuse.org/update/11.1/rpm/ppc/glib2-2.18.2-5.2.1.ppc.rpm http://download.opensuse.org/update/11.1/rpm/ppc/glib2-branding-upstream-2.… http://download.opensuse.org/update/11.1/rpm/ppc/glib2-devel-2.18.2-5.2.1.p… http://download.opensuse.org/update/11.1/rpm/ppc/glib2-doc-2.18.2-5.2.1.ppc… http://download.opensuse.org/update/11.1/rpm/ppc/glib2-lang-2.18.2-5.2.1.pp… http://download.opensuse.org/update/11.1/rpm/ppc/libgio-2_0-0-2.18.2-5.2.1.… http://download.opensuse.org/update/11.1/rpm/ppc/libgio-2_0-0-64bit-2.18.2-… http://download.opensuse.org/update/11.1/rpm/ppc/libgio-fam-2.18.2-5.2.1.pp… http://download.opensuse.org/update/11.1/rpm/ppc/libglib-2_0-0-2.18.2-5.2.1… http://download.opensuse.org/update/11.1/rpm/ppc/libglib-2_0-0-64bit-2.18.2… http://download.opensuse.org/update/11.1/rpm/ppc/libgmodule-2_0-0-2.18.2-5.… http://download.opensuse.org/update/11.1/rpm/ppc/libgmodule-2_0-0-64bit-2.1… http://download.opensuse.org/update/11.1/rpm/ppc/libgobject-2_0-0-2.18.2-5.… http://download.opensuse.org/update/11.1/rpm/ppc/libgobject-2_0-0-64bit-2.1… http://download.opensuse.org/update/11.1/rpm/ppc/libgthread-2_0-0-2.18.2-5.… http://download.opensuse.org/update/11.1/rpm/ppc/libgthread-2_0-0-64bit-2.1… openSUSE 11.0: http://download.opensuse.org/debug/update/11.0/rpm/ppc/glib2-debuginfo-2.16… http://download.opensuse.org/debug/update/11.0/rpm/ppc/glib2-debugsource-2.… http://download.opensuse.org/update/11.0/rpm/ppc/glib2-2.16.3-20.6.ppc.rpm http://download.opensuse.org/update/11.0/rpm/ppc/glib2-branding-upstream-2.… http://download.opensuse.org/update/11.0/rpm/ppc/glib2-devel-2.16.3-20.6.pp… http://download.opensuse.org/update/11.0/rpm/ppc/glib2-devel-64bit-2.16.3-2… http://download.opensuse.org/update/11.0/rpm/ppc/glib2-doc-2.16.3-20.6.ppc.… http://download.opensuse.org/update/11.0/rpm/ppc/glib2-lang-2.16.3-20.6.ppc… http://download.opensuse.org/update/11.0/rpm/ppc/libgio-2_0-0-2.16.3-20.6.p… http://download.opensuse.org/update/11.0/rpm/ppc/libgio-2_0-0-64bit-2.16.3-… http://download.opensuse.org/update/11.0/rpm/ppc/libgio-fam-2.16.3-20.6.ppc… http://download.opensuse.org/update/11.0/rpm/ppc/libglib-2_0-0-2.16.3-20.6.… http://download.opensuse.org/update/11.0/rpm/ppc/libglib-2_0-0-64bit-2.16.3… http://download.opensuse.org/update/11.0/rpm/ppc/libgmodule-2_0-0-2.16.3-20… http://download.opensuse.org/update/11.0/rpm/ppc/libgmodule-2_0-0-64bit-2.1… http://download.opensuse.org/update/11.0/rpm/ppc/libgobject-2_0-0-2.16.3-20… http://download.opensuse.org/update/11.0/rpm/ppc/libgobject-2_0-0-64bit-2.1… http://download.opensuse.org/update/11.0/rpm/ppc/libgthread-2_0-0-2.16.3-20… http://download.opensuse.org/update/11.0/rpm/ppc/libgthread-2_0-0-64bit-2.1… openSUSE 10.3: http://download.opensuse.org/update/10.3/rpm/ppc/glib2-2.14.1-4.4.ppc.rpm http://download.opensuse.org/update/10.3/rpm/ppc/glib2-64bit-2.14.1-4.4.ppc… http://download.opensuse.org/update/10.3/rpm/ppc/glib2-devel-2.14.1-4.4.ppc… http://download.opensuse.org/update/10.3/rpm/ppc/glib2-devel-64bit-2.14.1-4… http://download.opensuse.org/update/10.3/rpm/ppc/glib2-doc-2.14.1-4.4.ppc.r… http://download.opensuse.org/update/10.3/rpm/ppc/glib2-lang-2.14.1-4.4.ppc.… x86-64 Platform: openSUSE 11.1: http://download.opensuse.org/debug/update/11.1/rpm/x86_64/glib2-debuginfo-2… http://download.opensuse.org/debug/update/11.1/rpm/x86_64/glib2-debuginfo-3… http://download.opensuse.org/debug/update/11.1/rpm/x86_64/glib2-debugsource… http://download.opensuse.org/update/11.1/rpm/x86_64/glib2-2.18.2-5.2.1.x86_… http://download.opensuse.org/update/11.1/rpm/x86_64/glib2-branding-upstream… http://download.opensuse.org/update/11.1/rpm/x86_64/glib2-devel-2.18.2-5.2.… http://download.opensuse.org/update/11.1/rpm/x86_64/glib2-doc-2.18.2-5.2.1.… http://download.opensuse.org/update/11.1/rpm/x86_64/glib2-lang-2.18.2-5.2.1… http://download.opensuse.org/update/11.1/rpm/x86_64/libgio-2_0-0-2.18.2-5.2… http://download.opensuse.org/update/11.1/rpm/x86_64/libgio-2_0-0-32bit-2.18… http://download.opensuse.org/update/11.1/rpm/x86_64/libgio-fam-2.18.2-5.2.1… http://download.opensuse.org/update/11.1/rpm/x86_64/libglib-2_0-0-2.18.2-5.… http://download.opensuse.org/update/11.1/rpm/x86_64/libglib-2_0-0-32bit-2.1… http://download.opensuse.org/update/11.1/rpm/x86_64/libgmodule-2_0-0-2.18.2… http://download.opensuse.org/update/11.1/rpm/x86_64/libgmodule-2_0-0-32bit-… http://download.opensuse.org/update/11.1/rpm/x86_64/libgobject-2_0-0-2.18.2… http://download.opensuse.org/update/11.1/rpm/x86_64/libgobject-2_0-0-32bit-… http://download.opensuse.org/update/11.1/rpm/x86_64/libgthread-2_0-0-2.18.2… http://download.opensuse.org/update/11.1/rpm/x86_64/libgthread-2_0-0-32bit-… openSUSE 11.0: http://download.opensuse.org/debug/update/11.0/rpm/x86_64/glib2-debuginfo-2… http://download.opensuse.org/debug/update/11.0/rpm/x86_64/glib2-debugsource… http://download.opensuse.org/update/11.0/rpm/x86_64/glib2-2.16.3-20.6.x86_6… http://download.opensuse.org/update/11.0/rpm/x86_64/glib2-branding-upstream… http://download.opensuse.org/update/11.0/rpm/x86_64/glib2-devel-2.16.3-20.6… http://download.opensuse.org/update/11.0/rpm/x86_64/glib2-doc-2.16.3-20.6.x… http://download.opensuse.org/update/11.0/rpm/x86_64/glib2-lang-2.16.3-20.6.… http://download.opensuse.org/update/11.0/rpm/x86_64/libgio-2_0-0-2.16.3-20.… http://download.opensuse.org/update/11.0/rpm/x86_64/libgio-2_0-0-32bit-2.16… http://download.opensuse.org/update/11.0/rpm/x86_64/libgio-fam-2.16.3-20.6.… http://download.opensuse.org/update/11.0/rpm/x86_64/libglib-2_0-0-2.16.3-20… http://download.opensuse.org/update/11.0/rpm/x86_64/libglib-2_0-0-32bit-2.1… http://download.opensuse.org/update/11.0/rpm/x86_64/libgmodule-2_0-0-2.16.3… http://download.opensuse.org/update/11.0/rpm/x86_64/libgmodule-2_0-0-32bit-… http://download.opensuse.org/update/11.0/rpm/x86_64/libgobject-2_0-0-2.16.3… http://download.opensuse.org/update/11.0/rpm/x86_64/libgobject-2_0-0-32bit-… http://download.opensuse.org/update/11.0/rpm/x86_64/libgthread-2_0-0-2.16.3… http://download.opensuse.org/update/11.0/rpm/x86_64/libgthread-2_0-0-32bit-… openSUSE 10.3: http://download.opensuse.org/update/10.3/rpm/x86_64/glib2-2.14.1-4.4.x86_64… http://download.opensuse.org/update/10.3/rpm/x86_64/glib2-32bit-2.14.1-4.4.… http://download.opensuse.org/update/10.3/rpm/x86_64/glib2-devel-2.14.1-4.4.… http://download.opensuse.org/update/10.3/rpm/x86_64/glib2-doc-2.14.1-4.4.x8… http://download.opensuse.org/update/10.3/rpm/x86_64/glib2-lang-2.14.1-4.4.x… Sources: openSUSE 11.1: http://download.opensuse.org/update/11.1/rpm/src/glib2-2.18.2-5.2.1.src.rpm openSUSE 11.0: http://download.opensuse.org/update/11.0/rpm/src/glib2-2.16.3-20.6.src.rpm openSUSE 10.3: http://download.opensuse.org/update/10.3/rpm/src/glib2-2.14.1-4.4.src.rpm Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: SLES 11 http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… SLED 11 http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… SLE 11 http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… SLES 11 DEBUGINFO http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: none ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSfG7Rney5gA9JdPZAQLCJwf+JsCAbt3cpjd2g4tdu2Cxbd6kG7TyygPi 4s+69atmk886VFlfTlT5dnCyeouzqJa7FAkNRt5JSeIeMqh3KQrCFsCNT95AGzqd yKM4GZX105kQKfo3nsFckjomvA1mWDlrP8oRo6JF6rj/jpAryqAreDXcBnlD5lAg 4nv57cE2UeatYuFe/1xPF3uuKFYHZ74Ic4ufV6jWJp7VQyAQh4wGwVLVBYMEzegr bkskWNdAqA3TNqQmNIAp8FAYm6K1SuOpqeJVAEC4ebQw9w5Z2mlmdNLMw7pmMRtY waGquN75uX/HJKqVT3va8RuL4nBdvjUU0XgACaV1APbXqmYnOyS1Ug== =TPJy -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Announcement: glib2 (SUSE-SA:2009:025)
by Thomas Biege 24 Apr '09

24 Apr '09

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: glib2 Announcement ID: SUSE-SA:2009:025 Date: Fri, 24 Apr 2009 14:00:00 +0000 Affected Products: openSUSE 10.3 openSUSE 11.0 openSUSE 11.1 SLE 11 Vulnerability Type: remote code execution Severity (1-10): 8 SUSE Default Package: yes Cross-References: CVE-2008-4316 Content of This Advisory: 1) Security Vulnerability Resolved: integer overflow fixed Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: none 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion The code library glib2 provides base64 encoding and decoding functions that are vulnerable to integer overflows when processing very large strings. Processes using this library functions for processing data from the network can be exploited remotely to execute arbitrary code with the privileges of the user running this process. 2) Solution or Work-Around Please update. 3) Special Instructions and Notes All processes using this library have to be restarted. To be sure reboot your machine. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 11.1: http://download.opensuse.org/debug/update/11.1/rpm/i586/glib2-debuginfo-2.1… http://download.opensuse.org/debug/update/11.1/rpm/i586/glib2-debugsource-2… http://download.opensuse.org/update/11.1/rpm/i586/glib2-2.18.2-5.2.1.i586.r… http://download.opensuse.org/update/11.1/rpm/i586/glib2-branding-upstream-2… http://download.opensuse.org/update/11.1/rpm/i586/glib2-devel-2.18.2-5.2.1.… http://download.opensuse.org/update/11.1/rpm/i586/glib2-doc-2.18.2-5.2.1.i5… http://download.opensuse.org/update/11.1/rpm/i586/glib2-lang-2.18.2-5.2.1.i… http://download.opensuse.org/update/11.1/rpm/i586/libgio-2_0-0-2.18.2-5.2.1… http://download.opensuse.org/update/11.1/rpm/i586/libgio-fam-2.18.2-5.2.1.i… http://download.opensuse.org/update/11.1/rpm/i586/libglib-2_0-0-2.18.2-5.2.… http://download.opensuse.org/update/11.1/rpm/i586/libgmodule-2_0-0-2.18.2-5… http://download.opensuse.org/update/11.1/rpm/i586/libgobject-2_0-0-2.18.2-5… http://download.opensuse.org/update/11.1/rpm/i586/libgthread-2_0-0-2.18.2-5… openSUSE 11.0: http://download.opensuse.org/debug/update/11.0/rpm/i586/glib2-debuginfo-2.1… http://download.opensuse.org/debug/update/11.0/rpm/i586/glib2-debugsource-2… http://download.opensuse.org/update/11.0/rpm/i586/glib2-2.16.3-20.6.i586.rpm http://download.opensuse.org/update/11.0/rpm/i586/glib2-branding-upstream-2… http://download.opensuse.org/update/11.0/rpm/i586/glib2-devel-2.16.3-20.6.i… http://download.opensuse.org/update/11.0/rpm/i586/glib2-doc-2.16.3-20.6.i58… http://download.opensuse.org/update/11.0/rpm/i586/glib2-lang-2.16.3-20.6.i5… http://download.opensuse.org/update/11.0/rpm/i586/libgio-2_0-0-2.16.3-20.6.… http://download.opensuse.org/update/11.0/rpm/i586/libgio-fam-2.16.3-20.6.i5… http://download.opensuse.org/update/11.0/rpm/i586/libglib-2_0-0-2.16.3-20.6… http://download.opensuse.org/update/11.0/rpm/i586/libgmodule-2_0-0-2.16.3-2… http://download.opensuse.org/update/11.0/rpm/i586/libgobject-2_0-0-2.16.3-2… http://download.opensuse.org/update/11.0/rpm/i586/libgthread-2_0-0-2.16.3-2… openSUSE 10.3: http://download.opensuse.org/update/10.3/rpm/i586/glib2-2.14.1-4.4.i586.rpm http://download.opensuse.org/update/10.3/rpm/i586/glib2-devel-2.14.1-4.4.i5… http://download.opensuse.org/update/10.3/rpm/i586/glib2-doc-2.14.1-4.4.i586… http://download.opensuse.org/update/10.3/rpm/i586/glib2-lang-2.14.1-4.4.i58… Power PC Platform: openSUSE 11.1: http://download.opensuse.org/debug/update/11.1/rpm/ppc/glib2-debuginfo-2.18… http://download.opensuse.org/debug/update/11.1/rpm/ppc/glib2-debuginfo-64bi… http://download.opensuse.org/debug/update/11.1/rpm/ppc/glib2-debugsource-2.… http://download.opensuse.org/update/11.1/rpm/ppc/glib2-2.18.2-5.2.1.ppc.rpm http://download.opensuse.org/update/11.1/rpm/ppc/glib2-branding-upstream-2.… http://download.opensuse.org/update/11.1/rpm/ppc/glib2-devel-2.18.2-5.2.1.p… http://download.opensuse.org/update/11.1/rpm/ppc/glib2-doc-2.18.2-5.2.1.ppc… http://download.opensuse.org/update/11.1/rpm/ppc/glib2-lang-2.18.2-5.2.1.pp… http://download.opensuse.org/update/11.1/rpm/ppc/libgio-2_0-0-2.18.2-5.2.1.… http://download.opensuse.org/update/11.1/rpm/ppc/libgio-2_0-0-64bit-2.18.2-… http://download.opensuse.org/update/11.1/rpm/ppc/libgio-fam-2.18.2-5.2.1.pp… http://download.opensuse.org/update/11.1/rpm/ppc/libglib-2_0-0-2.18.2-5.2.1… http://download.opensuse.org/update/11.1/rpm/ppc/libglib-2_0-0-64bit-2.18.2… http://download.opensuse.org/update/11.1/rpm/ppc/libgmodule-2_0-0-2.18.2-5.… http://download.opensuse.org/update/11.1/rpm/ppc/libgmodule-2_0-0-64bit-2.1… http://download.opensuse.org/update/11.1/rpm/ppc/libgobject-2_0-0-2.18.2-5.… http://download.opensuse.org/update/11.1/rpm/ppc/libgobject-2_0-0-64bit-2.1… http://download.opensuse.org/update/11.1/rpm/ppc/libgthread-2_0-0-2.18.2-5.… http://download.opensuse.org/update/11.1/rpm/ppc/libgthread-2_0-0-64bit-2.1… openSUSE 11.0: http://download.opensuse.org/debug/update/11.0/rpm/ppc/glib2-debuginfo-2.16… http://download.opensuse.org/debug/update/11.0/rpm/ppc/glib2-debugsource-2.… http://download.opensuse.org/update/11.0/rpm/ppc/glib2-2.16.3-20.6.ppc.rpm http://download.opensuse.org/update/11.0/rpm/ppc/glib2-branding-upstream-2.… http://download.opensuse.org/update/11.0/rpm/ppc/glib2-devel-2.16.3-20.6.pp… http://download.opensuse.org/update/11.0/rpm/ppc/glib2-devel-64bit-2.16.3-2… http://download.opensuse.org/update/11.0/rpm/ppc/glib2-doc-2.16.3-20.6.ppc.… http://download.opensuse.org/update/11.0/rpm/ppc/glib2-lang-2.16.3-20.6.ppc… http://download.opensuse.org/update/11.0/rpm/ppc/libgio-2_0-0-2.16.3-20.6.p… http://download.opensuse.org/update/11.0/rpm/ppc/libgio-2_0-0-64bit-2.16.3-… http://download.opensuse.org/update/11.0/rpm/ppc/libgio-fam-2.16.3-20.6.ppc… http://download.opensuse.org/update/11.0/rpm/ppc/libglib-2_0-0-2.16.3-20.6.… http://download.opensuse.org/update/11.0/rpm/ppc/libglib-2_0-0-64bit-2.16.3… http://download.opensuse.org/update/11.0/rpm/ppc/libgmodule-2_0-0-2.16.3-20… http://download.opensuse.org/update/11.0/rpm/ppc/libgmodule-2_0-0-64bit-2.1… http://download.opensuse.org/update/11.0/rpm/ppc/libgobject-2_0-0-2.16.3-20… http://download.opensuse.org/update/11.0/rpm/ppc/libgobject-2_0-0-64bit-2.1… http://download.opensuse.org/update/11.0/rpm/ppc/libgthread-2_0-0-2.16.3-20… http://download.opensuse.org/update/11.0/rpm/ppc/libgthread-2_0-0-64bit-2.1… openSUSE 10.3: http://download.opensuse.org/update/10.3/rpm/ppc/glib2-2.14.1-4.4.ppc.rpm http://download.opensuse.org/update/10.3/rpm/ppc/glib2-64bit-2.14.1-4.4.ppc… http://download.opensuse.org/update/10.3/rpm/ppc/glib2-devel-2.14.1-4.4.ppc… http://download.opensuse.org/update/10.3/rpm/ppc/glib2-devel-64bit-2.14.1-4… http://download.opensuse.org/update/10.3/rpm/ppc/glib2-doc-2.14.1-4.4.ppc.r… http://download.opensuse.org/update/10.3/rpm/ppc/glib2-lang-2.14.1-4.4.ppc.… x86-64 Platform: openSUSE 11.1: http://download.opensuse.org/debug/update/11.1/rpm/x86_64/glib2-debuginfo-2… http://download.opensuse.org/debug/update/11.1/rpm/x86_64/glib2-debuginfo-3… http://download.opensuse.org/debug/update/11.1/rpm/x86_64/glib2-debugsource… http://download.opensuse.org/update/11.1/rpm/x86_64/glib2-2.18.2-5.2.1.x86_… http://download.opensuse.org/update/11.1/rpm/x86_64/glib2-branding-upstream… http://download.opensuse.org/update/11.1/rpm/x86_64/glib2-devel-2.18.2-5.2.… http://download.opensuse.org/update/11.1/rpm/x86_64/glib2-doc-2.18.2-5.2.1.… http://download.opensuse.org/update/11.1/rpm/x86_64/glib2-lang-2.18.2-5.2.1… http://download.opensuse.org/update/11.1/rpm/x86_64/libgio-2_0-0-2.18.2-5.2… http://download.opensuse.org/update/11.1/rpm/x86_64/libgio-2_0-0-32bit-2.18… http://download.opensuse.org/update/11.1/rpm/x86_64/libgio-fam-2.18.2-5.2.1… http://download.opensuse.org/update/11.1/rpm/x86_64/libglib-2_0-0-2.18.2-5.… http://download.opensuse.org/update/11.1/rpm/x86_64/libglib-2_0-0-32bit-2.1… http://download.opensuse.org/update/11.1/rpm/x86_64/libgmodule-2_0-0-2.18.2… http://download.opensuse.org/update/11.1/rpm/x86_64/libgmodule-2_0-0-32bit-… http://download.opensuse.org/update/11.1/rpm/x86_64/libgobject-2_0-0-2.18.2… http://download.opensuse.org/update/11.1/rpm/x86_64/libgobject-2_0-0-32bit-… http://download.opensuse.org/update/11.1/rpm/x86_64/libgthread-2_0-0-2.18.2… http://download.opensuse.org/update/11.1/rpm/x86_64/libgthread-2_0-0-32bit-… openSUSE 11.0: http://download.opensuse.org/debug/update/11.0/rpm/x86_64/glib2-debuginfo-2… http://download.opensuse.org/debug/update/11.0/rpm/x86_64/glib2-debugsource… http://download.opensuse.org/update/11.0/rpm/x86_64/glib2-2.16.3-20.6.x86_6… http://download.opensuse.org/update/11.0/rpm/x86_64/glib2-branding-upstream… http://download.opensuse.org/update/11.0/rpm/x86_64/glib2-devel-2.16.3-20.6… http://download.opensuse.org/update/11.0/rpm/x86_64/glib2-doc-2.16.3-20.6.x… http://download.opensuse.org/update/11.0/rpm/x86_64/glib2-lang-2.16.3-20.6.… http://download.opensuse.org/update/11.0/rpm/x86_64/libgio-2_0-0-2.16.3-20.… http://download.opensuse.org/update/11.0/rpm/x86_64/libgio-2_0-0-32bit-2.16… http://download.opensuse.org/update/11.0/rpm/x86_64/libgio-fam-2.16.3-20.6.… http://download.opensuse.org/update/11.0/rpm/x86_64/libglib-2_0-0-2.16.3-20… http://download.opensuse.org/update/11.0/rpm/x86_64/libglib-2_0-0-32bit-2.1… http://download.opensuse.org/update/11.0/rpm/x86_64/libgmodule-2_0-0-2.16.3… http://download.opensuse.org/update/11.0/rpm/x86_64/libgmodule-2_0-0-32bit-… http://download.opensuse.org/update/11.0/rpm/x86_64/libgobject-2_0-0-2.16.3… http://download.opensuse.org/update/11.0/rpm/x86_64/libgobject-2_0-0-32bit-… http://download.opensuse.org/update/11.0/rpm/x86_64/libgthread-2_0-0-2.16.3… http://download.opensuse.org/update/11.0/rpm/x86_64/libgthread-2_0-0-32bit-… openSUSE 10.3: http://download.opensuse.org/update/10.3/rpm/x86_64/glib2-2.14.1-4.4.x86_64… http://download.opensuse.org/update/10.3/rpm/x86_64/glib2-32bit-2.14.1-4.4.… http://download.opensuse.org/update/10.3/rpm/x86_64/glib2-devel-2.14.1-4.4.… http://download.opensuse.org/update/10.3/rpm/x86_64/glib2-doc-2.14.1-4.4.x8… http://download.opensuse.org/update/10.3/rpm/x86_64/glib2-lang-2.14.1-4.4.x… Sources: openSUSE 11.1: http://download.opensuse.org/update/11.1/rpm/src/glib2-2.18.2-5.2.1.src.rpm openSUSE 11.0: http://download.opensuse.org/update/11.0/rpm/src/glib2-2.16.3-20.6.src.rpm openSUSE 10.3: http://download.opensuse.org/update/10.3/rpm/src/glib2-2.14.1-4.4.src.rpm Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: SLES 11 http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… SLED 11 http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… SLE 11 http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… SLES 11 DEBUGINFO http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: none ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSfG3yXey5gA9JdPZAQL4Zwf+N9CxoIpYpxnRxa1RWXbGOGq1MsOkOKNb K/NI6n8ItU0avS4y7wGHCbvGsTs4qAcmooSYC9HpQPwZcur8GElCSIbJBUXVM9lx qBus7PiNR9BCjqzOg2LZ/G7ReZvVYYdS8RjGbckTtsoF1vStdohg1clmYNvGDdzq O4MIDj7NxIQL3/EdLpdwEzrCu1x5C/hLx4RjoI56FeCyuafxoqWb8RsTjpuYIXlB 0z29Jv/8AWWwYzj+9udIZxS1uZX8iEvdL1rhSqtqRdONmgn7mgv+FvJC8i+dgoDs vleflkllhITOQcPwpzPxiYrGrF7U2U+YlmFpLBpLPuWO/5k+9bw51A== =sBX9 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Announcement: udev local root exploit (SUSE-SA:2009:025)
by Marcus Meissner 22 Apr '09

22 Apr '09

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: udev Announcement ID: SUSE-SA:2009:025 Date: Wed, 22 Apr 2009 16:00:00 +0000 Affected Products: SUSE Linux Enterprise Desktop 10 SP2 SUSE Linux Enterprise 10 SP2 DEBUGINFO SUSE Linux Enterprise Server 10 SP2 Vulnerability Type: local privilege escalation Severity (1-10): 7 SUSE Default Package: yes Cross-References: CVE-2009-1185 SUSE-SA:2009:020 Content of This Advisory: 1) Security Vulnerability Resolved: udev local root exploit - SLE 10 sp2 respin Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion This update fixes a local privilege escalation in udev. We previously released these updates and the advisory as SUSE-SA:2009:020 on April 16. Due to a mistake the patch fixing the security problem was not applied to the udev package, and we did not spot this during the release process due to use of a not fully functional proof of concept exploit in QA. Only SUSE Linux Enterprise 10 SP2 was missing the patch, the updated udev packages of other products released on April 16 contain the fix. The issue fixed: CVE-2009-1185: udev did not check the origin of the netlink messages. A local attacker could fake device create events and so gain root privileges. We thank SGI for reporting the missing patch problem to us. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes Please restart the udevd after applying the update, by doing: /etc/init.d/boot.udev restart Alternatively you can reboot the machine to be sure. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: SUSE Linux Enterprise Server 10 SP2 http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… SUSE Linux Enterprise 10 SP2 DEBUGINFO http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… SUSE Linux Enterprise Desktop 10 SP2 http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) iQEVAwUBSe84qHey5gA9JdPZAQK0+wf8DvrmzvVxX2T1gc9RHJEOHXrwjBgqtvO1 EJUnWVB40nI4yzQMP/TLe8Ks4ND2/971qExCHtdELKnHuj5jVattERpb/5n3hHYL VIQlvOvZ5AcFkMh5vBRBNkxf9uTUuXniVk2oLpU8moy7dIOYa0oCf9Wf+hlQh7Le zYdvtiW3FSjD48MzipWKsQVUsUzD07H2npXYEbWoRAvpZrakjAGkbYDSKfC2sOs1 L//EwIShjamz/ofhQKjvqNeuq/B/EcB/wJfs0JZex7m6m3vIQz07velpS7sF8SQW uQpWz9tU7rF1T3L8WYYRmaqfihKy0AKvHoaf2Q9SozcUpRTctcUxxA== =8X6M -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Announcement: cups (SUSE-SA:2009:024)
by Thomas Biege 22 Apr '09

22 Apr '09

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: cups Announcement ID: SUSE-SA:2009:024 Date: Wed, 22 Apr 2009 13:00:00 +0000 Affected Products: openSUSE 10.3 openSUSE 11.0 openSUSE 11.1 SUSE SLES 9 Novell Linux Desktop 9 Open Enterprise Server Novell Linux POS 9 SUSE Linux Enterprise Desktop 10 SP2 SUSE Linux Enterprise Server 10 SP2 SLE 11 Vulnerability Type: remote code execution Severity (1-10): 8 (critical) SUSE Default Package: yes Cross-References: CVE-2009-0146, CVE-2009-0147, CVE-2009-0163 CVE-2009-0165, CVE-2009-0166, CVE-2009-0799 CVE-2009-0800, CVE-2009-1179, CVE-2009-1180 CVE-2009-1181, CVE-2009-1182, CVE-2009-1183 Content of This Advisory: 1) Security Vulnerability Resolved: fixed remotely exploitable overflows Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: none 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion The Common Unix Printing System, CUPS, is a printing server for unix-like operating systems. It allows a local user to print documents as well as remote users via port 631/tcp. There were two security vulnerabilities fixed in cups. The first one can be triggered by a specially crafted tiff file. This file could lead to an integer overflow in the 'imagetops' filter which caused an heap overflow later. This bug is probably exploitable remotely by users having remote access to the CUPS server and allows the execution of arbitrary code with the privileges of the cupsd process. (CVE-2009-0163) The second issue affects the JBIG2 decoding of the 'pdftops' filter. The JBIG2 decoding routines are vulnerable to various software failure types like integer and buffer overflows and it is believed to be exploit- able remotely to execute arbitrary code with the privileges of the cupsd process. (CVE-2009-0146, CVE-2009-0147, CVE-2009-0165, CVE-2009-0166, CVE-2009-0799, CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181, CVE-2009-1182, CVE-2009-1183) 2) Solution or Work-Around none 3) Special Instructions and Notes none 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 11.1: http://download.opensuse.org/debug/update/11.1/rpm/i586/cups-debuginfo-1.3.… http://download.opensuse.org/debug/update/11.1/rpm/i586/cups-debugsource-1.… http://download.opensuse.org/update/11.1/rpm/i586/cups-1.3.9-7.2.1.i586.rpm http://download.opensuse.org/update/11.1/rpm/i586/cups-client-1.3.9-7.2.1.i… http://download.opensuse.org/update/11.1/rpm/i586/cups-devel-1.3.9-7.2.1.i5… http://download.opensuse.org/update/11.1/rpm/i586/cups-libs-1.3.9-7.2.1.i58… openSUSE 11.0: http://download.opensuse.org/debug/update/11.0/rpm/i586/cups-debuginfo-1.3.… http://download.opensuse.org/debug/update/11.0/rpm/i586/cups-debugsource-1.… http://download.opensuse.org/update/11.0/rpm/i586/cups-1.3.7-25.8.i586.rpm http://download.opensuse.org/update/11.0/rpm/i586/cups-client-1.3.7-25.8.i5… http://download.opensuse.org/update/11.0/rpm/i586/cups-devel-1.3.7-25.8.i58… http://download.opensuse.org/update/11.0/rpm/i586/cups-libs-1.3.7-25.8.i586… openSUSE 10.3: http://download.opensuse.org/update/10.3/rpm/i586/cups-1.2.12-22.21.i586.rpm http://download.opensuse.org/update/10.3/rpm/i586/cups-client-1.2.12-22.21.… http://download.opensuse.org/update/10.3/rpm/i586/cups-devel-1.2.12-22.21.i… http://download.opensuse.org/update/10.3/rpm/i586/cups-libs-1.2.12-22.21.i5… Power PC Platform: openSUSE 11.1: http://download.opensuse.org/debug/update/11.1/rpm/ppc/cups-debuginfo-1.3.9… http://download.opensuse.org/debug/update/11.1/rpm/ppc/cups-debugsource-1.3… http://download.opensuse.org/update/11.1/rpm/ppc/cups-1.3.9-7.2.1.ppc.rpm http://download.opensuse.org/update/11.1/rpm/ppc/cups-client-1.3.9-7.2.1.pp… http://download.opensuse.org/update/11.1/rpm/ppc/cups-devel-1.3.9-7.2.1.ppc… http://download.opensuse.org/update/11.1/rpm/ppc/cups-libs-1.3.9-7.2.1.ppc.… http://download.opensuse.org/update/11.1/rpm/ppc/cups-libs-64bit-1.3.9-7.2.… openSUSE 11.0: http://download.opensuse.org/debug/update/11.0/rpm/ppc/cups-debuginfo-1.3.7… http://download.opensuse.org/debug/update/11.0/rpm/ppc/cups-debugsource-1.3… http://download.opensuse.org/update/11.0/rpm/ppc/cups-1.3.7-25.8.ppc.rpm http://download.opensuse.org/update/11.0/rpm/ppc/cups-client-1.3.7-25.8.ppc… http://download.opensuse.org/update/11.0/rpm/ppc/cups-devel-1.3.7-25.8.ppc.… http://download.opensuse.org/update/11.0/rpm/ppc/cups-libs-1.3.7-25.8.ppc.r… http://download.opensuse.org/update/11.0/rpm/ppc/cups-libs-64bit-1.3.7-25.8… openSUSE 10.3: http://download.opensuse.org/update/10.3/rpm/ppc/cups-1.2.12-22.21.ppc.rpm http://download.opensuse.org/update/10.3/rpm/ppc/cups-client-1.2.12-22.21.p… http://download.opensuse.org/update/10.3/rpm/ppc/cups-devel-1.2.12-22.21.pp… http://download.opensuse.org/update/10.3/rpm/ppc/cups-libs-1.2.12-22.21.ppc… http://download.opensuse.org/update/10.3/rpm/ppc/cups-libs-64bit-1.2.12-22.… x86-64 Platform: openSUSE 11.1: http://download.opensuse.org/debug/update/11.1/rpm/x86_64/cups-debuginfo-1.… http://download.opensuse.org/debug/update/11.1/rpm/x86_64/cups-debugsource-… http://download.opensuse.org/update/11.1/rpm/x86_64/cups-1.3.9-7.2.1.x86_64… http://download.opensuse.org/update/11.1/rpm/x86_64/cups-client-1.3.9-7.2.1… http://download.opensuse.org/update/11.1/rpm/x86_64/cups-devel-1.3.9-7.2.1.… http://download.opensuse.org/update/11.1/rpm/x86_64/cups-libs-1.3.9-7.2.1.x… http://download.opensuse.org/update/11.1/rpm/x86_64/cups-libs-32bit-1.3.9-7… openSUSE 11.0: http://download.opensuse.org/debug/update/11.0/rpm/x86_64/cups-debuginfo-1.… http://download.opensuse.org/debug/update/11.0/rpm/x86_64/cups-debugsource-… http://download.opensuse.org/update/11.0/rpm/x86_64/cups-1.3.7-25.8.x86_64.… http://download.opensuse.org/update/11.0/rpm/x86_64/cups-client-1.3.7-25.8.… http://download.opensuse.org/update/11.0/rpm/x86_64/cups-devel-1.3.7-25.8.x… http://download.opensuse.org/update/11.0/rpm/x86_64/cups-libs-1.3.7-25.8.x8… http://download.opensuse.org/update/11.0/rpm/x86_64/cups-libs-32bit-1.3.7-2… openSUSE 10.3: http://download.opensuse.org/update/10.3/rpm/x86_64/cups-1.2.12-22.21.x86_6… http://download.opensuse.org/update/10.3/rpm/x86_64/cups-client-1.2.12-22.2… http://download.opensuse.org/update/10.3/rpm/x86_64/cups-devel-1.2.12-22.21… http://download.opensuse.org/update/10.3/rpm/x86_64/cups-libs-1.2.12-22.21.… http://download.opensuse.org/update/10.3/rpm/x86_64/cups-libs-32bit-1.2.12-… Sources: openSUSE 11.1: http://download.opensuse.org/update/11.1/rpm/src/cups-1.3.9-7.2.1.src.rpm openSUSE 11.0: http://download.opensuse.org/update/11.0/rpm/src/cups-1.3.7-25.8.src.rpm openSUSE 10.3: http://download.opensuse.org/update/10.3/rpm/src/cups-1.2.12-22.21.src.rpm Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: Open Enterprise Server http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… Novell Linux POS 9 http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… Novell Linux Desktop 9 http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… SUSE SLES 9 http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… SUSE Linux Enterprise Server 10 SP2 http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… SUSE Linux Enterprise Desktop 10 SP2 http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… SLES 11 http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… SLED 11 http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… SLE 11 http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… SLES 11 DEBUGINFO http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: none ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSe8qrney5gA9JdPZAQI4aQf/e938Hr+O1QYi9y5cm9ycOcaFHWx0oZED yyOc4lUYZrb7qjmErPHfpoMR9c2XZlmESwKY0RZjddxe+vINDrOcMuI4nrp12ObP uYvSAAz3xgpXzVtW5B/90ihHJAqHAnwOsdO8adt6PtKCt7T2gMPuQV0RSz3BRy// qtBHDNyTBRPK7ex/YKUyQAbNENQUa3r9BaHpTHWjscfCoQch4Wz5hmLKv/n7eYdj CFetsr6zu3hn3isKD8EPTIMbkpaYBMxp53UnNiRmVRy0Gb7zlBz5ByYQaYY+YKf/ OZ+ZHRTuDsNbAT03QtkvML3yqr3Yobb39DFa+cSsH2c9xTdwWdzSAg== =ZnS5 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Summary Report: SUSE-SR:2009:009
by Thomas Biege 21 Apr '09

21 Apr '09

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Summary Report Announcement ID: SUSE-SR:2009:009 Date: Tue, 21 Apr 2009 15:00:00 +0000 Cross-References: CVE-2008-4311, CVE-2008-4989, CVE-2009-0193 CVE-2009-0196, CVE-2009-0365, CVE-2009-0578 CVE-2009-0586, CVE-2009-0658, CVE-2009-0698 CVE-2009-0790, CVE-2009-0792, CVE-2009-0922 CVE-2009-0927, CVE-2009-0928, CVE-2009-1061 CVE-2009-1062, CVE-2009-1171, CVE-2009-1241 Content of this advisory: 1) Solved Security Vulnerabilities: - openswan/strongswan - clamav - gstreamer-0_10-plugins-base - gnome-panel - postgresql - acroread_ja - ghostscript-devel - xine-devel/libxine-devel - moodle - gnutls - udev, special instructions 2) Pending Vulnerabilities, Solutions, and Work-Arounds: none 3) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Solved Security Vulnerabilities To avoid flooding mailing lists with SUSE Security Announcements for minor issues, SUSE Security releases weekly summary reports for the low profile vulnerability fixes. The SUSE Security Summary Reports do not list or download URLs like the SUSE Security Announcements that are released for more severe vulnerabilities. Fixed packages for the following incidents are already available on our FTP server and via the YaST Online Update. - openswan/strongswan By sending a specially crafted Dead Peer Detection (DPD) packet remote attackers could crash the pluto IKE daemon (CVE-2009-0790). Affected products: openSUSE 10.3-11.1, SLES10, SLES11 - clamav ClamAV was updated to version 0.95 to also fix some potential security bugs. (CVE-2009-1241) Affected products: openSUSE 10.3-11.1, SLED, OES, SLES9-11 - gstreamer-0_10-plugins-base Specially crafted cover art tags in vorbis files could trigger a heap overflow in the base64 decoder. Attackers could potentially exploit that to execute arbitrary code (CVE-2009-0586). Affected products: openSUSE 11.0, SLE11 - gnome-panel The dbus package used a too permissive configuration. Therefore intended access control for some services was not applied (CVE-2008-4311). The new configuration denies access by default. Some dbus services break due to this setting and need an updated configuration as well. Affected products: openSUSE 11.1 - postgresql Remote authenticated users could crash the postgresql server by requesting a conversion with an inappropriate encoding (CVE-2009-0922). This was a minor version upgrade. Affected products: openSUSE 10.3-11.1, SLED, OES, SLES9-11 - acroread_ja Multiple flaws in the JBIG2 decoder and the JavaScript engine of the Adobe Reader allowed attackers to crash acroread or even execute arbitrary code by tricking users into opening specially crafted PDF files. (CVE-2009-0658, CVE-2009-0927, CVE-2009-0193, CVE-2009-0928, CVE-2009-1061, CVE-2009-1062) Affected products: SLED10-11 - ghostscript With this update the ghostscript-library four vulnerabilities were fixed: - heap-overflow in JBIG2 decoder (CVE-2009-0196) - integer overflow in ICC library (CVE-2009-0792) - crash in CCITTFax decoder - buffer overflow in BaseFont writer module Affected products: SLE11 (packages for other products will be released soon) - xine-devel/libxine-devel Specially crafted 4x movie files could cause an integer overflow in xine-lib (CVE-2009-0698). Affected products: openSUSE 10.3-11.1, SLE10-11 - moodle Special command sequences in TeX files allowed users to read arbitrary files (CVE-2009-1171). Affected products: openSUSE 10.3-11.1 - gnutls The previous security fix for gnutls (CVE-2008-4989) introduced a re- gression in the X.509 validation code for self-signed certificates. This update fixes this problem. Affected products: openSUSE 10.3-11.1, SLE10 (will be released soon), SLE11 - udev update on SLES 10 requires udevd restart The previously released udev update requires a restart of the udev daemon on SLES 10. Either use /etc/init.d/boot.udev restart or reboot the machine. On other SUSE products udevd is restarted by just applying the update already. ______________________________________________________________________________ 2) Pending Vulnerabilities, Solutions, and Work-Arounds none ______________________________________________________________________________ 3) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file containing the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and integrity of a package needs to be verified to ensure that it has not been tampered with. The internal RPM package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and included at the end of this announcement. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSe3I9Xey5gA9JdPZAQJooggAkJ4yOujpTyBD3cfhyvnmAEJNEpuCNtFZ fliUi+GxxLI3vt8yPzPUM4KqT7ioa8tFCw9pOyvfo/ejdy8P7/+0bsMsNO/WpzEN DbpRMSSUBEqmfN19KCOpKDooK6fLQoSWFCTy6WVMQ6D6LKJpp7uVA5n9i4KyC8z9 nuLkSPDSYm8DdzJnSU51WfzaHtNbQXr2dGsi8nMu8BapBLQMYpDQsiXkaoxyKiBs YViRWGoRA7npdVQWCsnIFJbXNgWWgJLG44IVITdRHc4XtJIBx4AmLVWjt7uiojRr Jfw7diA+On9E+vD9EEZadZ+/FXv7PPUCODkpdskom+xhhZnQuz4T3g== =/QaS -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Announcement: Mozilla Firefox 2 (SUSE-SA:2009:023)
by Marcus Meissner 20 Apr '09

20 Apr '09

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: MozillaFirefox Announcement ID: SUSE-SA:2009:023 Date: Mon, 20 Apr 2009 11:00:00 +0000 Affected Products: openSUSE 10.3 SUSE Linux Enterprise Desktop 10 SP2 SUSE Linux Enterprise 10 SP2 DEBUGINFO SUSE Linux Enterprise Server 10 SP2 Vulnerability Type: remote code execution Severity (1-10): 8 SUSE Default Package: yes Cross-References: CVE-2009-0040, CVE-2009-0352, CVE-2009-0353 CVE-2009-0772, CVE-2009-0774, CVE-2009-0776 CVE-2009-1169, MFSA 2009-01, MFSA 2009-07 MFSA 2009-09, MFSA 2009-10, MFSA 2009-12 Content of This Advisory: 1) Security Vulnerability Resolved: Mozilla Firefox 2 security update Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion The Mozilla Firefox Browser was refreshed to the current MOZILLA_1_8 branch state around fix level 2.0.0.22, backporting various security fixes from the Firefox 3.0.8 browser version. Security issues identified as being fixed are: MFSA 2009-01 / CVE-2009-0352 / CVE-2009-0353: Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. MFSA 2009-07 / CVE-2009-0772 / CVE-2009-0774: Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. MFSA 2009-09 / CVE-2009-0776: Mozilla security researcher Georgi Guninski reported that a website could use nsIRDFService and a cross-domain redirect to steal arbitrary XML data from another domain, a violation of the same-origin policy. This vulnerability could be used by a malicious website to steal private data from users authenticated to the redirected website. MFSA 2009-10 / CVE-2009-0040: Google security researcher Tavis Ormandy reported several memory safety hazards to the libpng project, an external library used by Mozilla to render PNG images. These vulnerabilities could be used by a malicious website to crash a victim's browser and potentially execute arbitrary code on their computer. libpng was upgraded to version 1.2.35 which contains fixes for these flaws. MFSA 2009-12 / CVE-2009-1169: Security researcher Guido Landi discovered that a XSL stylesheet could be used to crash the browser during a XSL transformation. An attacker could potentially use this crash to run arbitrary code on a victim's computer. This vulnerability was also previously reported as a stability problem by Ubuntu community member, Andre. Ubuntu community member Michael Rooney reported Andre's findings to Mozilla, and Mozilla community member Martin helped reduce Andre's original test case and contributed a patch to fix the vulnerability. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes Please close and restart all running instances of Firefox after the update. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 10.3: http://download.opensuse.org/update/10.3/rpm/i586/MozillaFirefox-2.0.0.21po… http://download.opensuse.org/update/10.3/rpm/i586/MozillaFirefox-translatio… Power PC Platform: openSUSE 10.3: http://download.opensuse.org/update/10.3/rpm/ppc/MozillaFirefox-2.0.0.21pos… http://download.opensuse.org/update/10.3/rpm/ppc/MozillaFirefox-translation… x86-64 Platform: openSUSE 10.3: http://download.opensuse.org/update/10.3/rpm/x86_64/MozillaFirefox-2.0.0.21… http://download.opensuse.org/update/10.3/rpm/x86_64/MozillaFirefox-translat… Sources: openSUSE 10.3: http://download.opensuse.org/update/10.3/rpm/src/MozillaFirefox-2.0.0.21pos… Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: SUSE Linux Enterprise Server 10 SP2 SUSE Linux Enterprise Desktop 10 SP2 SUSE Linux Enterprise 10 SP2 DEBUGINFO http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) iQEVAwUBSexH53ey5gA9JdPZAQJ3zAf/SSpl0jtLpBRCI2b366TrRX6dTBtDBLcm lD3FUZMweMlSvLPhgc8hn65vLimY2gUVz3frZNY5gqpnJ6ZVgwkvmVogjuAMChYj XOKPI5euAv/q0SUPTatqiL0cNONbS3vYIBFbDMghLPLd7yBAdN4xrUgJJzZqoG49 rijtz6E/XY+tRENs3Q9gKdfpVM87PgkfWcT5IiVykTYjsukirg9G1dMDRCscRnrH Zxaf+bZlN3tEHrcE/cxmcPNYqdnUI3oDnelq66CzXhBsNbualMWfW6ORAVAWus4k rl8A12toqW+7nHVC//s4OMG/n9Vii9czJXgguFicvHa6I3ZJHBY2CQ== =+Ocz -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Announcement: Mozilla Firefox 3 (SUSE-SA:2009:022)
by Marcus Meissner 20 Apr '09

20 Apr '09

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: MozillaFirefox Announcement ID: SUSE-SA:2009:022 Date: Mon, 20 Apr 2009 11:00:00 +0000 Affected Products: openSUSE 11.0 openSUSE 11.1 SLES 11 DEBUGINFO SLE 11 SLED 11 SLES 11 Vulnerability Type: remote code execution Severity (1-10): 8 SUSE Default Package: yes Cross-References: CVE-2009-1044, CVE-2009-1169, MFSA 2009-12 MFSA 2009-13 Content of This Advisory: 1) Security Vulnerability Resolved: Mozilla Firefox security update. Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion The Mozilla Firefox Browser was updated to the 3.0.8 release. It fixes two critical security issues: MFSA 2009-13 / CVE-2009-1044: Security researcher Nils reported via TippingPoint's Zero Day Initiative that the XUL tree method _moveToEdgeShift was in some cases triggering garbage collection routines on objects which were still in use. In such cases, the browser would crash when attempting to access a previously destroyed object and this crash could be used by an attacker to run arbitrary code on a victim's computer. This vulnerability was used by the reporter to win the 2009 CanSecWest Pwn2Own contest. This vulnerability does not affect Firefox 2, Thunderbird 2, or released versions of SeaMonkey. MFSA 2009-12 / CVE-2009-1169:Security researcher Guido Landi discovered that a XSL stylesheet could be used to crash the browser during a XSL transformation. An attacker could potentially use this crash to run arbitrary code on a victim's computer. This vulnerability was also previously reported as a stability problem by Ubuntu community member, Andre. Ubuntu community member Michael Rooney reported Andre's findings to Mozilla, and Mozilla community member Martin helped reduce Andre's original test case and contributed a patch to fix the vulnerability. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes Restart the Firefox browser after installing the update. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 11.1: http://download.opensuse.org/update/11.1/rpm/i586/MozillaFirefox-3.0.8-1.1.… http://download.opensuse.org/update/11.1/rpm/i586/MozillaFirefox-branding-u… http://download.opensuse.org/update/11.1/rpm/i586/MozillaFirefox-translatio… http://download.opensuse.org/update/11.1/rpm/i586/mozilla-xulrunner190-1.9.… http://download.opensuse.org/update/11.1/rpm/i586/mozilla-xulrunner190-deve… http://download.opensuse.org/update/11.1/rpm/i586/mozilla-xulrunner190-gnom… http://download.opensuse.org/update/11.1/rpm/i586/mozilla-xulrunner190-tran… http://download.opensuse.org/update/11.1/rpm/i586/python-xpcom190-1.9.0.8-1… openSUSE 11.0: http://download.opensuse.org/update/11.0/rpm/i586/MozillaFirefox-3.0.8-1.1.… http://download.opensuse.org/update/11.0/rpm/i586/MozillaFirefox-translatio… http://download.opensuse.org/update/11.0/rpm/i586/mozilla-xulrunner190-1.9.… http://download.opensuse.org/update/11.0/rpm/i586/mozilla-xulrunner190-deve… http://download.opensuse.org/update/11.0/rpm/i586/mozilla-xulrunner190-gnom… http://download.opensuse.org/update/11.0/rpm/i586/mozilla-xulrunner190-tran… Power PC Platform: openSUSE 11.1: http://download.opensuse.org/update/11.1/rpm/ppc/MozillaFirefox-3.0.8-1.1.1… http://download.opensuse.org/update/11.1/rpm/ppc/MozillaFirefox-branding-up… http://download.opensuse.org/update/11.1/rpm/ppc/MozillaFirefox-translation… http://download.opensuse.org/update/11.1/rpm/ppc/mozilla-xulrunner190-1.9.0… http://download.opensuse.org/update/11.1/rpm/ppc/mozilla-xulrunner190-devel… http://download.opensuse.org/update/11.1/rpm/ppc/mozilla-xulrunner190-gnome… http://download.opensuse.org/update/11.1/rpm/ppc/mozilla-xulrunner190-trans… http://download.opensuse.org/update/11.1/rpm/ppc/python-xpcom190-1.9.0.8-1.… openSUSE 11.0: http://download.opensuse.org/update/11.0/rpm/ppc/MozillaFirefox-3.0.8-1.1.p… http://download.opensuse.org/update/11.0/rpm/ppc/MozillaFirefox-translation… http://download.opensuse.org/update/11.0/rpm/ppc/mozilla-xulrunner190-1.9.0… http://download.opensuse.org/update/11.0/rpm/ppc/mozilla-xulrunner190-64bit… http://download.opensuse.org/update/11.0/rpm/ppc/mozilla-xulrunner190-devel… http://download.opensuse.org/update/11.0/rpm/ppc/mozilla-xulrunner190-gnome… http://download.opensuse.org/update/11.0/rpm/ppc/mozilla-xulrunner190-gnome… http://download.opensuse.org/update/11.0/rpm/ppc/mozilla-xulrunner190-trans… http://download.opensuse.org/update/11.0/rpm/ppc/mozilla-xulrunner190-trans… x86-64 Platform: openSUSE 11.1: http://download.opensuse.org/update/11.1/rpm/x86_64/MozillaFirefox-3.0.8-1.… http://download.opensuse.org/update/11.1/rpm/x86_64/MozillaFirefox-branding… http://download.opensuse.org/update/11.1/rpm/x86_64/MozillaFirefox-translat… http://download.opensuse.org/update/11.1/rpm/x86_64/mozilla-xulrunner190-1.… http://download.opensuse.org/update/11.1/rpm/x86_64/mozilla-xulrunner190-32… http://download.opensuse.org/update/11.1/rpm/x86_64/mozilla-xulrunner190-de… http://download.opensuse.org/update/11.1/rpm/x86_64/mozilla-xulrunner190-gn… http://download.opensuse.org/update/11.1/rpm/x86_64/mozilla-xulrunner190-gn… http://download.opensuse.org/update/11.1/rpm/x86_64/mozilla-xulrunner190-tr… http://download.opensuse.org/update/11.1/rpm/x86_64/mozilla-xulrunner190-tr… http://download.opensuse.org/update/11.1/rpm/x86_64/python-xpcom190-1.9.0.8… openSUSE 11.0: http://download.opensuse.org/update/11.0/rpm/x86_64/MozillaFirefox-3.0.8-1.… http://download.opensuse.org/update/11.0/rpm/x86_64/MozillaFirefox-translat… http://download.opensuse.org/update/11.0/rpm/x86_64/mozilla-xulrunner190-1.… http://download.opensuse.org/update/11.0/rpm/x86_64/mozilla-xulrunner190-32… http://download.opensuse.org/update/11.0/rpm/x86_64/mozilla-xulrunner190-de… http://download.opensuse.org/update/11.0/rpm/x86_64/mozilla-xulrunner190-gn… http://download.opensuse.org/update/11.0/rpm/x86_64/mozilla-xulrunner190-gn… http://download.opensuse.org/update/11.0/rpm/x86_64/mozilla-xulrunner190-tr… http://download.opensuse.org/update/11.0/rpm/x86_64/mozilla-xulrunner190-tr… Sources: openSUSE 11.1: http://download.opensuse.org/update/11.1/rpm/src/MozillaFirefox-3.0.8-1.1.1… http://download.opensuse.org/update/11.1/rpm/src/mozilla-xulrunner190-1.9.0… openSUSE 11.0: http://download.opensuse.org/update/11.0/rpm/src/MozillaFirefox-3.0.8-1.1.s… http://download.opensuse.org/update/11.0/rpm/src/mozilla-xulrunner190-1.9.0… Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: SLES 11 SLED 11 SLE 11 SLES 11 DEBUGINFO http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) iQEVAwUBSexHt3ey5gA9JdPZAQJK8gf/aL4srYtd92RWZ8gBYdA7XZE6znO97R7k VosLMQJt7kz3WCkiTD9/KJsjpQWyIiQ/96Me1ZsUuWEoYmLFBjj7OgrJ0qbbzn25 lX/yw5Zdwl2+z4YbR5FcgM9huEi9qHWYFEKBsH/TXixBH/Qm0tmfgCNKdlNvGD6J jEtnF4Wen3brAGtpZ0plB4y8X3PM607V2e8K9Dh3OjyKc0jqRqLtXhpZPFme+hV+ ebEig5Yiw3rBu6xZMhTP7veghNaQeQeZBWPtRAHBEkvXtsq4sRDHigyPPfo8Ymwr Y5g8wx2Gzn3wYRshndvTOcwE83PrNO513HMOTScw/tIuzQBm6vTGJg== =LJLA -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Announcement: Linux kernel (SUSE-SA:2009:021)
by Marcus Meissner 16 Apr '09

16 Apr '09

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: kernel Announcement ID: SUSE-SA:2009:021 Date: Thu, 16 Apr 2009 15:00:00 +0000 Affected Products: openSUSE 11.1 SLED 11 SLES 11 SLES 11 DEBUGINFO Vulnerability Type: local privilege escalation Severity (1-10): 6 SUSE Default Package: yes Cross-References: CVE-2009-0676, CVE-2009-0835, CVE-2009-1072 Content of This Advisory: 1) Security Vulnerability Resolved: Kernel security update Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion The Linux kernel was updated for SUSE Linux Enterprise 11 and openSUSE 11.1 fixing lots of bugs and some security issues. The kernel was also updated to the 2.6.27.21 stable release. CVE-2009-1072: nfsd in the Linux kernel does not drop the CAP_MKNOD capability before handling a user request in a thread, which allows local users to create device nodes, as demonstrated on a filesystem that has been exported with the root_squash option. CVE-2009-0676: The sock_getsockopt function in net/core/sock.c in the Linux kernel does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel memory via an SO_BSDCOMPAT getsockopt request. The fix for this was previously incomplete. CVE-2009-0835: The __secure_computing function in kernel/seccomp.c in the seccomp subsystem in the Linux kernel on the x86_64 platform, when CONFIG_SECCOMP is enabled, does not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass intended access restrictions via crafted syscalls that are misinterpreted as (a) stat or (b) chmod. The openSUSE 11.1 kernel was released before the easter weekend already. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes Please reboot the machine after installing the update. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 11.1: http://download.opensuse.org/update/11.1/rpm/i586/kernel-debug-2.6.27.21-0.… http://download.opensuse.org/update/11.1/rpm/i586/kernel-debug-base-2.6.27.… http://download.opensuse.org/update/11.1/rpm/i586/kernel-debug-extra-2.6.27… http://download.opensuse.org/update/11.1/rpm/i586/kernel-default-2.6.27.21-… http://download.opensuse.org/update/11.1/rpm/i586/kernel-default-base-2.6.2… http://download.opensuse.org/update/11.1/rpm/i586/kernel-default-extra-2.6.… http://download.opensuse.org/update/11.1/rpm/i586/kernel-pae-2.6.27.21-0.1.… http://download.opensuse.org/update/11.1/rpm/i586/kernel-pae-base-2.6.27.21… http://download.opensuse.org/update/11.1/rpm/i586/kernel-pae-extra-2.6.27.2… http://download.opensuse.org/update/11.1/rpm/i586/kernel-source-2.6.27.21-0… http://download.opensuse.org/update/11.1/rpm/i586/kernel-syms-2.6.27.21-0.1… http://download.opensuse.org/update/11.1/rpm/i586/kernel-trace-2.6.27.21-0.… http://download.opensuse.org/update/11.1/rpm/i586/kernel-trace-base-2.6.27.… http://download.opensuse.org/update/11.1/rpm/i586/kernel-trace-extra-2.6.27… http://download.opensuse.org/update/11.1/rpm/i586/kernel-vanilla-2.6.27.21-… http://download.opensuse.org/update/11.1/rpm/i586/kernel-xen-2.6.27.21-0.1.… http://download.opensuse.org/update/11.1/rpm/i586/kernel-xen-base-2.6.27.21… http://download.opensuse.org/update/11.1/rpm/i586/kernel-xen-extra-2.6.27.2… http://download.opensuse.org/update/11.1/rpm/i586/module-init-tools-3.4-56.… Platform Independent: openSUSE 11.1: http://download.opensuse.org/update/11.1/rpm/noarch/kernel-docs-2.6.3-3.13.… Power PC Platform: openSUSE 11.1: http://download.opensuse.org/update/11.1/rpm/ppc/kernel-default-2.6.27.21-0… http://download.opensuse.org/update/11.1/rpm/ppc/kernel-default-base-2.6.27… http://download.opensuse.org/update/11.1/rpm/ppc/kernel-default-extra-2.6.2… http://download.opensuse.org/update/11.1/rpm/ppc/kernel-kdump-2.6.27.21-0.1… http://download.opensuse.org/update/11.1/rpm/ppc/kernel-ppc64-2.6.27.21-0.1… http://download.opensuse.org/update/11.1/rpm/ppc/kernel-ppc64-base-2.6.27.2… http://download.opensuse.org/update/11.1/rpm/ppc/kernel-ppc64-extra-2.6.27.… http://download.opensuse.org/update/11.1/rpm/ppc/kernel-ps3-2.6.27.21-0.1.2… http://download.opensuse.org/update/11.1/rpm/ppc/kernel-source-2.6.27.21-0.… http://download.opensuse.org/update/11.1/rpm/ppc/kernel-syms-2.6.27.21-0.1.… http://download.opensuse.org/update/11.1/rpm/ppc/kernel-vanilla-2.6.27.21-0… http://download.opensuse.org/update/11.1/rpm/ppc/module-init-tools-3.4-56.1… x86-64 Platform: openSUSE 11.1: http://download.opensuse.org/update/11.1/rpm/x86_64/kernel-debug-2.6.27.21-… http://download.opensuse.org/update/11.1/rpm/x86_64/kernel-debug-base-2.6.2… http://download.opensuse.org/update/11.1/rpm/x86_64/kernel-debug-extra-2.6.… http://download.opensuse.org/update/11.1/rpm/x86_64/kernel-default-2.6.27.2… http://download.opensuse.org/update/11.1/rpm/x86_64/kernel-default-base-2.6… http://download.opensuse.org/update/11.1/rpm/x86_64/kernel-default-extra-2.… http://download.opensuse.org/update/11.1/rpm/x86_64/kernel-source-2.6.27.21… http://download.opensuse.org/update/11.1/rpm/x86_64/kernel-syms-2.6.27.21-0… http://download.opensuse.org/update/11.1/rpm/x86_64/kernel-trace-2.6.27.21-… http://download.opensuse.org/update/11.1/rpm/x86_64/kernel-trace-base-2.6.2… http://download.opensuse.org/update/11.1/rpm/x86_64/kernel-trace-extra-2.6.… http://download.opensuse.org/update/11.1/rpm/x86_64/kernel-vanilla-2.6.27.2… http://download.opensuse.org/update/11.1/rpm/x86_64/kernel-xen-2.6.27.21-0.… http://download.opensuse.org/update/11.1/rpm/x86_64/kernel-xen-base-2.6.27.… http://download.opensuse.org/update/11.1/rpm/x86_64/kernel-xen-extra-2.6.27… http://download.opensuse.org/update/11.1/rpm/x86_64/module-init-tools-3.4-5… Sources: openSUSE 11.1: http://download.opensuse.org/update/11.1/rpm/src/kernel-debug-2.6.27.21-0.1… http://download.opensuse.org/update/11.1/rpm/src/kernel-default-2.6.27.21-0… http://download.opensuse.org/update/11.1/rpm/src/kernel-docs-2.6.3-3.13.13.… http://download.opensuse.org/update/11.1/rpm/src/kernel-kdump-2.6.27.21-0.1… http://download.opensuse.org/update/11.1/rpm/src/kernel-pae-2.6.27.21-0.1.2… http://download.opensuse.org/update/11.1/rpm/src/kernel-ppc64-2.6.27.21-0.1… http://download.opensuse.org/update/11.1/rpm/src/kernel-ps3-2.6.27.21-0.1.2… http://download.opensuse.org/update/11.1/rpm/src/kernel-source-2.6.27.21-0.… http://download.opensuse.org/update/11.1/rpm/src/kernel-syms-2.6.27.21-0.1.… http://download.opensuse.org/update/11.1/rpm/src/kernel-trace-2.6.27.21-0.1… http://download.opensuse.org/update/11.1/rpm/src/kernel-vanilla-2.6.27.21-0… http://download.opensuse.org/update/11.1/rpm/src/kernel-xen-2.6.27.21-0.1.2… http://download.opensuse.org/update/11.1/rpm/src/module-init-tools-3.4-56.1… Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: SLES 11 http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… SLED 11 http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… SLES 11 DEBUGINFO http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) iQEVAwUBSedagHey5gA9JdPZAQL8AwgAifzoYzVs63xUtlcqz8jYKAB3GFoDxQQc FS4TzbljBtoP8VXroTrqmu2bc/MAF38mI/6sPCrSMC9IBnN2FuVzjNJhfvu29/OB LXBmOYWR+MJcAfh65S9W9jphFP1AsU2qilWb5O+5GXWiAvWvbWhdYTdG2AkSJ1PR MKzf4pdKloj5SVq+FWtNqopHtakB9VF3Xw26MKRxXwqZRLVqjXxCTq4R2qIZLJbG 6arrQmLvFPAx/xjFcq9Eg/BOvxEE8YBaAcenmbRKN0BCRUjQacAD8m5ixpHV5MmS hvPfNRwHLDWwPkAV/I9iXGu0Z/loFYHhtbwUWW5HeII2Us2nIlEAlg== =YDqi -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Announcement: udev local privilege escalation (SUSE-SA:2009:020)
by Marcus Meissner 16 Apr '09

16 Apr '09

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: udev Announcement ID: SUSE-SA:2009:020 Date: Thu, 16 Apr 2009 11:00:00 +0000 Affected Products: openSUSE 10.3 openSUSE 11.0 openSUSE 11.1 SUSE Linux Enterprise Desktop 10 SP2 SUSE Linux Enterprise 10 SP2 DEBUGINFO SUSE Linux Enterprise Server 10 SP2 SLES 11 DEBUGINFO SLE 11 SLED 11 SLES 11 Vulnerability Type: local privilege escalation Severity (1-10): 7 SUSE Default Package: yes Cross-References: CVE-2009-1185 CVE-2009-1186 Content of This Advisory: 1) Security Vulnerability Resolved: udev netlink message origin check problem Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: Fix for buffer overflow in udevd postponed. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion Sebastian Krahmer of SUSE Security identified a problem in udevd with handling of netlink messages. Local attackers could inject netlink messages due to a missing origin check where only the kernel should have been able to and so are able to escalate privileges. (CVE-2009-1185) Fixed packages have been released to address this issue for openSUSE 10.3-11.1, SUSE Linux Enterprise 10 SP2 and SUSE Linux Enterprise 11. SUSE Linux Enterprise Server 9 and Novell Linux Desktop 9 are not affected by this problem. 2) Solution or Work-Around There is no known workaround, please install the updated packages. 3) Special Instructions and Notes None. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 11.1: http://download.opensuse.org/update/11.1/rpm/i586/libudev-devel-128-9.7.1.i… http://download.opensuse.org/update/11.1/rpm/i586/libudev0-128-9.7.1.i586.r… http://download.opensuse.org/update/11.1/rpm/i586/libvolume_id-126-17.38.1.… http://download.opensuse.org/update/11.1/rpm/i586/libvolume_id-devel-128-9.… http://download.opensuse.org/update/11.1/rpm/i586/libvolume_id1-128-9.7.1.i… http://download.opensuse.org/update/11.1/rpm/i586/udev-128-9.7.1.i586.rpm openSUSE 11.0: http://download.opensuse.org/update/11.0/rpm/i586/libvolume_id-120-13.2.i58… http://download.opensuse.org/update/11.0/rpm/i586/libvolume_id-devel-120-13… http://download.opensuse.org/update/11.0/rpm/i586/udev-120-13.2.i586.rpm openSUSE 10.3: http://download.opensuse.org/update/10.3/rpm/i586/libvolume_id-114-19.3.i58… http://download.opensuse.org/update/10.3/rpm/i586/libvolume_id-devel-114-19… http://download.opensuse.org/update/10.3/rpm/i586/udev-114-19.3.i586.rpm Power PC Platform: openSUSE 11.1: http://download.opensuse.org/update/11.1/rpm/ppc/libudev-devel-128-9.7.1.pp… http://download.opensuse.org/update/11.1/rpm/ppc/libudev0-128-9.7.1.ppc.rpm http://download.opensuse.org/update/11.1/rpm/ppc/libvolume_id-126-17.38.1.p… http://download.opensuse.org/update/11.1/rpm/ppc/libvolume_id-devel-128-9.7… http://download.opensuse.org/update/11.1/rpm/ppc/libvolume_id1-128-9.7.1.pp… http://download.opensuse.org/update/11.1/rpm/ppc/udev-128-9.7.1.ppc.rpm openSUSE 11.0: http://download.opensuse.org/update/11.0/rpm/ppc/libvolume_id-120-13.2.ppc.… http://download.opensuse.org/update/11.0/rpm/ppc/libvolume_id-devel-120-13.… http://download.opensuse.org/update/11.0/rpm/ppc/udev-120-13.2.ppc.rpm openSUSE 10.3: http://download.opensuse.org/update/10.3/rpm/ppc/libvolume_id-114-19.3.ppc.… http://download.opensuse.org/update/10.3/rpm/ppc/libvolume_id-devel-114-19.… http://download.opensuse.org/update/10.3/rpm/ppc/udev-114-19.3.ppc.rpm x86-64 Platform: openSUSE 11.1: http://download.opensuse.org/update/11.1/rpm/x86_64/libudev-devel-128-9.7.1… http://download.opensuse.org/update/11.1/rpm/x86_64/libudev0-128-9.7.1.x86_… http://download.opensuse.org/update/11.1/rpm/x86_64/libvolume_id-126-17.38.… http://download.opensuse.org/update/11.1/rpm/x86_64/libvolume_id-devel-128-… http://download.opensuse.org/update/11.1/rpm/x86_64/libvolume_id1-128-9.7.1… http://download.opensuse.org/update/11.1/rpm/x86_64/udev-128-9.7.1.x86_64.r… openSUSE 11.0: http://download.opensuse.org/update/11.0/rpm/x86_64/libvolume_id-120-13.2.x… http://download.opensuse.org/update/11.0/rpm/x86_64/libvolume_id-devel-120-… http://download.opensuse.org/update/11.0/rpm/x86_64/udev-120-13.2.x86_64.rpm openSUSE 10.3: http://download.opensuse.org/update/10.3/rpm/x86_64/libvolume_id-114-19.3.x… http://download.opensuse.org/update/10.3/rpm/x86_64/libvolume_id-devel-114-… http://download.opensuse.org/update/10.3/rpm/x86_64/udev-114-19.3.x86_64.rpm Sources: openSUSE 11.1: http://download.opensuse.org/update/11.1/rpm/src/libvolume_id-126-17.38.1.s… http://download.opensuse.org/update/11.1/rpm/src/udev-128-9.7.1.src.rpm openSUSE 11.0: http://download.opensuse.org/update/11.0/rpm/src/udev-120-13.2.src.rpm openSUSE 10.3: http://download.opensuse.org/update/10.3/rpm/src/udev-114-19.3.src.rpm Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: SUSE Linux Enterprise Server 10 SP2 SUSE Linux Enterprise 10 SP2 DEBUGINFO SUSE Linux Enterprise Desktop 10 SP2 http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… SLES 11 SLED 11 SLE 11 SLES 11 DEBUGINFO http://download.novell.com/index.jsp?search=Search&set_restricted=true&keyw… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: The fix for the buffer overflow in util_path_encode() (CVE-2009-1186) has been postponed to a later udev release due to the urgency of the netlink problem. It is also rated lower, since local users cannot directly trigger the problematic code path. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) iQEVAwUBSedWbHey5gA9JdPZAQJvHwf+JVT2HT2SoqpAH+q2E5dcV8QT4iXV9zsY Q8Lc0ittjD+THmZYi8jlFvr7Z8zWTW5DuZayZS3/qQy71BdBUU+ceKZvz93ilZLL 62+fHGQm2qQURQ/3BtZZufOVrY7EYX707f01hCP2AQRhledzaXPLLMWqwMykdmA9 a4boTzDGZ1lqR+ocC1q8L0SMI5QxFruBljsr9ARrS3cD8UsbfNUfmVXHv7re3m6+ zMnYQ4c2j/2Cna0HGUxsHu+llqWNr7U06xA/DEL+Qyok5c+omH0/63rc2IuqdD/B pJORKlt0tc4Z3772w4sO5bZjXB3emWzs2cRcWqNwyfMjrvhrYakGJQ== =SqVZ -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Announcement: krb5 (SUSE-SA:2009:019)
by Thomas Biege 08 Apr '09

08 Apr '09

1 0