- openSUSE Security Announce

SUSE Security Announcement: kdelibs3 (SUSE-SA:2006:003)
by Ludwig Nussel 20 Jan '06

20 Jan '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: kdelibs3 Announcement ID: SUSE-SA:2006:003 Date: Fri, 20 Jan 2006 15:00:00 +0000 Affected Products: SUSE LINUX 10.0 SUSE LINUX 9.3 SUSE LINUX 9.2 SUSE LINUX 9.1 SUSE SLES 9 Vulnerability Type: remote code execution Severity (1-10): 8 SUSE Default Package: yes Cross-References: CVE-2006-0019 Content of This Advisory: 1) Security Vulnerability Resolved: buffer overflow in kjs JavaScript interpreter Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: - See SUSE Security Summary Report 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion Maksim Orlovich discovered a bug in the JavaScript interpreter used by Konqueror. UTF-8 encoded URLs could lead to a buffer overflow that causes the browser to crash or execute arbitrary code. Attackers could trick users into visiting specially crafted web sites that exploit this bug (CVE-2006-0019). 2) Solution or Work-Around JavaScript can be disabled in Konqueror's settings dialog to prevent exploitation. Some websites may no longer work with disabled JavaScript though. It is recommended to install the update packages. 3) Special Instructions and Notes Please close and restart KDE after the update. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kdelibs3-3.4.2-24.2.i… 4da8595fe0d3c701e806032625d67062 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kdelibs3-devel-3.4.2-… f65fe6cc710958987d7f1091e495e78d SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kdelibs3-3.4.0-20.10.i… c39e37cec38e079d5b1151c6adeb8d43 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kdelibs3-devel-3.4.0-2… 45143c3f3f9255e11b6f6847d1cf4cde SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kdelibs3-3.3.0-34.11.i… c391743607a2172222a507ef14d932cd ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kdelibs3-devel-3.3.0-3… 277ac4cbb60108065e238ba69687c30e SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kdelibs3-3.2.1-44.65.i… 6ea9bf914237736465798eb49159f505 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kdelibs3-devel-3.2.1-4… 468d28e2f0197338547ebc47043dbfaa ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/i586/kdelibs3-32bit-9.1-2… 518250500bc4273fd9a1dfa58dd50fb9 Power PC Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kdelibs3-3.4.2-24.2.pp… 645ce5753fcaced95e7045e4ba2baa73 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kdelibs3-devel-3.4.2-2… 803b30418ecad1605c01c0acaa762f90 x86-64 Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kdelibs3-3.4.2-24.2… 08d09df2cfbac860b8f45981bd1a8579 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kdelibs3-32bit-3.4.… 5bb97f9539926bb53e02940b5e20ec31 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kdelibs3-devel-3.4.… e69607737e2bcdcecc8022e9bbda9182 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kdelibs3-3.4.0-20.10… da3a139ef5d48d2d74a4d7765cd2c9ef ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kdelibs3-32bit-9.3-7… 3aa26c0f85df70264adb2f2728efe354 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kdelibs3-devel-3.4.0… 7759332a6d673e473396caf58fc37809 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kdelibs3-3.3.0-34.11… 09c2ac4f36551962cc6913d91d9d5cc8 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kdelibs3-32bit-9.2-2… f1ff64a1e623352959f4fcdd70063224 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kdelibs3-devel-3.3.0… 807cb8a5e80bd370e0da572a30c7afb8 SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kdelibs3-3.2.1-44.… 23bfa7a97403484f3ebe61fd052ec3af ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kdelibs3-devel-3.2… 58e71b33071f76606ebfba5e47787631 Sources: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kdelibs3-3.4.2-24.2.sr… 8ffd6e0aa985efac9b20ee7b6b2f17d3 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kdelibs3-3.4.0-20.10.sr… caae379e491c53dd3d9bfd0076fed8e7 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kdelibs3-3.3.0-34.11.sr… 9c92bfa995b6eb4ac817c1245b45394c SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kdelibs3-3.2.1-44.65.sr… d9ace2e104ffd4683c340fc8f145e1d1 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kdelibs3-3.2.1-44.65.… 85ff708f506a4820e6d2b3b4e3d239fc Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/c529411b083519d… http://portal.suse.com/psdb/c529411b083519d0efa17dd55af4ae8c.html ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: - See SUSE Security Summary Report ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iQEVAwUBQ9D8D3ey5gA9JdPZAQKylgf8CB7k8gi+61B1kUw74vb3fTDgfNk/IDX0 PJmAbzUydzVcRsQSjgJqmsbZylpIsgh00Wszqt4VaE02QdtBolhlf6BFe2fDur33 UqNQlg/nfTrCn4H9SnBbAaD6kLO9hw6N6oW4yIgjf37b84I+/u6GwN460XRjyYxB PoNbSWOL3Ad6n0txDzd+Ayu3XNISYJcLht8mfwFsUVo5fJdXsDr9Q5WYmB2LevjQ r5sWuKch5vpfPtQU3QzH40sLVr/0iQd5h4Jj+3oihvxLwcr7zZGRQDK/wB2Xwjv2 H9U6mGPhujTH13zoWUN3tXqJJu7IZzp736+DUcwS4vGrDw7PFooFZg== =FLaD -----END PGP SIGNATURE-----

1 0

SUSE Security Summary Report SUSE-SR:2006:001
by Marcus Meissner 13 Jan '06

13 Jan '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Summary Report Announcement ID: SUSE-SR:2006:001 Date: Fri, 13 Jan 2006 14:00:00 +0000 Cross-References: CVE-2005-3191, CVE-2005-3192, CVE-2005-3534 CVE-2005-3597, CVE-2005-3904, CVE-2005-3905 CVE-2005-3906 Content of this advisory: 1) Solved Security Vulnerabilities: - mailman crash during UTF-8 decoding - pdftohtml - xpdf problems - Mirror overload - Sun Java JRE security problems - nbd buffer overflow - clamav 0.88 UPX heap overflow 2) Pending Vulnerabilities, Solutions, and Work-Arounds: - none listed. 3) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Solved Security Vulnerabilities To avoid flooding mailing lists with SUSE Security Announcements for minor issues, SUSE Security releases weekly summary reports for the low profile vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums or download URLs like the SUSE Security Announcements that are released for more severe vulnerabilities. Fixed packages for the following incidents are already available on our FTP server and via the YaST Online Update. - Mirror overload We are currently experiencing bottle necked mirrors. This will make some security updates appear hours if not days later after they are released. We are working on resolving these problems. - clamav 0.88 UPX heap overflow The virus scan engine clamav was upgraded to version 0.88 to fix (among other things) a security relevant heap overflow in the UPX decoder. This is tracked by the Mitre CVE ID CVE-2006-0162. All SUSE Linux based products containing clamav are affected. - mailman crash during UTF-8 decoding The mailing list manager mailman could be crashed due to a bug while decoding UTF-8. This is tracked by the Mitre CVE ID CAN-2005-3597. All SUSE Linux based products containing mailman are affected. Additionally the dependency on python-xml that was introduced by the previous update has been removed again. - pdftohtml - xpdf problems pdftohtml was updated to fix integer overflows in the contained xpdf code that potentially allowed to execute arbitrary code via specially crafted PDF files. This is tracked by the Mitre IDs CVE-2005-3191 and CVE-2005-3192. - Sun Java JRE security problems Unspecified vulnerabilities within the Sun Java JRE allow attackers to execute arbitrary code outside the sandbox. The IDs CVE-2005-3904, CVE-2005-3905 and CVE-2005-3906 have been assigned to this issue. The Sun Java packages for the affected products have been upgraded to the current minor patch level. For 1.4.2 this is patch level 1_4_2_10, for 1.5.0 this is patch level 1_5_0_06. - nbd buffer overflow Buffer overflow in the Network Block Device (nbd) server allows remote attackers to execute arbitrary code via a large request, which is written past the end of the buffer because nbd does not account for memory taken by the reply header. This issue is tracked by the Mitre ID CVE-2005-3534. Only SUSE Linux 10.0 includes the nbd package. ______________________________________________________________________________ 2) Pending Vulnerabilities, Solutions, and Work-Arounds None listed today. ______________________________________________________________________________ 3) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file containing the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and integrity of a package needs to be verified to ensure that it has not been tampered with. The internal RPM package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and included at the end of this announcement. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ) send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iQEVAwUBQ8fNkney5gA9JdPZAQLjAgf+NTcuAB5WK96zKJOXM6UFBQWk9Gvnt9Rv Tv3IGga5Bkp+q4YhTZiSdBzjEBIrEBoBWpkBEb9aux6aW5GwKSWWcgVMqPnWAwrf qDyoqeZYPDBDAIDTew+LPjybt0gAQskrvfTlZcPie9k7UnNt4hCC+lN3bS1bdI+c 8i1MIKfDNN5mZjsiIrj8C9MQHJkC/cCC32w0INt3GoUROIEfEX/BDwoaV+XdC286 4rvS2yN5oMSnoxfNhM/elYBYONrO8w+1mTNfkEOb++3QghADggkG/gn+FlUdIkEl 2Bss26yIzPozYVdJyUXq+SaQIoZsAt/ZTo+gI9In7bFC4KmdVuu6gQ== =5u5U -----END PGP SIGNATURE-----

1 0

SUSE Security Announcement: novell-nrm remote heap overflow (SUSE-SA:2006:002)
by Marcus Meissner 13 Jan '06

13 Jan '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: novell-nrm Announcement ID: SUSE-SA:2006:002 Date: Fri, 13 Jan 2006 15:00:00 +0000 Affected Products: Open Enterprise Server Vulnerability Type: remote code execution Severity (1-10): 10 SUSE Default Package: yes Cross-References: CVE-2005-3655 Content of This Advisory: 1) Security Vulnerability Resolved: remote heap overflow Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion iDEFENSE reported a security problem with the Novell Remote Manager. By passing a huge or negative size via a HTTP request header to httpstkd it was possible to corrupt heap memory and so potentially execute code. We have released updated packages for this problem. The affected novell-nrm package is only included in the Open Enterprise Server. This issue is tracked by the Mitre CVE ID CVE-2005-3655. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes None 4) Package Location and Checksums The preferred method for installing security updates on Open Enterprise Server is Red Carpet / ZLM. The packages are also offered for installation from the maintenance web: http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/1af470a99a736eb… http://portal.suse.com/psdb/1af470a99a736eb966cc0e52fb71ee98.html ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iQEVAwUBQ8fIWXey5gA9JdPZAQK6Ewf/c8DGMFZVm1SH3KY6FgkS/LvwF8jYwJed TyF3kt/IPndQzUmlcyitRsWn5jlVUKxqXvP+PZOEnKt1WSC72h7XioDLteTXE7O9 3kISvDwtAE3IwQV2mhpck6ZNKwiMbtovnViXi5i2KT2ZZkhrqT5ukKWVm0OwCjjS ygtIqSPJE+WPCHpJVVLmWqnpLRutjiMXuZxdQz02XP58bivcOw0XxbdVo8A99Od3 BZKEJJWLjtmPfWRaXT7KOGonO4kVxxUdEFd7g/uNZ4Oe1oV3RzoY+5tJ0zpgraEi aKex7lSlIaeIcNRn6I1QwUtiIoGzV+wFPCB+ww5rLGgFXPCf3zkDkg== =MUKi -----END PGP SIGNATURE-----

1 0

SUSE Security Announcement: xpdf,kpdf,gpdf,kword (SUSE-SA:2006:001)
by Ludwig Nussel 11 Jan '06

11 Jan '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: xpdf,kpdf,gpdf,kword Announcement ID: SUSE-SA:2006:001 Date: Wed, 11 Jan 2006 11:00:00 +0000 Affected Products: SUSE LINUX 10.0 SUSE LINUX 9.3 SUSE LINUX 9.2 SUSE LINUX 9.1 SuSE Linux 9.0 SuSE Linux Desktop 1.0 SUSE SLES 9 Vulnerability Type: remote code execution Severity (1-10): 8 SUSE Default Package: yes Cross-References: CVE-2005-3191, CVE-2005-3192, CVE-2005-3193 CVE-2005-3624, CVE-2005-3625, CVE-2005-3626 CVE-2005-3627, CVE-2005-3628 Content of This Advisory: 1) Security Vulnerability Resolved: xpdf overflows Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: - See SUSE Security Summary Report 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion "infamous41md", Chris Evans and Dirk Mueller discovered multiple places in xpdf code where integer variables are insufficiently checked for range or overflow. Specially crafted PDF files could lead to executing arbitrary code. Copies of xpdf code are also contained in cups, kpdf, kword, gpdf, libextractor, pdf2html, poppler and tetex. Updates for those are in the works. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes None 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/gpdf-2.10.0-12.2.i586… d18bb30f0ca16745731347cf0650fc68 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kdegraphics3-pdf-3.4.… e4bc5e4b5b7c0f70af4683fa15dff3f4 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/koffice-wordprocessin… 3389b3f042f62184857839fd7c67cbd7 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/poppler-0.4.2-3.2.i58… a75a1bacec1403b217cf581b99765fc3 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/poppler-devel-0.4.2-3… 681b3dcab91a337aeb7f3f0af12bdd0b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xpdf-3.00-92.2.i586.r… 7f32bfdf4bdb028357677ff17b1d9f6f SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/gpdf-2.10.0-4.4.i586.r… d8a93bc1adec7f15afb2e8b541488c2b ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kdegraphics3-pdf-3.4.0… f2e7cb3dbc8b436c4c4a867a5c94958c ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/koffice-wordprocessing… cd950553c21d251276ca84ba028a2b9e ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/xpdf-3.00-87.2.i586.rpm 8102a9958b2bc28c0e8a60671f4d519b SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/gpdf-0.131-11.10.i586.… df9f74620e84ea4c11b84cfb10e69306 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kdegraphics3-pdf-3.3.0… 722e74750d3bf72e605b9d8eb0023c80 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/koffice-wordprocessing… b0b429206f01244d13a9a7d1a16b6143 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/xpdf-3.00-78.11.i586.r… 1a7a20419afc0d6c4959a15aa1f976d1 SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/gpdf-0.112.1-26.10.i58… 49949f0f26639500de85de9c0dd70df7 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kdegraphics3-pdf-3.2.1… acf919d3d0ce4ab1a16da290656677d9 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/koffice-wordprocessing… 94c2dda6e2ea25fe045118d26856a514 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/xpdf-3.00-64.35.i586.r… 3974f2efa05de1594ceeaa3ad57a6b74 SuSE Linux 9.0: ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/koffice-wordprocessing… 883ba0b73d70a21d6ed897b4b0b3c1a4 ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/xpdf-2.02pl1-150.i586.… 86c771eb44dc3833fdbce3bed0716262 Power PC Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/gpdf-2.10.0-12.2.ppc.r… bbaf5a0eac9a4d5d2467bc9d77439210 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kdegraphics3-pdf-3.4.2… d0484799ace3a8aeeb38c86ce58e85bf ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/koffice-wordprocessing… 363a3440a5dff8ed64bfba1a0cd531ff ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/poppler-0.4.2-3.2.ppc.… 430d091aa4c9a1f2c391f552aaaa8c75 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/poppler-devel-0.4.2-3.… 47d6a93ae2f99f39f55d9afd72f36e94 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/xpdf-3.00-92.2.ppc.rpm 04b7afc835bacd1f02fa192d24815472 x86-64 Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/gpdf-2.10.0-12.2.x8… fc2932006570d4c15f030bf43ed09bb0 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kdegraphics3-pdf-3.… 49700f1c6ed9ffbf77976bcffa35303a ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/koffice-wordprocess… 8799f1a0189347188d19c2a9b20152b3 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/poppler-0.4.2-3.2.x… 61ea84a3c56cbacb29c6dd636483b187 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/poppler-devel-0.4.2… 07181a86914c6068a2e60283c83bfb71 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xpdf-3.00-92.2.x86_… ce55cb6845c4f584c0b7101b898d8d9d SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/gpdf-2.10.0-4.4.x86_… 0a68dfd24957d96c06b6952893a7382d ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kdegraphics3-pdf-3.4… 12e673d22f441de69b1e0c4ce5448663 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/koffice-wordprocessi… 300c5490408a63405a9e0efab35af15a ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/xpdf-3.00-87.2.x86_6… 6d81863cc8083a5a3cc1a7bae94b7841 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/gpdf-0.131-11.10.x86… 66662232ac294a8745a57f685ba44363 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kdegraphics3-pdf-3.3… da7070a2fff9e8a169d7f3d5151c1d62 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/koffice-wordprocessi… 4308395ca9e996171d3bd56aea06c85b ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/xpdf-3.00-78.11.x86_… 7e903dc92b38b84c52a7b02b9f34cea8 SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/gpdf-0.112.1-26.10… d38ce78c6436b1f63bc207e16cb21c70 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kdegraphics3-pdf-3… 65594cc258627443e91db9bfaaab972d ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/koffice-wordproces… 0aea7880cc737a580c540b4510ce3378 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/xpdf-3.00-64.35.x8… 5dc6cbd898fe28a0533b6aae6cac55e6 SuSE Linux 9.0: ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/koffice-wordproces… b03b33882aedc36cb42d88ae17370aa5 ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/xpdf-2.02pl1-150.x… 41c6b26f17f1272302d379cc2c83f5db Sources: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/gpdf-2.10.0-12.2.src.r… 7dc880c705ebc6ae4b2a0d9236a8d141 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/poppler-0.4.2-3.2.src.… e98a835e0c0ed817314ded34391a7d13 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/xpdf-3.00-92.2.src.rpm aedde31d92e0d54d60837c282965a830 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/gpdf-2.10.0-4.4.src.rpm 95dc124c8e7a648111f8f9ff6b13284a ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/xpdf-3.00-87.2.src.rpm 359b372d95dde9bedc52f56fe3f8c405 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/gpdf-0.131-11.10.src.rpm a0dd3601769947d84eae417d9df3a874 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/xpdf-3.00-78.11.src.rpm 5575ff90d0dd66fc6230f75e58ade6ea SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/gpdf-0.112.1-26.10.src.… 3cdaff2b9a6083bc68ae7e7ab150ab95 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/xpdf-3.00-64.35.src.rpm 09494433e9255b6b69a25b253f2b5ce4 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/gpdf-0.112.1-26.10.sr… 290c84ee7d0865a3a3205fe8042cbf2d ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/xpdf-3.00-64.35.src.r… d643371e4a437f8275e5436f0250840e SuSE Linux 9.0: ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/xpdf-2.02pl1-150.src.rpm eaa4940e318b5725d310d58acf16278e ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/xpdf-2.02pl1-150.src.… 11bc3011e0c4d74e326ce9b08fb49f4f Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/e23e62fac6f33fa… http://portal.suse.com/psdb/e23e62fac6f33fa5f59d848e60edc2b7.html http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/72f39a257a21ca2… http://portal.suse.com/psdb/72f39a257a21ca2bd6825d3200ac3f97.html ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: - See SUSE Security Summary Report ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iQEVAwUBQ8TzS3ey5gA9JdPZAQLVJwf7BJ7sfp0/DlPAYFoWJGwphtHxLEQpCsWy bYW2R9d8SrMbZiuaKYqHjjfxFD4Bu69A5ZaIo7ib6ksRh2+Sl5AKPHTcyo6pinda cj5eSn2kJkuG7KlfAw72RvuybuICZHVtd6XVzvr9Bb2OcUv2EehL5QLQ4wGaIkrY VJcZPKGzv5zDROIWcZFotOe0A0mOLMeJ5Fbw69a1Yu31dUoPFZ9XhZ95o+tWLCp3 hB0awpUDy/WvmK60RmaplOVbkskCrbL3Iew4HGpbhn5O30s33Zuy8wdhMuwphOtz HXMtk8xxTdemGa3PkbKH2S7UUEvJpbkSwDNmjAxilSPRQRAX8I0Vkg== =xykU -----END PGP SIGNATURE-----

1 0

SUSE Security Announcement: perl integer overflows (SUSE-SA:2005:071)
by Marcus Meissner 20 Dec '05

20 Dec '05

-----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SUSE Security Announcement Package: perl Announcement ID: SUSE-SA:2005:071 Date: Tue, 20 Dec 2005 16:00:00 +0000 Affected Products: SUSE LINUX 10.0 SUSE LINUX 9.3 SUSE LINUX 9.2 SUSE LINUX 9.1 SuSE Linux 9.0 SuSE Linux Desktop 1.0 SuSE Linux Enterprise Server 8 SUSE Linux Enterprise Server 9 UnitedLinux 1.0 Vulnerability Type: remote denial of service Severity (1-10): 6 SUSE Default Package: yes Cross-References: CVE-2005-3962 Content of This Advisory: 1) Security Vulnerability Resolved: perl integer overflows Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: none 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion Integer overflows in the format string functionality in Perl allows attackers to overwrite arbitrary memory and possibly execute arbitrary code via format string specifiers with large values, which causes an integer wrap. This requires the attacker to be able to supply format strings to the application, which unfortunately is true for some web applications. This issue is tracked by the Mitre CVE ID CVE-2005-3962. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes Please close and restart all running instances of daemons or web services using perl after the update. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/perl-5.8.7-5.3.i586.r… 4de87a1baabaca72b1d043f5802b55e8 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/perl-5.8.6-5.3.i586.rpm bf2673a0102d07e3498ebb608a6bf86a SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/perl-5.8.5-3.5.i586.rpm 7f3e5f07cdf3e5adcb2bb4a1a70fcd66 SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/perl-5.8.3-32.9.i586.r… 39e0469e1e258ce2a762f44010eeed44 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/i586/perl-32bit-9.1-20051… fcb5e777e342dc3cf7e80f25b79d6002 SuSE Linux 9.0: ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/perl-5.8.1-133.i586.rpm 4f689e4779e62911c6707325c04bb8c7 ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/i586/perl-32bit-9.0-5.i58… 3dccbba55f989dac7c1ceaeba1c15aa5 Power PC Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/perl-5.8.7-5.3.ppc.rpm ec6e2f878cfa801f66f7b61d68c7452c x86-64 Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/perl-32bit-5.8.7-5.… a113b1b20c1df8328bc7baff457e9e11 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/perl-5.8.7-5.3.x86_… a159900f0c1d25eff753cbead86c1a9e SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/perl-32bit-9.3-7.1.x… 785b553f17cd5b4ee0926a90937493e5 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/perl-5.8.6-5.3.x86_6… 301a89dfea1b345a6753601c75e7b010 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/perl-32bit-9.2-20051… 5f3c243a01d669afe1c1682f55eb857d ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/perl-5.8.5-3.5.x86_6… e484649b779194349e596203be509956 SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/perl-5.8.3-32.9.x8… cd955e730ce66e9d4ba47fbcd8ecb973 SuSE Linux 9.0: ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/perl-5.8.1-133.x86… 36fe8f513fe87de69647c822f0c3d9b3 Sources: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/perl-5.8.7-5.3.src.rpm c9b1fa3cdf5c114d04445adde820062b SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/perl-5.8.6-5.3.src.rpm 34b2ee13c4b71864af2ee166d4cee5cb SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/perl-5.8.5-3.5.src.rpm fdaa01f4114cffa02a248a93c9d6c2d1 SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/perl-5.8.3-32.9.src.rpm 3d448ecc6dea15f0f80791f38cdb9f55 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/perl-5.8.3-32.9.src.r… f56950501a81a8317330251c49ef9e68 SuSE Linux 9.0: ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/perl-5.8.1-133.src.rpm 76462aa014e8f9f26d227bb3974281e6 ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/perl-5.8.1-133.src.rpm 96e52a75014166fffdf1c926179fca72 Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/f1f7d27ae5fa188… http://portal.suse.com/psdb/f1f7d27ae5fa1885e9f8997fbfd489de.html ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: none ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iQEVAwUBQ6gcjXey5gA9JdPZAQHmCgf/bnIE6/9MGhAca2TCOzRTZtIs3vgvto9r KStkCeq0cr9F5quOyEDooTH56Faq+NJY3jcrri2MF3z0TFT1ExtyI6k03VK3Tedl F0H3O59iGvxaHObkCUP7VflLD5YBsoKMHOcc6YUssImNlxXGmZ5H3tOz1DcjWOTO Vm129f64tT3/+UwmEdOh5Cu1F53IQ9ysAZTWg1IsCoWsTzqygBevsW9QMfIj7o+n 8jZdiGD4N9P+Dmy+BTahUMPm/Kt5AO1VE20YYoYdLIaP+DR9nHFURRGs6SiEJ+Cm D29yx6B2ufuHo+4vpu1ZBMv/mGsquvECOjXg0V9+/xJH378NT2F8Eg== =QxhO -----END PGP SIGNATURE-----

1 0

SUSE Security Announcement: openswan,freeswan,ipsec-tools denial of service (SUSE-SA:2005:070)
by Marcus Meissner 20 Dec '05

20 Dec '05

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: ipsec-tools,freeswan,openswan Announcement ID: SUSE-SA:2005:070 Date: Tue, 20 Dec 2005 11:00:00 +0000 Affected Products: SUSE LINUX 10.0 SUSE LINUX 9.3 SUSE LINUX 9.2 SUSE LINUX 9.1 SUSE Linux Enterprise Server 9 Vulnerability Type: remote denial of service Severity (1-10): 5 SUSE Default Package: no Cross-References: CVE-2005-3671, CVE-2005-3732 Content of This Advisory: 1) Security Vulnerability Resolved: Internet Key Exchange v1 problems in various IPsec implementations Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion Openswan, Freeswan and raccoon (ipsec-tools) have been updated to fix crashes in aggressive mode. An attacker might send specially crafted packets that can crash racoon or Pluto. The ipsec-tools / racoon crashes are tracked by the Mitre CVE ID CVE-2005-3732. The openswan / freeswan crashes are tracked by the Mitre CVE ID CVE-2005-3671. SUSE Linux Enterprise Server 8 and SUSE Linux 9.0 contain freeswan 1.x and seem no to be affected by this problem. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes Please close and restart all running instances of openswan, freeswan or racoon after the update. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/ipsec-tools-0.6-4.2.i… f82b5941ca8143a7f81315f2309c28e9 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/openswan-2.4.4-1.1.i5… 9d2318b4da837ae3175547ba261235c5 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/ipsec-tools-0.5-5.2.i5… 57b586b7aaa612c6250a8b037afe9335 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/openswan-2.2.0-12.4.i5… 6c152ba37641677fc4c59c44199a9225 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/ipsec-tools-0.4rc1-3.4… ca1ffa39b311744976bc9754f003c71f ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/openswan-2.2.0-8.4.i58… 88dedfd8ad12456158b0f60d0a4714f4 SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/freeswan-2.04_1.5.4-1.… 64b2fc324586f4af0060b8dd0c6597eb ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/ipsec-tools-0.3.3-1.9.… c523ed28073d5d76a1468763cc3820ea Power PC Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/ipsec-tools-0.6-4.2.pp… fc12c770db47d6a51b7cfc7e92b0f003 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/openswan-2.4.4-1.1.ppc… 6a0c80ce5f3a489221e605ea7ee724d5 x86-64 Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/ipsec-tools-0.6-4.2… 7550e022c5557841a06c6334d1a2632c ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/openswan-2.4.4-1.1.… b25da775ec60a014febb111179a42e91 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/ipsec-tools-0.5-5.2.… 8ee673f4f3386e6e0a5ea123cad19064 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/openswan-2.2.0-12.4.… b65ee8de2eae744f40b7d33ae912995c SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/ipsec-tools-0.4rc1-3… 8e4f8794e3f8322b4b5c301d964cfabd ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/openswan-2.2.0-8.4.x… 30af3b8e87fe2018ae2b4a1a884887e2 SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/freeswan-2.04_1.5.… dbdf3e6c1d45a0e42f0facfd78edc29c ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/ipsec-tools-0.3.3-… bcf17a5cd915276de386e8181c87ec99 Sources: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/ipsec-tools-0.6-4.2.sr… 6ecfb0963c478d0962fad9146110466c ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/openswan-2.4.4-1.1.src… e8f841c893e062f2e378eb269ba7d128 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/ipsec-tools-0.5-5.2.src… 0944add00587f50f20c5f7a38fac5b4f ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/openswan-2.2.0-12.4.src… 5d89968ca8f4b1718f0018c8c466ddf9 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/ipsec-tools-0.4rc1-3.4.… 26d12b6a99b2723272a74f402ba4ff58 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/openswan-2.2.0-8.4.src.… f097a1113a838a007c586c72bb7e43a2 SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/freeswan-2.04_1.5.4-1.2… 362067f9c39a902c433af5f998b4eecf ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/ipsec-tools-0.3.3-1.9.s… b7443b44f2ee6cab65f214e6e983f113 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/freeswan-2.04_1.5.4-1… 95d18a7cf39acaabb747edfc7b5411cd ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/ipsec-tools-0.3.3-1.9… 517f4afbe1f3d1b3ad554582d4463bb2 Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/9f8549c0fdb4c32… http://portal.suse.com/psdb/9f8549c0fdb4c32ce15be24ba50f632b.html http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/b009511f6a95df1… http://portal.suse.com/psdb/b009511f6a95df19e9a44b526dd24358.html ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: none ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iQEVAwUBQ6fbyHey5gA9JdPZAQKFpAf/UFb+/A6Rz6FPhCW1qO7a01mnnJRhL+WA hRh8vFHu6Ct0XpjWwRLcbkDRmaFifiLfuYAcJU6PpgNlB1DGlxfNigBhK17TBMQD DlAbLYIGdLDxXx5ZcT1I2Uza9REY7htJp8JvXwv0qXXibxdmMCXf62hDcc3UCxfR uNxML6AkjQaPLzVC5NKDIa10PHE7Tj6JWh3qKPzkVMhtoB1rTdp/7t0fTaF/btJQ OAtLshFIHTUwWFQy3Omjsb87vxKXzgQviUIpEfJChAw+jmN2ejDq8ZyiviRjTant pn57z0Uw7cv8YlWMWZroV7bR6Bs+ouK+oFb1Q4CwcYFuUbcVat8Tsw== =q68S -----END PGP SIGNATURE-----

1 0

SUSE Security Summary Report SUSE-SR:2005:030
by Marcus Meissner 16 Dec '05

16 Dec '05

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Summary Report Announcement ID: SUSE-SR:2005:030 Date: Fri, 16 Dec 2005 16:00:00 +0000 Cross-References: CVE-2005-3893, CVE-2005-3894, CVE-2005-3895 CVE-2005-3912 Content of this advisory: 1) Solved Security Vulnerabilities: - webmin format string problem - otrs various problems 2) Pending Vulnerabilities, Solutions, and Work-Arounds: - xpdf various integer overflow problems - perl denial of service and potential code execution 3) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Solved Security Vulnerabilities To avoid flooding mailing lists with SUSE Security Announcements for minor issues, SUSE Security releases weekly summary reports for the low profile vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums or download URLs like the SUSE Security Announcements that are released for more severe vulnerabilities. Fixed packages for the following incidents are already available on our FTP server and via the YaST Online Update. - webmin format string problem A format string problem in webmin was fixed, where a remote user could crash the webmin mini web server or even potentially execute code. webmin was only shipped on SUSE Linux 9.0 and 9.1. This issue is tracked by the Mitre CVE ID CVE-2005-3912. - otrs various problems The CMS system OTRS was updated to the current stable release of the particular major OTRS version shipped with SUSE Linux. This update solves the following issues: CVE-2005-3893: Multiple SQL injection vulnerabilities in index.pl in Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3 allow remote attackers to execute arbitrary SQL commands and bypass authentication via the (1) user parameter in the Login action, and remote authenticated users via the (2) TicketID and (3) ArticleID parameters of the AgentTicketPlain action. CVE-2005-3894: Multiple cross-site scripting (XSS) vulnerabilities in index.pl in Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3 allow remote authenticated users to inject arbitrary web script or HTML via (1) hex-encoded values in the QueueID parameter and (2) Action parameters. CVE-2005-3895: Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3, when AttachmentDownloadType is set to inline, renders text/html e-mail attachments as HTML in the browser when the queue moderator attempts to download the attachment, which allows remote attackers to execute arbitrary web script or HTML. NOTE: this particular issue is referred to as XSS by some sources. ______________________________________________________________________________ 2) Pending Vulnerabilities, Solutions, and Work-Arounds - xpdf various integer overflow problems Various integer overflows in xpdf and programs using xpdf code potentially allows to execute arbitrary code via specially crafted PDF files. This is tracked by the Mitre CVE IDs CVE-2005-3191, CVE-2005-3192 and CVE-2005-3193. Affected are the packages: xpdf, gpdf, koffice-wordprocessing, pdftohtml, kdegraphics3-pdf, tetex, poppler, libextractor, cups on all SUSE Linux based products. We have finalized patches this week and have started preparing updates. - perl denial of service and potential code execution perl scripts that allow user supplied format strings to printf style perl functions can be used to either crash the perl interpreter or to possibly execute code by preparing a specially crafted format string. We received final patches from the perl porters team and are now preparing updated packages. All SUSE Linux based products are affected. ______________________________________________________________________________ 3) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file containing the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and integrity of a package needs to be verified to ensure that it has not been tampered with. The internal RPM package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and included at the end of this announcement. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ) send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iQEVAwUBQ6LXW3ey5gA9JdPZAQItTQgAjOBKq9sLZrp46Bi2duvw+zYglOnh7WZQ XbKLfkapVDrSGPTCW/wjYDRZUsmc14S0ePBGYntjmGIBiuGw+Z2YZgXlLBEscYFd m6E/QiMlIjVbo9ngZswtKnbSxcHZRPURg5ECqDaku8e7LZejPTEu4fSbdJwANdtB mYDoO+FHxp/38a18lWrAJ4D1RFVSBimC1YxqJzJK/90pp//CAF0aRjrXkOaMPG48 8PUl0uNFdRbRSoamvviws67IQCZJ5KI6+/7Sr4Vx2DWqAUqNVyxQQIkfiDBjtZUD 3SEZ2uvon2WavtuSACBmqRIC/r7JJhT45ZhRQo2SfD36lsxR1cXsww== =/RB5 -----END PGP SIGNATURE-----

1 0

SUSE Security Announcement: php4, php5 (SUSE-SA:2005:069)
by Ludwig Nussel 14 Dec '05

14 Dec '05

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: php4,php5 Announcement ID: SUSE-SA:2005:069 Date: Wed, 14 Dec 2005 16:00:00 +0000 Affected Products: SUSE LINUX 10.0 SUSE LINUX 9.3 SUSE LINUX 9.2 SUSE LINUX 9.1 SuSE Linux 9.0 SuSE Linux Enterprise Server 8 SUSE SLES 9 UnitedLinux 1.0 Vulnerability Type: remote code execution Severity (1-10): 5 SUSE Default Package: no Cross-References: CVE-2005-3353, CVE-2005-3389, CVE-2005-3390 CVE-2005-3391, CVE-2005-3392, CVE-2005-3883 Content of This Advisory: 1) Security Vulnerability Resolved: various php issues Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: - See Summary Report 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion Updated PHP packages fix the following security issues: - Stefan Esser found out that a bug in parse_str() could lead to activation of register_globals (CVE-2005-3389) and additionally that file uploads could overwrite $GLOBALS (CVE-2005-3390) - Bugs in the exif code could lead to a crash (CVE-2005-3353) - Missing safe_mode checks in image processing code and cURL functions allowed to bypass safe_mode and open_basedir (CVE-2005-3391) - Information leakage via the virtual() function (CVE-2005-3392) - Missing input sanitation in the mb_send_mail() function potentially allowed to inject arbitrary mail headers (CVE-2005-3883) The previous security update for php caused crashes when mod_rewrite was used. The updated packages fix that problem as well. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes Please restart your web server after the update. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/apache2-mod_php4-4.4.… 93ccea4a7fbf020f9dbc2d8e7e30f187 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/apache2-mod_php5-5.0.… 68c9297edac3cf40f63de9ab86a78204 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-4.4.0-6.6.i586.r… cbe4216ab9aeaa46edfec82f4ec83add ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-exif-4.4.0-6.6.i… 7350c203d1da7cef4f707c1bd05b1fe4 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-fastcgi-4.4.0-6.… 2cbedde45de41d2a4c6a04a70151ef87 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-mbstring-4.4.0-6… 89b18c2b44043b00ca2a5e0ecd952ea1 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-servlet-4.4.0-6.… aef612df7108ac49bc4671d48a522cd4 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-5.0.4-9.6.i586.r… 89b36c0207d77a276574acb917979c6c ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-exif-5.0.4-9.6.i… 9cd086bfd7f2460f560283d116335809 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-fastcgi-5.0.4-9.… 86a99ad87a84ca890d7f0812d84ea443 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-mbstring-5.0.4-9… 91d317da31a61e8b892e04fc22533465 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-pear-5.0.4-9.6.i… d84a4b1979db6a704e0e68e3cd0c4123 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/apache2-mod_php4-4.3.1… 2b0004354040ee46589579bbe9a10b7d ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/apache2-mod_php5-5.0.3… 256ffe4b0adcbdea070c31199d927b8b ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mod_php4-servlet-4.3.1… 2f011176ba78e8d9e6d6705e3c520d77 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-4.3.10-14.16.i586… 1fda5a79328ad176ba4f76c3125a216c ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-devel-4.3.10-14.1… 9d95adc9956ad6c9aeb55395e5802a28 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-exif-4.3.10-14.16… b78bda5c1bc4a445980c85263ef4e6b6 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-fastcgi-4.3.10-14… 65d8d310cddf9eec6bf86f247d916924 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-mbstring-4.3.10-1… 83b6fb72b0235ef975e0b5dc3add6ba0 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-pear-4.3.10-14.16… 5b35e2b85d62841bfb4ef753a1befff4 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-session-4.3.10-14… e2e4396e3332d8127521e7208174b761 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-sysvshm-4.3.10-14… ec7b2caaf0b6f75a67bcf59df581faf0 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-5.0.3-14.16.i586.… e4680ce4c81fe741acace8396270f73a ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-devel-5.0.3-14.16… b77193abb614a761fc8efb4ac3e30f38 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-exif-5.0.3-14.16.… efd60d4c38cee0570d91da4ded07241d ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-fastcgi-5.0.3-14.… da933de9fe8c6b51ba8a1037bb51270a ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-mbstring-5.0.3-14… 306ffc5f200768e241045b9feb841ff0 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-pear-5.0.3-14.16.… 4f6a0c426370c2ed0163ba5a210b3b18 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-sysvmsg-5.0.3-14.… 3debbdb828fd9b62f84e9aca19cbc911 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-sysvshm-5.0.3-14.… 18c017cc066aa5ef10b8676e3abb39cc SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/apache2-mod_php4-4.3.8… 3ef70addd7a8dbefe0369ff5657c572f ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/mod_php4-servlet-4.3.8… 7424b1900e37eb48927e937f6f46a754 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-4.3.8-8.19.i586.r… 4fcf09657edc278dc1300beb99b2be23 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-devel-4.3.8-8.19.… 3240c192c6d3a2861c61fafc6f1e3dbe ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-exif-4.3.8-8.19.i… bd21b0c6a8787c055bce1b4a0832e9c6 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-fastcgi-4.3.8-8.1… a15b1e13e8d4c508b20a0d9cb8db0e9a ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-mbstring-4.3.8-8.… 29cb0b7455d85e855cdcff7ed3cf362a ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-pear-4.3.8-8.19.i… 378fbc8b49f96936c4a803dd2fcd9150 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-session-4.3.8-8.1… 3e8482cdec483a0d97336d7ff875aca4 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-sysvshm-4.3.8-8.1… 0e8aebcd5576f652c5460b8b5eb0eb59 SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/apache2-mod_php4-4.3.4… 03e74cf5c21690096b5c3c6d73db5edf ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/mod_php4-core-4.3.4-43… f3ff33b1c66c60e512668d071c2865a2 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/mod_php4-servlet-4.3.4… 8ef9861fc1154dfb13b1a856d97ede58 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-4.3.4-43.46.8.i58… 4f44dbff22b3e61ded0cafa05e5dd8a4 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-devel-4.3.4-43.46… 1e61d5c750ceb6e5ca0155da26ad9d56 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-exif-4.3.4-43.46.… 352b80414193b6e759a087a00e961f9e ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-fastcgi-4.3.4-43.… a7dbbc68d8088e1c9446f5b3aa3efdf6 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-imap-4.3.4-43.46.… 2d65af58903d5b57eb1a5c9da7a4d12c ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-mbstring-4.3.4-43… fcca537fe7a10ffbc983631586af80e1 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-mysql-4.3.4-43.46… 3f089876cee98edb6ca744ec16e8b348 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-pear-4.3.4-43.46.… c12867220bc31711bf858488ecf82652 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-recode-4.3.4-43.4… 2b13e53d9f834eae4c7f8f5dcd0309e6 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-servlet-4.3.4-43.… 35a0ed7a8ed2680f6795b55a17286a44 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-session-4.3.4-43.… 467cc0aecaeff74e01794a9796d7ae5b ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-sysvshm-4.3.4-43.… d00467ec2ea75c736257ec747dbce964 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-wddx-4.3.4-43.46.… fec07399b7946aa6fa282fdf3a11b7b5 SuSE Linux 9.0: ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/apache2-mod_php4-4.3.3… 7e7f3acd96bd4ccfa449fa627d238e61 ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-4.3.3-201.i58… 6ad974a6ef73c055042f2791511324a4 ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-aolserver-4.3… 8062597ee1d901295f50ef7f3b210fd8 ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-core-4.3.3-20… a26e3da082bb7af529bfe6a8863d3bea ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-devel-4.3.3-2… b0c65694138fcc7e358a23578c81fc0f ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-servlet-4.3.3… a575ef3d3585d52457277fa1b1f52fc9 Power PC Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/apache2-mod_php4-4.4.0… b6fc10ae85b52c9fa8dfc1391cb5c42e ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/apache2-mod_php5-5.0.4… 64b0b1929db34126fef1fe45477721c8 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-4.4.0-6.6.ppc.rpm 32e5df4ad82710e942229b352001062f ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-exif-4.4.0-6.6.pp… 5731166b070555e3b12977f17c807164 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-fastcgi-4.4.0-6.6… 2d5ab0d77fbeb8b4c2c2eb0054ef95db ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-mbstring-4.4.0-6.… e88e8df2e390d4f1de0420144120ffba ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-5.0.4-9.6.ppc.rpm 54988beb5795ec69b9477fb17bd05570 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-exif-5.0.4-9.6.pp… 9f060cbb31f36448bf51baedd817dd95 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-fastcgi-5.0.4-9.6… 3970e52026e0de1d22bcb1f0044fc7f4 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-mbstring-5.0.4-9.… 97a445e95bbbffc0b73b8e5d812e3a7c ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-pear-5.0.4-9.6.pp… 7a0713faac36b75d0c360a81ec1cd902 x86-64 Platform: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/apache2-mod_php4-4.… c19815f1d3dd1837db7d084d40c0bd5f ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/apache2-mod_php5-5.… e6f97e4a7f21ac06648b7687ae44c9c0 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-32bit-4.4.0-6.… 97b0538d2f776379b9ed53603e7c7c02 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-4.4.0-6.6.x86_… 6910814d7b4f55e46e56fcbfc2605e7a ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-exif-4.4.0-6.6… 93fc59c57c83d493d9b75735b53f59dc ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-fastcgi-4.4.0-… 84357282e66154125e738f958c5f8a1d ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-mbstring-4.4.0… a61b2ef113fa1bc4d95d18a2de10c037 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-servlet-4.4.0-… c1d603229a890d512c6965a9bf93e0ae ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-5.0.4-9.6.x86_… 3258488c43c3ceba6cac3e079adfd9dc ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-exif-5.0.4-9.6… 07f02223a220056e989f1ffcdb5bb301 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-fastcgi-5.0.4-… f04093dc74fc362b775a76826c4e5b70 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-mbstring-5.0.4… b47b507bb86fc499b57a50ea8d96cf4e ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-pear-5.0.4-9.6… 8998ff285408d6aa7194631b9158bc95 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/apache2-mod_php4-4.3… f572808e11f11e832d5af73789639d13 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/apache2-mod_php5-5.0… 78b816f654dba3203f59574403c5b015 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mod_php4-servlet-4.3… b89d13e866e3331a909acac41032856b ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-32bit-9.3-7.7.x… 24f56083bfec12dfa8f81d122ce76b59 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-4.3.10-14.16.x8… 04feac8fb5cca0eb1b2a63c09712d2a1 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-devel-4.3.10-14… 96b5f6889bfd704b35bee5b503037f98 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-exif-4.3.10-14.… a0543150af489560130081c8f8bc00a5 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-fastcgi-4.3.10-… e1e5f5cb50bbc96ac619c06bd9b40c6c ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-mbstring-4.3.10… 9e71c63f8f77220d264675a93d9be64e ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-pear-4.3.10-14.… 77f30df59a934c9097e1ff5ca2f9ef82 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-session-4.3.10-… 0763a366fa64f3a9f9451ecf8092060a ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-sysvshm-4.3.10-… e4b848f275c2720f0ea9a583245bdfd4 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-5.0.3-14.16.x86… a5f4693e50e97ba9b2abc4a74fcfc433 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-devel-5.0.3-14.… 318c22c0cc73fc23e1521ebf90614d49 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-exif-5.0.3-14.1… 1204d8a49841ee632afb3a31ea6786d5 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-fastcgi-5.0.3-1… 9673ca446863d44d8b3070f4b4605c8d ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-mbstring-5.0.3-… 777c96c8250371403af09dc8ce68578e ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-pear-5.0.3-14.1… 4843edaf660f33f032bf06f9a0c70e0d ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-sysvmsg-5.0.3-1… 75326499903800ea00ccef6de32df243 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-sysvshm-5.0.3-1… 10fcaf8375a8d3d53b2b4d6c6799fb5c SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/apache2-mod_php4-4.3… 995add6961cbaaa3e93ecc3fd4d4414e ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/mod_php4-servlet-4.3… 29be09a1b44c9de9475184043915f9d3 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-32bit-9.2-20051… d56c620f8e0f47b86b644bf35a2fb218 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-4.3.8-8.19.x86_… 9904439aebaa54e0a32738ca6d914671 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-devel-4.3.8-8.1… 78e991160557cef261f93b867d3e3506 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-exif-4.3.8-8.19… 4c0d5054c3fc50eff7f6f1e28cca84f2 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-fastcgi-4.3.8-8… cd555396599de66c5b8bb69bbf531c01 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-mbstring-4.3.8-… 25495dcc55f44a5a87b7523a18bd547e ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-pear-4.3.8-8.19… 0142a90e52aad3f21a9957d5e657ceb1 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-session-4.3.8-8… 9bccf3bdf6c86e25e1472e740096d4a1 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-sysvshm-4.3.8-8… 6cb88042269a72253f474311f1ddf2ab SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/apache2-mod_php4-4… c518162fd01a4dfbcd67826b43b04d1c ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/mod_php4-core-4.3.… 963d63c4c9ccedd60d78066056021da5 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/mod_php4-servlet-4… 43f29e791ecde3421a6160a5efef1460 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-4.3.4-43.46.8… 9f148f7b01206e4064e31c5bf1126e3a ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-devel-4.3.4-4… 31c00f890667c18d9f4b5d6db8e34c23 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-exif-4.3.4-43… 280203830ba42b1883eb9a0488d1a51a ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-fastcgi-4.3.4… a150e72f55d123e82445d8584c8580af ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-imap-4.3.4-43… 955c5212e05129555e4f669e29abf206 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-mbstring-4.3.… c4b625a5b45cd9c1cf983b96a5eb5857 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-mysql-4.3.4-4… a42f92a755f2a27f30d365e987fc07c0 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-pear-4.3.4-43… 5fe41e7a9ce219521abb7118e06acd06 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-recode-4.3.4-… 4e7c18b9c384f9925be4475b2a58d7ae ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-servlet-4.3.4… 409cd0a641f4af01bcec0eee89d730ed ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-session-4.3.4… 2c8027c2e1b13ba79684d22599441f98 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-sysvshm-4.3.4… 60f76ba962ff878a122c9713b3648acb ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-wddx-4.3.4-43… 9eb2f1367e1a24552a8cedfb6bc506f0 SuSE Linux 9.0: ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/apache2-mod_php4-4… 201cdcb6ac370ba24bf028ff973e2d78 ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-4.3.3-201… 200e27434b84dda66a8d7072639d50d3 ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-aolserver… bebf84684f3d4e2e246e9e0968e1c9e9 ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-core-4.3.… c13dd768ed49a6b356fea34b0bee22b7 ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-devel-4.3… 76402dba0b5cd93d01121f7cdaccf0a8 ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-servlet-4… 911132503ce437c56fc149ceaca84fc0 Sources: SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/php4-4.4.0-6.6.src.rpm df71d97d15a80d697e2bb4bde7045f7e ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/php5-5.0.4-9.6.src.rpm b8982a91a4434d6d8a5e6682d156ec89 SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/php4-4.3.10-14.16.src.r… 4fda8297cdd055ca5ea5f25c5fd34f7f ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/php5-5.0.3-14.16.src.rpm 00bbae3e2df2e260419636d09124072f SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/php4-4.3.8-8.19.src.rpm 2ffe97003b66122df2c66282df7c191f SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/php4-4.3.4-43.46.8.src.… 976c480089d6bbb93c8382024befa2b0 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/php4-4.3.4-43.46.8.sr… 254dafb4323f39a6d5833b5821888be3 SuSE Linux 9.0: ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/mod_php4-4.3.3-201.src.… 1ac608916ba50d061a5d0a9dcc5bf5f1 ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/mod_php4-4.3.3-201.sr… 55aeee3d79a95d4b77c1c9491b6a0216 Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/9c27c9e8baf6b3b… http://portal.suse.com/psdb/9c27c9e8baf6b3b225a13c66f8f9a95f.html http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/8c18bdf6bfa820f… http://portal.suse.com/psdb/8c18bdf6bfa820f30d97b67dccd437c4.html http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/10622a3ab7ed704… http://portal.suse.com/psdb/10622a3ab7ed7045185b273ec250fa88.html ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: - See Summary Report ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iQEVAwUBQ6A6NXey5gA9JdPZAQIHcgf+JDbAxIYJViu5do5Ucri/EtihLeczQUuz u0ODqPC1MPe4cJR0y2P1C2qNb4+/S0gfb1W+LlAgD1bVSqdT5YEiRAA4mZB9h+iQ r4YHObbW0/JH5pFt1nwlGsPKah+3WkE0+rdt7fJ0zFb4mEx+tKgDroXEpr8w5hju NuJW4IJg/kEBxCuqYM4u+WzJGU2olM2NGKBd3egjFHU1VgdsGZBSt9uX50rx+h0B 6KqJau0u+t20FYlLVPAWTDDve78aDBm8HiX8WtQpxUPI1vkH97CPt7n73NE2ZRcN 9gVFvEOLIWkA5qTl1Sx672cnbMFfR6Lg0FUvU/jcalccMEmscV6Lyw== =Y2/s -----END PGP SIGNATURE-----

1 0

SUSE Security Announcement: kernel various security and bugfixes (SUSE-SA:2005:068)
by Marcus Meissner 14 Dec '05

14 Dec '05

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: kernel Announcement ID: SUSE-SA:2005:068 Date: Wed, 14 Dec 2005 16:00:00 +0000 Affected Products: SUSE LINUX 9.3 SUSE LINUX 9.2 SUSE LINUX 9.1 SuSE Linux 9.0 SuSE Linux Desktop 1.0 SuSE Linux Enterprise Server 8 SUSE Linux Enterprise Server 9 UnitedLinux 1.0 Vulnerability Type: denial of service Severity (1-10): 6 SUSE Default Package: yes Cross-References: CVE-2005-1041, CVE-2005-2457, CVE-2005-2458 CVE-2005-2459, CVE-2005-2490, CVE-2005-2492 CVE-2005-2800, CVE-2005-2872, CVE-2005-2973 CVE-2005-3044, CVE-2005-3055, CVE-2005-3110 CVE-2005-3180, CVE-2005-3275, CVE-2005-3527 CVE-2005-3783, CVE-2005-3784, CVE-2005-3805 CVE-2005-3806, CVE-2005-3807 Content of This Advisory: 1) Security Vulnerability Resolved: Linux kernel security problems and bugfixes Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion The Linux kernel was updated to fix several security problems and several bugs, listed below: Security fixes: - CVE-2005-3783: A check in ptrace(2) handling that finds out if a process is attaching to itself was incorrect and could be used by a local attacker to crash the machine. (All) - CVE-2005-3784: A check in reaping of terminating child processes did not consider ptrace(2) attached processes and would leave a ptrace reference dangling. This could lead to a local user being able to crash the machine. (Linux kernel 2.6 based products only) - CVE-2005-2973: An infinite loop in the IPv6 UDP loopback handling can be easily triggered by a local user and lead to a denial of service. (Linux kernel 2.6 based products only) - CVE-2005-3055: Unplugging an user space controlled USB device with an URB pending in user space could crash the kernel. This can be easily triggered by local attacker. (Fixed for Linux kernel 2.6 based products only.) - CVE-2005-3044: Missing sockfd_put() calls in routing_ioctl() leaked file handles which in turn could exhaust system memory. (All) - CVE-2005-3180: Fixed incorrect padding in Orinoco wireless driver, which could expose kernel data to the air. (Linux 2.6 based products only) - CVE-2005-2490: A stack-based buffer overflow in the sendmsg function call in the Linux kernel 2.6 and 2.4 allowed local users execute arbitrary code by calling sendmsg and modifying the message contents in another thread. (All) - CVE-2005-3806: A bug in IPv6 flow label handling code could be used by a local attacker to free non-allocated memory and in turn corrupt kernel memory and likely crash the machine. (All) - CVE-2005-3275: The NAT code in Linux kernel incorrectly declares a variable to be static, which allows remote attackers to cause a denial of service (memory corruption) by causing two packets for the same protocol to be NATed at the same time. (All) - CVE-2005-2457: A problem in decompression of files on "zisofs" filesystem was fixed. (All) - CVE-2005-2458: A potential buffer overflow in the zlib decompression handling in the kernel was fixed. (All) - CVE-2005-2459: Some return codes in zlib decoding were fixed which could have led to an attacker crashing the kernel. (All) - CVE-2005-3110: A race condition in the ebtables netfilter module (ebtables.c), when running on an SMP system that is operating under a heavy load, might allow remote attackers to cause a denial of service (crash) via a series of packets that cause a value to be modified after it has been read but before it has been locked. (Linux kernel 2.6 based products only) - CVE-2005-1041: A race condition when reading the /proc/net/route virtual file could be used by a local attacker to potentially crash the machine. (Linux kernel 2.6 based products only) - CVE-2005-2800: A memory leak in the seq_file implementation in the SCSI procfs interface (sg.c) allows local users to cause a denial of service (memory consumption) via certain repeated reads from the /proc/scsi/sg/devices file, which is not properly handled when the next() iterator returns NULL or an error. (Linux kernel 2.6 based products only) - CVE-2005-2872: The ipt_recent module when running on 64bit processors allows remote attackers to cause a DoS (kernel panic) via certain attacks such as SSH brute force. (Linux kernel 2.6 based products only) - CVE-2005-2492: The raw_sendmsg function in the Linux kernel allows local attackers to cause a denial of service (change hardware state) or read from arbitrary memory via crafted input. (SUSE Linux 9.2 and 9.3) - CVE-2005-3805: A locking problem in POSIX timer handling could be used by a local attacker on a SMP system to deadlock the machine. (SUSE Linux 9.3) - CVE-2005-3527: A race condition in do_coredump in signal.c allows local users to cause a denial of service (machine hang) by triggering a core dump in one thread while another thread has a pending SIGSTOP. (SUSE Linux 9.3) - CVE-2005-3807: A memory kernel leak in VFS lease handling can exhaust the machine memory and so cause a local denial of service. This is seen in regular Samba use and could also be triggered by local attackers. (SUSE Linux 9.3) Non security bugfixes: - Fixed the "treason uncloaked" kernel messages that were caused by a stale pred_flags variable when the TCP snd_wnd changes. - a lot of other small fixes not listed here. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes SPECIAL INSTALLATION INSTRUCTIONS ================================= The following paragraphs guide you through the installation process in a step-by-step fashion. The character sequence "****" marks the beginning of a new paragraph. In some cases, the steps outlined in a particular paragraph may or may not be applicable to your situation. Therefore, make sure that you read through all of the steps below before attempting any of these procedures. All of the commands that need to be executed must be run as the superuser 'root'. Each step relies on the steps before it to complete successfully. **** Step 1: Determine the needed kernel type. Use the following command to determine which kind of kernel is installed on your system: rpm -qf --qf '%{name}\n' /boot/vmlinuz **** Step 2: Download the packages for your system. Download the kernel RPM package for your distribution with the name indicated by Step 1. Starting from SUSE LINUX 9.2, kernel modules that are not free were moved to a separate package with the suffix '-nongpl' in its name. Download that package as well if you rely on hardware that requires non-free drivers, such as some ISDN adapters. The list of all kernel RPM packages is appended below. The kernel-source package does not contain a binary kernel in bootable form. Instead, it contains the sources that correspond with the binary kernel RPM packages. This package is required to build third party add-on modules. **** Step 3: Verify authenticity of the packages. Verify the authenticity of the kernel RPM package using the methods as listed in Section 6 of this SUSE Security Announcement. **** Step 4: Installing your kernel rpm package. Install the rpm package that you have downloaded in Step 2 with the command rpm -Uhv <FILE> replacing <FILE> with the filename of the RPM package downloaded. Warning: After performing this step, your system may not boot unless the following steps have been followed completely. **** Step 5: Configuring and creating the initrd. The initrd is a RAM disk that is loaded into the memory of your system together with the kernel boot image by the boot loader. The kernel uses the content of this RAM disk to execute commands that must be run before the kernel can mount its root file system. The initrd is typically used to load hard disk controller drivers and file system modules. The variable INITRD_MODULES in /etc/sysconfig/kernel determines which kernel modules are loaded in the initrd. After a new kernel rpm has been installed, the initrd must be recreated to include the updated kernel modules. Usually this happens automatically when installing the kernel rpm. If creating the initrd fails for some reason, manually run the command /sbin/mkinitrd **** Step 6: Update the boot loader, if necessary. Depending on your software configuration, you either have the LILO or GRUB boot loader installed and initialized on your system. Use the command grep LOADER_TYPE /etc/sysconfig/bootloader to find out which boot loader is configured. The GRUB boot loader does not require any further action after a new kernel has been installed. You may proceed to the next step if you are using GRUB. If you use the LILO boot loader, lilo must be run to reinitialize the boot sector of the hard disk. Usually this happens automatically when installing the kernel RPM. In case this step fails, run the command /sbin/lilo Warning: An improperly installed boot loader will render your system unbootable. **** Step 7: Reboot. If all of the steps above have been successfully completed on your system, the new kernel including the kernel modules and the initrd are ready to boot. The system needs to be rebooted for the changes to be active. Make sure that all steps have been completed then reboot using the command /sbin/shutdown -r now Your system will now shut down and restart with the new kernel. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/Intel-536ep-4.69-10.4.… d500c2c08b8b7526d74023f65e59b85c ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-bigsmp-2.6.11.4… 6b7433eb3db4d6e0ee762966418e4dd9 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-bigsmp-nongpl-2… c9915592a80dd81d26d7664887bf553d ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-default-2.6.11.… 061bdddcee1a455b618990358fb6e9ed ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-default-nongpl-… 71109400fe245a1d9c927b51a886570c ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-smp-2.6.11.4-21… 7814126834bc779f3b3f6c06ed2d9967 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-smp-nongpl-2.6.… 68ecf601f54b61f15df7ed7fb532816b ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-source-2.6.11.4… 636f844e141e1f13d96ecc1fa1b0b083 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-syms-2.6.11.4-2… c68dea8979d7917a1d33d51ae5448c78 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-um-2.6.11.4-21.… 181375a1e7fb6ff0ac19f1eeec1094df ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-um-nongpl-2.6.1… 60d9c119d1754e7e722c20eebd1d8402 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-xen-2.6.11.4-21… 188852e931d1f4ad7efc8ac35b258181 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kernel-xen-nongpl-2.6.… ce1e7f2365eec087c735921b5e6d9ccf ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/ltmodem-8.31a10-7.4.i5… 9fd2310063f308691a70d32e4f028549 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/um-host-install-initrd… bbedfc44ec6b5d44feaec1466171a6c5 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/um-host-kernel-2.6.11.… 2234c7a82681b61a75b5009f10ce47c7 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/Intel-536ep-4.69-5.12.… 8a47d92a848db8bdb55d6f0a6ab227de ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-bigsmp-2.6.8-24… dace3bcedb831f4170055dc6f75cdabd ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-bigsmp-nongpl-2… 6e8c44794300272c7b285aac7f3454f0 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-default-2.6.8-2… 61641b758f379ce5fb5c6d9b775860cb ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-default-nongpl-… 213170a1d5d872439f696d8489c4df8d ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-smp-2.6.8-24.19… 75340371878caf30a19b0c0884e7c4b3 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-smp-nongpl-2.6.… a319f80f554dc548f615258116c5eb82 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-source-2.6.8-24… f1307e25b9b03bd8bd31576a2dde93c8 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-syms-2.6.8-24.1… 8ce4843272595ef052f3bcc106307c17 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-um-2.6.8-24.19.… 32c20befc06f9b5c6c21f675d7f27524 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-um-nongpl-2.6.8… c8e2e9d1f020f8e76cc5ca8df852e6e2 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/ltmodem-8.31a8-6.12.i5… 67170602966f4e3f948b5d247fe527c5 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/um-host-install-initrd… 5194a3b506192b7cea330c45f1015116 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/um-host-kernel-2.6.8-2… 495f10410d45b5198a035afad1ab7060 SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-bigsmp-2.6.5-7.… 498b6452f6e80c2168fc18e9aaa171ca ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-default-2.6.5-7… 9cdcc381aa3fe9c38883af5ae50fe566 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-smp-2.6.5-7.202… 5b6910b080ddaebb52ba01a77e64cda5 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-source-2.6.5-7.… f492f72cf5cc3039a02b0b809688ca49 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-syms-2.6.5-7.20… 4613e41ca201515ae803966ecd7b0b93 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/ltmodem-2.6.2-38.19.i5… d21af772ba56053116b350a1970777aa SuSE Linux 9.0: ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/Intel-536ep-4.62-27.i5… df3caf24c8ece33169c54ff4672d373a ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/Intel-v92ham-4.53-27.i… d0c7cfb40d369de915536fe376669731 ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_athlon-2.4.21-303.i5… c85728e06562a696414f9bb6bc0441bc ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_deflt-2.4.21-303.i58… 87d35dea039633533ce97976902adc24 ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_smp-2.4.21-303.i586.… 313ed7c9eb5c96d5d60f31a72cef1b1c ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_smp4G-2.4.21-303.i58… d05c3ff5c412f82fb90434ad902ab076 ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_um-2.4.21-303.i586.r… ea4422ee2da49a37626ab80c92c869a1 ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/kernel-source-2.4.21-3… 8aa09607425053cc73fb11af0f08f107 ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/ltmodem-8.26a-216.i586… 39189597f72fd29c7bd95d25453a634c Platform Independent: SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/noarch/kernel-docs-2.6.11.4… 47d5b58910d7890c56b49c5f0a051edb SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/noarch/kernel-docs-2.6.8-24… d7d6524760444a7007b33614f7438d18 SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/noarch/kernel-docs-2.6.5-7.… 1c8fe8bd02541c36268c8bdd9ae52408 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/noarch/kernel-docs-2.6.5-… 4ccf9f952bf7bdf81535fae998ebcecf x86-64 Platform: SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-default-2.6.1… ba425257f4863c3609218ffb97d88ad5 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-default-nongp… 4c5ce7b9a10a1befe1055e5dda1f8cf3 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-smp-2.6.11.4-… 3cbe380b73ab0582f272389241ed3387 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-smp-nongpl-2.… 4b42629c3bed66cacb1a984c5e26f9d4 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-source-2.6.11… 06a6903d738d08d889486fd37fd356a8 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-syms-2.6.11.4… 8e68e2009d0a7f75c844e66770d4c812 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-default-2.6.8… 205edc94cdc1efd47dcd5a3c207ed8ea ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-default-nongp… d165d199a24c2531ffb66bf8559f94d0 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-smp-2.6.8-24.… 3741cd730f4d74fdd942df421dcd70c8 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-smp-nongpl-2.… a944dadc1c00f35e0311cc1e059f2ef7 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-source-2.6.8-… 10d243b42b080caf2b35a203d37e054b ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-syms-2.6.8-24… 476f6d22a5f9b985c6ff637b47560902 SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-default-2.6… b842f83ea73c098b06264255c448a369 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-smp-2.6.5-7… 67348b7d9c74d517652340c1b195d350 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-source-2.6.… 32a9ffb2b0907f4110ed577cc19f588e ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-syms-2.6.5-… 5f466140ede81eb3cf45a883c1a4283e SuSE Linux 9.0: ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/k_deflt-2.4.21-303… 995456b107b5a11541c441c01285c69f ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/k_smp-2.4.21-303.x… 1330055b72a360e1e9d95f55446565c6 ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/kernel-source-2.4.… bfd3f18af242371f001ab3badb6886b6 Sources: SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/Intel-536ep-4.69-10.4.s… f2864724ba6060f3eca93a52915f85d6 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-bigsmp-2.6.11.4-… eb7b914b71b3a1a4714a40aeaf2fbcf9 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-default-2.6.11.4… a747522cc3e547960f53cc56c7e8e25c ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-docs-2.6.11.4-21… 33e9bdcde94a6aa836fdf2939b2c3595 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-smp-2.6.11.4-21.… d4b7a95149a614365f3c52a5536cb165 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-source-2.6.11.4-… d3a5f22fed880743addd67a900e010ab ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-syms-2.6.11.4-21… b76a34c01bf1da3ca175cfef88b62c47 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-um-2.6.11.4-21.1… f5250e8c30889890e95f7ca39a5379b7 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kernel-xen-2.6.11.4-21.… ea9714e45fafb92ac59de3e0ee10c1b2 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/ltmodem-8.31a10-7.4.src… fa31903dd77cab3c3f3f1e08bc288ae2 ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/um-host-install-initrd-… 69bad0f07871a0e14bcfd6a5faba33d1 SUSE LINUX 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/Intel-536ep-4.69-5.12.s… 9cf828d9073188230d7d975eeb963e04 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kernel-bigsmp-2.6.8-24.… be8c729e22ca7e1e9a6ed5b7f833f84a ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kernel-default-2.6.8-24… bd66bc651a343c08045e22fe6156d416 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kernel-docs-2.6.8-24.19… d83c27d1443592adfb6a5324c3fb2513 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kernel-smp-2.6.8-24.19.… e9d751c304baba54601fb4be6f7cbe58 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kernel-source-2.6.8-24.… b7812ba431b9a0781268d022d70a9f6d ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kernel-syms-2.6.8-24.19… ff9b86dd54d8ee09a06cb08505750c06 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kernel-um-2.6.8-24.19.n… 46c82f4078918d1230299becee64a34a ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/ltmodem-8.31a8-6.12.src… 22a1dc94736e4c1a401410d589eb69d8 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/um-host-install-initrd-… 52621db970964619aa26e2c9cf9a9a8f SUSE LINUX 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-bigsmp-2.6.5-7.2… 00c430ebd996bee1e05479314963cb64 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-default-2.6.5-7.… 665f6cd53c7cd95240cc78b1b3e47ac3 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-docs-2.6.5-7.202… 89426852c558f249079da018691c3d78 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-smp-2.6.5-7.202.… 9600effe6b950e0fd644381aadf33892 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-source-2.6.5-7.2… b81693fea5e535732ce38b6355f2039e ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-syms-2.6.5-7.202… 6045f8cd31f5fadc64fc64f1a85a4dde ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/ltmodem-2.6.2-38.19.src… ca58518645ab07e0b15bca6d46fadab2 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-default-2.6.5-… bc4bf7caf9f40724fb6c8acbfaebc83e ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-docs-2.6.5-7.2… d880cc8a4074451b58c837ad2ea89a62 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-smp-2.6.5-7.20… 91562eee5d7cd6bf85005525196a9ada ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-source-2.6.5-7… 95b8fb67131984469558424c0311fe2c ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-syms-2.6.5-7.2… 8cf7cb56943e24cc4dacaf61e03deef0 SuSE Linux 9.0: ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/Intel-536ep-4.62-27.src… c8be7e60349bfbd91c4fb380c7e5b6e2 ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/Intel-v92ham-4.53-27.sr… dc26ab35f0c4c1de451a41e39d8477f0 ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_athlon-2.4.21-303.src… 28603ac54a74a10f119b19dac4f70877 ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_deflt-2.4.21-303.src.… bcd1ffba1492ca58fb972e762c92d55d ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_smp-2.4.21-303.src.rpm f8ef5667f2350a4dfa9d86ab1e75b71d ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_smp4G-2.4.21-303.src.… 54a593469f9631cd3cdd82a01b49b81f ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_um-2.4.21-303.src.rpm 2e116575b9de0e58e68fcca09a3c19f1 ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/kernel-source-2.4.21-30… 992f6a2e95ec3d2c6c3b0d5a1f8e85c3 ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/ltmodem-8.26a-216.src.r… 6870024817df87fdb801108bbee2d2d5 ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/k_deflt-2.4.21-303.sr… 1a15fb38887d1f051594688ec17da243 ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/k_smp-2.4.21-303.src.… 49ba0ba47e2dc4443ca5962fad818c5e ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/kernel-source-2.4.21-… bb0660431c5fc18b52675b3394f63079 Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/0efbd4214ff63cd… http://portal.suse.com/psdb/0efbd4214ff63cd671f6ac22674becbe.html http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/20c5e4c2a0fea32… http://portal.suse.com/psdb/20c5e4c2a0fea3202c966fa44c89b13e.html http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/9fc2ed050cb64aa… http://portal.suse.com/psdb/9fc2ed050cb64aa9c37f32a689e98703.html http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/79a129621653571… http://portal.suse.com/psdb/79a129621653571f9f612232ddd69857.html http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/77fd150f1962b32… http://portal.suse.com/psdb/77fd150f1962b32355a96affeee048ed.html http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/93d7c163efacc06… http://portal.suse.com/psdb/93d7c163efacc0665439a7d2c93341d1.html http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/fcd8a24f5457e2a… http://portal.suse.com/psdb/fcd8a24f5457e2ac521ea89935681fa3.html http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/c7050141b370283… http://portal.suse.com/psdb/c7050141b3702832a32e74185b621254.html http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/fa8599c9b2c6f42… http://portal.suse.com/psdb/fa8599c9b2c6f42f6125cdff8246eb01.html http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/f43a8157eaa3cc5… http://portal.suse.com/psdb/f43a8157eaa3cc5d6ad4e782c86273d5.html http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/e400e6279f02255… http://portal.suse.com/psdb/e400e6279f02255de204820f5290b8bb.html http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/268441775ca440e… http://portal.suse.com/psdb/268441775ca440ed04388897a55453d1.html http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/0e2c7f08437e012… http://portal.suse.com/psdb/0e2c7f08437e0128f5441c08f313e453.html ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ), send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iQEVAwUBQ6A1xney5gA9JdPZAQKD/Qf/VoLJnO1p+LMZH3RTNSPznwbip6OdlyVx dZoSGnh+Y5Udn4ab0YR9iyPLE+vBj90dttU4pJXm9/cbZv+a4DjntnjMMMlJakAF DNPPyNBtZi0OWNdUaYoOvfBC881x7e58mcq33FJgMYiyv38KSKdzAJkPFP18trwH QQMB5s65BmFVXAkfFcgVZVsGq5WuRtuiZULdPlkm7CQk67JKWTUXmzfLVp1e0wuk POEUubaq1zNjkCiW8TtAl0Sg+tdtZKjHg9r5y+ITGbagz5kp2hySr57LtEKokcOI b+DrSnLFscJaS0b/8NlnwJ/I7jk9iaQ6xFJqotn2FiNuVdyChDvemg== =gbs9 -----END PGP SIGNATURE-----

1 0

SUSE Security Summary Report SUSE-SR-2005:029
by Marcus Meissner 09 Dec '05

09 Dec '05

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Summary Report Announcement ID: SUSE-SR:2005:029 Date: Fri, 09 Dec 2005 16:00:00 +0000 Cross-References: CVE-2005-3191, CVE-2005-3192, CVE-2005-3193 Content of this advisory: 1) Solved Security Vulnerabilities: - php4 / php5 security update broken - mediawiki 2) Pending Vulnerabilities, Solutions, and Work-Arounds: - Kernel updates - xpdf various integer overflow problems - perl denial of service and potential code execution 3) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Solved Security Vulnerabilities To avoid flooding mailing lists with SUSE Security Announcements for minor issues, SUSE Security releases weekly summary reports for the low profile vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums or download URLs like the SUSE Security Announcements that are released for more severe vulnerabilities. Fixed packages for the following incidents are already available on our FTP server and via the YaST Online Update. - php4 / php5 security update broken We released a security update for PHP 4 and PHP 5 for all SUSE Linux based products. This update is broken when PHP applications are used together with the Apache "mod_rewrite" module. Several QA failures and recheck-ins are still delaying a fixed update for this problem, we are however confident that we can release updated packages on either Monday or Tuesday. - MediaWiki MediaWiki was updated to fix further Internet Explorer Javascript insertion flaws. This affects only SUSE Linux 9.3 and 10.0. We are not affected by the User language remote script insertion problems, since we are not shipping MediaWiki 1.5 currently, only 1.4.x versions are shipped. ______________________________________________________________________________ 2) Pending Vulnerabilities, Solutions, and Work-Arounds - Kernel updates We are currently preparing kernel security and bugfix updates for all our products. A SUSE Linux 10.0 kernel update was released on Monday, the other updates will follow next week. The updates will be separately announced. - xpdf various integer overflow problems Various integer overflows in xpdf and programs using xpdf code potentially allows to execute arbitrary code via specially crafted PDF files. This is tracked by the Mitre CVE IDs CVE-2005-3191, CVE-2005-3192 and CVE-2005-3193. Affected are the packages: xpdf, gpdf, koffice-wordprocessing, pdftohtml, kdegraphics3-pdf, tetex, poppler, libextractor, cups on all SUSE Linux based products. We are waiting for final patches and have started preparing updates. - perl denial of service and potential code execution perl scripts that allow user supplied format strings to printf style perl functions can be used to either crash the perl interpreter or to possibly execute code by preparing a specially crafted format string. We are coordinating patches with the perl porters team before going ahead with the updates. All SUSE Linux based products are affected. ______________________________________________________________________________ 3) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file containing the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and integrity of a package needs to be verified to ensure that it has not been tampered with. The internal RPM package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and included at the end of this announcement. - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (FAQ) send mail to <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iQEVAwUBQ5me73ey5gA9JdPZAQK8zwf9EQrfbkuYdxG3eSVa3yg6A82RUMblhiwn 2VRNBeDVWasoUAvmc+XmE3g1e3djg1fAxJdqHTydAKu8Ex+sh+0Vw8smfRQfe4Ia EGecT/vVI5rZ68hDaSkovfHhYgGcymuxbMiPWreY7nEWXaDdtYvE6DgMbc29/gss 7gAN6pBGNIV5uvqPr1hQXVXGmGGsgEiUMkNqiPyCcaywco4RIkskj5S+tKxfUxMa RLvrzv3Pm2nwttC9y6VC8k6PNYUoVR2SbW7NeC7S0fzprb1bxvjJomAnJAkp3HRx nCXx4kW0Gh7iA26zt8j4wFlWDjfgJc1FUtCoXNJzYhHZ+K+ZWWxTkA== =IgSS -----END PGP SIGNATURE-----

1 0