openSUSE Security Announce
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
Announcement-ID: SUSE-SR:2005:012
Date: Fri, 29 Apr 2005 14:00:00 +0000
Cross References: CAN-2005-0468
CAN-2005-0469
CAN-2005-0638
CAN-2005-0639
CAN-2005-0718
CAN-2005-0753
CAN-2005-1042
CAN-2005-1043
CAN-2005-1046
CAN-2005-1195
Content of this advisory:
1) solved security vulnerabilities:
- heimdal telnet buffer overflow
- php4, php5 bugs in exif parser
- cvs buffer overflow
- squid DoS
- xli shell quoting problems
2) pending vulnerabilities, solutions, workarounds:
- perl-Net-Server format string bug
- xine buffer overflow
- kimgio buffer overflows
3) standard appendix (further information)
______________________________________________________________________________
1) solved security vulnerabilities
To avoid spamming lists with advisories for every small incident,
we will release weekly summary advisories for issues where we have
released updates without a full advisory. Since these are minor
issues, md5sums and ftp urls are not included.
Fixed packages for the following incidents are already available on
our FTP server and via the YaST Online Update.
- heimdal telnet buffer overflow
This update fixes the telnet buffer overflows referenced by
CAN-2005-0469 and CAN-2005-0468, which also affected
the telnet client of the heimdal package.
All SUSE Linux based products were affected.
- php4, php5 bugs in exif parser
Bugs in the exif parser could allow an attacker to execute arbitrary code
or cause denial of service.
This is tracked by the Mitre CVE IDs CAN-2005-1042 and CAN-2005-1043.
All SUSE Linux based products were affected.
- cvs buffer overflow
This update fixes a buffer overflow which allowed remote attackers to
execute arbitrary code.
This is tracked by the Mitre CVE ID CAN-2005-0753
All SUSE Linux based products were affected.
- squid DoS
Squid could crash when a client unexpectedly aborted a PUT or POST
connection. This problem has been fixed.
This is tracked by the Mitre CVE ID CAN-2005-0718
All SUSE Linux based products were affected.
- xli shell quoting problems
This update of xli fixes a bug in the shell meta-character handling behaviour
while uncompressing image files. This bug can be exploited to execute arbitrary
shell commands. In conjunction with mail-clients it can even be exploited
remotely. Additionally integer overflows while allocating memory were fixed.
This is tracked by the Mitre CVE IDs CAN-2005-0638 and CAN-2005-0639
All SUSE Linux products were affected.
______________________________________________________________________________
2) Pending vulnerabilities in SUSE Distributions and Workarounds:
- perl-Net-Server format string bug
A format string problem was found in the logging routines of the
perl-Net-Server perl module collection.
All SUSE Linux products are affected.
- xine buffer overflow
Buffer overflows in the code used to handle MMST streams or RealMedia
RTSP streams allow remote malicious servers to execute arbitrary code.
This is tracked by the Mitre CVE ID CAN-2005-1195
All SUSE Linux based products are affected.
- kimgio buffer overflows
Buffer overflows in the kimgio library of KDE potentially allow remote attackers to
execute arbitrary code through specially crafted image files.
This is tracked by the Mitre CVE ID CAN-2005-1046
All SUSE Linux based products are affected.
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SUSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum <name-of-the-file.rpm>
after you downloaded the file from a SUSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security(a)suse.de)
the checksums show proof of the authenticity of the package.
We recommend against subscribing to security lists that cause the
e-mail message containing the announcement to be modified
so that the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.
2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
file name of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an uninstalled rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SUSE in rpm packages for SUSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SUSE Linux distributions version 7.1 and thereafter install the
key "build(a)suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the top-level directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- general/linux/SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (FAQ)
send mail to:
<suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com> respectively.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the clear-text signature shows proof of the
authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.7 (GNU/Linux)
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iQEVAwUBQnI1/Xey5gA9JdPZAQIQoQf9GxAwsppPJyq362KEwuq3cEbIHFl/qID9
PeYBot0BkFkgMuBU+iWkLo57HExtUac/zqi/jqfZvRDq6BG/HForzsYQIfjZ0WEa
PEuUApNygrxSmOjvTnvVKjBxT/FF9IH0lNIf8OyTd71sEgB/TiSDY1aH5+BjOS7f
ykN32olaQR95dVnDY0MiyZ/PXsGm8j38kzZXGQpGVDcrfD/U02vR+WiZ4lF5Y44f
/bFw335cFoeslelzKJSs/SW4a/nWaXxPp7bPew5H/fIBCVrvu8SfaS/QRo0+SBKH
n2g8NpEoCDX7S9GNMjceUvjiMyGPRbyLlMkFZ79VFXONTums1+EsWQ==
=Bv0z
-----END PGP SIGNATURE-----
SUSE Security Announcement: Mozilla Firefox, Mozilla various security problems (SUSE-SA:2005:028)
by Marcus Meissner 27 Apr '05
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Announcement
Package: Mozilla, Mozilla Firefox
Announcement-ID: SUSE-SA:2005:028
Date: Wed, 27 Apr 2005 15:00:00 +0000
Affected products: 8.2, 9.0, 9.1, 9.2, 9.3
SUSE Linux Desktop 1.0
SUSE Linux Enterprise Server 8, 9
Novell Linux Desktop 9
Vulnerability Type: remote code execution
Severity (1-10): 7
SUSE default package: yes
Cross References: CAN-2005-0989 MFSA 2005-33
CAN-2005-0752 MFSA 2005-34
CAN-2005-1153 MFSA 2005-35
CAN-2005-1154 MFSA 2005-36
CAN-2005-1155 MFSA 2005-37
CAN-2005-1156 CAN-2005-1157 MFSA 2005-38
CAN-2005-1158 MFSA 2005-39
CAN-2005-1159 MFSA 2005-40
CAN-2005-1160 MFSA 2005-41
Content of this advisory:
1) security vulnerability resolved:
various security problems in Mozilla based browsers
problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
See SUSE Security Summary Report.
6) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion
Several problems have been fixed with the security update releases
of the Mozilla Firefox 1.0.3 web browser and the Mozilla Suite 1.7.7.
This security update contains those security fixes. The Firefox
packages have been directly upgraded to the version 1.0.3, for
the Mozilla Suite packages the fixes up to version 1.7.7 have been
back ported.
Updates are currently provided for:
Mozilla Firefox: SUSE Linux 9.0 up to 9.3, Novell Linux Desktop 9
Mozilla Suite: SUSE Linux 9.2 and 9.3
Fixes of the Mozilla Suite for older products (SUSE Linux 8.2 - 9.1,
SUSE Linux Enterprise Server 8 and 9, SUSE Linux Desktop 1.0) are
being worked on.
The following security issues have been fixed:
- MFSA 2005-33,CAN-2005-0989:
A flaw in the JavaScript regular expression handling of Mozilla-based
browsers can lead to disclosure of browser memory, potentially
exposing private data from web pages viewed, or passwords or
similar data sent to other web pages. This flaw could also crash
the browser.
- MFSA 2005-34,CAN-2005-0752:
With manual plugin install it was possible for the plugin to
execute JavaScript code with the installing user's privileges.
- MFSA 2005-35,CAN-2005-1153:
Showing a blocked javascript: pop-up uses the wrong privilege context;
this could be used for a privilege escalation (installing malicious
plugins).
- MFSA 2005-36,CAN-2005-1154:
Cross-site scripting through global scope pollution, this could
lead to an attacker being able to run code in foreign websites
context, potentially sniffing information or performing actions
in that context.
- MFSA 2005-37,CAN-2005-1155,"firelinking":
Code execution through javascript: favicons, which could be used
for a privilege escalation.
- MFSA 2005-38,CAN-2005-1157,CAN-2005-1156,"firesearching":
Search Plugin cross-site scripting.
- MFSA 2005-39,CAN-2005-1158:
Arbitrary code execution from Firefox sidebar panel II.
- MFSA 2005-40,CAN-2005-1159:
Missing Install object instance checks.
- MFSA 2005-41,CAN-2005-1160:
Privilege escalation via DOM property overrides.
2) solution/workaround
None, please install the updated packages.
3) special instructions and notes
None.
4) package location and checksums
Please download the update package for your distribution and verify its
integrity by the methods listed in section 6) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.
x86 Platform:
SUSE Linux 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/MozillaFirefox-1.0.3-1…
fe494d595b165e3d801d8480ba42d934
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/MozillaFirefox-transla…
e8b3034594b1d3ff940899e4b7fd556a
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mozilla-1.7.5-17.2.i58…
38227c087af417ea098e764d978625f9
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mozilla-calendar-1.7.5…
0622920dc7c7346e8f3ed97a35043a5b
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mozilla-devel-1.7.5-17…
81e5a8a3dfccd675f27d1b9aa1074def
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mozilla-dom-inspector-…
d7445e7ac5d68b84df66836d36bd8e9e
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mozilla-irc-1.7.5-17.2…
2b5d35f8957bfe8bf36d1d710df16b64
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mozilla-mail-1.7.5-17.…
943b850051ec81b65a8ecfb46d2dd186
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mozilla-spellchecker-1…
c1531d820fce14c2da544096c542548e
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mozilla-venkman-1.7.5-…
59421c602e482226aa3b25c342717dbd
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mozilla-32bit-9.3-7.…
b44ebfe412ee2d6e4b866659219f449b
SUSE Linux 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/MozillaFirefox-1.0.3-1…
736eeae09a23b0378ca294ebaa3c7c63
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/mozilla-1.7.2-17.9.i58…
82c250f9783d6c21fd98a330ebeb267d
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/mozilla-calendar-1.7.2…
a0bf81303a3d8dce9eb46af6f31ee518
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/mozilla-devel-1.7.2-17…
0d1bd3e050a9d0f64f2afe27195d7aa9
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/mozilla-dom-inspector-…
38bf1250cd483a0dc66b276d9640d51e
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/mozilla-irc-1.7.2-17.9…
0452b6dacd213ad2a4a20dda13a080f0
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/mozilla-mail-1.7.2-17.…
af54b9760cbd16d8a0e14fe789592ca0
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/mozilla-spellchecker-1…
220d35ce4aca302c76d282e0aa1fe860
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/mozilla-venkman-1.7.2-…
3b8b41a0d4df73413f6b02d7f3014ce1
SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/MozillaFirefox-1.0.3-0…
633d3e33bdfbccb3ea8665f85bb89a00
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/MozillaFirefox-1.0.3-0.…
272a238439a4a2e756815a3b7e79c19f
SUSE Linux 9.0:
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/MozillaFirebird-1.0.3-…
1c5e3de27a07f3266e6061f655c88cd8
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/MozillaFirebird-1.0.3-3…
9561937bac554affcb5a11115c2125b1
x86-64 Platform:
SUSE Linux 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mozilla-1.7.5-17.2.x…
db99d96f3a7425f9619ce04a32762638
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mozilla-calendar-1.7…
fc0018d422f160a0ccade5bf2c0d43f7
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mozilla-devel-1.7.5-…
8ecfeacdb888abdad99c97f8607c928c
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mozilla-dom-inspecto…
2e3b67a03688f057a86baa97ea38715c
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mozilla-irc-1.7.5-17…
e74894451ca70e367cd517ef8288aa3c
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mozilla-mail-1.7.5-1…
d03ca7840b33d530f9550a6d31d236c9
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mozilla-spellchecker…
8ddf1317fd9a57e2ca2def64efa8a396
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mozilla-venkman-1.7.…
34ec54027c3460430b8d92b516a440fd
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/mozilla-1.7.5-17.2.src.…
34898b0c34ba91ea11121ac11644dcf7
SUSE Linux 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/MozillaFirefox-1.0.3…
e2a2c8793ded2bb3900ab9594bf860a7
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/mozilla-1.7.2-17.9.x…
a435cb5e2dcc27248cf61c44e08fda23
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/mozilla-calendar-1.7…
27d6d3dc54c25efff8d2369a68f80116
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/mozilla-devel-1.7.2-…
12340bf83bd14e332d30d0b4f3ae3833
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/mozilla-dom-inspecto…
3965d0520de2abcddea7732fda1aa24a
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/mozilla-irc-1.7.2-17…
5eda1256f790f6ef93497b905e316496
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/mozilla-mail-1.7.2-1…
5107c689a3cb8c27b5e257a4cf64a6cc
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/mozilla-spellchecker…
aff79f3b35a26eef5ba540aea8722bed
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/mozilla-venkman-1.7.…
89e0849e1bb2d8ab0164c7538d5d67fc
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/MozillaFirefox-1.0.3-1.…
38f5439c03baf379d3ec972bee6be113
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/mozilla-1.7.2-17.9.src.…
2b17a94896e81fafc197a22f4cedc892
SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/MozillaFirefox-1.0…
7abc1803a8086e9d298ff4e17e757325
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/MozillaFirefox-1.0.3-…
3d1e05785b0e84e19caf7f03d29e4dd2
SUSE Linux 9.0:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/MozillaFirebird-1.…
d3e7925e57a397f08ce736d7e5c76432
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/MozillaFirebird-1.0.3…
e0f87b8aedf4679fc2c3d70ea5404717
______________________________________________________________________________
5) Pending vulnerabilities in SUSE Distributions and Workarounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SUSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum <name-of-the-file.rpm>
after you downloaded the file from a SUSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security(a)suse.de)
the checksums show proof of the authenticity of the package.
We recommend against subscribing to security lists that cause the
e-mail message containing the announcement to be modified so that
the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.
2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
file name of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an uninstalled rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SUSE in rpm packages for SUSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SUSE Linux distributions version 7.1 and thereafter install the
key "build(a)suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the top-level directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- general/linux/SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com> respectively.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the clear-text signature shows proof of the
authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iQEVAwUBQm+lsXey5gA9JdPZAQGHdQf/aZ19x8EVyOoEUu3rmzdpYt4HgtSWq1xx
GjyQQHwTBNhX6SFGgnl592nK7NpSWCz+we1VOskEXLjwYO0xmwkdvFz/C+eHLl/N
3LfIh/k9jNA2LxAAlb30b5wEPBefCTLW9dPg53zoDc4CeTq/UPyKDjy/HPYuH5lv
Ws41Acy5m7LhEXhtXfK/3ozNpEklqcrIKS0lCe52WxVMUUoiGvkKjtWtbOZWGY/I
78iCvD9pCDecqawN46mFBT+uPf9XsqB37CRfcO4IY78M8yjRQEYafk0pEqLM+U0O
nit9WAQalIplim5AEMhUOEaBZixq67uoNy5LI3Uv7ZVybIQr004E0g==
=kuK6
-----END PGP SIGNATURE-----
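The package authenticity procedure from the appendix (section 3 of the Summary Report above and section 6 of SUSE-SA:2005:028) as a small POSIX shell script: check the downloaded RPM's md5sum against the line listed under its URL in the signed announcement, independently check the RPM's embedded GPG signature, and, as the precondition the appendix calls a downside of method 1, verify the announcement's own clear-text signature first. This is an added example, not SUSE's own tooling. The `make_demo` function fabricates a scratch directory with two dummy "packages" and a constructed announcement excerpt in the page's URL-then-checksum layout (the paths imitate the page's layout; the packages and checksums are made up), so the md5 part runs offline; the gpg and rpm steps only do anything where those tools are installed and the SUSE keys are in the keyring.

```shell
#!/bin/sh
# Added example (not SUSE's own tooling): verify a downloaded update RPM
# the way the advisory appendix describes. Two independent checks:
#   1. the md5sum listed under the package URL in the signed announcement
#   2. the GPG signature embedded in the RPM itself (rpm --checksig)
# plus the precondition for check 1: the announcement's own clear-text
# signature must verify before its checksums are worth anything.

# Print the md5 the announcement lists for FILE. Announcements put each
# package URL on one line and its checksum on the next, so match the URL
# line by the file's basename and emit the line that follows it.
expected_md5() {
    announcement=$1
    name=$(basename "$2")
    awk -v name="$name" '
        found { print; exit }
        index($0, "/" name) { found = 1 }
    ' "$announcement"
}

# Method 1: compare the downloaded file against the listed checksum.
# Exit status: 0 match, 1 mismatch, 2 no checksum listed for this file.
verify_md5() {
    announcement=$1
    file=$2
    want=$(expected_md5 "$announcement" "$file")
    if [ -z "$want" ]; then
        echo "no checksum listed for $(basename "$file")" >&2
        return 2
    fi
    have=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$have" != "$want" ]; then
        echo "md5 MISMATCH for $(basename "$file"): want $want, have $have" >&2
        return 1
    fi
    echo "md5 OK: $(basename "$file")"
}

# Precondition for method 1: the announcement itself must carry a valid
# clear-text signature from security@suse.de. Needs gpg and that key.
verify_announcement() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 3; }
    gpg --verify "$1"
}

# Method 2: check the RPM's embedded signature. Needs rpm and the
# build@suse.de key imported (see the prerequisites in the appendix).
verify_rpm_sig() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not installed" >&2; return 3; }
    rpm -v --checksig "$1"
}

# Constructed demo data, nothing here is a real SUSE package or checksum:
# a scratch directory with two dummy "packages" and an announcement
# excerpt in the page's URL-then-checksum layout. The first entry lists
# the correct md5, the second deliberately lists a wrong one.
make_demo() {
    dir=$(mktemp -d)
    printf 'dummy package payload\n' > "$dir/foo-1.0-1.i586.rpm"
    printf 'dummy package payload\n' > "$dir/bar-2.0-1.i586.rpm"
    good=$(md5sum "$dir/foo-1.0-1.i586.rpm" | cut -d' ' -f1)
    cat > "$dir/announcement.txt" <<EOF
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/foo-1.0-1.i586.rpm
$good
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/bar-2.0-1.i586.rpm
00000000000000000000000000000000
EOF
    echo "$dir"
}

# Usage on a real download, after saving the signed mail as announcement.txt
# (<file.rpm> is the package you fetched from ftp.suse.com or a mirror):
#   verify_announcement announcement.txt && \
#   verify_md5 announcement.txt <file.rpm> && \
#   verify_rpm_sig <file.rpm> && \
#   rpm -Fhv <file.rpm>
```

The md5 check and the RPM signature check fail independently, which is the point the appendix makes: a mirror can serve a stale or rebuilt package (md5 mismatch against the announcement) and a tampered package fails `rpm --checksig` even if an attacker could also alter the unsigned list mail, so do not skip either one, and do not trust the checksums of an announcement whose own signature fails.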
SUSE Security Announcement: PostgreSQL buffer overflow problems (SUSE-SA-2005:027)
by Marcus Meissner 20 Apr '05
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Announcement
Package: postgresql
Announcement-ID: SUSE-SA:2005:027
Date: Wed, 20 Apr 2005 09:00:00 +0000
Affected products: 8.2, 9.0, 9.1, 9.2, 9.3
SUSE Linux Desktop 1.0
SUSE Linux Enterprise Server 8, 9
Novell Linux Desktop 9
Vulnerability Type: remote code execution
Severity (1-10): 5
SUSE default package: no
Cross References: CAN-2005-0247
Content of this advisory:
1) security vulnerability resolved:
code execution due to bugs in several SQL commands
problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
none
6) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion
Several problems were identified and fixed in the PostgreSQL
database server.
Multiple buffer overflows in the low level parsing routines may
allow attackers to execute arbitrary code via:
(1) a large number of variables in a SQL statement being handled by
the read_sql_construct() function,
(2) a large number of INTO variables in a SELECT statement being
handled by the make_select_stmt function,
(3) a large number of arbitrary variables in a SELECT statement being
handled by the make_select_stmt function, and
(4) a large number of INTO variables in a FETCH statement being
handled by the make_fetch_stmt function.
This is tracked by the Mitre CVE ID CAN-2005-0247.
2) solution/workaround
None, please install the updated packages.
3) special instructions and notes
If you are running a PostgreSQL server please make sure that it
is stopped or at least doesn't have any client connections during
the update.
4) package location and checksums
Please download the update package for your distribution and verify its
integrity by the methods listed in section 6) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.
x86 Platform:
SUSE Linux 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-8.0.1-6.i58…
678cf8fac25f43217a75ff1b69afa1e1
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-contrib-8.0…
9f71e3a477cb37e96b6252d3e41af5d0
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-devel-8.0.1…
13befe8d62a70898b576f46332b04016
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-docs-8.0.1-…
d51a60a473567c87c3f94cc0d5abde2d
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-libs-8.0.1-…
50af9cba7571c4859b033a420782c5c3
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-pl-8.0.1-6.…
3d68c0e2f026e3c1f1d33ec828ade723
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-server-8.0.…
4601a1e4308348a7a27fbe4dd0bfe029
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/postgresql-libs-32bi…
55c4a7c5b510b4a05b789540adbcca00
SUSE Linux 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-7.4.7-0.3.i…
6d5ca6b626a70cee2b34e49d33855648
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-contrib-7.4…
62020a1c26ed41635cf07f37f1c22817
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-devel-7.4.7…
eb20f825e8c1ee955e6904bd718ad1ba
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-docs-7.4.7-…
79194edc8a6a6ad10104b964e66cf789
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-libs-7.4.7-…
67353952335be148e0f3719a50edf8c5
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-pl-7.4.7-0.…
caad51baf0dfca24df09fec5d4385555
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-server-7.4.…
55a89a0f695e5dc892fa31af6140e367
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/postgresql-libs-32bi…
91ac32a40b548d187ca78fb095f182ac
SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-7.4.7-0.5.i…
7027aa706e60a5074b294edba529479c
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-contrib-7.4…
f7f3ef933b3cef23e892ede41d30b7e2
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-devel-7.4.7…
8b48f30541f0834d14c7c1297202a55f
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-docs-7.4.7-…
e4456b0be9e08ffab52bc8476d2a25c8
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-libs-7.4.7-…
9a936afc00a75b243c7c7bd040eb3e97
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-pl-7.4.7-0.…
7037b8f9f9ca4d0c3325b1f52a38338c
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-server-7.4.…
a6699829779cf0f1adc9eb899e028cce
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/i586/postgresql-libs-32bi…
6d7c782b577a97024d5b388957686eb9
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/postgresql-7.4.7-0.5.sr…
10074702f7983e615b0d4da932915419
SUSE Linux 9.0:
SUSE Linux 8.2:
x86-64 Platform:
SUSE Linux 9.3:
SUSE Linux 9.2:
SUSE Linux 9.1:
SUSE Linux 9.0:
______________________________________________________________________________
5) Pending vulnerabilities in SUSE Distributions and Workarounds:
none
______________________________________________________________________________
6) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SUSE update packages are available on many mirror ftp servers all over
the world. While this service is considered valuable and important to
the free and open source software community, many users wish to be sure
about the origin of a package and its content before installing it.
There are two verification methods that can be used independently of
each other to prove the authenticity of a downloaded file or rpm
package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) Execute the command
md5sum <name-of-the-file.rpm>
after you have downloaded the file from a SUSE ftp server or one of its
mirrors. Then compare the resulting md5sum with the one listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually with the key security(a)suse.de),
the checksums prove the authenticity of the package.
We advise against subscribing through security lists that modify the
email message containing the announcement, because the signature will
then no longer match after transport through the mailing list
software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are rebuilt and a
new version of a package is published on the ftp server, all md5 sums
for the files become useless.
2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an un-installed rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be installed with the gpg program in the directory
~/.gnupg/ under the home directory of the user who performs the
signature verification (usually root). You can import the key
that SUSE uses to sign rpm packages for SUSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SUSE Linux distributions version 7.1 and thereafter install the
key "build(a)suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the top-level directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
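The two checks described above, as an added example that is not part of the SUSE announcement: a POSIX shell script that reads the "URL line, then md5 line" pairs an advisory lists under "package location and checksums", compares them with the downloaded files, and wraps the rpm signature check as the second, independent method. It assumes the advisory was saved to a file and its clear-text signature already verified with gpg; the hostnames, package names and checksums in its demo are constructed, not real SUSE values.

```shell
#!/bin/sh
# Added example, not part of the SUSE announcement: check downloaded update
# packages against the "URL line, then md5 line" pairs that SUSE advisories
# list under "package location and checksums".
# Assumptions: the advisory was saved to a file and its clear-text signature
# already verified (e.g. gpg --verify announcement.txt); the packages were
# downloaded into one directory. Demo names and checksums are constructed.

# is_md5 STRING: true if STRING is exactly 32 lowercase hex digits.
is_md5() {
    case $1 in
        *[!0-9a-f]*|'') return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# check_advisory_md5 ADVISORY_FILE DOWNLOAD_DIR
# A 32-hex line directly after a URL line is that package's md5sum; the
# local file is found by the URL's basename in DOWNLOAD_DIR. Prints one
# status line per package (OK / MISMATCH / MISSING) and returns 0 only
# when every listed package is present and matches.
check_advisory_md5() {
    advisory=$1
    dir=$2
    status=0
    url=
    while IFS= read -r line || [ -n "$line" ]; do
        # strip leading/trailing whitespace (the mail indents URL lines)
        line=${line#"${line%%[![:space:]]*}"}
        line=${line%"${line##*[![:space:]]}"}
        case $line in
            ftp://*|http://*|https://*)
                url=$line
                continue ;;
        esac
        if [ -n "$url" ] && is_md5 "$line"; then
            expected=$line
            name=${url##*/}
            path=$dir/$name
            if [ ! -f "$path" ]; then
                echo "MISSING  $name"
                status=1
            else
                actual=$(md5sum "$path" | cut -d' ' -f1)
                if [ "$actual" = "$expected" ]; then
                    echo "OK       $name"
                else
                    echo "MISMATCH $name (advisory $expected, file $actual)"
                    status=1
                fi
            fi
        fi
        # any other line (distribution header, blank, prose) ends the pair
        url=
    done < "$advisory"
    return $status
}

# check_rpm_signature FILE
# Second, independent method from the advisory: the package's own gpg
# signature, checked with rpm before installation (the SUSE build key
# must be in the verifying user's keyring). Returns 2 if rpm is absent.
check_rpm_signature() {
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -v --checksig "$1"
}

# make_demo_advisory DIR
# Constructed download directory plus advisory fragment: one package whose
# checksum matches, one whose content differs from what the advisory lists,
# and one that was never downloaded.
make_demo_advisory() {
    d=$1
    printf 'hello\n' > "$d/good-1.0-1.i586.rpm"    # md5sum b1946ac9...
    printf 'tampered\n' > "$d/bad-1.0-1.i586.rpm"
    cat > "$d/announcement.txt" <<'EOF'
x86 Platform:
SUSE Linux 9.3:
  ftp://ftp.example.invalid/pub/update/9.3/rpm/i586/good-1.0-1.i586.rpm
  b1946ac92492d2347c6235b4d2611184
  ftp://ftp.example.invalid/pub/update/9.3/rpm/i586/bad-1.0-1.i586.rpm
  b1946ac92492d2347c6235b4d2611184
  ftp://ftp.example.invalid/pub/update/9.3/rpm/i586/missing-1.0-1.i586.rpm
  00000000000000000000000000000000
EOF
}

demo=$(mktemp -d)
make_demo_advisory "$demo"
if check_advisory_md5 "$demo/announcement.txt" "$demo"; then
    echo "all listed packages verified; rpm -Fhv may be run on them"
else
    echo "verification FAILED: do not install the packages flagged above"
fi
rm -rf "$demo"
```

Run it against a real advisory as `check_advisory_md5 announcement.txt /path/to/downloads` only after the announcement's own signature has been verified, otherwise the checksums prove nothing.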
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- general/linux/SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com> respectively.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the clear-text signature shows proof of the
authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
SUSE Security Announcement: RealPlayer buffer overflow in RAM file handling (SUSE-SA:2005:026)
by Marcus Meissner 20 Apr '05
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Announcement
Package: RealPlayer
Announcement-ID: SUSE-SA:2005:026
Date: Wed, 20 Apr 2005 09:00:00 +0000
Affected products: 9.2, 9.3
Novell Linux Desktop 9
Vulnerability Type: remote code execution
Severity (1-10): 8
SUSE default package: yes
Cross References:
Content of this advisory:
1) security vulnerability resolved:
buffer overflow in RAM file handling
problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
See SUSE Security Summary Report.
6) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion
This update fixes a security issue within the RealPlayer media player.
A remote attacker could craft a special .RAM (Real Audio Media) file
which would cause a buffer overflow when played within RealPlayer.
This is the Real Player Update as referenced on this page:
http://service.real.com/help/faq/security/050419_player/EN/
2) solution/workaround
None, please install the updated packages.
3) special instructions and notes
Restart RealPlayer if running.
4) package location and checksums
Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.
x86 Platform:
SUSE Linux 9.3:
SUSE Linux 9.2:
______________________________________________________________________________
5) Pending vulnerabilities in SUSE Distributions and Workarounds:
See SUSE Security Summary Report.
______________________________________________________________________________
SUSE Security Announcement: OpenOffice heap overflow problem (SUSE-SA:2005:025)
by Marcus Meissner 19 Apr '05
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Announcement
Package: OpenOffice_org
Announcement-ID: SUSE-SA:2005:025
Date: Tue, 19 Apr 2005 13:00:00 +0000
Affected products: 8.2, 9.0, 9.1, 9.2, 9.3
SUSE Linux Desktop 1.0
Novell Linux Desktop 9
Vulnerability Type: remote code execution
Severity (1-10): 8
SUSE default package: yes
Cross References: CAN-2005-0941
Content of this advisory:
1) security vulnerability resolved:
heap overflow in MS Word DOC file handling
problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
See SUSE Security Summary Report.
6) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion
This security update fixes a buffer overflow in the OpenOffice_org
Microsoft Word document reader which could allow a remote attacker
who sends a handcrafted .doc file to execute code as the user
opening the document in OpenOffice.
This is tracked by the Mitre CVE ID CAN-2005-0941.
WARNING: The updated packages are very large for distributions before
SUSE Linux 9.2 and 9.3.
The minimum download sizes for those are:
SUSE Linux Desktop 1: 47 MB
Novell Linux Desktop 9: 41 MB
SUSE Linux 8.2: 37 MB
SUSE Linux 9.0: 46 MB
SUSE Linux 9.1: 50 MB
SUSE Linux 9.2: 2.1 MB (using delta rpm)
SUSE Linux 9.3: 3.5 MB (using delta rpm)
2) solution/workaround
Install the updated packages.
A possible workaround is to not open .DOC files from untrusted
sources.
3) special instructions and notes
Restart OpenOffice after the update.
4) package location and checksums
Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.
x86 Platform:
SUSE Linux 9.3:
SUSE Linux 9.2:
SUSE Linux 9.1:
SUSE Linux 9.0:
SUSE Linux 8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/OpenOffice_org-1.0.2-7…
6b5f9f1b9bd7dad1d62619c46e471ee4
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/OpenOffice_org-cs-1.0.…
966b54c4cc0a7eca79386d3d7eed358d
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/OpenOffice_org-de-1.0.…
f857a4c91b90de7b46d9700439fc3dc4
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/OpenOffice_org-en-1.0.…
65706db98543bdcf84b8ff1ec3be93ca
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/OpenOffice_org-en-help…
c574794e58d89c56b9cab405ca1462a6
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/OpenOffice_org-es-1.0.…
6a6eed7174ec918d4c7617728e0328c3
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/OpenOffice_org-fr-1.0.…
7428286d640ca1c4e0e8572acf1fa370
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/OpenOffice_org-hu-1.0.…
27fae82ea8f296265847e26e91ead421
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/OpenOffice_org-it-1.0.…
e4e70c8843084cbc9707e1baf7b9b9f4
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/OpenOffice_org-nl-1.0.…
ae9a2d1c379be2581bd936e4f08c14bb
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/OpenOffice_org-sv-1.0.…
401508cc4fdc89759f9c78497943456b
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/OpenOffice_org-1.0.2-76…
5a086c30ec314b476ef3fcc7399b921e
______________________________________________________________________________
5) Pending vulnerabilities in SUSE Distributions and Workarounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SUSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum <name-of-the-file.rpm>
after you downloaded the file from a SUSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security(a)suse.de)
the checksums show proof of the authenticity of the package.
We recommend against subscribing to security lists that cause the
e-mail message containing the announcement to be modified so that
the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.
2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an un-installed rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SUSE in rpm packages for SUSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SUSE Linux distributions version 7.1 and thereafter install the
key "build(a)suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the top-level directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- general/linux/SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com> respectively.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the clear-text signature shows proof of the
authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
=LRKC
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iQEVAwUBQmUCXXey5gA9JdPZAQEVrwf+JUsttvz6+k+tvRZ1qB4cjTgD7x3Rg7q0
dgbWbEQ/wQCQY51ujnFIj6Yba7MS8m0QulCCGNrx3wZ1SqsITeoAQMS8RJiPzNGc
hxrYCZSP5YHxCqIxo0z2T0vRmNkKd/sk2/ep/U46vM2gtIh+/1KuKTR4MqnzIptc
QKw4wodkNxT797C8Q4mqwkclqY0+UdqKqcp0PNh6q9H7NuGpURbugB8t2uu+sOXw
Y3F8pUwDqO2K0HSOUtSBKhqhk6DfKNNW8ZzfiS9GdUbNuH6hHfSlUIvHVFXAsofl
ZlSv79pDWKOcDZf8XSIfvY0Ddb8g7doTysFrGHMYztjCqZd3vmXX7A==
=bB3g
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Announcement
Package: cvs
Announcement-ID: SUSE-SA:2005:024
Date: Monday, Apr 18th 2005 13:30 MEST
Affected products: 8.2, 9.0, 9.1, 9.2, 9.3
SUSE CORE 9 for x86
SuSE Linux Enterprise Server 8, 9
UnitedLinux 1.0
School-Server 1
Open-Enterprise-Server 9
Vulnerability Type: remote code execution
Severity (1-10): 6
SUSE default package: No
Cross References: CAN-2005-0753
Content of this advisory:
1) security vulnerability resolved: buffer overflow and memory access
problem in cvs
problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
- IDN (Internationalized Domain Name) cloaking
- PostgreSQL
- Mozilla
- OpenOffice_org
6) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion
The Concurrent Versions System (CVS) offers tools which allow developers
to share and maintain large software projects.
The current maintainer of CVS reported various problems within CVS
such as a buffer overflow and memory access problems which have
been fixed within the available updates.
The CVE project has assigned the CAN number CAN-2005-0753.
2) solution/workaround
There is no easy workaround except shutting down the CVS server.
3) special instructions and notes
No special actions need to be taken after installing this update.
4) package location and checksums
Download the update package for your distribution and verify its
integrity by the methods listed in section 6) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered for installation from the maintenance web.
x86 Platform:
SUSE Linux 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/cvs-1.12.11-4.2.i586.r…
8e27dd3b7a9867940830aa9dd8fd95bc
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/cvs-1.12.11-4.2.i586.p…
acd6904641df500ca50da8147ee54019
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/cvs-1.12.11-4.2.src.rpm
6a075a97c2bd30ade965e90e0f9671c4
SUSE Linux 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/cvs-1.12.9-2.2.i586.rpm
7192dce3bb42cd51c98a3510e9e5e73a
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/cvs-1.12.9-2.2.i586.pa…
ae4b8f9096b50e7f1c3a15e715e4c8e7
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/cvs-1.12.9-2.2.src.rpm
cebc4e07ac34f6a6f76789d6ce0eba37
SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/cvs-1.11.14-24.10.i586…
07778aea3050bcf05c96ae680b9d01e4
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/cvs-1.11.14-24.10.i586…
60591530555521e34d798a0d0365686a
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/cvs-1.11.14-24.10.src.r…
bd4b0324b51cee45f247e41f2f6139d4
SUSE Linux 9.0:
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/cvs-1.11.6-85.i586.rpm
795f6e5a6849706bb439366129833841
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/cvs-1.11.6-85.i586.pat…
ec2bb29f912831f9d5e7dd15ec950d9b
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/cvs-1.11.6-85.src.rpm
a3695ffd8f741a9f376e5e3244d412c8
SUSE Linux 8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/cvs-1.11.5-116.i586.rpm
6fc24ea4712d10855e60d26b9262f48c
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/cvs-1.11.5-116.i586.pa…
7b4e1cae79c33c4965b53159bd888a70
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/cvs-1.11.5-116.src.rpm
401896062510804b79ba75a5e800d9e2
x86-64 Platform:
SUSE Linux 9.3:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.3/rpm/x86_64/cvs-1.12.11-4.2.x8…
db2665d2e95762aa2c376fed929c44f1
patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.3/rpm/x86_64/cvs-1.12.11-4.2.x8…
8b3070a29bd15c430980937b53928640
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.3/rpm/src/cvs-1.12.11-4.2.src.r…
6a075a97c2bd30ade965e90e0f9671c4
SUSE Linux 9.2:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/cvs-1.12.9-2.2.x86…
21518326918a0a7e42176b60544e214e
patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/cvs-1.12.9-2.2.x86…
8bbb9b4bda742cb62836b6a6453aef2c
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/src/cvs-1.12.9-2.2.src.rpm
cebc4e07ac34f6a6f76789d6ce0eba37
SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/cvs-1.11.14-24.10.…
7543263ca5374da3a9926cde6c8bd58c
patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/cvs-1.11.14-24.10.…
1b245e5669be7b6e082c67d5e094466a
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/cvs-1.11.14-24.10.src…
8c399e20f6046faa3de70ae0fc133060
SUSE Linux 9.0:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/cvs-1.11.6-85.x86_…
708318fbf0d27efd212c16ac26f63003
patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/cvs-1.11.6-85.x86_…
7d5f303351ae584f07998847cc476f7c
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/cvs-1.11.6-85.src.rpm
ff6eddc0257dfd8dfa1b97653117d2c7
______________________________________________________________________________
5) Pending vulnerabilities in SUSE Distributions and Workarounds:
- IDN (Internationalized Domain Name) cloaking / homograph attacks
Problems with the IDN / punycode handling that allows non-ASCII
domain names were reported for every browser.
- The KDE approach is currently filtering on the top level domain.
- The Mozilla approach is currently to display punycode.
We have released Mozilla Firefox and KDE / konqueror updates for
this problem, the others (mozilla suite and opera) are still pending.
- PostgreSQL problems
Additional PostgreSQL problems were reported:
- A local user could bypass the EXECUTE permission check for
functions by using the CREATE AGGREGATE command. CAN-2005-0244
- Other earlier listed problems are already fixed.
We are still working on updates for this problem.
- new Mozilla security problems
Several new Mozilla browser security problems have been reported.
We are currently addressing these issues.
- OpenOffice_org heap overflow
A heap overflow was found in the MS Word document handling of
OpenOffice_org, allowing a remote attacker to execute code via a
handcrafted .doc file.
We are preparing updates for this issue.
______________________________________________________________________________
6) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SUSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum <name-of-the-file.rpm>
after you downloaded the file from a SUSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security(a)suse.de)
the checksums show proof of the authenticity of the package.
We recommend against subscribing to security lists that cause the
e-mail message containing the announcement to be modified
so that the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.
2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
file name of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an uninstalled rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SUSE in rpm packages for SUSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SUSE Linux distributions version 7.1 and thereafter install the
key "build(a)suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the top-level directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- general/linux/SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com> respectively.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the clear-text signature shows proof of the
authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.7 (GNU/Linux)
=Fv2n
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iQEVAwUBQmO/u3ey5gA9JdPZAQF6GggAgTCAQEADDglUXgjsnso7O70e676qNHi/
Ftr5gjDFl4D2FTEGCPiaZZLDueyxduETAVs9Aseu8vaiMB1TTbknpB9k40FjU13f
tlvbRnFj/bbMk6YxN/dcYm+0YxCmNdc8SEcCLRWTiUAAq9DSi6xdVYo3RfWdzmPe
vc/sU24CEPX/nXimtkxevslPAwqV/Wngbhw8AuqWe9VnN/cKQTFmKAYiEyfXe6OK
1WNeZeLb99s0eHPcT7uuxiPd7NxBOF5d5K/Ga9pR5UL/sHX9Dvbn8oeeuVFnlAPP
FKXo9as0/yuk/mtQMhoOXLkLgoB/XUu+3WjekRe+PkBzCMBwbVFU1Q==
=d+0e
-----END PGP SIGNATURE-----
--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer(a)suse.de - SuSE Security Team
~
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Summary Report
Announcement-ID: SUSE-SR:2005:011
Date: Fri, 15 Apr 2005 13:00:00 +0000
Cross References: CAN-2005-0664
CAN-2005-0667
CAN-2005-0992
PMASA-2005-3
CAN-2005-0876
CAN-2005-0877
Content of this advisory:
1) solved security vulnerabilities:
- wget directory traversal and dot file overwrite
- libexif buffer overflow in EXIF parsing
- sylpheed buffer overflow in header decoding
- phpMyAdmin cross site scripting problem
- dnsmasq buffer overflow and denial of service
2) pending vulnerabilities, solutions, workarounds:
- IDN (Internationalized Domain Name) cloaking / homograph attacks
- PostgreSQL problems
- new Mozilla security problems
- OpenOffice_org heap overflow
3) standard appendix (further information)
______________________________________________________________________________
1) solved security vulnerabilities
To avoid spamming lists with advisories for every small incident,
we will release weekly summary advisories for issues where we have
released updates without a full advisory. Since these are minor
issues, md5sums and ftp URLs are not included.
Fixed packages for the following incidents are already available on
our FTP server and via the YaST Online Update.
- wget directory traversal and dot file overwrite
Two security problems were fixed in the wget download program which
were reported earlier this year on full-disclosure.
- HTTP redirect statements could be used to do a directory traversal
and write to files outside of the current directory.
- HTTP redirect statements could be used to overwrite dot (".") files,
potentially overwriting a user's .bashrc or similar files.
This update neutralises dangerous directory and file names by replacing
the leading dot (".") with an underscore ("_").
This affects all SUSE distributions.
The SUSE Linux 9.3 update also fixes the incorrectly encoded German
translations.
- libexif buffer overflow in EXIF parsing
A small buffer overflow in the libexif image processing library
was fixed. This could lead to a denial of service or a potential
remote code execution attack when processing handcrafted JPEG files.
This is tracked by the Mitre CVE ID CAN-2005-0664.
- sylpheed buffer overflow in header decoding
The mail user agent sylpheed does not do proper bounds checking
while decoding MIME-encoded strings (for example in the Reply-To
field). The bug occurs only with particular locale settings (such as
en_US.UTF-8) and can be abused by a remote attacker to execute
arbitrary code with the privileges of the user receiving a malformed
email.
All SUSE Linux products were affected.
This is tracked by the Mitre CVE ID CAN-2005-0667.
- phpMyAdmin cross site scripting problem
Another cross site scripting bug was found in phpMyAdmin.
All SUSE Linux products are affected.
This is tracked by the Mitre CVE ID CAN-2005-0992 and
phpMyAdmin ID PMASA-2005-3.
- dnsmasq buffer overflow and denial of service
A buffer overflow was fixed in the dnsmasq masquerading DNS
daemon. It could lead to a denial-of-service condition that an
attacker on the local network can trigger during a restart of
the daemon. This is tracked by the Mitre CVE ID CAN-2005-0876.
Additionally a DNS cache poisoning attack can be launched easily
to reroute traffic of applications using dnsmasq for DNS lookups.
This is tracked by the Mitre CVE ID CAN-2005-0877.
SUSE Linux 9.2 and 9.3 are affected by this problem.
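The two wget redirect problems and the dot-to-underscore fix described in the wget item above, as an added illustration in Python (this is not wget's code and not SUSE's patch): a naive mapping of a redirect target (the Location header value) onto the download directory, beside a hardened mapping that applies the fix described above to every path component. The download directory and the redirect targets are constructed for the example.

```python
import posixpath
from urllib.parse import unquote, urlsplit


def naive_local_path(download_dir, location):
    """Map the path of a redirect target (the Location header value) straight
    onto the download directory. Vulnerable: '..' components climb out of
    download_dir, and a component with a leading '.' lets the server choose
    a dot file such as .bashrc as the output name."""
    path = unquote(urlsplit(location).path)
    return posixpath.normpath(posixpath.join(download_dir, path.lstrip("/")))


def hardened_local_path(download_dir, location):
    """Same mapping with the fix described in the advisory applied to every
    path component: leading dots become underscores, so '..' turns into
    '__' and '.bashrc' into '_bashrc'. No component can then climb upwards
    or name a dot file."""
    path = unquote(urlsplit(location).path)
    parts = []
    for comp in path.split("/"):
        if comp in ("", "."):
            continue  # empty and current-directory components carry no name
        stripped = comp.lstrip(".")
        parts.append("_" * (len(comp) - len(stripped)) + stripped)
    return posixpath.join(download_dir, *parts)


def escapes_download_dir(download_dir, local_path):
    """True when local_path would end up outside download_dir."""
    base = posixpath.normpath(download_dir)
    return posixpath.commonpath([base, posixpath.normpath(local_path)]) != base


# Constructed redirect targets for the demonstration, not from the advisory.
SAMPLE_REDIRECTS = [
    "http://mirror.example/pub/tool-1.0.tar.gz",
    "http://mirror.example/../../.bashrc",
    "http://mirror.example/%2e%2e/%2e%2e/.ssh/authorized_keys",
]

if __name__ == "__main__":
    download_dir = "/home/alice/dl"  # constructed
    for loc in SAMPLE_REDIRECTS:
        naive = naive_local_path(download_dir, loc)
        safe = hardened_local_path(download_dir, loc)
        print(f"{loc}\n  naive:    {naive} "
              f"(escapes={escapes_download_dir(download_dir, naive)})"
              f"\n  hardened: {safe}")
```

The percent-encoded variant is included because the decoded path, not the raw URL, is what reaches the file system; any check applied before decoding is bypassed.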
______________________________________________________________________________
2) Pending vulnerabilities in SUSE Distributions and Workarounds:
- IDN (Internationalized Domain Name) cloaking / homograph attacks
Problems with the IDN / punycode handling that allows non-ASCII
domain names were reported for every browser.
- The KDE approach is currently filtering on the top level domain.
- The Mozilla approach is currently to display punycode.
We have released Mozilla Firefox and KDE / konqueror updates for
this problem, the others (Mozilla suite and opera) are still pending.
- PostgreSQL problems
Additional PostgreSQL problems were reported:
- A local user could bypass the EXECUTE permission check for
functions by using the CREATE AGGREGATE command. CAN-2005-0244
- Other earlier listed problems are already fixed.
We are still working on updates for this problem.
- new Mozilla security problems
Several new Mozilla browser security problems have been reported.
We are currently addressing these issues.
- OpenOffice_org heap overflow
A heap overflow was found in the MS Word document handling of
OpenOffice_org, allowing a remote attacker to execute code via a
handcrafted .doc file.
We are preparing updates for this issue.
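The two browser approaches listed under the IDN item (here and in the pending section of the cvs advisory above), as an added example in Python that is not code from KDE, Mozilla or SUSE: "always display punycode" next to "display Unicode only under top-level domains whose registry has a policy", plus a mixed-script check, which is what a homograph such as a Cyrillic "a" inside a Latin label looks like. The sample host names and the TLD allowlist are constructed for illustration; the allowlist is a hypothetical stand-in for whatever list a browser would ship.

```python
import unicodedata

# Constructed sample host names. The second uses U+0430 CYRILLIC SMALL LETTER A
# in place of the Latin "a"; the third is a legitimate German IDN.
SAMPLE_HOSTS = ["paypal.com", "p\u0430ypal.com", "m\u00fcnchen.de"]

# Hypothetical allowlist for the "filter on the top level domain" approach:
# TLDs whose registry restricts which non-ASCII characters may be registered.
TLDS_WITH_IDN_POLICY = frozenset({"de", "at", "ch", "jp"})


def to_punycode(host):
    """ASCII-compatible form: every non-ASCII label becomes an xn-- label."""
    return host.encode("idna").decode("ascii")


def from_punycode(host):
    return host.encode("ascii").decode("idna")


def is_idn(host):
    return any(ord(ch) > 127 for ch in host)


def scripts_in_label(label):
    """Heuristic script classification of the letters in one label, taken
    from the first word of each character's Unicode name (LATIN, CYRILLIC,
    GREEK, ...). Python has no Unicode script property, so this stands in."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def is_mixed_script(host):
    """A single label mixing scripts is the classic homograph pattern."""
    return any(len(scripts_in_label(label)) > 1 for label in host.split("."))


def display_punycode_always(host):
    """The Mozilla approach described above: never render a non-ASCII host
    name, show its punycode form instead."""
    return to_punycode(host) if is_idn(host) else host


def display_filtered_by_tld(host, allowed_tlds=TLDS_WITH_IDN_POLICY):
    """The KDE approach described above: render Unicode only under TLDs with
    a registry policy, punycode everywhere else."""
    tld = host.rsplit(".", 1)[-1].lower()
    if not is_idn(host) or tld in allowed_tlds:
        return host
    return to_punycode(host)


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h!r}: punycode-always={display_punycode_always(h)} "
              f"tld-filter={display_filtered_by_tld(h)} "
              f"mixed-script={is_mixed_script(h)}")
```

Showing punycode makes the spoof visible but punishes every legitimate IDN; filtering by TLD keeps legitimate IDNs readable but only protects where the registry enforces a policy. The mixed-script check is the later refinement browsers converged on, and it flags the constructed spoof while leaving "münchen.de" alone.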
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SUSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum <name-of-the-file.rpm>
after you downloaded the file from a SUSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security(a)suse.de)
the checksums show proof of the authenticity of the package.
We recommend against subscribing to security lists that cause the
e-mail message containing the announcement to be modified
so that the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.
2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
file name of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an uninstalled rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SUSE in rpm packages for SUSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SUSE Linux distributions version 7.1 and thereafter install the
key "build(a)suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the top-level directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
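The verification procedure in this appendix (and in the identical appendices of the two advisories above), as an added example in Python; this is not SUSE tooling. It parses the "URL line followed by md5 line" layout of the package sections, compares downloaded files against it, and wraps the two commands the appendix names, gpg --verify for the clear-signed announcement and rpm -v --checksig for the package. The key ID 3D25D3D9 is the security team key listed at the end of each advisory; the package name, file contents and directory layout in run_demo are constructed for the example. Note that the md5 list carries no authority of its own: it is only meaningful after the announcement's signature has verified, which is why announcement_signed_by comes first.

```python
import hashlib
import os
import re
import subprocess
import tempfile

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
URL_RE = re.compile(r"^(?:ftp|https?)://\S+/(?P<name>[^/\s]+)$")


def parse_checksums(announcement_text):
    """Map package file name -> md5 from the layout the advisories use in
    'package location and checksums': a URL line, then its md5 line."""
    expected = {}
    lines = [ln.strip() for ln in announcement_text.splitlines()]
    for url, digest in zip(lines, lines[1:]):
        m = URL_RE.match(url)
        if m and MD5_RE.match(digest):
            expected[m.group("name")] = digest
    return expected


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_package(path, expected):
    """'ok' when the file matches the announced md5, 'mismatch' when it does
    not, 'not-listed' when the announcement has no entry for that file name
    (the 'rebuilt package' downside described in the appendix)."""
    name = os.path.basename(path)
    if name not in expected:
        return "not-listed"
    return "ok" if md5_of_file(path) == expected[name] else "mismatch"


def announcement_signed_by(path, short_key_id="3D25D3D9"):
    """Must succeed before the md5 list is trusted: gpg verifies the
    clear-signed announcement (saved to a file) against the security team
    key. Returns False when gpg is missing, the key is not imported, or the
    signature does not verify. Reads GOODSIG from gpg's status output."""
    try:
        proc = subprocess.run(
            ["gpg", "--batch", "--status-fd", "1", "--verify", path],
            capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return False
    good = [ln.split() for ln in proc.stdout.splitlines() if "GOODSIG" in ln]
    return proc.returncode == 0 and any(f[2].endswith(short_key_id) for f in good)


def rpm_signature_ok(path):
    """Second, independent method from the appendix: rpm's own signature
    check (needs rpm and the build key imported as described there)."""
    try:
        return subprocess.run(["rpm", "-v", "--checksig", path],
                              capture_output=True, check=False).returncode == 0
    except FileNotFoundError:
        return False


def run_demo():
    """Constructed scenario with a hypothetical package name: an intact
    download, a copy tampered with on a second mirror, and a rebuilt package
    the announcement does not list. Returns the three verdicts."""
    with tempfile.TemporaryDirectory() as d:
        payload = b"\xed\xab\xee\xdb" + b"constructed stand-in for rpm bytes\n"
        mirror_b = os.path.join(d, "mirror-b")
        os.mkdir(mirror_b)
        good = os.path.join(d, "example-1.0-1.i586.rpm")
        tampered = os.path.join(mirror_b, "example-1.0-1.i586.rpm")
        rebuilt = os.path.join(d, "example-1.0-2.i586.rpm")
        for path, data in ((good, payload), (tampered, payload + b"\x90"),
                           (rebuilt, payload)):
            with open(path, "wb") as f:
                f.write(data)
        # Announcement excerpt in the advisories' layout, built around the
        # md5 of the intact file so no digest is hard-coded here.
        announcement = ("4) package location and checksums\nx86 Platform:\n"
                        "SUSE Linux 9.3:\n"
                        "ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/"
                        "example-1.0-1.i586.rpm\n" + md5_of_file(good) + "\n")
        expected = parse_checksums(announcement)
        return {"intact": check_package(good, expected),
                "tampered": check_package(tampered, expected),
                "rebuilt": check_package(rebuilt, expected)}


if __name__ == "__main__":
    print(run_demo())
```

In real use the order is: save the mail to a file, require announcement_signed_by(file) to be True, then parse_checksums on that same file and check_package on each download; rpm_signature_ok gives the second opinion that does not depend on the announcement at all. A "not-listed" verdict is expected after a package has been rebuilt and is the signal to fetch the newer announcement rather than to install anyway.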
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- general/linux/SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (FAQ)
send mail to:
<suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com> respectively.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the clear-text signature shows proof of the
authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.7 (GNU/Linux)
=Fv2n
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iQEVAwUBQl/Bjney5gA9JdPZAQEhfgf/fJEDT9tah3s8aI6aGu0rDsNy+7d0ZcYF
YU2NBY1b1LBD9HLtHSjkSnnB8DvUmzzHwP6ZZQFCMiYuI5gDYIvfx5NFrynbR6PB
ah/J2RDebta8mArXE6w0IiATKq/F9+ZRxxTTb15co6UOQbHBfBqXi3JgwT/2eHc/
N0FM8cwwaDZh+LelD+ICxvCRgub6Z/DIvM2IC40Fbl+/ocfUFYfh5nXAFwwApR3h
OksHnKmtGRxg131VfHwyfk4alir5a6uIcQFIQ4FCxQNraPlGMRhodrLDsMbUGp2g
2noOyCZpxFG8dguqN/1mgLF0IoTGPKeWEZ8AKxa9L2YZp5tYVeGVyQ==
=UVZO
-----END PGP SIGNATURE-----
SUSE Security Announcement: php remote denial of service (SUSE-SA:2005:023)
by Marcus Meissner 15 Apr '05
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Announcement
Package: php4, php5
Announcement-ID: SUSE-SA:2005:023
Date: Fri, 15 Apr 2005 12:00:00 +0000
Affected products: 8.2, 9.0, 9.1, 9.2, 9.3
SUSE Linux Enterprise Server 8, 9
Vulnerability Type: remote denial of service
Severity (1-10): 5
SUSE default package: no
Cross References: CAN-2005-0524
CAN-2005-0525
Content of this advisory:
1) security vulnerability resolved:
php4 / php5 denial of service attack
problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
none
6) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion
This update fixes the following security issues in the PHP scripting
language:
- A bug in getimagesize() EXIF handling which could lead to a denial of
service attack.
This is tracked by the Mitre CVE IDs CAN-2005-0524 and CAN-2005-0525.
Additionally this non-security bug was fixed:
- Performance problems of unserialize() caused by previous security
fix to unserialize were fixed.
All SUSE Linux based distributions shipping php4 and php5 were affected.
2) solution/workaround
Please install the upgraded packages.
3) special instructions and notes
Please make sure you restart the web server after this update.
4) package location and checksums
Please download the update package for your distribution and verify its
integrity by the methods listed in section 6) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered for installation from the maintenance web.
x86 Platform:
SUSE Linux 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/apache2-mod_php4-4.3.1…
092b41e835df38140ce84a57a8a19291
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/apache2-mod_php5-5.0.3…
859c59423121af7fc782187b67ac9eb2
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mod_php4-servlet-4.3.1…
998bb2eee2ccb49db4889f9064520212
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-4.3.10-14.2.i586.…
8e5903503b80b7235e253d9b8b59904f
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-devel-4.3.10-14.2…
b6e4b7080e54cb4ca2b970817d7a7202
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-fastcgi-4.3.10-14…
5f14cca638d59b161c3db68cc378c237
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-session-4.3.10-14…
726545e66501ea788cb278804071bfe3
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-sysvshm-4.3.10-14…
c201b0e680713340312baef2b8629252
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-5.0.3-14.2.i586.r…
356d41447026e2c29658b4be3ba18b95
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-devel-5.0.3-14.2.…
63b4c9099189788fc6c6fee76d4b0d6f
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-fastcgi-5.0.3-14.…
5b5d43fc648f6d54a36dbd475c075e0d
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-sysvmsg-5.0.3-14.…
f64d969e257eebc6756b018fd2609638
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-sysvshm-5.0.3-14.…
7e70d9b50cb54250c26953ada098a381
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-32bit-9.3-7.1.x…
05fad72084e61a4df8a3acd1ff08f798
SUSE Linux 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/apache2-mod_php4-4.3.8…
30fc3c59fab61fa89944dec7db94d26e
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/mod_php4-servlet-4.3.8…
ba2c67dd1c709dff17168eaebd8e145f
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-4.3.8-8.5.i586.rpm
6d4a22a613dc64a3699d27ce09f9f255
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-devel-4.3.8-8.5.i…
fdbd8f94484d41142f51af35b18b8b97
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-fastcgi-4.3.8-8.5…
78a39683a5496885464c8a7bb5ebdd82
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-session-4.3.8-8.5…
70a081d38fa56e51c4e357dd0a7c3a73
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-sysvshm-4.3.8-8.5…
ae7974ce3c6e62fea4687a13eefa1f43
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-32bit-9.2-20050…
a9d235e734d2ac2e876048173900e392
SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/apache2-mod_php4-4.3.4…
b7aead2cb147c681e0efb34cb0012d56
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/mod_php4-core-4.3.4-43…
bf8e4ccdcc94b8ff6aa9e50738d5652e
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/mod_php4-servlet-4.3.4…
cbeec3026b9274969a61421ec0b5d15f
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-4.3.4-43.28.i586.…
65b3a8046f7622973b7a7d0b8a388a9a
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-devel-4.3.4-43.28…
dc7b8514735b01887158b9666cb09cc1
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-fastcgi-4.3.4-43.…
7872f4539151e9055a0c3a05bcc53340
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-imap-4.3.4-43.28.…
e6c0896439221b47ac95bd5b81347030
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-mysql-4.3.4-43.28…
879bb81a1e99f0f1abc9f9297ef78afb
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-recode-4.3.4-43.2…
7640c6d169b4ee0bb7beace768ebd3bf
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-servlet-4.3.4-43.…
091a8ca814be21d0dca4473214151ab4
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-session-4.3.4-43.…
f836d57b333b0854f77831f947a29939
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-sysvshm-4.3.4-43.…
d0ce400b95af15df2c2ff93cefc27f6f
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-wddx-4.3.4-43.28.…
153fe65a00f9c83ed6e3e9d8ac58bcd7
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/php4-4.3.4-43.28.src.rpm
6cd11704fb5dcba94fef2efe304ce6ae
SUSE Linux 9.0:
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/apache2-mod_php4-4.3.3…
8e9e46631279dfec913dbccc3507a04d
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-4.3.3-187.i58…
4b817d14ea8cfa471d2b7da231bc9c04
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-aolserver-4.3…
01cde19877d4cdb7241183c29d799a40
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-core-4.3.3-18…
2f3b9eaea64686556524d4b6a3712b44
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-devel-4.3.3-1…
9ffcd67d307dac6d4d2b35c8f2e19269
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-servlet-4.3.3…
f381038385a6634a0191daa3da1d8ea8
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/mod_php4-4.3.3-187.src.…
ba28af987d39a5eb456574fc0fb95828
SUSE Linux 8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/apache2-mod_php4-4.3.1…
e2afaa2f21bfd29e5689fb66e87bc7c4
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mod_php4-4.3.1-176.i58…
7056ee242089ad9889c9109d7ba58bfa
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mod_php4-aolserver-4.3…
8af8e5ba3e8a69737b695f3df2886c43
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mod_php4-core-4.3.1-17…
cc17c23d79a92b7d73db7015343fec6f
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mod_php4-devel-4.3.1-1…
792e5ca40d4b7416e50a7c5d8305cc76
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/mod_php4-4.3.1-176.src.…
33395ed1d8a162e7bca09fc93ef6ed68
x86-64 Platform:
SUSE Linux 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/apache2-mod_php4-4.3…
121aad084e9f90b7e8d29c373b02244b
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/apache2-mod_php5-5.0…
9d4dd7ba5c8d91d1457d665bcf0aebbb
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mod_php4-servlet-4.3…
878e379e96e2c372963df3da299a15eb
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-4.3.10-14.2.x86…
e00307757dcad75e470ba669a703028f
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-devel-4.3.10-14…
06a496f60998c7201cf185ee474cd43d
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-fastcgi-4.3.10-…
0635a305efff157be56155c721db1cff
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-session-4.3.10-…
281d0cc5a831edfd3c50a678f0fa74ac
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-sysvshm-4.3.10-…
edbcb8ca2bab9aa26c799e86526386d9
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-5.0.3-14.2.x86_…
72d4e5c520f32be6719efd1a744fad3e
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-devel-5.0.3-14.…
c7a90df0de9500399421a565c2828d9c
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-fastcgi-5.0.3-1…
8cdb9d138bb757dff6906e5bd44eda68
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-sysvmsg-5.0.3-1…
06152a5ab1352458a8a339813df012b0
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-sysvshm-5.0.3-1…
fbb8306bf72ee918ec6b7a5804f52857
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/php4-4.3.10-14.2.src.rpm
2623d3f94ea8e6bd801249f7b79c0e09
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/php5-5.0.3-14.2.src.rpm
9026dde16cdf291cfae85d8a8e5b266b
SUSE Linux 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/apache2-mod_php4-4.3…
74e80d4996883b92ae30b1aea5a24d3d
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/mod_php4-servlet-4.3…
b7e113e58096dee64975ad09075b058e
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-4.3.8-8.5.x86_6…
dc2697c70c101c3c16133e45aad4eb05
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-devel-4.3.8-8.5…
0904155bbb6b3bf8a275bd7a7780c356
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-fastcgi-4.3.8-8…
472e3a708e7f6f1774dce421d1c06067
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-session-4.3.8-8…
4f1402d04098100f10a7910685b17d45
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-sysvshm-4.3.8-8…
ae473a3e1e8177d711a98d7f85a43db1
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/php4-4.3.8-8.5.src.rpm
be3087c034218ea830c64dfcfc20fd5d
SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/apache2-mod_php4-4…
8aedd4ae5089b6ad1628a46e962e10c5
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/mod_php4-core-4.3.…
bd38471abb2b27c6e0f104a05ae3dec5
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/mod_php4-servlet-4…
6db8f9c47c5c3df1acfeb874b87b87af
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-4.3.4-43.28.x…
83acb944933f86d8752eb1c0b79d51fd
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-devel-4.3.4-4…
eb10c12b4dda00a723fd2481cb0d9431
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-fastcgi-4.3.4…
6f0f093744f78d3a01f22ee750ee41b9
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-imap-4.3.4-43…
be1d5285711535911577202e61eea27f
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-mysql-4.3.4-4…
0e7c2f8ee85bac2b33d0669004c93781
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-recode-4.3.4-…
e614abf4e2de40ce21bd05a6c0e7b4da
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-servlet-4.3.4…
e769eeaa2674e0090abfd8e97f4a6cb7
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-session-4.3.4…
eb9953ae01fbdaae89b1010d8bb89fbd
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-sysvshm-4.3.4…
0a5fd6e2d6caa31edd14e7bb87d45a90
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-wddx-4.3.4-43…
6507908da0b26e98739bc21d3af623fe
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/php4-4.3.4-43.28.src.…
2ce604b9c1f50575bae7fdcf1736e40a
SUSE Linux 9.0:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/apache2-mod_php4-4…
adb3475c4da5623ae3a83e82f0369340
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-4.3.3-187…
082261652c7fa03cd2dda0101c03e2a7
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-aolserver…
c4cd316278e841f0a9ea8c3448fe0c63
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-core-4.3.…
427d132d1682e628abf972d353e30113
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-devel-4.3…
5a5e7041c2d74a6736cc07a095764b4b
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-servlet-4…
76cf3f75df2341b03c58b7ddaeb4bad4
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/mod_php4-4.3.3-187.sr…
b9b4f1b5fa5edac29c606ca3b03c041c
______________________________________________________________________________
5) Pending vulnerabilities in SUSE Distributions and Workarounds:
none
______________________________________________________________________________
6) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SUSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum <name-of-the-file.rpm>
after you downloaded the file from a SUSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security(a)suse.de)
the checksums show proof of the authenticity of the package.
We recommend against subscribing through security lists that modify
the e-mail message containing the announcement, so that the signature
no longer matches after transport through the mailing list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are rebuilt and a
new version of a package is published on the ftp server, the md5 sums
listed for the old files no longer apply.
2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an un-installed rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be installed by the gpg program in the directory ~/.gnupg/
in the home directory of the user who performs the signature
verification (usually root). You can import the key
that is used by SUSE in rpm packages for SUSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SUSE Linux distributions version 7.1 and thereafter install the
key "build(a)suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the top-level directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
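The lookup that method 1 describes, as an added example that is not part of the SUSE advisory: it reads the URL/md5 line pairs of an announcement into a map, recomputes the md5 of a downloaded file and reports whether it matches, has been altered, or is not listed at all (the rebuilt-package case mentioned under Downsides). The announcement excerpt, the package contents and the name example-1.0-1.i586.rpm are constructed for the example; the gpg check of the announcement itself and rpm --checksig (method 2) are not exercised here. Keep in mind that md5 has not been collision-resistant since 2004, so the trust comes from the signature on the announcement, and the rpm's own gpg signature is the stronger check.

```python
"""Added example (not from the SUSE advisory): check downloaded update files
against the md5sums listed in a signed announcement.

SUSE announcements list each package as a URL line immediately followed by a
line holding the file's md5sum. parse_checksums() turns that layout into a
{basename: md5} map and verify_file() compares a local file against it. The
announcement excerpt and package contents below are constructed sample data;
the file name example-1.0-1.i586.rpm is hypothetical.
"""
import hashlib
import os
import re
import tempfile

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_checksums(announcement: str) -> dict:
    """Map package basename -> md5 from URL/md5 line pairs.

    Lines that are not a URL followed by a 32-hex-digit line (section
    headers such as "SUSE Linux 9.2:" or "source rpm(s):") are skipped.
    """
    sums = {}
    lines = [ln.strip() for ln in announcement.splitlines()]
    for url, digest in zip(lines, lines[1:]):
        if url.startswith(("ftp://", "http://", "https://")) and MD5_RE.match(digest):
            sums[url.rsplit("/", 1)[-1]] = digest.lower()
    return sums


def md5_of_file(path: str) -> str:
    """Hex md5 of a file, read in chunks (what `md5sum <file>` prints)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path: str, sums: dict) -> str:
    """Return "ok", "mismatch" or "unlisted" for a downloaded file.

    "unlisted" is the case the advisory warns about: once packages are
    rebuilt and republished, the announcement's sums no longer apply.
    """
    name = os.path.basename(path)
    if name not in sums:
        return "unlisted"
    return "ok" if md5_of_file(path) == sums[name] else "mismatch"


# Constructed sample announcement excerpt in the layout of section 4 above.
# The two sums are the md5 of b"hello\n" and of an empty file.
GOOD_CONTENT = b"hello\n"
SAMPLE_ANNOUNCEMENT = """\
SUSE Linux 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/example-1.0-1.i586.rpm
b1946ac92492d2347c6235b4d2611184
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/example-1.0-1.src.rpm
d41d8cd98f00b204e9800998ecf8427e
"""


def demo() -> dict:
    """Write sample files into a temp dir and verify each; returns results."""
    sums = parse_checksums(SAMPLE_ANNOUNCEMENT)
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "example-1.0-1.i586.rpm")
        with open(good, "wb") as f:
            f.write(GOOD_CONTENT)               # matches the listed sum
        tampered = os.path.join(d, "tampered", "example-1.0-1.i586.rpm")
        os.makedirs(os.path.dirname(tampered))
        with open(tampered, "wb") as f:
            f.write(GOOD_CONTENT + b"x")        # one byte changed on a mirror
        other = os.path.join(d, "other-2.0-1.i586.rpm")
        open(other, "wb").close()               # a rebuilt package, not listed
        for p in (good, tampered, other):
            results[os.path.relpath(p, d)] = verify_file(p, sums)
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Only the basename is matched, so a file fetched from any mirror path is checked against the same entry; the comparison is made after the announcement's signature has been verified, which is what gives the listed sums their authority.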
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- general/linux/SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com> respectively.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the clear-text signature shows proof of the
authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff
4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d
M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO
QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK
XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE
D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd
G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM
CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE
myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr
YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD
wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d
NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe
QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe
LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t
XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU
D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3
0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot
1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW
cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E
ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f
AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E
Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/
HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h
t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT
tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM
523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q
2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8
QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw
JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ
1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH
ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1
wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY
EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol
0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK
CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co
SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo
omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt
A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J
/LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE
GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf
ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT
ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8
RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ
8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb
B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X
11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA
8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj
qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p
WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL
hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG
BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+
AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi
RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0
zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM
/3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7
whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl
D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz
dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI
RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI
DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE=
=LRKC
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iQEVAwUBQl+NaXey5gA9JdPZAQEdHAgAgJIFuGro3aYnRFmDZ2+MDt+mTFko//kZ
RzAd1P8100crlmL/3wpVrPjZnKuQGdSgqAh/4QK7ONXsIFrUm/bno1r2nF6eeOz6
SBeN7WMAWpRD8Eauol6J8kMLEmBQQFIWP2WtFLU7RVriwlFFaTxY9RpxsP6y6F0I
PbqCqh5kIzypeSDv7zIN3jFAMG7Ohyrjx+L7l6O65AaMF5effGFZNDGNoTel/8/9
RxhAXfHyLVTSz4oZD1/1epKRJ7uSzdXPhLzFkd9rol41gJ7BKI4d92NJzkGz2VBI
ov/nW9vFvDznkk5fudzSHB3/b6j/SVXgHmNQlprWneiAXHVpCS1Dew==
=OJbv
-----END PGP SIGNATURE-----
SUSE Security Announcement: various KDE security problems (SUSE-SA:2005:022)
by Marcus Meissner 11 Apr '05
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Announcement
Package: kdelibs3
Announcement-ID: SUSE-SA:2005:022
Date: Mon, 11 Apr 2005 15:00:00 +0000
Affected products: 9.1, 9.2, 9.3
SUSE Linux Enterprise Server 9
Novell Linux Desktop 9
Vulnerability Type: remote code execution
local denial of service
Severity (1-10): 8
SUSE default package: yes
Cross References: CAN-2005-0237
CAN-2005-0396
Content of this advisory:
1) security vulnerability resolved:
several security problems in KDE
problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
See SUSE Security Summary Report.
6) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion
Several vulnerabilities have been identified and fixed in the KDE
desktop environment.
- A buffer overflow via specially crafted PCX pictures was fixed.
This could allow a remote attacker to execute code as the user
opening or viewing a PCX image. Such an image could have been
embedded in a web page or e-mail.
This affects SUSE Linux 9.1 up to 9.3, SUSE Linux Enterprise Server
9 and Novell Linux Desktop 9.
- The IDN domain name cloaking problem was fixed.
A remote website could disguise its name as that of another,
potentially trusted, site by abusing the extension originally meant
for non-ASCII domain names: "homographs", characters that look
exactly like other letters.
KDE's fix is to display such names only for trusted top-level
domains; it is disabled by default for the .net, .com and .org domains.
This issue exists in SUSE Linux 9.1 and 9.2, SUSE Linux Enterprise
Server 9 and Novell Linux Desktop 9. It has been assigned the
Mitre CVE ID CAN-2005-0237.
- A denial of service attack against the DCOP service was fixed.
A local user could cause another user's KDE session to visibly hang
by writing bad data to the world-writable DCOP socket. The socket
has been made writable only by its owner.
This was found by Sebastian Krahmer of SUSE Security.
This affects all SUSE Linux versions, except SUSE Linux 9.3.
Updates for SUSE Linux up to 9.0 and SUSE Linux Enterprise Server
8 are not included for this minor issue. They will be included
should a later security update for different issues be necessary.
This is tracked by the Mitre CVE ID CAN-2005-0396.
Additionally, the following bug was fixed:
- A possible race in the DNS resolver causing unresolved hosts in rare
cases was fixed. This only affected SUSE Linux 9.3.
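The DCOP item above describes the fix only as making the socket writable by its owner alone. As an added example (not KDE's code), the following shows the difference between binding a local IPC socket under whatever umask the process inherited and binding it under a restrictive umask, together with the check an administrator can run on an existing socket file. Paths and names are constructed for the example.

```python
"""Added example (not KDE's code): create a Unix-domain socket so that only
its owner can write to it, and check an existing socket for the
world-writable condition the DCOP fix removed.

A Unix-domain socket file gets mode 0777 & ~umask at bind() time, so a
permissive umask (0o002, 0o000) leaves it writable by other local users,
who can then feed it bad data. The fix is to bind under a restrictive umask
and verify the resulting mode; chmod after bind() would leave a window in
which the socket is already listening with loose permissions.
"""
import os
import socket
import stat
import tempfile


def is_world_writable(path: str) -> bool:
    """True if users other than the owner and group can write to path."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def _bind(path: str, umask: int) -> socket.socket:
    """Bind a listening Unix socket at path with the given umask in force."""
    if os.path.lexists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old = os.umask(umask)          # tighten (or loosen) only around bind()
    try:
        srv.bind(path)
    finally:
        os.umask(old)
    srv.listen(1)
    return srv


def bind_socket_with_umask(path: str, umask: int) -> socket.socket:
    """The 'before' behaviour: the socket's mode follows the process umask."""
    return _bind(path, umask)


def bind_private_socket(path: str) -> socket.socket:
    """The hardened form: mode 0700 regardless of the caller's umask.

    The parent directory should itself be private (e.g. mode 0700), since
    a socket in a shared directory can still be renamed or replaced there.
    """
    srv = _bind(path, 0o077)
    if is_world_writable(path):
        srv.close()
        raise PermissionError(f"{path} is world-writable after bind()")
    return srv


def demo() -> dict:
    """Create both kinds of socket in a temp dir; return what each looks like."""
    with tempfile.TemporaryDirectory() as d:
        loose = os.path.join(d, "loose.sock")
        tight = os.path.join(d, "tight.sock")
        s1 = bind_socket_with_umask(loose, 0o000)   # as if umask were 000
        s2 = bind_private_socket(tight)
        try:
            return {
                "loose": is_world_writable(loose),
                "tight": is_world_writable(tight),
                "tight_mode": stat.S_IMODE(os.stat(tight).st_mode),
            }
        finally:
            s1.close()
            s2.close()


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, oct(v) if isinstance(v, int) and not isinstance(v, bool) else v)
```

The same `is_world_writable` check applied to the DCOP socket in a user's session directory distinguishes an unpatched session (world-writable) from a patched one.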
2) solution/workaround
Please install the updated packages.
3) special instructions and notes
Make sure you restart your KDE session after this update.
4) package location and checksums
Please download the update package for your distribution and verify its
integrity by the methods listed in section 6) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.
x86 Platform:
SUSE Linux 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kdelibs3-3.4.0-20.3.i5…
6b63160218d7e9023418980186942ab3
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kdelibs3-32bit-9.3-7…
7de0dcf016ad28f3f95c9110a376dc7b
SUSE Linux 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kdelibs3-3.3.0-34.5.i5…
47c8c9ccb24b30261de0910ff5bfa19e
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kdelibs3-32bit-9.2-2…
7da9ca5c0cefb043ea170c59beaa588a
SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kdelibs3-3.2.1-44.46.i…
6dd4f0b38a750f256f6639decda2a968
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/i586/kdelibs3-32bit-9.1-2…
955791a7b3973698f2c9ea8b0cd09716
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kdelibs3-3.2.1-44.46.sr…
3f5585b97d663b7d6d9bcac0f8c0b7a0
x86-64 Platform:
SUSE Linux 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kdelibs3-3.4.0-20.3.…
5c79a3e9e143bd0c29ecbf7d4b4222a2
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/kdelibs3-3.4.0-20.3.src…
6a3f653fe866b9cfb7f9215fed404e94
SUSE Linux 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kdelibs3-3.3.0-34.5.…
d2970930a5757b3a2758eb53efda5d8b
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kdelibs3-3.3.0-34.5.src…
4ae72b2108db739ebc4aefca67b5b566
SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kdelibs3-3.2.1-44.…
7355ab449354f49fdc0de161d6fb86ab
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kdelibs3-3.2.1-44.46.…
1587e0cfa6ce3dae17c4f6fa8c10ef01
______________________________________________________________________________
5) Pending vulnerabilities in SUSE Distributions and Workarounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) standard appendix: authenticity verification, additional information
(Identical to the standard appendix and public key block printed with the
preceding advisory above.)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iQEVAwUBQlqaQney5gA9JdPZAQHmVAf/ZmqLy6ioDYLfaw3xzwFjVGCKPMJMwCDw
z7ncZ53/l82oLlFNIlt4A9FpK6Nq3vXCQuNCI0av6uGlhlRvqlp+XoWfYfPDVIuX
wQ6ROHyJBVV2NgLCendUp/DzukF0V1aeZ8dJ4zYwlqrc5lq6HGrkxBN2ILNuBOwA
mxMRk2mXcFO8f1LKqTQxrONyWRsj08F8JwZNvqosZ92ft+MnY5Cv48dl6GeRKBMX
zyHvN6j/mknEUCUmTJmXHWT8bhLYCdgdWNcxvZGrMSz32m6p/B+AM4nOVn22lfYN
swdN8VvaRoaGu+PBFSdvRXep71cDMZ0Y2mLMoD/+c9eHaDrs6UI7RQ==
=LHnC
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Summary Report
Announcement-ID: SUSE-SR:2005:010
Date: Fri, 08 Apr 2005 14:00:00 +0000
Cross References: CAN-2005-0605
CAN-2005-0706
CAN-2005-0891
Content of this advisory:
1) solved security vulnerabilities:
- netapplet local privilege escalation
- grip buffer overflow in cddb handling
- additional libXPM overflows
- tetex tmp symlink attack
- crash by double free in gdk-pixbuf
2) pending vulnerabilities, solutions, workarounds:
- wget directory traversal and dot file overwrite problem
- IDN (Internationalized Domain Name) cloaking / homograph attacks
- PostgreSQL problems
- php denial of service problems
- new Mozilla security problems
- buffer overflow in sylpheed / sylpheed-claws
3) standard appendix (further information)
______________________________________________________________________________
1) solved security vulnerabilities
To avoid spamming lists with advisories for every small incident,
we will release weekly summary advisories for issues where we have
released updates without a full advisory. Since these are minor
issues, md5sums and ftp URLs are not included.
Fixed packages for the following incidents are already available on
our FTP server and via the YaST Online Update.
- netapplet local privilege escalation
The SUSE Security Team reviewed critical parts of netapplet and found
severe bugs which could allow local attackers to gain root privileges.
User input has been passed to network scripts without verification.
This has been fixed.
Novell Linux Desktop 9 was affected by this problem.
- grip buffer overflow in cddb handling
Insufficient checks when processing CDDB queries could lead to
buffer and integer overflows. These bugs have been fixed. This
is tracked by the Mitre CVE ID CAN-2005-0706.
All SUSE Linux products including grip were affected.
- additional libXPM overflows
This update fixes a buffer overflow in some for loops that can
be triggered while processing XPM image file data. This bug could
potentially be exploitable from remote to execute arbitrary code.
This is tracked by the Mitre CVE ID CAN-2005-0605.
All SUSE Linux based products were affected by this problem.
- tetex tmp symlink attack
By placing a symlink in /var/cache/fonts, a user could find out which
files exist in directories not accessible to them. Indexing
/var/cache/fonts is now done as user nobody instead of root to
prevent this.
All SUSE Linux products were affected.
- crash by double free in gdk-pixbuf
A bug in the BMP handling of gdk-pixbuf causes a pointer to be
freed twice, resulting in a crash of the application.
We will fix this in upcoming products, a security update is not
planned.
This is tracked by the Mitre CVE ID CAN-2005-0891.
______________________________________________________________________________
2) Pending vulnerabilities in SUSE Distributions and Workarounds:
- wget directory traversal and dot file overwrite problem
We are still working on updated packages for the wget issues as
reported on Bugtraq:
http://www.securityfocus.com/archive/1/383998
Packages are now in QA.
- IDN (Internationalized Domain Name) cloaking / homograph attacks
Problems with the handling of IDN / punycode (the encoding that allows
non-ASCII domain names) were reported for every browser.
- The KDE approach is currently filtering on the top level domain.
- The Mozilla approach is currently to display punycode.
We have released Mozilla Firefox updates for this problem, the others
are still pending.
- PostgreSQL problems
Additional PostgreSQL problems were reported:
- A local user could bypass the EXECUTE permission check for
functions by using the CREATE AGGREGATE command. CAN-2005-0244
- Other earlier listed problems are already fixed.
We are still working on updates for this problem.
- php denial of service problems
We are working on updates for the new php denial of service
problems as found in the php5 5.0.4 and php4 4.3.11 release.
- New Mozilla security problems
Several new Mozilla browser security problems have been reported.
We are currently addressing these issues.
- buffer overflow in sylpheed / sylpheed-claws
Buffer overflows in the handling of the MIME conversion of
header lines in the GTK based mail reader sylpheed / sylpheed-claws
were found.
We are currently working on updates.
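The IDN item above and the KDE advisory's description of the same problem name two countermeasures: KDE restricts Unicode display to trusted top-level domains, Mozilla shows the punycode form. As an added example that is neither KDE's nor Mozilla's code, the following decodes a punycode host name with Python's built-in idna codec, detects the mixed-script pattern behind a homograph (a Cyrillic "а", U+0430, standing in for Latin "a") and applies each display policy. The trusted-TLD set is a constructed stand-in for a browser's allowlist, the policy names are labels for the two approaches described above, and the mixed-script check goes beyond what either advisory says the browsers did in 2005.

```python
"""Added example (not KDE's or Mozilla's code): homograph detection and the
two display policies the advisories describe, applied to punycode hosts.

decode_idn() turns "xn--..." labels back into Unicode with Python's idna
codec; scripts_in() lists the scripts of a label's letters so that a label
mixing Latin with Cyrillic or Greek can be flagged; display_host() decides
what to show in the location bar under a given policy. TRUSTED_TLDS and the
sample host names are constructed for the example.
"""
import unicodedata

# Constructed allowlist: TLDs whose registries restrict the characters they
# register. The advisory says KDE disables IDN display for .com/.net/.org.
TRUSTED_TLDS = {"de", "at", "ch", "jp"}


def decode_idn(host: str) -> str:
    """'xn--pypal-4ve.com' -> 'pаypal.com' (the second letter is Cyrillic)."""
    return host.encode("ascii").decode("idna")


def scripts_in(label: str) -> set:
    """Script names of the letters in a label, e.g. {'LATIN', 'CYRILLIC'}.

    The Unicode character name starts with the script ("CYRILLIC SMALL
    LETTER A"), which is enough to spot a label mixing look-alike scripts.
    """
    return {
        unicodedata.name(ch, "UNKNOWN").split()[0]
        for ch in label
        if ch.isalpha()
    }


def is_homograph_candidate(unicode_host: str) -> bool:
    """True if any label mixes scripts, the classic spoofing pattern."""
    return any(len(scripts_in(label)) > 1 for label in unicode_host.split("."))


def display_host(host: str, policy: str) -> str:
    """Choose the string shown to the user for an ASCII (wire-form) host.

    "none":    decode unconditionally (the vulnerable behaviour)
    "mozilla": always show punycode for IDN hosts (interim Mozilla fix)
    "kde":     show Unicode only for trusted TLDs, and only if no label
               mixes scripts; otherwise show punycode
    """
    unicode_host = decode_idn(host)
    if unicode_host == host:            # plain ASCII host, nothing to decide
        return host
    if policy == "none":
        return unicode_host
    if policy == "mozilla":
        return host
    if policy == "kde":
        tld = host.rsplit(".", 1)[-1].lower()
        if tld in TRUSTED_TLDS and not is_homograph_candidate(unicode_host):
            return unicode_host
        return host
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    # Constructed samples: the well-known paypal look-alike and a legitimate
    # German umlaut domain.
    for h in ("xn--pypal-4ve.com", "xn--mnchen-3ya.de", "www.suse.de"):
        for p in ("none", "mozilla", "kde"):
            print(f"{p:8} {h:22} -> {display_host(h, p)}")
```

Under the "kde" policy the umlaut domain is still shown in Unicode while the paypal look-alike is shown as punycode, both because .com is not on the allowlist and because the decoded label mixes Latin and Cyrillic letters; a Cyrillic/Latin mix under a trusted TLD is caught by the second check alone.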
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SUSE update packages are available on many mirror ftp servers all over
the world. While this service is considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of a package and its content before installing
it. There are two verification methods that can be used
independently of each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum <name-of-the-file.rpm>
after you have downloaded the file from a SUSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security(a)suse.de)
the checksums show proof of the authenticity of the package.
We recommend against subscribing to security lists that cause the
e-mail message containing the announcement to be modified
so that the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.
2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
file name of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an uninstalled rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be present in the gpg keyring (the directory ~/.gnupg/
under the home directory) of the user who performs the
signature verification (usually root). You can import the key
that is used by SUSE in rpm packages for SUSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SUSE Linux distributions version 7.1 and later install the
key "build(a)suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the top-level directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
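The two checks above, scripted as an added example that is not part of the advisory: it looks up a package's checksum in a saved announcement (assumed to contain lines of the form "<md5sum>  <filename-or-URL>"), compares it with the downloaded file, and wraps the "rpm -v --checksig" step; file names and contents in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the SUSE advisory). Assumes the saved announcement
# lists checksums as "<md5sum>  <filename-or-URL>" lines, as md5sum prints them.

# Print the md5 checksum of a file (coreutils md5sum, falling back to BSD md5).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_md5 <announcement.txt> <downloaded-file>
# Returns 0 when the announcement lists a checksum for the file's basename and
# it matches, 1 on mismatch, 2 when the announcement does not mention the file.
verify_md5() {
    ann=$1; pkg=$2
    name=$(basename "$pkg")
    # First 32-hex-digit entry whose file name (URL path stripped) matches exactly.
    expected=$(awk -v n="$name" 'length($1) == 32 && $1 ~ /^[0-9a-f]+$/ {
        f = $2; sub(".*/", "", f); if (f == n) { print $1; exit } }' "$ann")
    [ -n "$expected" ] || { echo "no checksum listed for $name" >&2; return 2; }
    actual=$(file_md5 "$pkg")
    if [ "$actual" = "$expected" ]; then
        echo "md5 OK: $name"
        return 0
    fi
    echo "md5 MISMATCH: $name (expected $expected, got $actual)" >&2
    return 1
}

# verify_rpm_sig <downloaded.rpm>
# Runs the advisory's "rpm -v --checksig"; meaningful only if the signing key
# (build@suse.de) is in the verifying user's keyring, as described above.
verify_rpm_sig() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not installed" >&2; return 2; }
    rpm -v --checksig "$1"
}
```

The md5 check only proves that the file matches what the announcement lists, so the announcement's own clear-text signature must be verified first.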
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- general/linux/SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (FAQ)
send mail to:
<suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com> respectively.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the clear-text signature shows proof of the
authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>