openSUSE Security Announce
[security-announce] SUSE Security Announcement: Linux kernel (SUSE-SA:2007:051)
by Marcus Meissner 06 Sep '07
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________

                  SUSE Security Announcement

    Package:                kernel
    Announcement ID:        SUSE-SA:2007:051
    Date:                   Thu, 06 Sep 2007 17:00:00 +0000
    Affected Products:      SUSE LINUX 10.1
                            SUSE Linux Enterprise Desktop 10 SP1
                            SLE SDK 10 SP1
                            SUSE Linux Enterprise Server 10 SP1
    Vulnerability Type:     remote denial of service
    Severity (1-10):        8
    SUSE Default Package:   yes
    Cross-References:       CVE-2007-2242, CVE-2007-2453, CVE-2007-2525
                            CVE-2007-2876, CVE-2007-3105, CVE-2007-3107
                            CVE-2007-3513, CVE-2007-3848, CVE-2007-3851

Content of This Advisory:
    1) Security Vulnerability Resolved:
         kernel security update
       Problem Description
    2) Solution or Work-Around
    3) Special Instructions and Notes
    4) Package Location and Checksums
    5) Pending Vulnerabilities, Solutions, and Work-Arounds:
       See SUSE Security Summary Report.
    6) Authenticity Verification and Additional Information

______________________________________________________________________________

1) Problem Description and Brief Discussion

   The Linux kernel in SLE 10 and SUSE Linux 10.1 was updated to fix
   various security issues and lots of bugs spotted after the Service
   Pack 1 release.

   This again aligns the SUSE Linux 10.1 kernel with the SLE 10 release
   and for 10.1 contains kABI incompatible changes, requiring updated
   kernel module packages. Our KMPs shipped with SUSE Linux 10.1 were
   released at the same time; the NVIDIA, ATI and madwifi module owners
   have been advised to update their repositories too.

   The following security issues were fixed:

   - CVE-2007-2242: The IPv6 protocol allows remote attackers to cause
     a denial of service via crafted IPv6 type 0 route headers
     (IPV6_RTHDR_TYPE_0) that create network amplification between two
     routers.

     RH0 is now disabled by default. To adjust this, write to the file
     /proc/net/accept_source_route6.

   - CVE-2007-2453: The random number feature in the Linux kernel 2.6 (1)
     did not properly seed pools when there is no entropy, or (2) used
     an incorrect cast when extracting entropy, which might have caused
     the random number generator to provide the same values after reboots
     on systems without an entropy source.

   - CVE-2007-2876: A NULL pointer dereference in SCTP connection tracking
     could be caused by a remote attacker by sending specially crafted
     packets.

     Note that SCTP must be set up and active for this to be exploitable.

   - CVE-2007-3105: Stack-based buffer overflow in the random number
     generator (RNG) implementation in the Linux kernel before 2.6.22
     might allow local root users to cause a denial of service or gain
     privileges by setting the default wake-up threshold to a value
     greater than the output pool size, which triggers writing random
     numbers to the stack by the pool transfer function involving "bound
     check ordering".

     Since this value can only be changed by a root user, exploitability
     is low.

   - CVE-2007-3107: The signal handling in the Linux kernel, when run on
     PowerPC systems using HTX, allows local users to cause a denial of
     service via unspecified vectors involving floating point corruption
     and concurrency.

   - CVE-2007-2525: Memory leak in the PPP over Ethernet (PPPoE) socket
     implementation in the Linux kernel allowed local users to cause
     a denial of service (memory consumption) by creating a socket
     using connect, and releasing it before the PPPIOCGCHAN ioctl is
     initialized.

   - CVE-2007-3513: The lcd_write function in drivers/usb/misc/usblcd.c
     in the Linux kernel did not limit the amount of memory used by
     a caller, which allowed local users to cause a denial of service
     (memory consumption).

   - CVE-2007-3851: On machines with an Intel i965-based graphics card,
     local users with access to the direct rendering device node could
     overwrite memory on the machine and so gain root privileges.

   Additionally, a huge number of bugs were fixed. These are listed in
   the maintenance information links.

2) Solution or Work-Around

   There is no known workaround, please install the update packages.

3) Special Instructions and Notes

   Please reboot your machine after the update.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

       rpm -Fhv <file.rpm>

   to apply the update, replacing <file.rpm> with the filename of the
   downloaded RPM package.

Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
SUSE Linux Enterprise Desktop 10 SP1 for AMD64 and Intel EM64T
http://support.novell.com/techcenter/psdb/1476b8bb669abfd3d3276d5f27c20239.…
SUSE Linux Enterprise Server 10 SP1 for IBM zSeries 64bit
http://support.novell.com/techcenter/psdb/6c78f382a20b722ceb5c36cab3f83afe.…
SLE SDK 10 SP1 for IBM iSeries and IBM pSeries
http://support.novell.com/techcenter/psdb/87829cedfb6551b47976e17c7a7ffc27.…
SLE SDK 10 SP1 for IPF
http://support.novell.com/techcenter/psdb/91179d377ced614f3598655be7a4a0f9.…
SUSE Linux Enterprise Server 10 SP1
http://support.novell.com/techcenter/psdb/1476b8bb669abfd3d3276d5f27c20239.…
http://support.novell.com/techcenter/psdb/6c78f382a20b722ceb5c36cab3f83afe.…
http://support.novell.com/techcenter/psdb/87829cedfb6551b47976e17c7a7ffc27.…
http://support.novell.com/techcenter/psdb/91179d377ced614f3598655be7a4a0f9.…
http://support.novell.com/techcenter/psdb/a4e6d19f94707022b621550d1049f74e.…
SLE SDK 10 SP1
http://support.novell.com/techcenter/psdb/1476b8bb669abfd3d3276d5f27c20239.…
http://support.novell.com/techcenter/psdb/a4e6d19f94707022b621550d1049f74e.…
SUSE Linux Enterprise Desktop 10 SP1
http://support.novell.com/techcenter/psdb/1476b8bb669abfd3d3276d5f27c20239.…
http://support.novell.com/techcenter/psdb/a4e6d19f94707022b621550d1049f74e.…
SUSE Linux Enterprise Desktop 10 SP1 for x86
http://support.novell.com/techcenter/psdb/a4e6d19f94707022b621550d1049f74e.…
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information

   - Announcement authenticity verification:

     SUSE security announcements are published via mailing lists and on Web
     sites. The authenticity and integrity of a SUSE security announcement is
     guaranteed by a cryptographic signature in each announcement. All SUSE
     security announcements are published with a valid signature.

     To verify the signature of the announcement, save it as text into a file
     and run the command

         gpg --verify <file>

     replacing <file> with the name of the file where you saved the
     announcement. The output for a valid signature looks like:

         gpg: Signature made <DATE> using RSA key ID 3D25D3D9
         gpg: Good signature from "SuSE Security Team <security(a)suse.de>"

     where <DATE> is replaced by the date the document was signed.

     If the security team's key is not contained in your key ring, you can
     import it from the first installation CD. To import the key, use the
     command

         gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

   - Package authenticity verification:

     SUSE update packages are available on many mirror FTP servers all over the
     world. While this service is considered valuable and important to the free
     and open source software community, the authenticity and the integrity of
     a package needs to be verified to ensure that it has not been tampered
     with.

     There are two verification methods that can be used independently from
     each other to prove the authenticity of a downloaded file or RPM package:

     1) Using the internal gpg signatures of the rpm package
     2) MD5 checksums as provided in this announcement

     1) The internal rpm package signatures provide an easy way to verify the
        authenticity of an RPM package. Use the command

            rpm -v --checksig <file.rpm>

        to verify the signature of the package, replacing <file.rpm> with the
        filename of the RPM package downloaded. The package is unmodified if it
        contains a valid signature from build(a)suse.de with the key ID 9C800ACA.

        This key is automatically imported into the RPM database (on
        RPMv4-based distributions) and the gpg key ring of 'root' during
        installation. You can also find it on the first installation CD and at
        the end of this announcement.

     2) If you need an alternative means of verification, use the md5sum
        command to verify the authenticity of the packages. Execute the command

            md5sum <filename.rpm>
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security(a)suse.de) the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security(a)opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe(a)opensuse.org>.
opensuse-security-announce(a)opensuse.org
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security-announce+subscribe(a)opensuse.org>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org
31 Aug '07
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID: SUSE-SR:2007:018
Date: Fri, 31 Aug 2007 15:00:00 +0000
Cross-References: CVE-2007-2953, CVE-2007-2956, CVE-2007-4131
CVE-2007-4135, CVE-2007-4476, CVE-2007-4510
CVE-2007-4560
Content of this advisory:
1) Solved Security Vulnerabilities:
- clamav 0.91.2 release
- RealPlayer 10.0.9
- pfstools RGBE handling buffer overflow
- vim/gvim format string problem in helptags
- tar/star directory traversal problem
- nfsidmap name - uid translation flaw
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
- next kernel update
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums
or download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- clamav 0.91.2 release
ClamAV was updated to 0.91.2 to fix various bugs like NULL
pointer dereferences and uninitialized variables. (CVE-2007-4560,
CVE-2007-4510)
All SUSE Linux based products containing clamav were affected.
- RealPlayer 10.0.9
The media player RealPlayer was updated to version 10.0.9.
There was no information provided by Real on which vulnerabilities
were fixed, but it is likely some were. We recommend installing
this update.
SUSE Linux 10.0, 10.1, openSUSE 10.2 and SUSE Linux Enterprise
Desktop 10 and Novell Linux Desktop 9 are affected by this problem.
- pfstools RGBE handling buffer overflow
A buffer overflow when processing an RGBE file could potentially allow
attackers to execute arbitrary code by tricking the victim into
running 'pfsinrgbe' on a specially crafted file (CVE-2007-2956).
Only openSUSE 10.2 is affected by this problem and was fixed.
- vim/gvim format string problem in helptags
Vim was updated to address a format-string bug in "helptags".
This bug can be exploited to execute code with the privileges of
the user running Vim. (CVE-2007-2953)
- tar/star directory traversal problem and 1 byte overflow
A directory traversal bug was fixed in tar and star, which could
allow unpacked tar archives to get unpacked outside of the current
directory and e.g. overwrite system files. (CVE-2007-4131)
This update also fixes a bug in function safer_name_suffix()
of tar which leads to a crashing stack. Exploitability is
unknown. (CVE-2007-4476)
These problems were fixed in all SUSE Linux based distributions.
- nfsidmap name - uid translation flaw
The NFSv4 ID mapper had a flaw in the name -> uid translation which
caused flaws in NFSv4 name lookups. (CVE-2007-4135)
This problem was fixed for SUSE Linux Enterprise 10.
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
- Next kernel update
A SLE 10 kernel update will be released in the next weeks to catch
up on post-Service Pack 1 fixes and current security fixes.
A SUSE Linux 10.1 kernel update will be released with the same
code base.
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file containing the announcement.
The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and integrity of a
package needs to be verified to ensure that it has not been tampered with.
The internal RPM package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on RPMv4-based
distributions) and the gpg key ring of 'root' during installation. You can
also find it on the first installation CD and included at the end of this
announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security(a)opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe(a)opensuse.org>.
opensuse-security-announce(a)opensuse.org
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security-announce+subscribe(a)opensuse.org>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
30 Aug '07
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: opera
Announcement ID: SUSE-SA:2007:050
Date: Thu, 30 Aug 2007 12:00:00 +0000
Affected Products: SUSE LINUX 10.0
SUSE LINUX 10.1
openSUSE 10.2
Vulnerability Type: remote code execution
Severity (1-10): 8
SUSE Default Package: no
Cross-References: CVE-2007-4367
Content of This Advisory:
1) Security Vulnerability Resolved:
Update for remotely exploitable command execution bug
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
The Opera web-browser allows an attacker to execute arbitrary code by
providing an invalid pointer to a virtual function in JavaScript.
This bug can be exploited automatically when a user visits a web-site that
contains the attacker's JavaScript code.
2) Solution or Work-Around
Disable JavaScript in your preferences or use another web-browser.
Opera comes with JavaScript enabled by default.
3) Special Instructions and Notes
none
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
x86 Platform:
openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/opera-9.23-3.2.i586.rpm
a52dc1ca6f2416378abb61fe91847439
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/opera-9.23-2.2.i586.rpm
26474a0300361157100fe011676580ad
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/opera-9.23-1.2.i586.r…
eea8c81bf7cb7cc79367a25e571eaa00
Power PC Platform:
openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/opera-9.23-3.2.ppc.rpm
7a7f748f72b91b26d5666c5c3f82beb5
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/opera-9.23-2.2.ppc.rpm
2dc169be0dbcba07734004d597738199
x86-64 Platform:
openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/opera-9.23-3.2.x86_64.rpm
5084cbafecac36eb46fe58427b021f76
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/opera-9.23-2.2.x86_64.rpm
5bb56641ede4dd45ce1843bd9ad9353a
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/opera-9.23-1.2.x86_…
a10907dccb247408bf2a8ed078dff092
Sources:
openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/opera-9.23-3.2.nosrc.rpm
0232cf47a40c9059ab66ff3b00bc6301
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/opera-9.23-2.2.nosrc.rpm
f7a2617287059e29e9a119f7809b537e
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/opera-9.23-1.2.nosrc.r…
106d63b92625c62981e16ef8360f3656
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum <filename.rpm>
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security(a)suse.de) the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security(a)opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe(a)opensuse.org>.
opensuse-security-announce(a)opensuse.org
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security-announce+subscribe(a)opensuse.org>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
17 Aug '07
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID: SUSE-SR:2007:017
Date: Fri, 17 Aug 2007 17:00:00 +0000
Cross-References: CVE-2007-3099, CVE-2007-3100, CVE-2007-3377
CVE-2007-3409, CVE-2007-4091
Content of this advisory:
1) Solved Security Vulnerabilities:
- perl-Net-DNS denial of service
- rsync off-by-one overflow
- open-iscsi insecure privileges and credential verification
- rug / zen-updater insecure LD_LIBRARY_PATH usage
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
- Opera 9.23
- next kernel update
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums
or download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- rsync off-by-one overflow
Sebastian Krahmer of the SUSE Security Team found an off-by-one buffer
overflow within the f_name() function of rsync.
It is not clear if this problem can be exploited.
This problem has been fixed for all SUSE Linux based distributions
and CVE-2007-4091 has been assigned to this issue.
- perl-Net-DNS denial of service
perl-Net-DNS used sequential IDs for DNS lookups which could cause
problems with some programs like spamassassin. It potentially also
simplified DNS spoofing attacks against perl-Net-DNS (CVE-2007-3377).
Additionally malformed compressed DNS packets could trigger an
endless loop in perl-Net-DNS (CVE-2007-3409).
These problems have been fixed in all SUSE Linux based products.
- open-iscsi insecure privileges and credential verification
This update fixes insecure privileges and credential verification
with the iscsi daemon. (CVE-2007-3099, CVE-2007-3100)
- rug / zen-updater insecure LD_LIBRARY_PATH usage
The wrapper scripts for the C# programs rug, zen-updater,
zen-installer and zen-remover modified LD_LIBRARY_PATH and
MONO_GAC_PREFIX insecurely by potentially leaving an empty path in it
(same as ".").
Exploitability is for users or the system administrator running
"rug" in unsafe directories owned by a local attacker who could
then inject libraries and so execute code.
This problem affected SUSE Linux 10.1 and SUSE Linux Enterprise
10 and was fixed for SLE 10 in SP1, and SUSE Linux 10.1 via Online
Update this week.
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
- Opera 9.23
Opera 9.23 was released to fix a critical JavaScript vulnerability.
We are working on updates for the affected products.
- next kernel update
A SLE 10 kernel update will be released in the next weeks to catch
up on post-Service Pack 1 fixes and current security fixes.
A SUSE Linux 10.1 kernel update will be released with the same
code base.
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file containing the announcement.
The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and integrity of a
package needs to be verified to ensure that it has not been tampered with.
The internal RPM package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on RPMv4-based
distributions) and the gpg key ring of 'root' during installation. You can
also find it on the first installation CD and included at the end of this
announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security(a)opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe(a)opensuse.org>.
opensuse-security-announce(a)opensuse.org
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security-announce+subscribe(a)opensuse.org>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
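The empty LD_LIBRARY_PATH element described in the rug / zen-updater item above, as an added example (not the actual wrapper scripts, whose contents are not shown in the report): plain concatenation beside a guarded form, plus a check and a clean-up for empty or "." elements. All function names and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: how a wrapper script ends up with an empty search-path
# element, and how to avoid, detect and remove it.

# prepend_unsafe NEWDIR CURRENT
# Plain concatenation. If CURRENT is unset or empty the result ends in ":",
# i.e. it contains an empty element, which the dynamic loader treats as the
# current working directory.
prepend_unsafe() {
    printf '%s\n' "$1:$2"
}

# prepend_safe NEWDIR CURRENT
# The separator is emitted only when CURRENT is non-empty.
prepend_safe() {
    printf '%s\n' "$1${2:+:$2}"
}

# has_cwd_element PATHLIST
# Returns 0 if the colon-separated list contains an empty element or ".".
# A completely empty list is not flagged: it contains no elements at all.
has_cwd_element() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*|*:.:*) return 0 ;;
    esac
    return 1
}

# strip_cwd_elements PATHLIST
# Prints PATHLIST with empty and "." elements removed, order preserved.
strip_cwd_elements() {
    out=
    old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while the list is split
    for elem in $1; do
        case $elem in
            ''|.) continue ;;
        esac
        out="${out:+$out:}$elem"
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$out"
}
```

A wrapper can call `has_cwd_element "$LD_LIBRARY_PATH"` after building the value and refuse to start the program when it returns 0; the same applies to any other colon-separated search path the wrapper extends.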
10 Aug '07
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID: SUSE-SR:2007:016
Date: Fri, 10 Aug 2007 16:00:00 +0000
Cross-References: CVE-2007-3387, CVE-2007-3798
Content of this advisory:
1) Solved Security Vulnerabilities:
- orarun insecure group membership
- xpdf code base buffer overflow
- findutils-locate: core clean cron-job any file removal problem
- tcpdump BGP packet handler overflow
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
- next kernel update
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums
or download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- orarun insecure group membership
SUSE provides an "orarun" package that helps with setting up Oracle
servers.
This package creates on installation an "oracle" user. Up to now the
user is in the group "disk" to allow setting up raw disk partitions.
This however allows the oracle user later to escalate privileges
if for instance a program or script in the Oracle suite running as
"oracle" user is compromised.
We recommend removing the "disk" group membership from the "oracle"
user.
You can do so by doing:
usermod -g oinstall -G dba oracle
We will not provide fixed packages at this time since these could
break customer setups, but future service packs or products will
leave out the disk group.
We thank José M. Fandiño for reporting this problem.
- xpdf code base buffer overflow
A buffer overflow in the xpdf code contained in cups, poppler, kpdf
and others could be exploited by attackers to potentially execute
arbitrary code (CVE-2007-3387).
Only XPDF 3 code derivatives were affected; XPDF 2 code derivatives do
not write into the memory.
- findutils-locate: core clean cron job any file removal problem
The cron job that deletes old core files could be tricked to delete
arbitrary files. Old core files are deleted if DELETE_OLD_CORE=yes
is set. That is not the case by default though.
The findutils-locate package was updated to fix this issue on the
affected products.
SUSE Linux Enterprise Server 9, 10, and SUSE Linux 10.0 and 10.1
were affected.
We thank Jan Minář for reporting this problem.
- tcpdump BGP packet handler overflow
tcpdump was updated to fix a buffer overflow that could be triggered
when displaying BGP packets (CVE-2007-3798).
All SUSE Linux based products were affected.
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
- next kernel update
A SLE 10 kernel update will be released in the next weeks to catch
up on post-Service Pack 1 fixes and current security fixes.
A SUSE Linux 10.1 kernel update will be released with the same
code base.
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
    gpg --verify <file>
replacing <file> with the name of the file containing the announcement.
The output for a valid signature looks like:
    gpg: Signature made <DATE> using RSA key ID 3D25D3D9
    gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
    gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and integrity of a
package needs to be verified to ensure that it has not been tampered with.
The internal RPM package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
    rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on RPMv4-based
distributions) and the gpg key ring of 'root' during installation. You can
also find it on the first installation CD and included at the end of this
announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security(a)opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe(a)opensuse.org>.
opensuse-security-announce(a)opensuse.org
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security-announce+subscribe(a)opensuse.org>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID     Date       User ID
pub  2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org
03 Aug '07
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID:        SUSE-SR:2007:015
Date:                   Fri, 03 Aug 2007 15:00:00 +0000
Cross-References:       CVE-2007-0450, CVE-2007-1002, CVE-2007-1429
                        CVE-2007-2727, CVE-2007-2728, CVE-2007-2748
                        CVE-2007-2949, CVE-2007-2951, CVE-2007-3142
                        CVE-2007-3387, CVE-2007-3389, CVE-2007-3390
                        CVE-2007-3391, CVE-2007-3392, CVE-2007-3393
                        CVE-2007-3472, CVE-2007-3475, CVE-2007-3476
                        CVE-2007-3477, CVE-2007-3478, CVE-2007-3641
                        CVE-2007-3644, CVE-2007-3645, CVE-2007-3725
                        CVE-2007-3762, CVE-2007-3763, CVE-2007-3764
                        CVE-2007-3799, CVE-2007-3819, CVE-2007-3929
                        CVE-2007-3946, CVE-2007-3947, CVE-2007-3948
                        CVE-2007-3949, CVE-2007-3950
Content of this advisory:
1) Solved Security Vulnerabilities:
- PHP security problems
- moodle remote file inclusion
- tomcat5 directory traversal
- lighttpd various security problems
- asterisk various security problems
- libarchive security problems
- xpdf buffer overflow
- evolution format string problem in memo viewer
- kvirc command execution
- wireshark / ethereal security problems
- gd various integer overflows
- opera 9.22 release
- clamav 0.91.1 release
- gimp integer overflow in PSD handling
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
- Mozilla Firefox 2.0.0.6
- Kernel Update
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums
or download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- PHP security problems
Multiple security bugs were fixed in PHP:
- Predictable generation of an initialization vector (IV) in the
mcrypt extension (CVE-2007-2727)
- Additional cookie attributes could be injected via a session id
(CVE-2007-3799)
- Specially crafted files could cause integer overflows in gd and
leverage them to at least crash gd based applications
(CVE-2007-3472, CVE-2007-3475, CVE-2007-3476, CVE-2007-3477,
CVE-2007-3478)
These GD fixes apply to a copy of the GD library in the PHP sources.
- Insufficient validation of parameters in the substr_count function
(CVE-2007-2748).
- Predictable generation of an initialization vector (IV) in the
soap extension (CVE-2007-2728)
PHP4 and PHP5 packages were updated for all SUSE Linux distributions.
- moodle remote file inclusion
Moodle was updated to 1.7.2 to fix several problems, including a
remote file inclusion (CVE-2007-1429).
Moodle is only on openSUSE 10.2 and was fixed there.
- Tomcat5 directory traversal
Tomcat5 was updated to fix a problem where certain characters of
the URL were not properly filtered. This allowed directory reverse
traversal attacks to access the web-root of tomcat. (CVE-2007-0450)
This affected all our distributions containing tomcat5.
- lighttpd various security problems
Multiple bugs in lighttpd allowed remote attackers to crash lighttpd,
circumvent access restrictions or even execute code.
These issues are tracked by the Mitre CVE ids:
CVE-2007-3946, CVE-2007-3947, CVE-2007-3948, CVE-2007-3949,
CVE-2007-3950
and have been fixed for SUSE Linux Enterprise 10, SUSE Linux 10.1
and openSUSE 10.2.
- Asterisk various security problems
The Open Source PBX Asterisk was updated to fix multiple bugs
that allowed remote attackers to crash the asterisk server or even
execute arbitrary code depending on configuration (CVE-2007-3762,
CVE-2007-3763, CVE-2007-3764).
Asterisk was fixed for SUSE Linux 10.0, SUSE Linux 10.1 and
openSUSE 10.2.
- libarchive security problems
Several problems in libarchive were fixed.
Specially crafted tar-archives could cause programs based on
libarchive to crash, to run into an endless loop or potentially
to even execute arbitrary code (CVE-2007-3641, CVE-2007-3644,
CVE-2007-3645).
- xpdf buffer overflow
A buffer overflow in xpdf could be exploited by attackers to
potentially execute arbitrary code (CVE-2007-3387).
Various other tools contain copies of the xpdf code and are also
being updated. (poppler, libextractor, kdegraphics3-pdf, etc.)
We have released some of those packages (xpdf, kdegraphics3-pdf)
already and will release the others soon.
- evolution format string problem in memo viewer
Format string problems in the Memo Viewer of evolution could
be used to potentially execute code when viewing shared memos.
(CVE-2007-1002)
Affected are evolution of SLE 10, SUSE Linux 10.1 and openSUSE 10.2.
For SLE10 the fix was released with Service Pack 1 already, the
others have received their update now.
- kvirc command execution
A bug in the IRC-URI parser allowed attackers to execute arbitrary
commands by tricking a user into opening a specially crafted URI
in kvirc (CVE-2007-2951).
Updated packages have been released for SUSE Linux 10.0 - 10.2.
- wireshark / ethereal security problems
Various security problems were fixed in the wireshark 0.99.6 release,
which were back-ported to wireshark / ethereal:
CVE-2007-3389: Wireshark allowed remote attackers to cause a
denial of service (crash) via a crafted chunked encoding in an HTTP
response, possibly related to a zero-length payload.
CVE-2007-3390: Wireshark when running on certain systems, allowed
remote attackers to cause a denial of service (crash) via crafted
iSeries capture files that trigger a SIGTRAP.
CVE-2007-3391: Wireshark allowed remote attackers to cause a denial
of service (memory consumption) via a malformed DCP ETSI packet
that triggers an infinite loop.
CVE-2007-3392: Wireshark allowed remote attackers to cause a denial
of service via malformed (1) SSL or (2) MMS packets that trigger
an infinite loop.
CVE-2007-3393: Off-by-one error in the DHCP/BOOTP dissector in
Wireshark allowed remote attackers to cause a denial of service
(crash) via crafted DHCP-over-DOCSIS packets.
- gd various integer overflows
This update fixes multiple integer overflows in the gd library.
Specially crafted files could leverage them to at least crash gd
based applications (CVE-2007-3472, CVE-2007-3475, CVE-2007-3476,
CVE-2007-3477, CVE-2007-3478).
GD was updated for all SUSE Linux products, the update was released
on July 24th.
- Opera 9.22 release
Opera was updated to version 9.22 on July 24 to fix numerous defects
including some security problems. (CVE-2007-3929, CVE-2007-3819,
CVE-2007-3142)
- Clamav 0.91.1 release
This clamav version update to 0.91.1 fixes among other things the
long startup time of version 0.90.3 as well as a possibility to
crash clamav with specially crafted rar archives (CVE-2007-3725).
clamav was updated for all SUSE Linux based products that contain
clamav.
- gimp integer overflow in PSD handling
The image editor GIMP was updated to fix an integer overflow in the
handling of PSD files. By providing a crafted PSD file and tricking
the user into opening it, an attacker could execute code. (CVE-2007-2949)
GIMP was updated for all affected SUSE Linux products.
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
- Mozilla Firefox 2.0.0.6
We will likely skip the Firefox 2.0.0.6 update and roll the fixes
into the 2.0.0.7 release in some weeks, since most problems fixed
are Windows only.
- Kernel Update
We are currently preparing a kernel update for SUSE Linux Enterprise
10 and SUSE Linux 10.1. A release date is not yet set.
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
    gpg --verify <file>
replacing <file> with the name of the file containing the announcement.
The output for a valid signature looks like:
    gpg: Signature made <DATE> using RSA key ID 3D25D3D9
    gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
    gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and integrity of a
package needs to be verified to ensure that it has not been tampered with.
The internal RPM package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
    rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on RPMv4-based
distributions) and the gpg key ring of 'root' during installation. You can
also find it on the first installation CD and included at the end of this
announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security(a)opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe(a)opensuse.org>.
opensuse-security-announce(a)opensuse.org
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security-announce+subscribe(a)opensuse.org>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID     Date       User ID
pub  2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
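The announcement signature check from section 3 of the announcements above, as an added example that is not part of the original announcements or of SUSE's tooling: it reads GnuPG's machine-readable --status-fd records instead of the human-readable "Good signature" line and accepts only a good signature from the key ID the advisory names. The function names are hypothetical, the sample status lines are constructed, and it assumes the key signs directly rather than through a subkey.

```shell
#!/bin/sh
# Added example, not SUSE code. Function names are hypothetical.
# Short key ID of the SuSE Security Team key as quoted in the advisory.
EXPECTED_KEYID="3D25D3D9"

# sig_status_ok KEYID
# Reads "gpg --status-fd" records on stdin and succeeds only if every GOODSIG
# comes from a key whose ID ends in KEYID, a VALIDSIG record is present, and
# no failure record appears. The VALIDSIG fingerprint is not compared because
# the advisory gives only the key ID; a full fingerprint obtained from a
# trusted source would be the stronger pin.
sig_status_ok() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    awk -v want="$want" '
        function ends_with(s, suffix) {
            return length(s) >= length(suffix) &&
                   substr(s, length(s) - length(suffix) + 1) == suffix
        }
        # Ignore anything that is not a status record.
        $1 != "[GNUPG:]" { next }
        # Bad, unverifiable, expired or revoked-key signatures.
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NO_PUBKEY" ||
        $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "GOODSIG" {
            # A valid signature from an unexpected key is still a failure.
            if (ends_with(toupper($3), want)) { good = 1 } else { bad = 1 }
        }
        $2 == "VALIDSIG" { valid = 1 }
        END { if (good && valid && !bad) exit 0; exit 1 }
    '
}

# verify_announcement FILE
# Runs gpg on a saved announcement and applies the check above.
# Usage: verify_announcement announcement.txt && echo "signature accepted"
verify_announcement() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null | sig_status_ok "$EXPECTED_KEYID"
}

# Constructed status output. The long key IDs and fingerprints are made up;
# only the trailing 3D25D3D9 comes from the advisory.
SAMPLE_GOOD='[GNUPG:] GOODSIG AAAAAAAA3D25D3D9 SuSE Security Team <security(a)suse.de>
[GNUPG:] VALIDSIG 00000000000000000000000000000000 2007-08-03 1186153200 0 3 0 1 2 01'
SAMPLE_BAD='[GNUPG:] BADSIG AAAAAAAA3D25D3D9 SuSE Security Team <security(a)suse.de>'
SAMPLE_OTHER_KEY='[GNUPG:] GOODSIG BBBBBBBB11111111 Constructed Other Key <other(a)example.org>
[GNUPG:] VALIDSIG 11111111111111111111111111111111 2007-08-03 1186153200 0 3 0 1 2 01'
# Human-readable text alone, with no status records, must not be accepted.
SAMPLE_TEXT_ONLY='gpg: Good signature from "SuSE Security Team <security(a)suse.de>"'
```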
[security-announce] SUSE Security Announcement: Mozilla (SUSE-SA:2007:049)
by Marcus Meissner 02 Aug '07
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package:                MozillaFirefox,MozillaThunderbird,Seamonkey
Announcement ID:        SUSE-SA:2007:049
Date:                   Thu, 02 Aug 2007 16:00:00 +0000
Affected Products:      SUSE LINUX 10.0
                        SUSE LINUX 10.1
                        openSUSE 10.2
                        UnitedLinux 1.0
                        SuSE Linux Enterprise Server 8
                        SuSE Linux Openexchange Server 4
                        SuSE Linux Standard Server 8
                        SuSE Linux School Server
                        SUSE LINUX Retail Solution 8
                        SUSE SLES 9
                        Novell Linux Desktop 9
                        Open Enterprise Server
                        Novell Linux POS 9
                        SUSE Linux Enterprise Desktop 10 SP1
                        SUSE Linux Enterprise Server 10 SP1
Vulnerability Type:     remote code execution
Severity (1-10):        8
SUSE Default Package:   yes
Cross-References:       CVE-2007-3089, CVE-2007-3285, CVE-2007-3656
                        CVE-2007-3670, CVE-2007-3734, CVE-2007-3735
                        CVE-2007-3736, CVE-2007-3737, CVE-2007-3738
                        MFSA 2007-18, MFSA 2007-19, MFSA 2007-20
                        MFSA 2007-21, MFSA 2007-22, MFSA 2007-23
                        MFSA 2007-24, MFSA 2007-25
Content of This Advisory:
1) Security Vulnerability Resolved:
Mozilla security update
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
Various security problems were found and fixed
in Mozilla Firefox, Thunderbird and Seamonkey.
Some of them received version updates, but the Firefox and Thunderbird
1.5.0.12 versions received backports.
The updates have been released over the last 10 days and the last
were released today.
The following security problems were fixed:
- MFSA 2007-18: Crashes with evidence of memory corruption
The usual collection of stability fixes for crashes that look suspicious but
haven't been proven to be exploitable.
25 were in the browser engine, reported by Mozilla developers and community
members Bernd Mielke, Boris Zbarsky, David Baron, Daniel Veditz, Jesse
Ruderman, Lukas Loehrer, Martijn Wargers, Mats Palmgren, Olli Pettay, Paul
Nickerson, and Vladimir Sukhoy (CVE-2007-3734)
7 were in the JavaScript engine reported by Asaf Romano, Jesse Ruderman, Igor
Bukanov (CVE-2007-3735)
- MFSA 2007-19 / CVE-2007-3736: XSS using addEventListener and setTimeout
moz_bug_r_a4 reported that scripts could be injected into another site's
context by exploiting a timing issue using addEventListener or setTimeout.
- MFSA 2007-20 / CVE-2007-3089: frame spoofing
Ronen Zilberman and Michal Zalewski both reported that it was possible to
exploit a timing issue to inject content into about:blank frames in a page.
- MFSA 2007-21 / CVE-2007-3737: Privilege escalation using an event
handler attached to an element not in the document
Reported by moz_bug_r_a4.
- MFSA 2007-22 / CVE-2007-3285: File type confusion due to %00 in name
Ronald van den Heetkamp reported that a filename URL containing %00 (encoded
null) can cause Firefox to interpret the file extension differently than the
underlying Windows operating system potentially leading to unsafe actions such
as running a program.
- MFSA 2007-23 / CVE-2007-3670: Remote code execution by launching Firefox from Internet Explorer
Greg MacManus of iDefense and Billy Rios of Verisign independently reported
that links containing a quote (") character could be used in Internet Explorer
to launch registered URL Protocol handlers with extra command-line parameters.
Firefox and Thunderbird are among those which can be launched, and both support
a "-chrome" option that could be used to run malware.
This problem does not affect Linux.
- MFSA 2007-24 / CVE-2007-3656: unauthorized access to wyciwyg:// documents
Michal Zalewski reported that it was possible to bypass the same-origin checks
and read from cached (wyciwyg) documents.
- MFSA 2007-25 / CVE-2007-3738: XPCNativeWrapper pollution
shutdown and moz_bug_r_a4 reported two separate ways to modify an
XPCNativeWrapper such that subsequent access by the browser would result in
executing user-supplied code.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
Please close and restart all running instances of Mozilla after the update.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
    rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
Open Enterprise Server
http://support.novell.com/techcenter/psdb/d91b73c3c1e2666666b5dd6d36be8cbf.…
Novell Linux POS 9
http://support.novell.com/techcenter/psdb/d91b73c3c1e2666666b5dd6d36be8cbf.…
SUSE SLES 9
http://support.novell.com/techcenter/psdb/d91b73c3c1e2666666b5dd6d36be8cbf.…
UnitedLinux 1.0
http://support.novell.com/techcenter/psdb/e40adef97bd42789da250e4cc9e1d01d.…
SuSE Linux Openexchange Server 4
http://support.novell.com/techcenter/psdb/e40adef97bd42789da250e4cc9e1d01d.…
SuSE Linux Enterprise Server 8
http://support.novell.com/techcenter/psdb/e40adef97bd42789da250e4cc9e1d01d.…
SuSE Linux Standard Server 8
http://support.novell.com/techcenter/psdb/e40adef97bd42789da250e4cc9e1d01d.…
SuSE Linux School Server
http://support.novell.com/techcenter/psdb/e40adef97bd42789da250e4cc9e1d01d.…
SUSE LINUX Retail Solution 8
http://support.novell.com/techcenter/psdb/e40adef97bd42789da250e4cc9e1d01d.…
Novell Linux Desktop 9
http://support.novell.com/techcenter/psdb/d91b73c3c1e2666666b5dd6d36be8cbf.…
http://support.novell.com/techcenter/psdb/975911e840a1ef54b4b939009daa4a70.…
Novell Linux Desktop 9 for x86
http://support.novell.com/techcenter/psdb/975911e840a1ef54b4b939009daa4a70.…
SUSE Linux Enterprise Server 10 SP1
http://support.novell.com/techcenter/psdb/07d098f99c9fe6956523beae37f32fda.…
SUSE Linux Enterprise Desktop 10 SP1
http://support.novell.com/techcenter/psdb/07d098f99c9fe6956523beae37f32fda.…
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security(a)suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum <filename.rpm>
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security(a)suse.de) the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security(a)opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe(a)opensuse.org>.
opensuse-security-announce(a)opensuse.org
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security-announce+subscribe(a)opensuse.org>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org
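The checks from Section 6 combined into one script, as an added example that is not part of the announcement or of SUSE's tooling: it reads the checksum list only from the text covered by the announcement's signature, then compares each downloaded RPM against that list. The function names are hypothetical, and it assumes the announcement was saved with complete package URLs, each followed by its MD5 sum on the next line.

```bash
#!/bin/sh
# Added example, not SUSE tooling; function names are hypothetical.
# Usage: sh check-announcement.sh <saved-announcement> <directory-with-rpms>

# extract_checksums FILE
# Prints "<md5>  <file name>" for each package URL line that is directly
# followed by a line holding only a 32-hex-digit MD5 sum (the Section 4 layout).
# URL lines that do not end in ".rpm" (for example, cut off by a web archive)
# are skipped, so those packages are later reported as NOT LISTED.
extract_checksums() {
    awk '
        $1 ~ /^(ftp|https?):\/\/.*\.rpm$/ {
            n = split($1, part, "/"); name = part[n]; pending = 1; next
        }
        pending && NF == 1 && length($1) == 32 && $1 !~ /[^0-9a-fA-F]/ {
            print tolower($1) "  " name
        }
        { pending = 0 }
    ' "$1"
}

# verify_packages ANNOUNCEMENT DIR
# Returns 0 only if every *.rpm in DIR matches a sum listed for its file name.
# A file name may be listed under several distributions with different sums,
# so any listed sum for that name is accepted. Packages that are not listed
# (for example, newer versions) fail the check instead of being skipped.
verify_packages() {
    vp_list=$(extract_checksums "$1")
    vp_status=0
    vp_seen=0
    for vp_file in "$2"/*.rpm; do
        [ -f "$vp_file" ] || continue
        vp_seen=1
        vp_name=${vp_file##*/}
        vp_actual=$(md5sum < "$vp_file" | awk '{ print $1 }')
        if printf '%s\n' "$vp_list" | grep -qxF "$vp_actual  $vp_name"; then
            echo "OK          $vp_name"
        elif printf '%s\n' "$vp_list" |
             awk -v n="$vp_name" '$2 == n { f = 1 } END { exit !f }'; then
            echo "MISMATCH    $vp_name"; vp_status=1
        else
            echo "NOT LISTED  $vp_name"; vp_status=1
        fi
    done
    if [ "$vp_seen" -eq 0 ]; then
        echo "no .rpm files found in $2" >&2
        return 2
    fi
    return "$vp_status"
}

# Signature first, checksums second. "gpg --decrypt" on a clear-signed file
# writes out only the text the signature covers, so lines added outside the
# signed part of the saved file never reach the checksum parser.
if [ "$#" -eq 2 ]; then
    signed=$(mktemp) || exit 1
    gpg --output "$signed" --yes --decrypt "$1" && verify_packages "$signed" "$2"
    rc=$?
    rm -f "$signed"
    exit "$rc"
fi
```

The MD5 comparison carries weight only because the list comes from the signed text; `rpm -v --checksig` remains the independent check on each package's own signature.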
01 Aug '07
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: qt3
Announcement ID: SUSE-SA:2007:048
Date: Wed, 01 Aug 2007 15:00:00 +0000
Affected Products: SUSE LINUX 10.0
SUSE LINUX 10.1
openSUSE 10.2
UnitedLinux 1.0
SuSE Linux Enterprise Server 8
SuSE Linux Openexchange Server 4
SuSE Linux Desktop 1.0
SuSE Linux Standard Server 8
SuSE Linux School Server
SUSE LINUX Retail Solution 8
SUSE SLES 9
Novell Linux Desktop 9
Open Enterprise Server
Novell Linux POS 9
SUSE Linux Enterprise Desktop 10 SP1
SUSE Linux Enterprise Server 10 SP1
Vulnerability Type: remote code execution
Severity (1-10): 8
SUSE Default Package: yes
Cross-References: CVE-2007-3388
Content of This Advisory:
1) Security Vulnerability Resolved:
Qt format string bugs
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
- See SUSE Security Summary Report
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
Format string bugs were found in several Qt warning messages.
Applications using Qt for processing certain data types could
trigger them if the data caused Qt to print warnings. The bugs
potentially allow the execution of arbitrary code via specially crafted
files (CVE-2007-3388).
2) Solution or Work-Around
There is no known workaround; please install the update packages.
3) Special Instructions and Notes
Please close and restart all running programs linked against Qt
after the update. KDE applications are linked against Qt, for example.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
Open Enterprise Server
http://support.novell.com/techcenter/psdb/eac35f375ac5bb22efa8b828b221e0bf.…
Novell Linux POS 9
http://support.novell.com/techcenter/psdb/eac35f375ac5bb22efa8b828b221e0bf.…
Novell Linux Desktop 9
http://support.novell.com/techcenter/psdb/eac35f375ac5bb22efa8b828b221e0bf.…
SUSE SLES 9
http://support.novell.com/techcenter/psdb/eac35f375ac5bb22efa8b828b221e0bf.…
SUSE Linux Enterprise Server 10 SP1
http://support.novell.com/techcenter/psdb/72e22bb06c6a063321588b1c9bbedc8c.…
SUSE Linux Enterprise Desktop 10 SP1
http://support.novell.com/techcenter/psdb/72e22bb06c6a063321588b1c9bbedc8c.…
UnitedLinux 1.0
http://support.novell.com/techcenter/psdb/752b9410f9a13bf0bf8f487debdf1d53.…
SuSE Linux Openexchange Server 4
http://support.novell.com/techcenter/psdb/752b9410f9a13bf0bf8f487debdf1d53.…
SuSE Linux Enterprise Server 8
http://support.novell.com/techcenter/psdb/752b9410f9a13bf0bf8f487debdf1d53.…
SuSE Linux Standard Server 8
http://support.novell.com/techcenter/psdb/752b9410f9a13bf0bf8f487debdf1d53.…
SuSE Linux School Server
http://support.novell.com/techcenter/psdb/752b9410f9a13bf0bf8f487debdf1d53.…
SUSE LINUX Retail Solution 8
http://support.novell.com/techcenter/psdb/752b9410f9a13bf0bf8f487debdf1d53.…
SuSE Linux Desktop 1.0
http://support.novell.com/techcenter/psdb/752b9410f9a13bf0bf8f487debdf1d53.…
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
- See SUSE Security Summary Report
______________________________________________________________________________
6) Authenticity Verification and Additional Information
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
[security-announce] SUSE Security Announcement: bind, bind9 (SUSE-SA:2007:047)
by Ludwig Nussel 01 Aug '07
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: bind, bind9
Announcement ID: SUSE-SA:2007:047
Date: Wed, 01 Aug 2007 14:00:00 +0000
Affected Products: SUSE LINUX 10.0
SUSE LINUX 10.1
openSUSE 10.2
UnitedLinux 1.0
SuSE Linux Enterprise Server 8
SuSE Linux Openexchange Server 4
SuSE Linux Standard Server 8
SuSE Linux School Server
SUSE LINUX Retail Solution 8
SUSE SLES 9
Novell Linux Desktop 9
Open Enterprise Server
Novell Linux POS 9
SUSE Linux Enterprise Desktop 10 SP1
SLE SDK 10 SP1
SUSE Linux Enterprise Server 10 SP1
Vulnerability Type: DNS cache poisoning
Severity (1-10): 4
SUSE Default Package: no
Cross-References: CVE-2007-2926
Content of This Advisory:
1) Security Vulnerability Resolved:
bind security update
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
- See SUSE Security Summary Report
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
Amit Klein found that the random number generator used by the BIND
name server to compute DNS query IDs generates predictable values.
Remote attackers could exploit this flaw to conduct DNS cache
poisoning attacks (CVE-2007-2926).
2) Solution or Work-Around
There is no known workaround; please install the update packages.
3) Special Instructions and Notes
Please close and restart all running instances of bind after the update.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
UnitedLinux 1.0
http://support.novell.com/techcenter/psdb/b90103f8211b22803a126a1781f9c870.…
SuSE Linux Openexchange Server 4
http://support.novell.com/techcenter/psdb/b90103f8211b22803a126a1781f9c870.…
SuSE Linux Enterprise Server 8
http://support.novell.com/techcenter/psdb/b90103f8211b22803a126a1781f9c870.…
SuSE Linux Standard Server 8
http://support.novell.com/techcenter/psdb/b90103f8211b22803a126a1781f9c870.…
SuSE Linux School Server
http://support.novell.com/techcenter/psdb/b90103f8211b22803a126a1781f9c870.…
SUSE LINUX Retail Solution 8
http://support.novell.com/techcenter/psdb/b90103f8211b22803a126a1781f9c870.…
SUSE Linux Enterprise Server 10 SP1
http://support.novell.com/techcenter/psdb/9661e828c0e56d3297ed6fc60453d1e7.…
SLE SDK 10 SP1
http://support.novell.com/techcenter/psdb/9661e828c0e56d3297ed6fc60453d1e7.…
SUSE Linux Enterprise Desktop 10 SP1
http://support.novell.com/techcenter/psdb/9661e828c0e56d3297ed6fc60453d1e7.…
Open Enterprise Server
http://support.novell.com/techcenter/psdb/c9ea0bc14d84824dc2e54f71907d6322.…
Novell Linux POS 9
http://support.novell.com/techcenter/psdb/c9ea0bc14d84824dc2e54f71907d6322.…
Novell Linux Desktop 9
http://support.novell.com/techcenter/psdb/c9ea0bc14d84824dc2e54f71907d6322.…
SUSE SLES 9
http://support.novell.com/techcenter/psdb/c9ea0bc14d84824dc2e54f71907d6322.…
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
- See SUSE Security Summary Report
______________________________________________________________________________
6) Authenticity Verification and Additional Information
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org
20 Jul '07
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
        Announcement ID:        SUSE-SR:2007:014
        Date:                   Fri, 20 Jul 2007 12:00:00 +0000
        Cross-References:       CVE-2005-4835, CVE-2006-4168, CVE-2006-7177
                                CVE-2006-7178, CVE-2006-7179, CVE-2006-7180
                                CVE-2007-0720, CVE-2007-1558, CVE-2007-2447
                                CVE-2007-2645, CVE-2007-2829, CVE-2007-2830
                                CVE-2007-2831, CVE-2007-2948, CVE-2007-3257
                                CVE-2007-3372
Content of this advisory:
1) Solved Security Vulnerabilities:
- MPlayer CDDB handling buffer overflow
- madwifi site remote denial of service problems
- samba bugfix regression update
- cups denial of service regression fix
- libexif denial of service problems
- evolution IMAP SEQUENCE buffer overflow
- mutt APOP password disclosure problem
- avahi local denial of service
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
- Mozilla Firefox/Thunderbird/Seamonkey update
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums
or download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- MPlayer CDDB handling buffer overflow
  A buffer overflow in parsing of CDDB entries was fixed in MPlayer.
  This could be exploited by malicious CDDB servers to inject
  code. (CVE-2007-2948)

  MPlayer is only in SUSE Linux Desktop 1.0 and an update was released
  for this product.
- Madwifi site remote denial of service problems
  The madwifi driver and userland packages were updated to 0.9.3.1
  to fix several denial of service problems.

  Due to versioning problems that would have caused the madwifi KMP
  RPMs not to be installed, the RPM version still says "0.9.3", the
  content is the 0.9.3.1 version.

  This update fixes the following security problems:

  CVE-2007-2829: The 802.11 network stack in net80211/ieee80211_input.c
  in Madwifi before 0.9.3.1 allows remote attackers to cause a denial
  of service (system hang) via a crafted length field in nested
  802.3 Ethernet frames in Fast Frame packets, which results in a
  NULL pointer dereference.

  CVE-2007-2830: The ath_beacon_config function in if_ath.c in Madwifi
  before 0.9.3.1 allows remote attackers to cause a denial of service
  (system crash) via crafted beacon interval information when scanning
  for access points, which triggers a divide-by-zero error.

  CVE-2007-2831: Array index error in the (1) ieee80211_ioctl_getwmmparams
  and (2) ieee80211_ioctl_setwmmparams functions in
  net80211/ieee80211_wireless.c in Madwifi before 0.9.3.1 allows local
  users to cause a denial of service (system crash), possibly obtain
  kernel memory contents, and possibly execute arbitrary code via a
  large negative array index value.

  "remote attackers" for this problem are attackers within range of
  the WiFi reception of the card.

  Please note that the problems fixed in 0.9.3 were fixed by the
  madwifi version upgrade to 0.9.3 in the SUSE Linux Enterprise Desktop
  Service Pack 1 already but not listed in a separate advisory.
  (CVE-2005-4835, CVE-2006-7177, CVE-2006-7178, CVE-2006-7179,
  CVE-2006-7180).

  Only SUSE Linux Desktop 10 contains the affected madwifi driver.
- Samba bugfix regression update
  A samba update was released that fixes several regressions introduced
  by an earlier security update.

  The previous security fix for CVE-2007-2447 missed one character
  in the shell escape handling.

  Also fixed were some non-security related regressions introduced by the
  previous update.
- cups denial of service regression fix
  CUPS packages were released to fix another denial of service problem
  introduced by the previous denial of service fix for CVE-2007-0720, which was
  incomplete.

  All SUSE Linux based products were affected.
- libexif denial of service problems
  Two security problems were fixed in libexif.

  CVE-2007-2645: A denial of service problem (crash) was fixed in the
  EXIF Loader of libexif, which could be used to crash the browser or
  image viewer when it interprets the EXIF tags in prepared JPEG files.

  CVE-2006-4168: An integer overflow during loading EXIF entries was
  fixed that could lead to a denial of service (crash) or potential
  code execution.

  All SUSE Linux based products containing libexif and libexif5 were affected.
- evolution IMAP SEQUENCE buffer overflow
  A security problem was fixed in the evolution / evolution-data-server
  package, where a malicious IMAP server could execute code
  within evolution by sending a malformed response to a SEQUENCE
  command. (CVE-2007-3257)

  This affects all SUSE Linux based products containing evolution.
- mutt APOP password disclosure problem
  This update of mutt fixes a vulnerability in the APOP implementation
  that allows an active attacker to guess three bytes of the password.
  (CVE-2007-1558)

  All SUSE Linux based products containing mutt were affected and fixed.
- avahi local denial of service
  A security problem was fixed in avahi, where local attackers could
  send empty TXT data via D-BUS, causing the avahi daemon to exit.

  This issue has been assigned the Mitre CVE ID CVE-2007-3372 and
  it was fixed for SUSE Linux Enterprise 10, SUSE Linux 10.1 and
  openSUSE 10.2.
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
- Mozilla Firefox/Thunderbird/Seamonkey update
  Mozilla Firefox and Thunderbird 2.0.0.5 have been released and fix
  various security issues.

  We are currently preparing updates.
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command

    gpg --verify <file>

replacing <file> with the name of the file containing the announcement.
The output for a valid signature looks like:

    gpg: Signature made <DATE> using RSA key ID 3D25D3D9
    gpg: Good signature from "SuSE Security Team <security(a)suse.de>"

where <DATE> is replaced by the date the document was signed.

If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command

    gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and integrity of a
package needs to be verified to ensure that it has not been tampered with.
The internal RPM package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command

    rpm -v --checksig <file.rpm>

to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build(a)suse.de with the key ID 9C800ACA.

This key is automatically imported into the RPM database (on RPMv4-based
distributions) and the gpg key ring of 'root' during installation. You can
also find it on the first installation CD and included at the end of this
announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security(a)opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe(a)opensuse.org>.
opensuse-security-announce(a)opensuse.org
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security-announce+subscribe(a)opensuse.org>.
=====================================================================
SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
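The three Madwifi issues listed in SUSE-SR:2007:014 above (a large negative array index, a beacon interval that triggers a divide-by-zero, and a crafted length field in nested frames) each come down to a value from outside being used before it is validated. The following C code is an added example, not part of the advisory and not Madwifi source, showing the input checks that close each class; every name, the table values, the one-sided weak check and the length-prefixed frame layout are assumptions made for the illustration.

```c
/* Added illustration with hypothetical names; this is not Madwifi source. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_AC 4                       /* assumed size of the per-class table */
static const int CWMIN[NUM_AC] = { 4, 4, 3, 2 };   /* constructed values */

/* Array index error (the CVE-2007-2831 class): the index arrives from an
 * ioctl argument as a signed int. Testing only the upper bound, assumed here
 * as the weak form, lets a large negative value through. */
int index_ok_weak(int ac) { return ac < NUM_AC; }
int index_ok(int ac)      { return ac >= 0 && ac < NUM_AC; }

/* Returns the table entry, or -1 if the caller-supplied index is rejected. */
int get_cwmin(int ac)
{
    return index_ok(ac) ? CWMIN[ac] : -1;
}

/* Divide-by-zero (the CVE-2007-2830 class): a beacon interval taken from a
 * received frame is used as a divisor. Returns the time units until the
 * next beacon, or -1 if the advertised interval is zero. */
long tu_until_next_beacon(uint32_t now_tu, uint16_t interval_tu)
{
    if (interval_tu == 0)
        return -1;
    return (long)interval_tu - (long)(now_tu % interval_tu);
}

/* Crafted length field (the CVE-2007-2829 class). Assumed, simplified layout:
 * each nested frame is a 2-byte big-endian length followed by that many
 * payload bytes. Returns the number of nested frames, or -1 as soon as a
 * length does not fit in what is left of the buffer. */
int count_nested_frames(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int frames = 0;

    if (buf == NULL)
        return -1;
    while (off < len) {
        size_t sub;
        if (len - off < 2)
            return -1;                 /* truncated length field */
        sub = ((size_t)buf[off] << 8) | buf[off + 1];
        off += 2;
        if (sub == 0 || sub > len - off)
            return -1;                 /* empty frame, or runs past the end */
        off += sub;
        frames++;
    }
    return frames;
}

/* Constructed inputs: two well-formed nested frames, then a crafted length. */
static const uint8_t GOOD[]    = { 0x00, 0x02, 0xAA, 0xBB, 0x00, 0x01, 0xCC };
static const uint8_t CRAFTED[] = { 0x00, 0x02, 0xAA, 0xBB, 0xFF, 0xFF, 0xCC };

int main(void)
{
    printf("weak check accepts -1000000: %d\n", index_ok_weak(-1000000));
    printf("get_cwmin(-1000000) = %d\n", get_cwmin(-1000000));
    printf("interval 0 -> %ld\n", tu_until_next_beacon(250, 0));
    printf("good = %d, crafted = %d\n", count_nested_frames(GOOD, sizeof GOOD),
           count_nested_frames(CRAFTED, sizeof CRAFTED));
    return 0;
}
```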