- openSUSE Security Announce

[security-announce] SUSE Security Announcement: flash-player (SUSE-SA:2007:046)
by Marcus Meissner 19 Jul '07

19 Jul '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: flash-player Announcement ID: SUSE-SA:2007:046 Date: Thu, 19 Jul 2007 13:00:00 +0000 Affected Products: SUSE LINUX 10.0 SUSE LINUX 10.1 openSUSE 10.2 UnitedLinux 1.0 SuSE Linux Enterprise Server 8 SuSE Linux Openexchange Server 4 SuSE Linux Desktop 1.0 SuSE Linux Standard Server 8 SuSE Linux School Server SUSE LINUX Retail Solution 8 Novell Linux Desktop 9 SUSE Linux Enterprise Desktop 10 SP1 Vulnerability Type: remote code execution Severity (1-10): 8 SUSE Default Package: yes Cross-References: CVE-2007-2022, CVE-2007-3456, CVE-2007-3457 Content of This Advisory: 1) Security Vulnerability Resolved: Adobe Flash Player security problems Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion The Adobe Flash Player was updated to fix various security issues. New versions: - Flash 7.0.70.0: SUSE Linux 10.0, Novell Linux Desktop 9, SUSE Linux Desktop 1.0 and SUSE Linux Enterprise Server 8 - Flash 9.0.48.0: SUSE Linux 10.1, openSUSE 10.2 and SUSE Linux Enterprise Desktop 10. Security issues resolved: - CVE-2007-3456: An input validation error has been identified in Flash Player 9.0.45.0 and earlier versions that could lead to the potential execution of arbitrary code. This vulnerability could be accessed through content delivered from a remote location via the user's web browser, email client, or other applications that include or reference the Flash Player. - CVE-2007-3457: An issue with insufficient validation of the HTTP Referer has been identified in Flash Player 8.0.34.0 and earlier. This issue does not affect Flash Player 9. This issue could potentially aid an attacker in executing a cross-site request forgery attack. - CVE-2007-2022: The Linux and Solaris updates for Flash Player 7 (7.0.70.0) address the issues with Flash Player and the Opera and Konqueror browsers described in Security Advisory APSA07-03. These issues do not impact Flash Player 9 on Linux or Solaris. The web browsers Opera and konqueror that were affected by CVE-2007-2022 have already been fixed independently. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes Please close and restart all running instances of flash after the update. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/flash-player-9.0.48.0-1.1.… 131ba264fcdabc55a568c15b588c6ecd SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/flash-player-9.0.48.0-1.2.… 98bc9952b35fc72f82a2146b074bfbb9 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/flash-player-7.0.70.0… 775613fa6a09b9359e07c87b5efe1d5a Sources: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/flash-player-9.0.48.0-1.1.s… 9cccf1386487f58c7b619785d31ee4b0 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/flash-player-9.0.48.0-1.2.s… 7ac2087cb331b1188837c9baf42d4dd4 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/flash-player-7.0.70.0-… 2078936c1bb42c55eb85e7fd6ca62a53 Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: UnitedLinux 1.0 http://support.novell.com/techcenter/psdb/a3ed2a4c78f6382bffe9aeb90de5f965.… SuSE Linux Openexchange Server 4 http://support.novell.com/techcenter/psdb/a3ed2a4c78f6382bffe9aeb90de5f965.… SuSE Linux Enterprise Server 8 http://support.novell.com/techcenter/psdb/a3ed2a4c78f6382bffe9aeb90de5f965.… SuSE Linux Standard Server 8 http://support.novell.com/techcenter/psdb/a3ed2a4c78f6382bffe9aeb90de5f965.… SuSE Linux School Server http://support.novell.com/techcenter/psdb/a3ed2a4c78f6382bffe9aeb90de5f965.… SUSE LINUX Retail Solution 8 http://support.novell.com/techcenter/psdb/a3ed2a4c78f6382bffe9aeb90de5f965.… SuSE Linux Desktop 1.0 http://support.novell.com/techcenter/psdb/a3ed2a4c78f6382bffe9aeb90de5f965.… Novell Linux Desktop 9 http://support.novell.com/techcenter/psdb/11185d1d77c266319dacb704d254fd94.… SUSE Linux Enterprise Desktop 10 SP1 http://support.novell.com/techcenter/psdb/11185d1d77c266319dacb704d254fd94.… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBRp9XDXey5gA9JdPZAQI33Qf+J42AkFwWGzdjIFrggljEIZPX02INQBvs RwaSuHsJ7EsGA9eJ9wN+GSlHFqOedgL0fAomBAr+WNqtuUTg3R7E8PX0kTmD3cKI nAZIgOD4lGD5dJYNsbiC0lzklJgMrvTNEZwVOHE+QhbHZe65BFrlXHJjWLxJjivo dDS70HbFZRXNq14DRwzKGJdEl+A5yqP93OzcrtM3E75+jHrdieA2ww3F/C7+F/Jt OrzbSiMHmdxExP4OnKWDDg23h46vVx5RDcsMHN2eBBWErMHDtYYedGtC06tYMKZn TlLduG8Z8aS3apKk0ZMfXoGaFi0Fossi5DrTHiHdreDR3gCtoXDaAw== =xNe/ -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Announcement: Java security problems (SUSE-SA:2007:045)
by Marcus Meissner 18 Jul '07

18 Jul '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: IBM Java, Sun Java Announcement ID: SUSE-SA:2007:045 Date: Wed, 18 Jul 2007 18:00:00 +0000 Affected Products: SUSE LINUX 10.0 SUSE LINUX 10.1 openSUSE 10.2 UnitedLinux 1.0 SuSE Linux Enterprise Server 8 SuSE Linux Openexchange Server 4 SuSE Linux Desktop 1.0 SuSE Linux Standard Server 8 SuSE Linux School Server SUSE LINUX Retail Solution 8 SUSE SLES 9 Novell Linux Desktop 9 Open Enterprise Server Novell Linux POS 9 SUSE Linux Enterprise Desktop 10 SP1 SLE SDK 10 SP1 SUSE Linux Enterprise Server 10 SP1 Vulnerability Type: remote code execution Severity (1-10): 8 SUSE Default Package: yes Cross-References: CVE-2006-6736, CVE-2006-6737, CVE-2006-6745 CVE-2007-0243, CVE-2007-2788, CVE-2007-2789 CVE-2007-3004, CVE-2007-3005 Content of This Advisory: 1) Security Vulnerability Resolved: various java security problems Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: - Correction for kernel advisory SUSE-SA:2007:043 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion Both the IBM and Sun Java environments had several security issues which have been fixed by upgrading to their current patch levels. IBM Java JRE/SDK 1.3 was updated to 1.3.1 SR10. IBM Java JRE/SDK 1.4 was updated to 1.4.2 SR8. IBM Java JRE/SDK 5 was updated to 5.0 SR3. Sun Java JRE/SDK 1.3 was updated to 1.3.1_20. Sun Java JRE/SDK 1.4 was updated to 1.4.2_15. Sun Java JRE/SDK 1.5.0 was updated to 1.5.0_12. For IBM Java please also check the web page http://www-128.ibm.com/developerworks/java/jdk/alerts/ for more details. For Sun Java please also check the web page http://sunsolve.sun.com/search/document.do?assetkey=1-26-102934-1 for more details. Affecting both sets of JDKs: - CVE-2007-0243: A buffer overflow vulnerability in the Java(TM) Runtime Environment may allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet. IBM Java specific (fixed already for Sun Java in SUSE-SA:2007:003) problems: - CVE-2006-6737/CVE-2006-6736: Two vulnerabilities in the Java Runtime Environment may independently allow an untrusted applet to access data in other applets. - CVE-2006-6745: Two vulnerabilities in the Java(TM) Runtime Environment with serialization may independently allow an untrusted applet or application to elevate its privileges. Sun Java specific (fixed for IBM Java in later versions): - CVE-2007-2788 / CVE-2007-3004: Integer overflow in the embedded ICC profile image parser in Sun Java Development Kit (JDK), allows remote attackers to execute arbitrary code or cause a denial of service (JVM crash) via a crafted JPEG or BMP file. - CVE-2007-2789 / CVE-2007-3005: The BMP image parser in Sun Java Development Kit (JDK), on Unix/Linux systems, allows remote attackers to trigger the opening of arbitrary local files via a crafted BMP file, which causes a denial of service (system hang) in certain cases such as /dev/tty, and has other unspecified impact. - CVE-2007-0243: Buffer overflow in Sun JDK and Java Runtime Environment (JRE) allows applets to gain privileges via a GIF image with a block with a 0 width field, which triggers memory corruption. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes Please restart running Java instances. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_4_2-sun-1.4.2_updat… d127e4f44e096a9dd06c14814bd2182c ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_4_2-sun-alsa-1.4.2_… a37f8d08c7e9789fc7876dc3e37da5b9 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_4_2-sun-demo-1.4.2_… 0f2e825414bbfd9c1902c2d4d8471e43 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_4_2-sun-devel-1.4.2… d01ae6db6325f64a6b6a01aebe342031 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_4_2-sun-jdbc-1.4.2_… a86f7b7b752b6dbb45a1368027f393d6 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_4_2-sun-plugin-1.4.… 4c9ff9f65b29b68a28ce1a8e84bf4813 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_4_2-sun-src-1.4.2_u… 18020d2e7c086751659f79fc54ca7fc6 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_5_0-sun-1.5.0_updat… e23a75a56e94d61ea64aae6d1364236d ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_5_0-sun-alsa-1.5.0_… 89647e053e07458532337478cce33cad ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_5_0-sun-demo-1.5.0_… 962aef2cde996c68bf837f0b6c02a6e4 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_5_0-sun-devel-1.5.0… 15ba442c876600e59453b5e6a7d774b6 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_5_0-sun-jdbc-1.5.0_… 570092628e736998bf98e0153736595b ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_5_0-sun-plugin-1.5.… 6b27e226c65e444521f3964933dd474b ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/java-1_5_0-sun-src-1.5.0_u… 703422879e4ebf22e6295383deae522d SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_4_2-sun-1.4.2.15-2.… 159c176de609647b9cbc4e2f477a793d ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_4_2-sun-alsa-1.4.2.… e51e6c719126ab5efe679786c4f47cba ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_4_2-sun-demo-1.4.2.… 066dc7eda76f25899b25cea8079afc0f ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_4_2-sun-devel-1.4.2… 5599dfe80fe053e4a3332cc4f76e7720 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_4_2-sun-jdbc-1.4.2.… 15d749d534785cfdf8bd109b7e1f76c9 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_4_2-sun-plugin-1.4.… fc9e644929c7571f281382375f808dc7 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_4_2-sun-src-1.4.2.1… 1a23c8b996815dd55f80c4298830256f ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_5_0-sun-1.5.0_12-2.… 8f158ac8ab83f7d72a19caa29ceae701 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_5_0-sun-alsa-1.5.0_… 366a738ed2c0a26f11501c74d7ee88cb ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_5_0-sun-demo-1.5.0_… 01452bd648010f03b2dade18ac412125 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_5_0-sun-devel-1.5.0… 5229399ac7f8500ecbe13c075ddd1215 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_5_0-sun-jdbc-1.5.0_… 55693889496cb3bf2757f581eff753dc ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_5_0-sun-plugin-1.5.… 16e688147e8ebd8055ee35d7066a37a0 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/java-1_5_0-sun-src-1.5.0_1… 52b6439209a9f08f9a7c582f5be6afb1 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/java-1_4_2-sun-1.4.2.… 630512d206eb760db5be2506c227eb0b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/java-1_4_2-sun-alsa-1… 4a333fd9e8b28bc592b4f9bbfb710bf0 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/java-1_4_2-sun-demo-1… f9cb64c25765bf3317a25c980976ec77 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/java-1_4_2-sun-devel-… ff1a6a11ef42ce167df4c3258a534ae8 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/java-1_4_2-sun-jdbc-1… 69e15d0311de0f2d4ec83df1b0ccd28e ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/java-1_4_2-sun-plugin… 04072837c2eba22785fd87161d7c8fb8 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/java-1_4_2-sun-src-1.… 18f2e82b24615428c9703cb3c7699b4c ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/java-1_5_0-sun-1.5.0_… 8cdac523a1416fc23f86f74c20ee2d47 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/java-1_5_0-sun-alsa-1… c00ff3d2b961c5da9a398a56231c15b9 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/java-1_5_0-sun-demo-1… 2e9049ba2424621e96ac63dd646d0860 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/java-1_5_0-sun-devel-… 6660f2e9bb5bf3b4dfa080ced121d3d4 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/java-1_5_0-sun-jdbc-1… f0e93dd1acf6a6a2caa3f009b75fe061 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/java-1_5_0-sun-plugin… a47683a25a369253173ddc28e4049f09 x86-64 Platform: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/java-1_5_0-sun-1.5.0_upd… 9f3ef07f4bacc445eca261ee29e899ef ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/java-1_5_0-sun-alsa-1.5.… f293d1c08089f16daf990692df3d97d3 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/java-1_5_0-sun-demo-1.5.… cfbf41758105bce296c6cbbd1a31c174 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/java-1_5_0-sun-devel-1.5… c6f54e2c39788faf1cd5518f38450b00 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/java-1_5_0-sun-jdbc-1.5.… 54672479c76d8c30d076ef358e548db6 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/java-1_5_0-sun-src-1.5.0… 37570a66f1227d7699353b4ebb2f5d92 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/java-1_5_0-sun-1.5.0_12-… b4dc3bf51489568887f316c4e56e7b0d ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/java-1_5_0-sun-alsa-1.5.… 66860bf3f94132c4a199f454f9adcbed ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/java-1_5_0-sun-demo-1.5.… 201e9f5ba9e7adcaffe79d3e0baeb6d8 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/java-1_5_0-sun-devel-1.5… a748d4e7ba25561cfcd29a6a1028a519 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/java-1_5_0-sun-jdbc-1.5.… f19d6cbfe6bce232ef23a4a57ed22a46 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/java-1_5_0-sun-src-1.5.0… 9c0d632b4a389232dc7be2c71a31bc29 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/java-1_5_0-sun-1.5.… a025ef68d1f195df7ee456f2fce52979 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/java-1_5_0-sun-alsa… 9150ad42f5ba77284a632684ff0cb061 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/java-1_5_0-sun-demo… e11f8f7453ee1894f38f90d9cca7a30e ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/java-1_5_0-sun-deve… 4d94914d13825dfdecea50bf2679c179 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/java-1_5_0-sun-jdbc… 5120d762ca5dfc91fea4d41fe40c966e Sources: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/java-1_4_2-sun-1.4.2_update… ea53f3e1dbd5f3e8dd9df1e5d07d93ae ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/java-1_5_0-sun-1.5.0_update… 790c082ae4ee14328b35e7da450ff2dd SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/java-1_4_2-sun-1.4.2.15-2.1… f3fd322dc7c4830d7d38ebea68598a8d ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/java-1_5_0-sun-1.5.0_12-2.1… e944399dcd5667744fb0faf96bc61965 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/java-1_4_2-sun-1.4.2.1… 09b093972cc108b7ce5e111c0edd4009 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/java-1_5_0-sun-1.5.0_1… 42d90396d048156c62d5946466281ed8 Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: Novell Linux Desktop 9 http://support.novell.com/techcenter/psdb/90864743019d987b918e58f9bba908b8.… SuSE Linux Desktop 1.0 http://support.novell.com/techcenter/psdb/90864743019d987b918e58f9bba908b8.… SUSE Linux Enterprise Desktop 10 SP1 http://support.novell.com/techcenter/psdb/d2f549cc040cd81ae4a268bb5edfe918.… http://support.novell.com/techcenter/psdb/dc35750a80dacaad950b2c1075b2b499.… SUSE Linux Enterprise Server 10 SP1 http://support.novell.com/techcenter/psdb/d2f549cc040cd81ae4a268bb5edfe918.… http://support.novell.com/techcenter/psdb/dc35750a80dacaad950b2c1075b2b499.… http://support.novell.com/techcenter/psdb/4f850d1e2b871db609de64ec70f0089c.… SLE SDK 10 SP1 http://support.novell.com/techcenter/psdb/4f850d1e2b871db609de64ec70f0089c.… Open Enterprise Server http://support.novell.com/techcenter/psdb/90864743019d987b918e58f9bba908b8.… http://support.novell.com/techcenter/psdb/3012728a973846dec5946ec81fd01aca.… Novell Linux POS 9 http://support.novell.com/techcenter/psdb/90864743019d987b918e58f9bba908b8.… http://support.novell.com/techcenter/psdb/3012728a973846dec5946ec81fd01aca.… SUSE SLES 9 http://support.novell.com/techcenter/psdb/90864743019d987b918e58f9bba908b8.… http://support.novell.com/techcenter/psdb/3012728a973846dec5946ec81fd01aca.… UnitedLinux 1.0 http://support.novell.com/techcenter/psdb/90864743019d987b918e58f9bba908b8.… http://support.novell.com/techcenter/psdb/3012728a973846dec5946ec81fd01aca.… http://support.novell.com/techcenter/psdb/327376e840cf84f64469ae584f131ea6.… SuSE Linux Openexchange Server 4 http://support.novell.com/techcenter/psdb/90864743019d987b918e58f9bba908b8.… http://support.novell.com/techcenter/psdb/3012728a973846dec5946ec81fd01aca.… http://support.novell.com/techcenter/psdb/327376e840cf84f64469ae584f131ea6.… SuSE Linux Enterprise Server 8 http://support.novell.com/techcenter/psdb/90864743019d987b918e58f9bba908b8.… http://support.novell.com/techcenter/psdb/3012728a973846dec5946ec81fd01aca.… http://support.novell.com/techcenter/psdb/327376e840cf84f64469ae584f131ea6.… SuSE Linux Standard Server 8 http://support.novell.com/techcenter/psdb/90864743019d987b918e58f9bba908b8.… http://support.novell.com/techcenter/psdb/3012728a973846dec5946ec81fd01aca.… http://support.novell.com/techcenter/psdb/327376e840cf84f64469ae584f131ea6.… SuSE Linux School Server http://support.novell.com/techcenter/psdb/90864743019d987b918e58f9bba908b8.… http://support.novell.com/techcenter/psdb/3012728a973846dec5946ec81fd01aca.… http://support.novell.com/techcenter/psdb/327376e840cf84f64469ae584f131ea6.… SUSE LINUX Retail Solution 8 http://support.novell.com/techcenter/psdb/90864743019d987b918e58f9bba908b8.… http://support.novell.com/techcenter/psdb/3012728a973846dec5946ec81fd01aca.… http://support.novell.com/techcenter/psdb/327376e840cf84f64469ae584f131ea6.… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: - Correction for kernel advisory SUSE-SA:2007:043 The Linux kernel security advisory SUSE-SA:2007:043 incorrectly lists various SUSE Linux Enterprise Server 9 products as being affected. Correction: The advisory SUSE-SA:2007:043 only applies to the SUSE Linux 10.0 and openSUSE 10.2 products. The last SLES 9 kernel advisory is SUSE-SA:2007:035 and already contains most of the fixes listed. The fixes not listed yet will be fixed with the next SLES 9 kernel update. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBRp4z1Hey5gA9JdPZAQL1Fwf/V+AQlUTwGbizTXJ4falNt48c50SackDh GQRoyCPtCzC1S4EdeeLLDlAbEnrnLQTkSBaBCV+wukVJEAqYvamIg6Hz5d16uxd+ Sq612JqDFBQeuM2Mk0j15KCeBXMyrHdLzGpG3GrDFbjp3RnoDNlW1PVl3VexLM7n t+izudNsA70K6TxhgJbPYzed6rlyOe+EjoKqJgMfICzYuniUd0h9kjC0t3I24III qiPP7g3CAvJe9mwUteXYHUB2oHYb/4hPkgtlzvlRnIau2MMmBRy14FHk4oTD58/2 QespYkBU0g50EgEwRdsvay9+zwu5T6+WQ0vH3njLJM94QAq1tDKUrQ== =a8cV -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Announcement: php4,php5 (SUSE-SA:2007:044)
by Marcus Meissner 12 Jul '07

12 Jul '07

1 0

[security-announce] SUSE Security Announcement: Linux kernel (SUSE-SA:2007:043)
by Marcus Meissner 09 Jul '07

09 Jul '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: kernel Announcement ID: SUSE-SA:2007:043 Date: Mon, 09 Jul 2007 13:00:00 +0000 Affected Products: SUSE LINUX 10.0 openSUSE 10.2 SUSE SLES 9 Novell Linux Desktop 9 Open Enterprise Server Novell Linux POS 9 Vulnerability Type: remote denial of service Severity (1-10): 7 SUSE Default Package: yes Cross-References: CVE-2006-7203, CVE-2007-1357, CVE-2007-1496 CVE-2007-1497, CVE-2007-1592, CVE-2007-1861 CVE-2007-2453, CVE-2007-2876 Content of This Advisory: 1) Security Vulnerability Resolved: kernel security problems Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion The SUSE Linux 10.0 and openSUSE 10.2 have been updated to fix various security problems. Please note that the SUSE Linux 10.0 has been released some weeks ago. The SUSE Linux 10.1 is affected by some of those problems but will be updated in some weeks to merge back with the SLE10 Service Pack 1 kernel. - CVE-2007-1357: A denial of service problem against the AppleTalk protocol was fixed. A remote attacker in the same AppleTalk network segment could cause the machine to crash if it has AppleTalk protocol loaded. - CVE-2007-1861: The nl_fib_lookup function in net/ipv4/fib_frontend.c allows attackers to cause a denial of service (kernel panic) via NETLINK_FIB_LOOKUP replies, which trigger infinite recursion and a stack overflow. - CVE-2007-1496: nfnetlink_log in netfilter allows attackers to cause a denial of service (crash) via unspecified vectors involving the (1) nfulnl_recv_config function, (2) using "multiple packets per netlink message", and (3) bridged packets, which trigger a NULL pointer dereference. - CVE-2007-1497: nf_conntrack in netfilter does not set nfctinfo during reassembly of fragmented packets, which leaves the default value as IP_CT_ESTABLISHED and might allow remote attackers to bypass certain rulesets using IPv6 fragments. Please note that the connection tracking option for IPv6 is not enabled in any currently shipping SUSE Linux kernel, so it does not affect SUSE Linux default kernels. - CVE-2007-1592: A local user could affect a double-free of a ipv6 structure potentially causing a local denial of service attack. - CVE-2006-7203: The compat_sys_mount function in fs/compat.c allows local users to cause a denial of service (NULL pointer dereference and oops) by mounting a smbfs file system in compatibility mode ("mount -t smbfs"). - CVE-2007-2453: Seeding of the kernel random generator on boot did not work correctly due to a programming mistake and so the kernel might have more predictable random numbers than assured. - CVE-2007-2876: A NULL pointer dereference in SCTP connection tracking could be caused by a remote attacker by sending specially crafted packets. Note that this requires SCTP set-up and active to be exploitable. Also some non-security bugs were fixed. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes Please reboot the machine after update. On openSUSE 10.2 this update will trigger installation of new NVIDIA kernel drivers if you have the NVIDIA repository added. This addition will leave the old versions present, they need to be removed manually. Run: rpm -qa |grep nvidia-gfx If you have a new "nvidia-gfxG01-..." package in this list, you can remove the left over nvidia-gfx-... package. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/kernel-bigsmp-2.6.18.8-0.5… a505d3960da0ec2ffe648752f1d8b6c4 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/kernel-default-2.6.18.8-0.… da9c7c160022a364b3bb07fee33d602d ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/kernel-source-2.6.18.8-0.5… 4e1c40c4fda8864192a230bb05380aca ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/kernel-syms-2.6.18.8-0.5.i… 5e273c329378e6c102f2f8ad7e154926 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/kernel-xen-2.6.18.8-0.5.i5… c309622d4a95ffe1737c40f025856a7e ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/kernel-xenpae-2.6.18.8-0.5… 195c5f7ab27f3c3ab20fb47fa0e27ec6 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/Intel-536ep-4.69-0.2.… 1d3fe226bab796dcd52bd99a568f726e ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-bigsmp-2.6.13-… 3cf2ab34b8a006be241aa022f192c89b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-bigsmp-nongpl-… ee1c01585c96fadcf3071e1028470725 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-default-2.6.13… d17a8edd2af6c014176525b3b18d9dd9 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-default-nongpl… 05614b6e759579c3e0ee5325ad226fd5 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-smp-2.6.13-15.… fc205f6d3c72ee4a4efafd391866a593 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-smp-nongpl-2.6… 741e1670becd48cae2f9994c2dfaff5c ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-source-2.6.13-… fe997ec5203094fc2fa58eb6b03cc6b5 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-syms-2.6.13-15… c7cf492f1fa78512c1a8d9cd7fb07bac ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-um-2.6.13-15.1… 40114d46d9bb329c5dce4762a7ca78d7 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-um-nongpl-2.6.… 0839b75f18b63ddf1623769d0283eb18 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-xen-2.6.13-15.… 0626e5104b81301c71ddde79bfabdc27 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/kernel-xen-nongpl-2.6… aa2d3994fe3ac616548eb20beb056c57 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/um-host-kernel-2.6.13… d377dae62b3689c187d8258597df6a67 Power PC Platform: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/kernel-default-2.6.18.8-0.5… 590007ea5d50c35b79eaf3246f80b360 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/kernel-iseries64-2.6.18.8-0… b174a54f8aae959fdfc50d009be2d069 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/kernel-ppc64-2.6.18.8-0.5.p… 448c87b384c1f62d9e5519cd6f47f5aa ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/kernel-source-2.6.18.8-0.5.… 04bf780fe95e95d9953ab344a0debfe0 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/kernel-syms-2.6.18.8-0.5.pp… 63102284392f8afc6e5a48855b6cf8a8 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kernel-default-2.6.13-… 7f704938e86c3de242436d114560fae9 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kernel-iseries64-2.6.1… bf310faa41c55b897893e8891e0eaaa8 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kernel-ppc64-2.6.13-15… 1a01f7fe3c5b9701d2d122d05138c000 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kernel-source-2.6.13-1… b76403857ba669b234d2891855809f06 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/kernel-syms-2.6.13-15.… 6617ba26a91fd4ae1f7018c2b9675159 x86-64 Platform: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/kernel-default-2.6.18.8-… 36bf701bec6ff3f1ef7622ae2d718fc7 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/kernel-source-2.6.18.8-0… 2a00aff3634cb6b60c6c174bbfbc87cc ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/kernel-syms-2.6.18.8-0.5… 0d673a9f9557eb1643c66c6a22f63cda ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/kernel-xen-2.6.18.8-0.5.… 187d790942b4b7287a766c45e6ece747 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-default-2.6.… effe5768bfde49ca4062a55c49607263 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-default-nong… ffb75eae6c6ff7bfc965a6227f1f7972 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-smp-2.6.13-1… 106430486de053978ed824436dd064fa ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-smp-nongpl-2… c1e57b4f42c2de1cf31ebaf9cbdc389f ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-source-2.6.1… ab6ba07327191cf7c409f4f9c0602d73 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-syms-2.6.13-… e3b600c1e5e2ab862168d20220bcff5c ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-xen-2.6.13-1… d299aa32d3e17091aa83d7f3097653b5 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/kernel-xen-nongpl-2… d523b78f2f2d5d1d162d3cbd4511a7c2 Sources: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/kernel-bigsmp-2.6.18.8-0.5.… a4c9f16922fea3aaad385b4614d21d15 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/kernel-default-2.6.18.8-0.5… a576cb1f91137053da1e7f6c58c7d37c ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/kernel-iseries64-2.6.18.8-0… 901878ad7875cdce03c2178c2d91ae06 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/kernel-ppc64-2.6.18.8-0.5.n… 4985f6d66c4cb0d899f5a01db4e38237 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/kernel-source-2.6.18.8-0.5.… 71a95473e6114f4eea2a6a00f591d8f8 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/kernel-syms-2.6.18.8-0.5.sr… 5a7312884f85d6bce16991333c1504b1 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/kernel-xen-2.6.18.8-0.5.nos… e53829bfc3ae75c0dfdcc0c7e5411ba8 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/kernel-xenpae-2.6.18.8-0.5.… d8cfd9e90f21b4167ebf2935aeba7678 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/Intel-536ep-4.69-0.2.s… 05dec5d7ae03b161f2a57f6da8955700 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-bigsmp-2.6.13-1… e5ef10ca84c922a722a593e76a20c2f1 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-default-2.6.13-… a76d8142a583508c669e147c070ce78d ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-iseries64-2.6.1… 8016b18e1d36bbfbbed8f75d2c79cb04 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-ppc64-2.6.13-15… cf5c3bdf83956b642ddd3aa46eac5ee0 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-smp-2.6.13-15.1… 261324df40ac37369cfdd9b22919c742 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-source-2.6.13-1… 17a5dd4d44426ce4d7d96aa437582513 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-source-2.6.13-1… d200d519ac2cdb2e01a9222f381c3e63 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-syms-2.6.13-15.… a3c1111ae281e8ac2ed871b39e2236e3 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-um-2.6.13-15.16… 88a5a6f8507a193e9407d6490821be94 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/kernel-xen-2.6.13-15.1… 0b1277b23d20e93da20ecafe4a23a8b6 ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBRpIqgXey5gA9JdPZAQKVaAf/UYixRKjKAi3ggJL7EQr/YheoU11UdNq2 OYn4yNf7WgxnK8mRRrzEbZJnhmYXGi3eDEQghQ+EAqNzWYXUxrrPe0G6sQoGWmB6 Pe1nKm8NMqNtfvicF6rKtgAfrCMRP5DrYioDrVLvF1r3GvURNslurTsTNc59fuV/ Lo1/hDJnTT6hwHpb9BlWUpwkntnJKEn01ysg4HqSK92Yhz5yJHmEeW9ZZ91q0PSa eSldcRNYQ3JR3C70JzFdu7UZ+QtzI5sPZwoJmRO9QOMavWPghTg3O6+nyP9Um/B0 ywr6ZGXWEsEZI8EsoBO9PepZ17N+VWjjpwRKL7gzGGQdir/M8h/GWw== =CzqZ -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Announcement: Evolution (SUSE-SA:2007:042)
by Marcus Meissner 05 Jul '07

05 Jul '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: evolution,evolution-data-server Announcement ID: SUSE-SA:2007:042 Date: Thu, 05 Jul 2007 18:00:00 +0000 Affected Products: SUSE LINUX 10.0 SUSE LINUX 10.1 openSUSE 10.2 SuSE Linux Desktop 1.0 Novell Linux Desktop 9 SUSE Linux Enterprise Desktop 10 SP1 SUSE Linux Enterprise Server 10 SP1 Vulnerability Type: remote code execution Severity (1-10): 6 SUSE Default Package: yes Cross-References: CVE-2007-3257 Content of This Advisory: 1) Security Vulnerability Resolved: remote code execution by malicious IMAP server Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion A malicious IMAP server could execute code within evolution by sending a malformed response to a SEQUENCE command. (CVE-2007-3257) This requires the user to connect to this malicious server (or a DNS entry of a good one replaced pointed to a malicious one) For older products the problematic code lives in the evolution package, for newer ones in the evolution-data-server package. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes Please close and restart all running instances of evolution after the update. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/evolution-data-server-1.8.… cf0ef3332a1005a598dc01b9b8721c3b ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/evolution-data-server-deve… 53c2edfea054edf680d16b9a6ebe1d6a SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/evolution-data-server-1.6.… ac3b9d062feda507bc46bb4537c35f01 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/evolution-data-server-deve… 999c30d78f4bcedb92cc9d13acd4cb04 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/evolution-data-server… f81fc01aac70dacaef72067cd20e1789 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/evolution-data-server… 0c5019714dc38967250d546e4240324b Power PC Platform: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/evolution-data-server-1.8.2… bedd7b5ecb09dc7ebe13b4ba5a39746c ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/evolution-data-server-devel… 435aca4e7fd2047c8f65de84b4a460ba SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/evolution-data-server-1.6.0… d58d33df2443fefe6dede70c06c0151e ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/evolution-data-server-devel… e2be822ff9c625b8d6c2571d6003104e SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/evolution-data-server-… 7be262a623a6035ddbe8e885aaee59fc ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/evolution-data-server-… 55e98a69b4e8570548966506ee8b8890 x86-64 Platform: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/evolution-data-server-1.… ddf44956dd38e64e8fd8f352da504a28 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/evolution-data-server-32… 9f1ee1154618701bb018afdc4df07207 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/evolution-data-server-de… af6d90f21a8574f9ed4a6ac26edc1ba9 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/evolution-data-server-1.… f71072d3a1b4cdcae9ac1e4464088b20 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/evolution-data-server-32… e19ff9bd8b3a607dba310ce9f515fec5 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/evolution-data-server-de… d080eb77092927c24cd6977f18011008 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/evolution-data-serv… 8a82624a404f4a37aeabb10f663f39f9 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/evolution-data-serv… 64b949a2a7feee1015b0172d9d8f4688 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/evolution-data-serv… 6d3f26332fd7aee190f9a801411a3ebd Sources: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/evolution-data-server-1.8.2… cb868a3ffb3dbd880f1eabf52b9a2b2f SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/evolution-data-server-1.6.0… b20034e320b6dc7a78c00ac775bd798b SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/evolution-data-server-… e84e74ba25d843e82e15392d125a8c44 Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: SUSE Linux Enterprise Server 10 SP1 http://support.novell.com/techcenter/psdb/05f2191a0a3c694e34ebe389d55eb5ab.… SUSE Linux Enterprise Desktop 10 SP1 http://support.novell.com/techcenter/psdb/05f2191a0a3c694e34ebe389d55eb5ab.… Novell Linux Desktop 9 http://support.novell.com/techcenter/psdb/49ddc1710da25d618b1e7a9a8b2194b5.… SuSE Linux Desktop 1.0 http://support.novell.com/techcenter/psdb/49ddc1710da25d618b1e7a9a8b2194b5.… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBRo0Rhney5gA9JdPZAQJh0Qf/dUAI+BzwhEJKs9huaJzrLuEezc4K6YXZ O+qgDZ2fxmldf+1ZG3INMkWI4Lo40hvj4aUeYAbXmohW0nBF92bJzhUjP2b1W5io BIDMsES6CCM5okb7ipv60UGuD79f3/LCiLMhMWrpjViWpAcPtbr8b4ARNVjmTaxv 6zbg3cUseg8zLnFxxBYM12DXZxFekYey0klL5uYQVu5jK4RbEigCwAEDsVB4CaFS ZgI8IBlhF1NtqHd5j+mfvqCUFj/nrZVWlO/ea6abe6maQVr8R4B5WN0dJw8Zfbnb ixsEq3rrEZKQw/5noC0Rq6yyk+21AswkgGxlX4HUCajU2HFFw6G/cg== =7iu+ -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Announcement: freetype2 (SUSE-SA:2007:041)
by Marcus Meissner 04 Jul '07

04 Jul '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: freetype2 Announcement ID: SUSE-SA:2007:041 Date: Wed, 04 Jul 2007 14:00:00 +0000 Affected Products: SUSE LINUX 10.0 SUSE LINUX 10.1 openSUSE 10.2 UnitedLinux 1.0 SuSE Linux Enterprise Server 8 SuSE Linux Openexchange Server 4 SuSE Linux Desktop 1.0 SuSE Linux Standard Server 8 SuSE Linux School Server SUSE LINUX Retail Solution 8 SUSE SLES 9 Novell Linux Desktop 9 Open Enterprise Server Novell Linux POS 9 SUSE Linux Enterprise Desktop 10 SP1 SUSE Linux Enterprise Server 10 SP1 Vulnerability Type: remote code execution Severity (1-10): 8 SUSE Default Package: yes Cross-References: CVE-2007-2754 Content of This Advisory: 1) Security Vulnerability Resolved: freetype2 security problem Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion The TTF rendering library freetype2 was updated to fix an integer signedness bug when handling TTF images. This bug can lead to a heap overflow that can be exploited to execute arbitrary code. (CVE-2007-2754) Updates for SLE 10 Service Pack 1 and SUSE Linux 10.1 were released on Monday the 2nd of July, all other products received them at June 20th. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes Please close and restart your desktop after the update. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/freetype2-2.2.1.20061027-1… 3d57e279dba8b3f75760e56b6664e466 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/freetype2-devel-2.2.1.2006… 97d4c1211f0946dad3a7b4ce5d51a933 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/freetype2-2.1.10-18.14.i58… 327ce20607390381023742a279ad84b1 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/freetype2-devel-2.1.10-18.… 7bc0c9c1b5ca05bfb7a10eea608e687a SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/freetype2-2.1.10-4.9.… 9856006a53a4f50d2d919043441ee7f7 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/freetype2-devel-2.1.1… 3369f95a87b2ac67754bd8d0ca6be892 Power PC Platform: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/freetype2-2.2.1.20061027-15… 6290e10b65e5ad9c508fc9ae7f5be443 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/freetype2-devel-2.2.1.20061… f53c8a0d9a76397d69bb9080f296f200 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/freetype2-2.1.10-18.14.ppc.… cee13c222808ee806b1d3711895a5780 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/freetype2-devel-2.1.10-18.1… 6828861f12fb2dd120082f5eb2ad9cf9 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/freetype2-2.1.10-4.9.p… 342c1268d8ae87d00afa9ea8c475c5bf ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/freetype2-devel-2.1.10… 93ed500ad8e68e3d4f50de9e455205bd x86-64 Platform: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/freetype2-2.2.1.20061027… 0d1f860aed7fe167273dc39f8d5dde71 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/freetype2-32bit-2.2.1.20… d390422eaa70be260ff76e67b43f7a25 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/freetype2-devel-2.2.1.20… c9236db9b5235545cedda120994efef3 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/freetype2-devel-32bit-2.… 391d544bc6e47b1819b2de570def0dbe SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/freetype2-2.1.10-18.14.x… c14a7cbee88ea0d66d2426582bca8a82 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/freetype2-32bit-2.1.10-1… 5bf9df9882521f30eec53884c8e8044c ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/freetype2-devel-2.1.10-1… f6e5ea94aa8f2054c493a343586e3073 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/freetype2-devel-32bit-2.… 0d6cd857c9a30cc109d56e2be369b5fe SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/freetype2-2.1.10-4.… f1e0170374db5118dfcc816f5ebe9d61 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/freetype2-32bit-2.1… f3620efaf0b4398d618547a867c1ca87 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/freetype2-devel-2.1… 56eab1c0122caf3dd7d2bc9e9f273042 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/freetype2-devel-32b… 51854ad773e65d703bdb9ede50c5f851 Sources: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/freetype2-2.2.1.20061027-15… 9fb6f7a05c9792e1cdb36a071d090989 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/freetype2-2.1.10-18.14.src.… 7cebbeb338640a4090162ece7ca8eb5e SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/freetype2-2.1.10-4.9.s… 833d154c7d8ce2604dc427f43dc3f99a Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: SUSE Linux Enterprise Server 10 SP1 http://support.novell.com/techcenter/psdb/824a4e24e4379e41403530852c364190.… SUSE Linux Enterprise Desktop 10 SP1 http://support.novell.com/techcenter/psdb/824a4e24e4379e41403530852c364190.… UnitedLinux 1.0 http://support.novell.com/techcenter/psdb/21c9a243dbedc0b6b97f4bf9e8e2d3f9.… SuSE Linux Openexchange Server 4 http://support.novell.com/techcenter/psdb/21c9a243dbedc0b6b97f4bf9e8e2d3f9.… Open Enterprise Server http://support.novell.com/techcenter/psdb/21c9a243dbedc0b6b97f4bf9e8e2d3f9.… Novell Linux POS 9 http://support.novell.com/techcenter/psdb/21c9a243dbedc0b6b97f4bf9e8e2d3f9.… Novell Linux Desktop 9 http://support.novell.com/techcenter/psdb/21c9a243dbedc0b6b97f4bf9e8e2d3f9.… SuSE Linux Enterprise Server 8 http://support.novell.com/techcenter/psdb/21c9a243dbedc0b6b97f4bf9e8e2d3f9.… SuSE Linux Standard Server 8 http://support.novell.com/techcenter/psdb/21c9a243dbedc0b6b97f4bf9e8e2d3f9.… SuSE Linux School Server http://support.novell.com/techcenter/psdb/21c9a243dbedc0b6b97f4bf9e8e2d3f9.… SUSE LINUX Retail Solution 8 http://support.novell.com/techcenter/psdb/21c9a243dbedc0b6b97f4bf9e8e2d3f9.… SuSE Linux Desktop 1.0 http://support.novell.com/techcenter/psdb/21c9a243dbedc0b6b97f4bf9e8e2d3f9.… SUSE SLES 9 http://support.novell.com/techcenter/psdb/21c9a243dbedc0b6b97f4bf9e8e2d3f9.… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBRouIfXey5gA9JdPZAQL1HAf+Ij7ufUKuJCnFgMHmREcNNyHl/W/0iacl Ioz2KNQjJ/AYRuroeMiY2UHZNFpQjGRFaJcuuNTXzQXWS25SO21HcNkNcv8Z2145 f965htX52S9gIOJ+wKMkSF40AvH/Za7o774JldFTdV8WysIgOgXJVmg0o45VzCgX qpK9P/7HPSuQYvQShO23to2zYrqFi5EHwUhq9EXSl5glAV9OO8tL1N1+iJJDZEl6 +pTTyyR/fqK1fpwpIEEfhMsooMs4Hc/rC/DHLoa9W8CsZTO2yKB+wjWf0vyIkeLk jSTRnQaVMGohZ959Czq34eGAvgOuckljJ3TOcRPr97ciTxxdfyd6Xw== =GRor -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Announcement: file (SUSE-SA:2007:040)
by Marcus Meissner 04 Jul '07

04 Jul '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: file Announcement ID: SUSE-SA:2007:040 Date: Wed, 04 Jul 2007 13:00:00 +0000 Affected Products: SUSE LINUX 10.0 SUSE LINUX 10.1 openSUSE 10.2 SUSE SLES 9 Novell Linux Desktop 9 Open Enterprise Server Novell Linux POS 9 SUSE Linux Enterprise Desktop 10 SP1 SLE SDK 10 SP1 SUSE Linux Enterprise Server 10 SP1 Vulnerability Type: potential code execution Severity (1-10): 7 SUSE Default Package: yes Cross-References: CVE-2007-1536, CVE-2007-2799 Content of This Advisory: 1) Security Vulnerability Resolved: file integer overflow Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion A previous security fix for file introduced a new integer overflow in the file_printf() function and potentially be used to execute code. This has been fixed and updates have been provided. Since file can be run by automatic scripts, remote exploitation might be possible. This issue is tracked by the Mitre CVE ID CVE-2007-2799. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes None. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/file-4.17-27.i586.rpm 71fb39025842635d3d2a369f67d36966 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/file-devel-4.17-27.i586.rpm 58c8c5cc8219c3a27c6fa35c00d562d1 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/file-4.16-15.13.i586.rpm 0dfcb7061a69c3ea263e259cdc5622a3 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/file-devel-4.16-15.13.i586… 81647420e3676bd1327ad3ee93a2d66c SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/file-4.14-3.5.i586.rpm 2b6b5eb1e6713683ab0062237b18b270 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/file-devel-4.14-3.5.i… c2341c2361c6ff61a975471a077d8370 Power PC Platform: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/file-4.17-27.ppc.rpm a34ffaaa3557c9d95b410fb13305feb5 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/file-devel-4.17-27.ppc.rpm f37b44f3b7faaa5614108f243199478d SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/file-4.16-15.13.ppc.rpm 56f3f787274846955a55a47df9d80f47 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/file-devel-4.16-15.13.ppc.r… 293aaa3d05a2446c4735e5d60ece2e61 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/file-4.14-3.5.ppc.rpm 01722877b74c715ccaf9bfc57cdb4537 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/file-devel-4.14-3.5.pp… d46fdd9f2cf95e14bea4e6bdfd304d78 x86-64 Platform: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/file-32bit-4.17-27.x86_6… 04fa107453847fdbacba7ac20c416c14 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/file-4.17-27.x86_64.rpm 9b25a6c3c36b64da56d18c64c0d41541 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/file-devel-4.17-27.x86_6… 43ad432ef1020371d63a955cba3b4904 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/file-32bit-4.16-15.13.x8… 97f580b6bd4ab6afc3484bb9c75aa27a ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/file-4.16-15.13.x86_64.r… 5b2fc247062c970cc6bfd8fcd7de8b51 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/file-devel-4.16-15.13.x8… 6857325d13a32187461b980f47f8e52f SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/file-32bit-4.14-3.5… a84f3907a7384a27b532c370bfc90371 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/file-4.14-3.5.x86_6… 09430fce30b187c0bc78829ace54fbe6 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/file-devel-4.14-3.5… 17168aee14e6bffdf6b300e24e3e2568 Sources: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/file-4.17-27.src.rpm 63b8e44129d7526ffb6562a2d811933f SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/file-4.16-15.13.src.rpm 06e9f7f0ce0217a20bab1b572004a513 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/file-4.14-3.5.src.rpm 515371c885768d38cf506c1cd8227ca3 Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: SUSE Linux Enterprise Server 10 SP1 http://support.novell.com/techcenter/psdb/16b049160f20102b048862a6595a6130.… SLE SDK 10 SP1 http://support.novell.com/techcenter/psdb/16b049160f20102b048862a6595a6130.… SUSE Linux Enterprise Desktop 10 SP1 http://support.novell.com/techcenter/psdb/16b049160f20102b048862a6595a6130.… Open Enterprise Server http://support.novell.com/techcenter/psdb/40f3a050df9659ee95c994d2fde2b2b0.… Novell Linux POS 9 http://support.novell.com/techcenter/psdb/40f3a050df9659ee95c994d2fde2b2b0.… Novell Linux Desktop 9 http://support.novell.com/techcenter/psdb/40f3a050df9659ee95c994d2fde2b2b0.… SUSE SLES 9 http://support.novell.com/techcenter/psdb/40f3a050df9659ee95c994d2fde2b2b0.… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBRouIRney5gA9JdPZAQIsLwgAiHcToaCWNK0zNixMnDhjUkGB7e8WcbIV qKpmjW5281AypHLND8ZgXOo+6/rogEI0Lcr4EdTJCsaJCYt6uOrtXW4ywLtZILnD zzXUh+ROexqA65MqnYzUXJsraF2nB4S0451IbiO40LjtEsexY0pfQ5utVxtqBziI WLBfzlC+xA6fDoD5p4Rj9uoDzu9Ot5OxIU5QGkcVQf7P08ZjNZYsYWljq7GVy3ed t6f/5Kd/Xv8dPGVTh7bTNPtwuZKXkt2DkUYXuR7DGd84y9ldl7AHBDM+RneXMpoz HL5L5sfwggoc/sCpDFf7ttl/pf40u076QSgRoy3zNJCioiKYAKbnBg== =0WZs -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Announcement: libexif (SUSE-SA:2007:039)
by Marcus Meissner 03 Jul '07

03 Jul '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: libexif Announcement ID: SUSE-SA:2007:039 Date: Tue, 03 Jul 2007 17:00:00 +0000 Affected Products: SUSE LINUX 10.0 SUSE LINUX 10.1 openSUSE 10.2 UnitedLinux 1.0 SuSE Linux Enterprise Server 8 SuSE Linux Openexchange Server 4 SuSE Linux Desktop 1.0 SuSE Linux Standard Server 8 SuSE Linux School Server SUSE LINUX Retail Solution 8 SUSE SLES 9 Novell Linux Desktop 9 Open Enterprise Server Novell Linux POS 9 SUSE Linux Enterprise Desktop 10 SP1 SLE SDK 10 SP1 SUSE Linux Enterprise Server 10 SP1 Vulnerability Type: remote denial of service Severity (1-10): 7 SUSE Default Package: yes Cross-References: CVE-2006-4168, CVE-2007-2645 Content of This Advisory: 1) Security Vulnerability Resolved: libexif remote denial of service Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion Two security problems were fixed in the libexif library which handles extended information in JPEG images. CVE-2007-2645: A denial of service problem (crash) was fixed in the EXIF Loader of libexif, which could be used to crash the browser or image viewer when it interprets the EXIF tags in prepared JPEG files. () CVE-2006-4168: A integer overflow was fixed in the EXIF loader, which could potentially be used to execute code or at least to crash the image viewer/web browser. Attackers might crash your E-Mail client or Web browser by embedding a crafted JPEG image with broken EXIF data. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes None. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/libexif-0.6.14-20.i586.rpm 8b51ea8c00917b92f2c6f917dc6c7075 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/libexif5-0.5.12-39.i586.rpm 2f664181c05adba466688d72acba0290 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/libexif-0.6.13-20.6.i586.r… 19c460b7303a61f73aa6e8fc608c19e6 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/libexif5-0.5.12-17.7.i586.… 94ef6e0db31f9a27cfe918127e111ae8 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/libexif-0.6.13-5.6.i5… 828b66ebbcf65165265b2626d5cfd128 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/libexif5-0.5.12-5.3.i… 2ee753118e36046fde13e7baf776198e Power PC Platform: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/libexif-0.6.14-20.ppc.rpm 8b4fd53fe4d613e8265cca92e4125eed ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/libexif5-0.5.12-39.ppc.rpm 23907dd0364b4abc001ad0e1fefc559f SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/libexif-0.6.13-20.6.ppc.rpm 6dfe90de0ec18f6b62545d41c1ce0451 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/libexif5-0.5.12-17.7.ppc.rpm 5b16777269b81781ab22e1199bae4744 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/libexif-0.6.13-5.6.ppc… 66758e06bf81296b0f785c4f9be1f6e4 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/libexif5-0.5.12-5.3.pp… 088582470dcb34f117d7914dc0314fd8 x86-64 Platform: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/libexif-0.6.14-20.x86_64… 281b4a175bc3ee533c2bc013045cb56f ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/libexif-32bit-0.6.14-20.… af8ca717ed67c7daf8162264d8c9aad0 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/libexif5-0.5.12-39.x86_6… 62cb1d299cfb85754d2f99fc954f9786 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/libexif-0.6.13-20.6.x86_… 9b758ea30cd441c9d43d0320b4660878 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/libexif-32bit-0.6.13-20.… 7b7666c817078d8ce07026a823dd9b4d ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/libexif5-0.5.12-17.7.x86… 2166b456ee47fe57d4557ede76e54a13 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/libexif-0.6.13-5.6.… 5b52f417442e5b6e4c5aebcad9577696 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/libexif-32bit-0.6.1… 6785cb87dd30b864171f79cd7b5c3535 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/libexif5-0.5.12-5.3… e1f59baef428fa1c02d06f83f3aeee59 Sources: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/libexif-0.6.14-20.src.rpm 1feda79286d3d993eaed1e6c9d9b6477 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/libexif5-0.5.12-39.src.rpm 7f2a0b31dab5845cd281926e91f181b7 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/libexif-0.6.13-20.6.src.rpm 78bf6de918f018177b3151eed8cf7709 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/libexif5-0.5.12-17.7.src.rpm ac32eee3053e9ec1c28363fbddcc7d0d SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/libexif-0.6.13-5.6.src… 8f901b2be54e9ea36539723f2fe63e5f ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/libexif5-0.5.12-5.3.sr… aa25a73a0f84cfe83728d94bbd69a454 Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: SLE SDK 10 SP1 http://support.novell.com/techcenter/psdb/f4ec1eac6e651c2a2747f2e56275d1c4.… SUSE Linux Enterprise Server 10 SP1 http://support.novell.com/techcenter/psdb/f4ec1eac6e651c2a2747f2e56275d1c4.… http://support.novell.com/techcenter/psdb/bfd3d663c28c43bc07ad75413eec677a.… SUSE Linux Enterprise Desktop 10 SP1 http://support.novell.com/techcenter/psdb/bfd3d663c28c43bc07ad75413eec677a.… UnitedLinux 1.0 http://support.novell.com/techcenter/psdb/d2186e8218d131e17a5524c43a27b841.… SuSE Linux Openexchange Server 4 http://support.novell.com/techcenter/psdb/d2186e8218d131e17a5524c43a27b841.… Open Enterprise Server http://support.novell.com/techcenter/psdb/d2186e8218d131e17a5524c43a27b841.… Novell Linux POS 9 http://support.novell.com/techcenter/psdb/d2186e8218d131e17a5524c43a27b841.… Novell Linux Desktop 9 http://support.novell.com/techcenter/psdb/d2186e8218d131e17a5524c43a27b841.… SuSE Linux Enterprise Server 8 http://support.novell.com/techcenter/psdb/d2186e8218d131e17a5524c43a27b841.… SuSE Linux Standard Server 8 http://support.novell.com/techcenter/psdb/d2186e8218d131e17a5524c43a27b841.… SuSE Linux School Server http://support.novell.com/techcenter/psdb/d2186e8218d131e17a5524c43a27b841.… SUSE LINUX Retail Solution 8 http://support.novell.com/techcenter/psdb/d2186e8218d131e17a5524c43a27b841.… SuSE Linux Desktop 1.0 http://support.novell.com/techcenter/psdb/d2186e8218d131e17a5524c43a27b841.… SUSE SLES 9 http://support.novell.com/techcenter/psdb/d2186e8218d131e17a5524c43a27b841.… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBRopvG3ey5gA9JdPZAQJaigf+N/Xeh76qfZ/mfk+fQGJfvqTTLw7NBoIl Iy4SKMLSubF3v3YYD+hqxLTFC/WdJGUKNTqNJSaXq2iu00M1TVAk0Ch3+eyAa74z tk9skeGmABW/DVV5g/qAdg8IHxuZpN9pw0ZDJXTgSR5OjYWPDJcDw2dy9XF9QH9Q fs4TofgOKXwnDj6TqfJtKXyIzXgmBEYEXAJnDOMlNZ/0i68QCP22QmSZUETPN3Xf mBl+lQpe3bw1knsqIgJ7gdVLeh75o62sdupvNEZvqTfl/rurPERrdlwq/FLSd5iL laPK2gu6FUylb1r5JRufu8lLY11MbdGGZfryeYzPthlEwt4X25PCJQ== =7L0m -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Announcement: krb5 security problems (SUSE-SA:2007:038)
by Marcus Meissner 03 Jul '07

03 Jul '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: krb5 Announcement ID: SUSE-SA:2007:038 Date: Tue, 03 Jul 2007 17:00:00 +0000 Affected Products: SUSE LINUX 10.0 SUSE LINUX 10.1 openSUSE 10.2 SUSE Linux Enterprise Desktop 10 SP1 SLE SDK 10 SP1 SUSE Linux Enterprise Server 10 SP1 Vulnerability Type: remote code execution Severity (1-10): 7 SUSE Default Package: no Cross-References: CVE-2007-2442, CVE-2007-2443, CVE-2007-2798 Content of This Advisory: 1) Security Vulnerability Resolved: krb5 security problems Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion The KRB5 libraries and utilities contained two security problems for which updates were released. - CVE-2007-2798: A stack-based buffer overflow in kadmind was fixed which can be exploited by authenticated remote users to gain root. This requires kadmind to run to be effective. - CVE-2007-2442, CVE-2007-2443: Additionally two bugs in the RPC library of kadmind were fixed that can lead to remote system compromise. Note that third-party applications using this RPC library are vulnerable too. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes None. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/krb5-1.5.1-23.6.i586.rpm dc2fa8951dada9f5682fe449dc385e2d ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/krb5-devel-1.5.1-23.6.i586… dd2d611d86a420e45f5cacce9d7fdec1 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/krb5-server-1.5.1-23.6.i58… 5daa3fedc4198ebb7b4d0a8127bed8ed SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/krb5-1.4.3-19.22.i586.rpm 09da59a0aaafd6c8d22321752f2c38d3 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/krb5-devel-1.4.3-19.22.i58… 0840fcc71f5b4e97beb835e0e25dedbc ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/krb5-server-1.4.3-19.22.i5… 9d23419758f2b0a69ba143dbacbc9f0a SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/krb5-1.4.1-5.7.i586.r… 32b71e707e4ec85b0eee500de51a89cf ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/krb5-devel-1.4.1-5.7.… f71c6582dcb3a74a804a4143ff6f48c3 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/krb5-server-1.4.1-5.7… 22b2f9c5cc94918a58c8c5e1b4d6296d Power PC Platform: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/krb5-1.5.1-23.6.ppc.rpm cdf7854a981af8b5b9e4ad5d0eca9c7d ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/krb5-devel-1.5.1-23.6.ppc.r… 5aba32af56d726c3616cc4260a69a848 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/krb5-server-1.5.1-23.6.ppc.… a1ab8842ba74f4b2a3e2cba56d730556 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/krb5-1.4.3-19.22.ppc.rpm aa13e756476c571bdb9d1f909ffdd2d9 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/krb5-devel-1.4.3-19.22.ppc.… c121580b3e9392f8de76efda8d5dd551 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/krb5-server-1.4.3-19.22.ppc… aabf1f7df56922b01d67213af2cfc0af SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/krb5-1.4.1-5.7.ppc.rpm 069361f8698af89dc366bf3d2cdf7239 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/krb5-devel-1.4.1-5.7.p… e440e4b49b571b8bf9ebf0f9200d29c3 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/krb5-server-1.4.1-5.7.… 4188e3334beceefce3cab6aa8429a16c x86-64 Platform: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/krb5-1.5.1-23.6.x86_64.r… edff62bb110662ee8a16f51b69c684c2 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/krb5-32bit-1.5.1-23.6.x8… af81d30ce34ee7c0c708a8c0f17d81a5 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/krb5-devel-1.5.1-23.6.x8… 7d204e67fa211a528acedd6980925686 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/krb5-devel-32bit-1.5.1-2… 8036b0e78e1fea05e895b7d2c5717538 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/krb5-server-1.5.1-23.6.x… 14238f108e2375205961a73ec15ecbde SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/krb5-1.4.3-19.22.x86_64.… 0c46b69cf856956753908711a391ca3c ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/krb5-32bit-1.4.3-19.22.x… cd9562c71d1439f9ea1b7fd29b2a2a15 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/krb5-devel-1.4.3-19.22.x… 624a0d8362e07050d705642f12e6109e ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/krb5-devel-32bit-1.4.3-1… 30cd873aa47a0006d5e402e2280d311f ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/krb5-server-1.4.3-19.22.… 6149c3d8873ebbdf0549f74eabd61a0e SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/krb5-1.4.1-5.7.x86_… eaf8552be5695919d2d7a058339c4d1f ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/krb5-32bit-1.4.1-5.… 146f189e550f82bc987cde96a0b13086 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/krb5-devel-1.4.1-5.… 5bd145009778a85a0e8d26f58cf976c6 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/krb5-devel-32bit-1.… 21418e68ed403d5bc822e8e31473bc57 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/krb5-server-1.4.1-5… 2c55efe366234d32d547c85ffe3e78a2 Sources: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/krb5-1.5.1-23.6.src.rpm e3a6f207ca990afd58afec40b3b08aea SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/krb5-1.4.3-19.22.src.rpm a29ba835ba013e45102b136d7c0f89a8 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/krb5-1.4.1-5.7.src.rpm b4a34b1b66194f86cd6163aa9a5879b4 Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: SUSE Linux Enterprise Server 10 SP1 http://support.novell.com/techcenter/psdb/b25610d8b470e16c60af96095d35faae.… SLE SDK 10 SP1 http://support.novell.com/techcenter/psdb/b25610d8b470e16c60af96095d35faae.… SUSE Linux Enterprise Desktop 10 SP1 http://support.novell.com/techcenter/psdb/b25610d8b470e16c60af96095d35faae.… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. opensuse-security-announce(a)opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe(a)opensuse.org>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBRopsKXey5gA9JdPZAQK1Mwf/UX8QDQUhTT3FBRUVFk/NEXaP4pZpo/FW LOHAYEiR+j51qkFx4JyrbJ2PGdUwE7TfsqLjEVl+cZcPytxqLoWrqBJfvHGD4e1u iHW8DuqmFIKw9Sja7Cdg/s3HzIMij59cIAzmZTAmY+NcDg1aafQO22ZFXX6Tkq7j ZjNl++MCm86h/d2JuLyqeBJY1ZRimufr5SuqkQzVeHty5BPxolh9oyqx8ZfpAnov Wsg3HE01+C8h5y24gnjKYMbU2YU1p2gPbPPuRgTHda+sOy7MXVqD2TkKr6djsC2R aKwfk/IFfjjYWp1KAK1YdVnjrTdPoGJ/9lGY6lyJJlVr682MFNMyqw== =/Ad+ -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE Security Announcement: OpenOffice_org (SUSE-SA:2007:037)
by Marcus Meissner 28 Jun '07

28 Jun '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: OpenOffice_org Announcement ID: SUSE-SA:2007:037 Date: Thu, 28 Jun 2007 14:00:00 +0000 Affected Products: SUSE LINUX 10.0 SUSE LINUX 10.1 openSUSE 10.2 SuSE Linux Desktop 1.0 Novell Linux Desktop 9 SUSE Linux Enterprise Desktop 10 SP1 SLE SDK 10 SP1 Vulnerability Type: remote code execution Severity (1-10): 7 SUSE Default Package: yes Cross-References: CVE-2007-0245 Content of This Advisory: 1) Security Vulnerability Resolved: OpenOffice_org RTF importer buffer overflow Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion The Office suite OpenOffice_org was updated to fix a heap buffer overflow in its RTF parser. This issue could be used by attackers sending specially crafted RTF files to potentially execute code and it is tracked by the Mitre CVE ID CVE-2007-0245. Packages for SUSE Linux 10.0, SUSE Linux 10.1 and openSUSE 10.2 on June 20th, for SUSE Linux Desktop 1.0 and Novell Linux Desktop on June 15th, for SUSE Linux Enterprise Desktop 10 on June 28th. For SUSE Linux Enterprise 10 additional non-security bugs were fixed. 2) Solution or Work-Around There is no known workaround, please install the update packages. 3) Special Instructions and Notes Restart OpenOffice_org after the update. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-2.0.4-38.5.… 51898edcd0066bf5db3cedad07f8eb7d ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-af-2.0.4-38… 5a386f4613e9fa593bbb0febc8b2ebd7 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-ar-2.0.4-38… 159e81d0f12c8212c1f8b76766068422 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-ca-2.0.4-38… 073ed944485e24021c26915e5fbc2be7 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-cs-2.0.4-38… 5e7b3c404d5f0c69da3410ae951ddcb5 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-da-2.0.4-38… 379600c59f14ecbfb2b14c5a51476fb9 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-de-2.0.4-38… ad787bd9ba581a806e9bbe1260e85475 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-es-2.0.4-38… 1db9cf326f5e122ec2d6a756cf7ef87f ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-fi-2.0.4-38… dfb32bfae04a29cc1c24b50cd45e757c ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-fr-2.0.4-38… 4e6feb4d16b76b213ae4a1a34be00ed4 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-galleries-2… f5c258380a1464ebce7ed992075221ff ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-gnome-2.0.4… a4d70546cde7c6306046cec175b1d66f ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-gu-IN-2.0.4… 961df04e1e1721e486451b28e9eec3c5 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-hi-IN-2.0.4… 3adb1a3e7ab4e1f4efb925e4c292050e ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-hu-2.0.4-38… de92cc231d938949f445f80ec0fd25eb ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-it-2.0.4-38… 572e2c710da34054791ddb5298fc92e7 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-ja-2.0.4-38… 331315cddd0cee2d849fcdd738003447 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-kde-2.0.4-3… 2ab9941f27ed9564bdc460730790fba5 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-mono-2.0.4-… c32139444331a9806864d236e3e30f58 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-nb-2.0.4-38… f119b58edeaf4335d556ce9b4d0d337d ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-nl-2.0.4-38… 824ab567729a2b21548fb650d8485dcb ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-nn-2.0.4-38… 1e0d03cd7fd7f70d4a749840f79058e5 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-officebean-… 70676f1211e94bf774c2cc2e7ac3dd0c ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-pl-2.0.4-38… 2c6b930dc1c579c464e54e0c6e4e0b9b ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-pt-BR-2.0.4… 471f57da7a11c64d8d40a8945f55764f ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-ru-2.0.4-38… c75c2c0e32ba1a783d8fb574d4eb9219 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-sk-2.0.4-38… bb2e438581999acf030add33ca0d2bd0 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-sv-2.0.4-38… f06d5113f7f03c59a007c3d4ce850aae ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-xh-2.0.4-38… e763bbb3c7ac189bc9775dea3bace346 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-zh-CN-2.0.4… 55095b147ae4edc0c6f628d8f799f9c5 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-zh-TW-2.0.4… bf1236eb5171cda29b5f8c1ccd427d27 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/OpenOffice_org-zu-2.0.4-38… 39d40f3439ac2a1a34f43304365346cd SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-2.0.4-38.2.… 5f57c296c190435760425417fc51af48 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-af-2.0.4-38… 1d1b49353aaab53fdc563e415722bded ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-ar-2.0.4-38… e655c17261382e9d3bfe21c717fee0f9 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-ca-2.0.4-38… 8a915b0d398878820ddea5563a822080 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-cs-2.0.4-38… b4c964321e33e545e1708065b720ea69 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-da-2.0.4-38… 88db08e9b9119905d514cff7726a68fd ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-de-2.0.4-38… 89fe97cede7f2a6cbe509dd4443f819f ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-de-template… 8db09131f31982271850f166993e51a3 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-es-2.0.4-38… af39def1adcd3148053dcf95df9376a3 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-fi-2.0.4-38… 5b318d65acd3d4de36fbe3d30038555d ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-fr-2.0.4-38… df73c796adb6d0f86ca213462379a7d5 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-galleries-2… 0e017f063af917aa540a01c301cab924 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-gnome-2.0.4… 62ec71c8589aa5f81955140651abf02b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-gu-IN-2.0.4… b0bab2be2088c9c6ba4c60bbb2b9076b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-hi-IN-2.0.4… 0b3e1bfbb0f6b19854ac4f09fdcbd309 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-hu-2.0.4-38… 4b977d7bb609dd9e8803ce1226c27afb ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-it-2.0.4-38… 78b6555824f6e44ebbbeba461071b347 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-ja-2.0.4-38… 3cd270b7905964f1182e77ddca7c1868 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-kde-2.0.4-3… 16bb6508f14cc44902089c19df90e6ea ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-mono-2.0.4-… 367fe07b826e76196860afa88672d00b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-nb-2.0.4-38… 7e5fd94a8d2a32dd7ab915ae320a2176 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-nl-2.0.4-38… 096fcbdb99de03d1d9dd4ee12bd5ea54 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-nn-2.0.4-38… 0cc8bb6370c7e741159ed385a0f02119 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-officebean-… 90168189c194fad4f504551cc8ffc81b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-pl-2.0.4-38… c1a527c22aa1d8ca4b09762862a8db12 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-pt-BR-2.0.4… f29a4aeeeaba68fd580e97232e92ae34 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-ru-2.0.4-38… 9fd399cd1ceabc83e3d24d95d88c103c ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-sk-2.0.4-38… 6d1224bc5bd41f04ba4a832fd08e057a ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-sv-2.0.4-38… 83273e94c3d7b8fcbe239f829f6b2a11 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-xh-2.0.4-38… 7fb1daef50ce7bffb8ea4960fff5e7f4 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-zh-CN-2.0.4… 56993d330f3007bacc44375019997208 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-zh-TW-2.0.4… c2e34c7d84ee85875eafb2922e7a8211 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-zu-2.0.4-38… dbf2a2480ef81c6fff996b49036405c0 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-2.0.0-… d7c31b14a0772a4263007d22094aae6a ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-af-2.0… eac86287f4e859555b70dd5470d88e1d ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-ar-2.0… 48429fd4082e246325dc94887ffb9d07 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-ca-2.0… d35651c52aa3702a88c960807582c938 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-cs-2.0… dcf0fba4826ac78c8dbec12cba143c96 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-da-2.0… 7425a54da5615adef46634d4955ba5ba ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-de-2.0… c92eaa2ec45c46cd17d4c4ec194b604a ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-de-tem… 46c8e37f6a8d73d248c5573c3b8262a6 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-es-2.0… 4fb592edf077d7d55d0597595a96a4c2 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-fi-2.0… 1414ddc1d9093976992dfdae6e534e70 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-fr-2.0… 3fbdcd8266bb32ef7f59bb4c63ab3942 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-galler… 4225fd3a50f8333cdfbe9f09a61c99c2 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-gnome-… 1ea78aa3755c66ab6d834281b3fe16c1 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-gu-IN-… c6b6ce2cde7eafcc61f84b18d0b8eb9b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-hu-2.0… 6fe8c5aef1dabf941d20cfad0a4bb1c8 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-hunspe… 2eb1521a0fde5648d2ec8c862a2bbff2 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-it-2.0… fba17ad4b94778ff51543f2919cee9aa ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-ja-2.0… 5c2075edca251fcbd567b955835db8b0 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-kde-2.… 07a16f4f4d46dd44ae073a947f57766a ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-mono-2… ab9459ca19815e16597db265b954e273 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-nb-2.0… 94ee43a96cdac0b7d8189052005902f9 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-nl-2.0… 2b21657a9c12c9f007bd8ea009620394 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-nn-2.0… 1a90d306e3df987893682564576af13f ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-office… a8181b279aa5ecc5680a8c4ce9fd44ec ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-pl-2.0… 71322e2e55d2da981ba8f549b7234f95 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-pt-BR-… 15052978f611da0e8c846a13cfce67af ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-ru-2.0… fdcdc88f4462132069040fa0584a4549 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-sk-2.0… d2317e08f52efbfeee7d312854e28d07 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-sv-2.0… e75d4d90df758d15cdc6e680608e386c ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-xh-2.0… 7156a686c14e0e731e77f6a2bbf3e68a ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-zh-CN-… 138dcebc9cc1df50b1116303d477d196 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-zh-TW-… 9c139fb169f20e59fe5bd226b5785ded ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/OpenOffice_org-zu-2.0… 782764adb7e2508489191c4287308c28 Power PC Platform: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-2.0.4-38.5.p… 37be29a47a82076dc448647975fbaaa6 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-af-2.0.4-38.… 9f5a09e18846a0de4cc2256063681b26 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-ar-2.0.4-38.… 1a1e1bbc36cf0cde8300df347fa15b60 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-ca-2.0.4-38.… aa93a943877f41b4e90ff51bf2f05f38 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-cs-2.0.4-38.… cb58ca884e85bf792cb919ffbe94ab2c ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-da-2.0.4-38.… 6c88c5d32d66fc5b25cdce4663139138 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-de-2.0.4-38.… 005bae67ac601f1b59354b05fd0ed39e ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-es-2.0.4-38.… eedca9dedabcbc938d30924d0c117ee9 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-fi-2.0.4-38.… ccac046d11e327f6484deb4333b69714 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-fr-2.0.4-38.… f008b9b33ac419b14dfb06e9beb231a0 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-galleries-2.… 00ed0dcdb31771252a92db4143c5e065 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-gnome-2.0.4-… baa28af4096be173063a653664037c0e ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-gu-IN-2.0.4-… e7c14a5df4875a07f8b125ad4e8ef95a ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-hi-IN-2.0.4-… 353a11ed24d8e134dc4b0aaddaae43cc ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-hu-2.0.4-38.… e95bfa18d29f8ef95353310d8ac38cf6 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-it-2.0.4-38.… a8dc0910be2f6d712f701fbbedd53da0 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-ja-2.0.4-38.… 5461da880a57e842e241ec96fc594a32 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-kde-2.0.4-38… 6591c9f91f384fadb48a6ffb76c91543 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-mono-2.0.4-3… a079f8e6a506cb47b69499ed50e6d7d7 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-nb-2.0.4-38.… c7a18ba75465d19d00a3365dcdbb7c91 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-nl-2.0.4-38.… 7238f01aac7112fb4cb4649edc926e1e ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-nn-2.0.4-38.… d2a0edf415c04e8598bd0ea7e7b19de8 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-officebean-2… c4cf8edb77c5efef20bceccbcca6507d ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-pl-2.0.4-38.… 51b1e666ae6e049c47fe9f3c8f1aa148 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-pt-BR-2.0.4-… 628b7dcb6122db6edeeb7600079bbd25 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-ru-2.0.4-38.… e1cd5a85a3457b1bf1517b21b3572d10 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-sk-2.0.4-38.… 0d6d2ed948636cb31ad86627c3b641da ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-sv-2.0.4-38.… cf383fb07ce44bd47db66f469dae8fc8 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-xh-2.0.4-38.… c75a23d1257a0427ef736a15c4199d25 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-zh-CN-2.0.4-… 9e7c66d5c151ebc7946e4b651df32f93 ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-zh-TW-2.0.4-… 69f0a907a8ac0abd7a0d5127387d163a ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/OpenOffice_org-zu-2.0.4-38.… c9256b708bbd23b26e7b7a28b082d312 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-2.0.4-38.2.5… eb6e3ccc47af70456f72fad106ffad09 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-af-2.0.4-38.… 6f76970b1728f3c9c662625706bf86bd ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-ar-2.0.4-38.… 3b6a81ba7415b17f8e16f16d7a5a512d ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-ca-2.0.4-38.… 3a29086442f28f3c8e13a4543efaf662 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-cs-2.0.4-38.… ead0172dc888d44be376070ef402e53e ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-da-2.0.4-38.… 274ef45683be24117a4abfcdb0d56a12 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-de-2.0.4-38.… 8a90918a8f75ff5de00a2c7b13f328cf ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-es-2.0.4-38.… d027365008dc6134477c099c7145426b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-fi-2.0.4-38.… fee926420559a793e517dc3ef9e7f9b7 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-fr-2.0.4-38.… 5ef213b6ec357cba58430fe607802154 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-galleries-2.… d821a98cc9fbf682f103b60eb247bf16 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-gnome-2.0.4-… a89cefcdd9ea2e5c31620bd8255104eb ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-gu-IN-2.0.4-… 8c83c3b0238b874864955fc987be474b ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-hi-IN-2.0.4-… 91053fabb2b03bce8fcee323fbe42386 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-hu-2.0.4-38.… e704a64d1eff4008b493c8f7d44b89bf ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-it-2.0.4-38.… 1e761e8e1c907677a0a81b32870e7b53 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-ja-2.0.4-38.… 21e34b6244b9e4bfead9d7619770d6d9 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-kde-2.0.4-38… 934984d83f9b8a0a8f9b2a1a90dae589 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-mono-2.0.4-3… 71dd0dbbb20df191317f21d56aa63c0c ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-nb-2.0.4-38.… b691eccab9c25a1bac7819ba2a58be77 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-nl-2.0.4-38.… 5ed4070198506a82861b8e708d5bceda ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-nn-2.0.4-38.… b97c9536f0a91c7ddf5d0f8bf99fe59c ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-officebean-2… 40d1a9db46a5c5b0171e2cc2e62ed58f ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-pl-2.0.4-38.… 8e0e173102a5da12a6826d4cebc28fa0 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-pt-BR-2.0.4-… a056df3542aca406e9f26d95a1817814 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-ru-2.0.4-38.… 5ad6c26cc6013cbac9993674b83564a8 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-sk-2.0.4-38.… cfded44e33f0b1a267f2b4cf291c78ea ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-sv-2.0.4-38.… 70cc334bab2f02f763f0947172159b10 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-xh-2.0.4-38.… 3a464f80deaa474cb2b1bcd1a1e7d89f ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-zh-CN-2.0.4-… f198fba8a33bfb6fd508bf7f31f46833 ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-zh-TW-2.0.4-… 34c7f5ff4ee8e6970e3bbaa217d55cbf ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/OpenOffice_org-zu-2.0.4-38.… 5bc0afbf6cd598b18b16a0627c86ca80 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-2.0.0-1… e3d0f25cba93eb8f00be159a21afe32f ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-af-2.0.… c97e84fe4fde0ad309be0a2181f36112 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-ar-2.0.… a6aa012656e39f92ec1535fddccb44bd ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-ca-2.0.… 840e74376bc5d48e3a094c8d3a8651d2 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-cs-2.0.… d4a4cf9b2fe60c2e8a25e2261c0c7c7a ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-da-2.0.… e26c8ce4611318a0a35ed2c0e25afad4 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-de-2.0.… da0ee7b9433a602d4deb05ac17dab1d1 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-es-2.0.… aec4bdd8d179885b70a8e17e80ec7e5c ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-fi-2.0.… c8410ee0c6184e46368d69b6e72be530 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-fr-2.0.… 043ac0569601bc0a46b6db595a354b6b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-galleri… 95a946ec1a53f01032e63d644023d285 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-gnome-2… 3acc47fb9374cf13aa48455a8543e74b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-gu-IN-2… b907cfe5f464b12b7e376b419dcb8cea ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-hu-2.0.… 4f95b0a6b16d7d729f15c261fe70d69c ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-hunspel… 3ef8c3c6b76d7ecb2038d686898ce560 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-it-2.0.… 9f601df2c2af641e14db296042e4273c ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-ja-2.0.… 33f96a1f23813334a364a574617b7db5 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-kde-2.0… d1bfaf976c989045f196d2aa3013c62b ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-mono-2.… 8d52e0022f6907314ee17fb6c4ad2645 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-nb-2.0.… 98d2ed1d3dbe0793d1ca6abbbb98cb7f ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-nl-2.0.… 4009d4f2b2eb1ef5ac286b49c2dadac9 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-nn-2.0.… 5dc9c921ae41181b10372321f47225cf ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-officeb… bb37d6e97c4516e66b873e27df98cd95 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-pl-2.0.… 4077641eaa4e76522eeaea3dae7bc7ae ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-pt-BR-2… de53bbc54d5f02adea2bc67509d38096 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-ru-2.0.… 40ac647fb7053630e6a369ced8c8a09d ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-sk-2.0.… c70749cb38e3e5c75296d06823ef6d3e ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-sv-2.0.… 1fc89a11a00e857ef21cabcfbea14eee ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-xh-2.0.… 341e135ea68e735ab9ebd0be2ed543a5 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-zh-CN-2… 4ae56fa8a58693307cc7394d47eaae8c ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-zh-TW-2… 738ab8ab519b2bac4639c4199a08f88a ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/OpenOffice_org-zu-2.0.… e68c694fd63b9e990c7342df9b337019 Sources: openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/OpenOffice_org-2.0.4-38.5.s… 56ea32ccffc078652052979c8ad603d9 SUSE LINUX 10.1: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/OpenOffice_org-2.0.4-38.2.5… a354b1077f3cc6885d5bbd43839dd3ee ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/OpenOffice_org-de-templates… c3cd051ec445f40cdf25569af37a2b86 SUSE LINUX 10.0: ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/OpenOffice_org-2.0.0-1… a919ad5158eae993cb05ee637442e141 ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/OpenOffice_org-de-temp… e9ac63ea9d41641cbebbb8d31d90a3b5 Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: SLE SDK 10 SP1 http://support.novell.com/techcenter/psdb/d79c3af9a7a1e5ce0c949b94c3420e14.… SUSE Linux Enterprise Desktop 10 SP1 http://support.novell.com/techcenter/psdb/d79c3af9a7a1e5ce0c949b94c3420e14.… Novell Linux Desktop 9 http://support.novell.com/techcenter/psdb/572ad014bcb9bd7a3a8b6d695fbc1fc9.… SuSE Linux Desktop 1.0 http://support.novell.com/techcenter/psdb/572ad014bcb9bd7a3a8b6d695fbc1fc9.… ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE Security Summary Report. ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security(a)suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build(a)suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. 2) If you need an alternative means of verification, use the md5sum command to verify the authenticity of the packages. Execute the command md5sum <filename.rpm> after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the checksums is cryptographically signed (by security(a)suse.de) the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security(a)opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe(a)opensuse.org>. suse-security-announce(a)suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <suse-security-announce-subscribe(a)suse.com>. ===================================================================== SUSE's security contact is <security(a)suse.com> or <security(a)suse.de>. The <security(a)suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3 D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13 CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO =ypVs - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBRoPHkHey5gA9JdPZAQJtywf9GGsZhq6EfQUjCYhS8N7p18ZVSio4DS+L IPHUl319DPoXDNS2InWcNF7P2gacS7fm6XZ+XMyZid3d50bjAFRNnIlnFFRrAYQ6 2IByxo3DOV0y3fnwxQTZPoYL17ccCOWYh4BjDUBdRFsDwE9h9/Enj/UKeDtU8Dr0 2ZsLvO2O6pfhZM0nyL3eJ4j0typmv27YQSKpJGl5kt3rxeoOjNE72o2XY2aw7FNN T+ozFrPFLo2S1lSXAPdQBXpRXCO9eC+T57SQkf0hT+BRV47VbyJKKXrRJ1I0zQj6 S35kruLteVfkTrx9OnEnKC7Q2GGIm+jPdN/7VFyFQzmy4X6NfYPqKg== =CfrE -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0