-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID: SUSE-SR:2006:021
Date: Fri, 01 Sep 2006 17:00:00 +0000
Cross-References: CVE-2006-2314, CVE-2006-3124, CVE-2006-3125
CVE-2006-3468, CVE-2006-3694, CVE-2006-3745
CVE-2006-4089, CVE-2006-4093, CVE-2006-4111
CVE-2006-4112, CVE-2006-4434
Content of this advisory:
1) Solved Security Vulnerabilities:
- dovecot character set injection
- openldap2 self write access problems
- gtetrinet remote buffer overflow
- ruby "safe level" bypass
- sendmail denial of service
- rubygem-actionpack remote code injection
- streamripper remote buffer overflow
- alsaplayer remote buffer overflow
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
- kernel security problems
- php4/php5 security problems
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for
minor issues, SUSE Security releases weekly summary reports for the
low profile vulnerability fixes. The SUSE Security Summary Reports do
not list md5 sums or download URLs like the SUSE Security Announcements
that are released for more severe vulnerabilities.
Fixed packages for the following incidents are already available on
our FTP server and via the YaST Online Update.
- dovecot character set injection
Dovecot might have been affected by multibyte character set SQL
injection issues such as the one described in CVE-2006-2314.
This patch fixes the MySQL and PostgreSQL backend to use the correct
quoting methods when passing user supplied strings.
All SUSE Linux versions containing dovecot were affected by this
problem.
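To make the multibyte quoting problem concrete, here is an added example (not dovecot's code and not part of the SUSE announcement): it shows why charset-unaware backslash escaping fails once the database connection uses a multibyte charset such as GBK, and why the fix is to let the database client library do connection-aware quoting or to bind the value as a parameter. The payload, the users table and the use of sqlite3 are constructed for the demonstration; the real issue concerned the MySQL and PostgreSQL backends.

```python
import sqlite3

# Constructed attacker-controlled login name. 0xBF is a valid GBK lead byte,
# so a backslash inserted after it is swallowed into a two-byte character.
PAYLOAD = b"\xbf' OR 1=1 -- "


def naive_escape(raw: bytes) -> bytes:
    """Charset-unaware escaping (addslashes style): prefix quotes and
    backslashes with a backslash. Only correct for single-byte charsets."""
    return raw.replace(b"\\", b"\\\\").replace(b"'", b"\\'")


def build_naive_statement(username: bytes) -> bytes:
    """The vulnerable pattern: splice the 'escaped' value into the SQL text."""
    return (b"SELECT username FROM users WHERE username = '"
            + naive_escape(username) + b"'")


def unescaped_quote_count(sql: str) -> int:
    """Count single quotes the server would treat as literal delimiters,
    i.e. quotes not preceded by a backslash."""
    count = 0
    escaped = False
    for ch in sql:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "'":
            count += 1
    return count


def delimiters_by_charset(username: bytes) -> dict:
    """Decode the same statement bytes under a single-byte and a multibyte
    connection charset and report how many live quote delimiters each sees.
    With GBK the backslash and 0xBF merge into one character, freeing the
    attacker's quote."""
    stmt = build_naive_statement(username)
    return {
        "latin-1": unescaped_quote_count(stmt.decode("latin-1")),
        "gbk": unescaped_quote_count(stmt.decode("gbk", errors="replace")),
    }


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the auth backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice')")
    return conn


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the value travels as a bound parameter, never as SQL
    text, so no charset trick can turn it into syntax. Dovecot's fix used the
    client libraries' connection-aware quoting; binding is the equivalent
    defence shown here with sqlite3."""
    cur = conn.execute("SELECT username FROM users WHERE username = ?",
                       (username,))
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    print(delimiters_by_charset(PAYLOAD))   # {'latin-1': 2, 'gbk': 3}
    conn = make_demo_db()
    print(lookup_user_safe(conn, "alice"))                                  # ['alice']
    print(lookup_user_safe(conn, PAYLOAD.decode("gbk", errors="replace")))  # []
```

The extra delimiter under GBK is the whole bug: the same bytes that look safely escaped to a single-byte parser contain a live quote for the server, and everything after it is parsed as SQL. Parameter binding sidesteps the question of which charset the server will use to interpret the text.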
- openldap2 self write access problems
A security problem was fixed in openldap concerning Access Control
Processing that allowed users with "selfwrite" access to an
attribute to modify arbitrary values of that attribute, instead of
just allowing them to add/delete their own DN to/from that attribute.
All SUSE Linux based products are affected by this problem.
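The following added example models the access-control semantics described above. It is hypothetical code, not OpenLDAP's, and uses constructed DNs: the intended "selfwrite" check (a requester may only add or delete values equal to their own DN) is placed beside the over-permissive behaviour the advisory describes, so the difference shows up in what a modify request is allowed to change.

```python
# Hypothetical model of the 'selfwrite' access level; not OpenLDAP's code.
# A change is {"op": "add" | "delete" | "replace", "values": [dn, ...]}.


def normalize_dn(dn: str) -> str:
    """Simplified DN normalization for comparison: case-fold and strip spaces
    around commas. Real LDAP DN matching is richer; this suffices here."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def selfwrite_permissive(requester_dn: str, change: dict) -> bool:
    """The behaviour the advisory describes as the bug: a requester holding
    'selfwrite' on the attribute could modify arbitrary values of it."""
    return True


def selfwrite_strict(requester_dn: str, change: dict) -> bool:
    """Intended semantics: only add or delete of the requester's own DN.
    'replace' is refused because it can set arbitrary values in one step."""
    if change["op"] not in ("add", "delete"):
        return False
    values = change["values"]
    me = normalize_dn(requester_dn)
    return bool(values) and all(normalize_dn(v) == me for v in values)


def apply_modify(current: list, requester_dn: str, changes: list, check) -> tuple:
    """Apply each change the access check permits; return the resulting
    attribute values and the list of refused changes."""
    values = list(current)
    refused = []
    for change in changes:
        if not check(requester_dn, change):
            refused.append(change)
            continue
        op, new = change["op"], change["values"]
        if op == "add":
            existing = {normalize_dn(v) for v in values}
            values += [v for v in new if normalize_dn(v) not in existing]
        elif op == "delete":
            targets = {normalize_dn(v) for v in new}
            values = [v for v in values if normalize_dn(v) not in targets]
        elif op == "replace":
            values = list(new)
    return values, refused


# Constructed sample: a group whose 'member' attribute grants members the
# 'selfwrite' level, and a request from bob mixing legitimate and abusive changes.
GROUP_MEMBERS = ["cn=alice,ou=people,dc=example,dc=com"]
BOB = "cn=bob,ou=people,dc=example,dc=com"
REQUEST = [
    {"op": "add", "values": [BOB]},                  # self-enrolment: legitimate
    {"op": "delete", "values": [GROUP_MEMBERS[0]]},  # evicting someone else
    {"op": "replace", "values": [BOB]},              # rewriting the whole attribute
]


def demo(check) -> tuple:
    return apply_modify(GROUP_MEMBERS, BOB, REQUEST, check)


if __name__ == "__main__":
    print("permissive:", demo(selfwrite_permissive))  # alice gone, nothing refused
    print("strict:", demo(selfwrite_strict))          # alice kept, two changes refused
```

Under the permissive check bob ends up as the group's sole member; under the strict check only his own enrolment goes through and the delete and replace are refused, which is the least-privilege behaviour "selfwrite" is meant to provide.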
- gtetrinet remote buffer overflow
Malicious tetrinet servers could overflow a buffer within the
gtetrinet client, making it possible to execute code.
This is tracked by the Mitre CVE ID CVE-2006-3125 and affects all
SUSE Linux versions.
- ruby "safe level" bypass
A security fix for ruby was released. An attacker could bypass the
"safe level" checks.
This is tracked by the Mitre CVE ID CVE-2006-3694 and affects all
SUSE Linux based products.
- sendmail denial of service
A denial of service problem in sendmail's header processing could
be used to crash sendmail due to referencing a freed variable.
This is tracked by the Mitre CVE ID CVE-2006-4434 and affects all
SUSE Linux based products.
- rubygem-actionpack remote code injection
A remote code injection bug was fixed in rubygem-actionpack.
The routing code allowed injection using specially crafted headers.
This problem was assigned the Mitre CVE IDs CVE-2006-4111 and
CVE-2006-4112 and affected only the SLE 10 SDK.
- streamripper remote buffer overflow
This update fixes a buffer overflow in the HTTP header parsing
in streamripper.
This bug can be exploited by malicious servers sending crafted HTTP
headers to cause a denial of service and possibly to execute
arbitrary code.
This is tracked by the Mitre CVE ID CVE-2006-3124 and affects SUSE
Linux 9.2 and 9.3.
- alsaplayer remote buffer overflow
Various bugs were fixed in alsaplayer that could lead to a denial of
service or even buffer overflows caused by malicious remote servers.
This problem is tracked by the Mitre CVE ID CVE-2006-4089 and
affects SUSE Linux 9.2 and 9.3.
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
- kernel security problems
We are currently QA testing kernel updates for all 2.6 based
SUSE Linux based products to fix various security issues.
Security issues to be fixed by this round of updates:
- CVE-2006-3745: A double user space copy in a SCTP ioctl allows
local attackers to overflow a buffer in the kernel,
potentially allowing code execution and privilege
escalation.
- CVE-2006-4093: Local attackers were able to crash PowerPC systems
with a PPC970 processor using a privileged instruction
("attn") that was not correctly disabled.
- CVE-2006-3468: Remote attackers able to access an NFS export of an ext2
or ext3 filesystem can cause a denial of service (file
system panic) via a crafted UDP packet with a V2
lookup procedure that specifies a bad file handle
(inode number), which triggers an error and causes an
exported directory to be remounted read-only. [#192988]
- php4/php5 security problems
We are also preparing new PHP4 and PHP5 update packages to fix
the currently known PHP security problems. This affects all
distributions.
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file containing the announcement.
The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team
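An added example (not part of the SUSE announcement) for scripting the check above: instead of matching the human-readable "Good signature" text, it reads GnuPG's machine-readable status lines (`gpg --status-fd 1 --verify <file>`) and additionally pins the signer to the key ID published in the announcement, since "Good signature" alone is printed for any key present in the keyring. The status lines, long key ID and fingerprint below are constructed placeholders built around the short ID 3D25D3D9 quoted above; they are not SUSE's real key material.

```python
import subprocess
from typing import Optional

# Constructed examples of GnuPG status output. The long key ID and fingerprint
# are placeholders ending in the short ID 3D25D3D9 from the announcement.
PLACEHOLDER_LONG_ID = "AAAAAAAA3D25D3D9"
PLACEHOLDER_FPR = "BBBBBBBBBBBBBBBBBBBBBBBB" + PLACEHOLDER_LONG_ID

GOOD_STATUS = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {PLACEHOLDER_LONG_ID} SuSE Security Team
[GNUPG:] VALIDSIG {PLACEHOLDER_FPR} 2006-09-01 1157130000 0 4 0 1 2 00 {PLACEHOLDER_FPR}
[GNUPG:] TRUST_FULLY
"""

BAD_STATUS = f"""\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG {PLACEHOLDER_LONG_ID} SuSE Security Team
"""

# Status keywords that mean the signature must not be trusted.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA", "NO_PUBKEY"}


def verify_status(status_output: str, expected_key_id: str) -> dict:
    """Decide from GnuPG status lines whether the text carries a good
    signature made by the expected key. A key ID is the low-order part of
    the fingerprint, so a suffix comparison pins either form."""
    expected = expected_key_id.replace(" ", "").upper()
    signer: Optional[str] = None
    fingerprint: Optional[str] = None
    trust: Optional[str] = None
    failure: Optional[str] = None
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1] if len(fields) > 1 else ""
        if keyword == "GOODSIG" and len(fields) > 2:
            signer = fields[2]
        elif keyword == "VALIDSIG" and len(fields) > 2:
            fingerprint = fields[2]
        elif keyword in FAILURE_KEYWORDS:
            failure = keyword
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if failure:
        return {"ok": False, "reason": failure, "key": signer, "trust": trust}
    if signer is None:
        return {"ok": False, "reason": "no GOODSIG", "key": None, "trust": trust}
    identity = (fingerprint or signer).upper()
    if not identity.endswith(expected):
        return {"ok": False, "reason": "unexpected key", "key": signer, "trust": trust}
    return {"ok": True, "reason": "GOODSIG from expected key", "key": signer, "trust": trust}


def run_gpg_verify(path: str, expected_key_id: str) -> dict:
    """Run GnuPG on a saved announcement and evaluate its status output.
    Needs gpg and the signing key in the keyring, so it is not exercised offline."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True)
    return verify_status(proc.stdout, expected_key_id)


if __name__ == "__main__":
    print(verify_status(GOOD_STATUS, "3D25D3D9"))  # ok: True
    print(verify_status(BAD_STATUS, "3D25D3D9"))   # ok: False, reason BADSIG
    print(verify_status(GOOD_STATUS, "DEADBEEF"))  # ok: False, unexpected key
```

The "unexpected key" branch is the part worth keeping in any automation: an announcement signed by some other key that happens to be in the keyring still produces a GOODSIG line, and only the comparison against the published key ID catches that.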