-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID: SUSE-SR:2007:006
Date: Fri, 13 Apr 2007 18:00:00 +0000
Cross-References: CVE-2006-7139, CVE-2007-0177, CVE-2007-0242,
                  CVE-2007-0451, CVE-2007-0537, CVE-2007-0653,
                  CVE-2007-0654, CVE-2007-1351, CVE-2007-1564
Content of this advisory:
1) Solved Security Vulnerabilities:
- Qt UTF-8 sequence decoding problem
- kdelibs3 security update
- mediawiki XSS problem
- freetype2 BDF overflow
- xmms skin handling overflow problem
- spamassassin update to version 3.1.8
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
- various X security problems
- clamav 0.90.2 version upgrade
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low-profile
vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums
or download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- Qt UTF-8 sequence decoding problem
The Qt library, versions 2, 3 and 4, wrongly accepts overly long
UTF-8 sequences due to a bug in the UTF-8 decoder. This may lead
to security problems under certain circumstances, where "../" could
be injected into path names or XSS into web pages.
For example, the bug allows script tag injection in Konqueror
(CVE-2007-0242).
This problem was fixed in all SUSE Linux based products.
- kdelibs3 security update
The kdelibs3 packages were updated to fix 3 security problems and
one potential problem:
A bug in KHTML could be exploited to conduct cross site scripting
(XSS) attacks (CVE-2007-0537).
Another bug allowed attackers to abuse the FTP passive mode for
port scans (CVE-2007-1564).
Encountering empty frameset rows/cols could crash khtml
(CVE-2006-7139).
Also, overlong sequences might get handled by the JavaScript
interpreter engine, a problem similar to CVE-2007-0242. It is not
thought to be exploitable and was only fixed for completeness.
This problem was fixed for all affected kdelibs3 packages.
- mediawiki XSS problem
A cross site scripting problem was fixed in the AJAX features
of MediaWiki.
This is tracked by the Mitre CVE ID CVE-2007-0177 and was fixed
for openSUSE 10.2.
- freetype2 BDF overflow
This update of freetype2 fixes an integer overflow in the BDF font
parsing code. This bug can be exploited only with user assistance
to potentially execute arbitrary code.
This problem was assigned the Mitre CVE ID CVE-2007-1351 and it
was fixed for all affected products.
- xmms skin handling overflow problem
Two integer overflows when processing BMP skin images potentially
allow attackers to execute arbitrary code via specially crafted
files. This requires user interaction to actually apply the crafted
skins.
These problems are tracked by the Mitre CVE IDs CVE-2007-0653 and
CVE-2007-0654 and were fixed for all products containing xmms.
- spamassassin update to version 3.1.8
SpamAssassin was brought to version 3.1.8 with the following
security-related changes:
* fix for CVE-2007-0451: Possible DoS due to incredibly
long URIs found in the message content.
and the following bugfixes:
* Disable Perl module usage in update channels unless
--allowplugins is specified
* Files with names starting/ending in whitespace weren't usable
* Remove Text::Wrap related code due to upstream issues
* Update spamassassin and sa-learn to better deal with STDIN
* Improvements and bug fixes related to DomainKeys
and DKIM support
* Several updates for Received header parsing
* Several documentation updates and random taint-variable related
issues
This update also adds some missing RPM dependencies.
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
- Various X security problems
Various Xorg/XFree86 security problems have been identified.
The updates for them are currently in QA and are expected to be
released next week.
- clamav 0.90.2 version upgrade
A security update release of clamav was announced today, to version
0.90.2 fixing several security issues.
We are preparing updates for these problems and also expect updates
early next week.
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command

    gpg --verify <file>

replacing <file> with the name of the file containing the announcement.
The output for a valid signature looks like:

    gpg: Signature made <DATE> using RSA key ID 3D25D3D9
    gpg: Good signature from "SuSE Security Team