[security-announce] SUSE Security Summary Report SUSE-SR:2008:002
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID: SUSE-SR:2008:002
Date: Fri, 25 Jan 2008 16:00:00 +0000
Cross-References: CVE-2006-7217, CVE-2007-5339, CVE-2007-5340
CVE-2007-5360, CVE-2007-5848, CVE-2007-5849
CVE-2007-5894, CVE-2007-5902, CVE-2007-5965
CVE-2007-5971, CVE-2007-5972, CVE-2007-6284
CVE-2007-6351, CVE-2007-6352, CVE-2007-6599
CVE-2008-0225, MFSA 2007-29
Content of this advisory:
1) Solved Security Vulnerabilities:
- tog-pegasus buffer overflow in authentication
- xine rtsp buffer overflows
- libxml2 denial of service in UTF8 handling
- libqt4 incorrect SSL certificate handling
- XFree86/X.Org updates reissued
- krb5 various small issues
- libexif overflows and denial of service
- openafs server denial of service
- Apache derby post-authentication denial of service
- MozillaThunderbird 1.5.0.14 release
- Xen denial of service problems
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
- kernel updates in preparation
- wireshark 0.99.7 security release
- various MySQL security issues
- various Apache security problems
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums
or download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- tog-pegasus buffer overflow in authentication
A stack based buffer overflow in local PAM authentication
for tog-pegasus could be used by attackers to execute
code. (CVE-2007-5360)
This package only exists on and was updated for the SUSE Linux
Enterprise 10 SDK.
- xine rtsp buffer overflows
Specially crafted rtsp-Streams could cause a buffer overflow in
xine. Attackers could potentially exploit that to execute arbitrary
code (CVE-2008-0225).
Xine-lib has been updated on all affected distributions.
- libxml2 denial of service in UTF8 handling
libxml2 contained a DoS condition in xmlCurrentChar()'s UTF-8
processing. CVE-2007-6284 has been assigned to this problem.
Updates were released for all SUSE Linux based products.
- libqt4 incorrect SSL certificate handling
A bug in the QSslSocket class could under certain circumstances
lead to incorrect SSL certificates being accepted as valid
(CVE-2007-5965).
This problem only affected openSUSE 10.3.
- XFree86/X.Org updates reissued
We reissued the previously released X.org and XFree86 packages to
fix a regression in the MIT SHM handling, which caused some programs
(vlc, eclipse, other SWT programs) to abort.
- krb5 various small issues
This update fixes multiple vulnerabilities in krb5. It's unlikely
that those vulnerabilities can actually be exploited. (CVE-2007-5894,
CVE-2007-5902, CVE-2007-5971, CVE-2007-5972)
Updates have been released for SUSE Linux Enterprise 10, SUSE Linux
10.1 and openSUSE 10.2, and 10.3.
- libexif overflows and denial of service
Two bugs in libexif were identified by a Google Security Audit done
by Meder Kydyraliev.
CVE-2007-6351: Loading EXIF data could be used to cause an infinite
recursion and crash
CVE-2007-6352: Integer overflows in the thumbnail handler could be
used to overflow buffers and potentially execute
code or crash a program using libexif.
Updates have been released for libexif and libexif5 packages on
all distributions.
- openafs server denial of service
This update fixes a remote denial of service (crash) against the
openafs server. (CVE-2007-6599)
This problem affected only SUSE Linux 10.1.
- Apache derby post-authentication denial of service
Apache Derby did not determine schema privilege requirements during
the DropSchemaNode bind phase, which allows remote authenticated
users to execute arbitrary drop schema statements in SQL
authorization mode. (CVE-2006-7217)
This update also brings a new requirement of a Java 1.5 JRE.
Unfortunately this makes an update for Itanium impossible, so
Itanium packages are left out for now.
- MozillaThunderbird 1.5.0.14 release
Mozilla Thunderbird was brought to security update version 1.5.0.14
on SUSE Linux 10.1 and openSUSE 10.2.
The following security problems were fixed:
- MFSA 2007-29: Crashes with evidence of memory corruption
As part of the Firefox 2.0.0.8 update releases, Mozilla developers fixed
many bugs to improve the stability of the product. Some of
these crashes showed evidence of memory corruption under certain
circumstances and we presume that with enough effort at least
some of these could be exploited to run arbitrary code.
- CVE-2007-5339 Browser crashes
- CVE-2007-5340 JavaScript engine crashes
- Xen denial of service problems
Various Xen issues have been fixed, two of them security related:
- CVE-2007-5906: Xen allowed virtual guest system users to cause
a denial of service (hypervisor crash) by using a debug register
(DR7) to set certain breakpoints.
- CVE-2007-5907: Xen 3.1.1 does not prevent modification of the
CR4 TSC from applications, which allows pv guests to cause a denial
of service (crash).
Updates had already been released for SUSE Linux 10.1, openSUSE
10.3 and SUSE Linux Enterprise Server 10. openSUSE 10.2 updates
were now released too.
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
- kernel updates in preparation
We are currently preparing kernel security updates for SUSE Linux
Enterprise 10, SUSE Linux 10.1 and openSUSE 10.2 and 10.3 to fix
various security issues and bugs. They will probably be released
in the middle of next week.
- wireshark 0.99.7 security release
Multiple bugs were fixed in wireshark 0.99.7; updated packages for
these problems are currently in QA.
- various MySQL security issues
We are currently testing a MySQL update to fix various security
issues discovered.
- Various Apache security problems
Various Apache security problems have been found in the last weeks
and we are currently preparing updates for them.
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file containing the announcement.
The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team
Marcus Meissner
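
The verification step from section 3, as an added example that is not part of the original announcement or SUSE's own tooling: it reads GnuPG's machine-readable status lines instead of the human-oriented text and accepts only a good signature from the key ID quoted above. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide validity from `gpg --status-fd` output rather than
# from the human-oriented "Good signature" text.

# Short key ID quoted in the announcement. A 32-bit ID is easy to collide;
# where a full fingerprint from a trusted source is available, pin that instead.
EXPECTED_KEYID="3D25D3D9"

# check_status: reads gpg status lines on stdin. Succeeds only when a GOODSIG
# line names a key whose ID ends in EXPECTED_KEYID and no line reports a bad,
# unverifiable, expired-key or revoked-key signature.
check_status() {
    awk -v want="$EXPECTED_KEYID" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "GOODSIG" {
            id = toupper($3)
            n = length(want)
            if (length(id) >= n && substr(id, length(id) - n + 1) == want) { good = 1 } else { bad = 1 }
        }
        END { if (good && !bad) exit 0; exit 1 }
    '
}

# verify_announcement FILE: run gpg on the saved announcement and apply the check.
verify_announcement() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null | check_status
}

# Constructed sample of status output (the long key ID is made up for the demo).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAA3D25D3D9 Constructed Signer'

# Usage: sh verify.sh <file>   (does nothing when no file is given)
if [ "$#" -gt 0 ]; then
    if verify_announcement "$1"; then
        echo "signature verified for key ID $EXPECTED_KEYID"
    else
        echo "signature NOT verified" >&2
        exit 1
    fi
fi
```

A missing public key, a modified message body and a signature from any other key all end in the same non-zero exit status, which is what an unattended update or mirroring job needs.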