[security-announce] SUSE Security Summary Report SUSE-SR:2008:011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID: SUSE-SR:2008:011
Date: Fri, 09 May 2008 16:00:00 +0000
Cross-References: CVE-2007-5624, CVE-2007-5803, CVE-2007-5935
CVE-2007-5936, CVE-2007-5937, CVE-2008-1237
CVE-2008-1360, CVE-2008-1372, CVE-2008-1380
CVE-2008-1531, CVE-2008-1612, CVE-2008-1670
CVE-2008-1671, CVE-2008-1693, CVE-2008-1720
CVE-2008-1922, MFSA 2008-15, MFSA 2008-20
Content of this advisory:
1) Solved Security Vulnerabilities:
- rsync heap overflow in xattr code
- MozillaFirefox 2.0.0.14 security release
- poppler PDF problems
- nagios cross site scripting problems
- lighttpd SSL denial of service
- sarg various buffer overflows
- squid denial of service fix
- bzip2 decoder denial of service
- kdelibs3 unix signal handling
- texlive-bin dvips overflows
- kdelibs4 heap overflow in PNG loader of KHTML
- Sun Java 1.6.0 u6 security update
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
None listed this week.
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list or
download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- rsync heap overflow in xattr code
A remotely exploitable heap overflow in rsync's xattr code has
been fixed. CVE-2008-1720 has been assigned to this issue.
rsync was fixed on openSUSE 10.3.
- MozillaFirefox 2.0.0.14 security release
Mozilla Firefox was brought to security update version 2.0.0.14.
The following security problems were fixed:
- MFSA 2008-20/CVE-2008-1380: Fixes for security problems in the
JavaScript engine described in MFSA 2008-15 (CVE-2008-1237) introduced
a stability problem, where some users experienced frequent crashes
during JavaScript garbage collection. These crashes may be exploitable
if someone finds a reliable way to trigger the crash.
We were not able to reproduce the crashes internally. Updates have been
released on SLE 10, SUSE Linux 10.1, openSUSE 10.2 and 10.3.
- poppler PDF problems
Specially crafted PDF files with embedded fonts could potentially be
abused to trick applications that process PDF files into executing
arbitrary code (CVE-2008-1693).
Fixes for poppler for all distributions containing poppler have
been released.
- nagios cross site scripting problems
Several cross site scripting (XSS) issues in nagios were fixed
(CVE-2007-5624, CVE-2007-5803, CVE-2008-1360).
SLE 10, openSUSE 10.2 and 10.3 received fixed nagios packages.
- lighttpd SSL denial of service
The lighttpd web server had a problem where an error in one
SSL connection could lead to termination of all SSL connections
(CVE-2008-1531).
This problem has been fixed in SLE 10, SUSE Linux 10.1, openSUSE
10.2 and 10.3.
- sarg various buffer overflows
Multiple stack buffer overflows have been fixed in the Squid logfile
analyzer sarg. (CVE-2008-1922)
sarg updates have been released for SUSE Linux 10.1, openSUSE 10.2
and 10.3.
- squid denial of service fix
A flaw in a previous security update could cause squid to crash
under certain circumstances (CVE-2008-1612).
squid was updated on all distributions.
- bzip2 decoder denial of service
Specially crafted files could crash the bzip2-decoder
(CVE-2008-1372).
bzip2 was updated on all distributions.
- kdelibs3 unix signal handling
start_kdeinit did not handle Unix signals correctly
(CVE-2008-1671).
This was only a problem in openSUSE 10.3 and has been fixed there.
- texlive-bin dvips overflows
Buffer overflows in dvips and dviljk could be triggered by specially
crafted dvi files (CVE-2007-5935, CVE-2007-5937). dvips additionally
created temporary files in an insecure manner (CVE-2007-5936).
Only the openSUSE 10.3 updates were still missing for this issue; the
others were already released several weeks ago.
- kdelibs4 heap overflow in PNG loader of KHTML
A heap overflow in the PNG loader of KHTML has been
fixed. CVE-2008-1670 has been assigned to this issue.
Only openSUSE 10.3 was affected and fixed.
- Sun Java 1.6.0 u6 security update
Sun Java was updated to 1.6.0u6 to fix several bugs and potentially
also security problems.
Sun has, however, not published any details regarding security
vulnerabilities in this update.
Only openSUSE 10.3 contains Sun Java 1.6.0 and was fixed.
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
None listed this week.
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement are
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file containing the announcement.
The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team
Marcus Meissner