July 2011 - openSUSE Security - openSUSE Mailing Lists

[opensuse-security] otrs and permissions file
by Christian 24 Apr '12

24 Apr '12

Hi, for otrs I need this config: (https://build.opensuse.org/package/show?package=otrs&project=network%3Aotrs…) %defattr(0644,%{name},www,0775) %dir /opt/%{name}/var/article %dir /opt/%{name}/var/log %dir /opt/%{name}/var/tmp but obs is complaining: permissions-directory-setuid-bit and I should contact security(a)suse.de Here I am :) Is this acceptable ? Kind Regards Chris -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security+help(a)opensuse.org

2 6

[opensuse-security] strange digest verification errors
by Hans-Peter Jansen 18 Jul '11

18 Jul '11

Hi, during some package updates from a 11.4-x86_64 system, I noticed some digest verification errors, but only in security related packages: Retrieving: libcares2-1.7.4-29.1.x86_64.rpm [done] Digest verification failed for libcares2-1.7.4-29.1.x86_64.rpm. Expected 7a98495e2080a92d3ff0b7e59972c318b8788d7d9f69efc07ad6e261369224c6, found a051c3bcf760baf230b975a4c4f5814a4c112e98b57ae281655bd8bd282c94fb. Retrieving: libssh2-1-1.2.7-12.1.x86_64.rpm [done] Digest verification failed for libssh2-1-1.2.7-12.1.x86_64.rpm. Expected e8cc318266c32b7820efb858244282562605848b91eeef18ba37180400eb7cf4, found b0b1beacfcbcd84f161a8ad39633bfe6eb597b303df6210a2a23f99b72653059. Retrieving: libcurl4-7.21.7-60.1.x86_64.rpm [done (230.1 KiB/s)] Digest verification failed for libcurl4-7.21.7-60.1.x86_64.rpm. Expected 3cd167cab18efa90062b43e5afb696dd650c2c62098fa752461bdbda7289e510, found 88d094b4b5f50dc402fd17258a21f74e39bd616d26e2296298254ea4b2364575. Continue? [yes/no] (no): y Invalid answer 'y'. Enter 'y' for 'yes' or 'n' for 'no' if nothing else works for you. [yes/no] (no): Failed to provide Package libcurl4-7.21.7-60.1. Do you want to retry retrieval? [download.opensuse.org-python| http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE…] Can't provide file './x86_64/libcurl4-7.21.7-60.1.x86_64.rpm' from repository 'download.opensuse.org-python' History: - libcurl4-7.21.7-60.1.x86_64.rpm has wrong checksum Abort, retry, ignore? [a/r/i] (a): i As being shown in the last paragraph, they all came from devel:languages:python. Is that something to be concerned about or is the repo under attack? TIA, Pete -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security+help(a)opensuse.org

2 2

[opensuse-security] openSSH, 11.3 and CVE-2011-0539
by paul 18 Jul '11

18 Jul '11

We failed a pci-dss compliance test because the version of openSSH for 11.3 doesn't have the fix for CVE-2011-0539. In fact, there hasn't been any update to openSSH for 11.3 since Jun 2010. I can see that the fix is in the version in factory. The change log has: - Update to 5.8p1 * Fix vulnerability in legacy certificate signing introduced in OpenSSH-5.6 and found by Mateusz Kocielski. which looks like the fix for CVE-2011-0539. Two questions: 1/ Is there any reason why this fix hasn't been ported to 11.3? 2/ Any reason why I might have problems taking the factory source and building it for myself? Paul -- Paul Reeves -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security+help(a)opensuse.org

4 5