Hi,
for otrs I need this config:
(https://build.opensuse.org/package/show?package=otrs&project=network%3Aotrs…)
%defattr(0644,%{name},www,0775)
%dir /opt/%{name}/var/article
%dir /opt/%{name}/var/log
%dir /opt/%{name}/var/tmp
but obs is complaining: permissions-directory-setuid-bit
and I should contact security(a)suse.de
Here I am :)
Is this acceptable?
Kind Regards
Chris
--
To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-security+help(a)opensuse.org
Hi,
when using PostgreSQL JDBC driver version 8.1 to connect to a PostgreSQL
version 9.1 database, escaping of JDBC statement parameters does
not work and SQL injection attacks are possible.
The problem can be reproduced for example with version 8.1-415
(released 2010-05-11), which still can be downloaded from the
official download location (although in `Archived Section'),
however this version is included in Linux distributions that are
still supported (for example SuSE Linux Enterprise Edition with
long-term support).
When Java applications on such a server connect to a recent
PostgreSQL database, SQL injection attacks are possible.
Java web applications using JDBC and running on such Linux versions
could allow this to be exploited remotely, for example through a web app.
Vendor response (from <security(a)postgresql.org>):
> Anything not identified there as current or supported is, by
> reasonable inference, neither. Reporting a security bug
> against anything that's not current or supported is pointless.
However, such unsupported driver versions are included in
supported Linux distributions.
Since I think it is possible to accidentally use older (but still
supported) Linux application servers against recent databases, I
think public information could be of interest.
Possible fix or workaround:
Do not use PostgreSQL JDBC driver version 8.1 but upgrade to the most
recent version. If the distribution offers no suitable package
(RPM), the driver should be downloaded from jdbc.postgresql.org and
installed manually. This breaks package management consistency but
seems to be the smaller issue.
How to reproduce:
When the small program Postgres.java (attached) is compiled and
run with Java 1.7 and the Postgres 8.1 JDBC3 driver against a
Postgres 9.1 database:
$ java -cp postgresql-8.1-415.jdbc3.jar:. Postgres
the following exception occurs:
Exception in thread "main" org.postgresql.util.PSQLException:
ERROR: syntax error at or near "(" at character 134
The driver can be downloaded from
http://jdbc.postgresql.org/download/postgresql-8.1-415.jdbc3.jar
in the "Archived Versions" section of http://jdbc.postgresql.org/download.html.
(They are not supported anymore, but there is no hint that
downloading and using them, in our point of view, opens a security
threat, so we think this is not good.)
When the application is run with the Postgres 9.1 JDBC3 driver,
it behaves correctly.
We think it is likely that 8.1-x JDBC drivers are still used in
production, for example on SuSE Linux Enterprise Edition with
long-term support, and we are not aware of any security bulletin
stating that an upgrade is recommended for security reasons,
since there might not be much interest in changing running
systems without need.
Regards,
Steffen Dettmer
------------------------------------------------------------------->8=======
* Steffen Dettmer wrote on Mon, Feb 27, 2012 at 17:36 +0100:
> Hi,
>
> we think we have found an escaping problem in JDBC driver 8.1 allowing
> SQL injection attacks when connecting to PostgreSQL 9.1 . According to
> http://jdbc.postgresql.org/changes.html#version_8.1-415, this
> issue is not known (not fixed).
[...]
> Our software relies on correct parameter escaping when using a
> java.sql.PreparedStatement for "SELECT stored_procedure(?, ?) AS
> result" used with "statement.setString()" etc., which according to our
> understanding should be the usual and safe way to call stored
> procedures on PostgreSQL.
>
> We found that it fails with at least postgresql-8.1-407.jdbc3.jar
> from http://jdbc.postgresql.org/download.html and Postgres 9.1
> database.
>
> The exact case where it occurred in production was the query:
>
> SELECT appendJobEvent(?, ?, ?, ?) AS result
>
> with parameters set via "setString(pos, value)". Parameter
> number 4 contained single quote characters, but they should be
> escaped and end up in the database literally.
>
> Instead, we get:
>
> ERROR: syntax error at or near "(" at character 163 (ERROR:
> syntax error at or near "(" at character 163)'
>
> we tested and got exactly the same error message when using the string
> directly (i.e. not via "?" and setString), which is expected.
>
> Connecting to an older database version (7.1) or updating the driver
> to postgresql-9.1-901.jdbc3.jar from
> http://jdbc.postgresql.org/download.html both make the same query
> with the same parameters work.
>
> Since our development environment unit tests check for a similar
> issue, it seems that when using the same version of JDBC driver and
> database (the normal configuration when having a test database on
> localhost), escaping probably works well in a probably wide range of
> versions, but not in at least this combination (8.1-407 JDBC driver to
> 9.1 DBMS).
--[ Postgres.java ]------------------------------------------------>8=======
// "Sascha BAER" <Sascha.BAER(a)ingenico.com> -- SFR-1315206
// SQL injection when connecting to PostgreSQL 9.1 with version 8.1 JDBC driver
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.Properties;

public class Postgres
{
    public static void main(String[] args)
        throws Exception
    {
        Properties connectionProps = new Properties();
        // Load the PostgreSQL driver explicitly: the 8.1 (JDBC3) drivers
        // predate the automatic driver discovery of JDBC 4.
        Class.forName("org.postgresql.Driver");
        connectionProps.put("user", "sfr1315206");
        connectionProps.put("password", "secret");
        // protocolVersion 2 is needed to trigger the problem.
        connectionProps.put("protocolVersion", "2");
        Connection conn = DriverManager.getConnection(
            "jdbc:postgresql://pg9-test/test1315206",
            connectionProps);
        // Parameter value containing single quotes. Bound through
        // setString() it must reach the server as a literal value,
        // never as SQL text.
        String hint = "com.ingenico.de.data.DataException: "
            + "(Bitmap 2: ( (Data exceeds format length!); "
            + "Producer f = `PropLLXPVar(19): null') (F1F2672191104016...)): "
            + "class com.ingenico.de.data.DataException (5): "
            + "[thrown in `consume()' at BitmapConsumer.java, line 84]";
        PreparedStatement ps = conn.prepareStatement(
            "SELECT foo(?) AS result");
        ps.setString(1, hint);
        // With the 8.1 driver against a 9.1 server this throws
        // PSQLException: syntax error at or near "(".
        ResultSet result = ps.executeQuery();
        result.next();
        System.out.println(result.getString(1));
        result.close();
        ps.close();
        conn.close();
    }
}
// Configuration stuff for the emacs editor. Please don't remove
// Local Variables:
// tab-width: 4
// End:
// Modeline for VIM. Please don't remove.
// (Help: autoindent, expandtab, shiftwidth=4, tabstop=4, textwidth=75)
// vi: set ai et sw=4 ts=4 tw=75:
--
To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org
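The report above states the symptom (a bound parameter containing single quotes turns into a syntax error on the server) but not the mechanism. The following is an added example, not the PostgreSQL JDBC driver's code and not part of the report; it assumes one plausible mechanism: a driver that interpolates parameters client-side and escapes a quote as `\'`, talking to a server that treats backslashes as ordinary characters (PostgreSQL 9.1 defaults to `standard_conforming_strings=on`). The model lexes the statement the way the server would under each setting and classifies whether the parameter stayed inside its literal. The statement shape, the hint string and the other sample values are constructed from the report.

```python
# Added example; this is not the PostgreSQL JDBC driver's code and not part
# of the report above.  It models one way client-side parameter escaping can
# break when driver and server disagree about string-literal rules.
# ASSUMPTION (the report does not state the mechanism): the driver
# interpolates the parameter itself and escapes a quote as \' , while the
# server (PostgreSQL 9.1 default: standard_conforming_strings=on) treats a
# backslash as an ordinary character, so \' ends the literal early.

TEMPLATE_HEAD = "SELECT foo("      # same shape as the report's statement
TEMPLATE_TAIL = ") AS result"


def escape_legacy(value):
    """Backslash-style escaping, as an old client-side interpolator might do."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def escape_standard(value):
    """SQL-standard escaping: double the quote, leave backslashes alone."""
    return "'" + value.replace("'", "''") + "'"


def lex_literal(sql, pos, backslash_escapes):
    """Decode the single-quoted literal that starts at sql[pos].

    backslash_escapes=True  models standard_conforming_strings=off (old default)
    backslash_escapes=False models standard_conforming_strings=on  (9.1 default)
    Returns (decoded value, index just past the closing quote).
    """
    if sql[pos] != "'":
        raise ValueError("no string literal at position %d" % pos)
    i, out = pos + 1, []
    while i < len(sql):
        c = sql[i]
        if backslash_escapes and c == "\\" and i + 1 < len(sql):
            out.append(sql[i + 1])          # backslash escapes the next char
            i += 2
        elif c == "'":
            if sql[i + 1:i + 2] == "'":     # '' is an escaped single quote
                out.append("'")
                i += 2
            else:
                return "".join(out), i + 1  # closing quote
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated string literal")


def check(escaper, backslash_escapes, value):
    """Classify what the server would see for one bound parameter:
    'ok'           value round-trips and the rest of the statement is intact
    'mangled'      value corrupted, but it stayed inside the literal
    'leak'         part of the parameter ended up in SQL position
    'unterminated' the parameter swallowed the statement's closing quote
    """
    sql = TEMPLATE_HEAD + escaper(value) + TEMPLATE_TAIL
    try:
        seen, end = lex_literal(sql, len(TEMPLATE_HEAD), backslash_escapes)
    except ValueError:
        return "unterminated"
    if sql[end:] != TEMPLATE_TAIL:
        return "leak"
    return "ok" if seen == value else "mangled"


# Constructed sample parameters; the first is the hint string from the report.
SAMPLES = [
    "com.ingenico.de.data.DataException: (Bitmap 2: ( (Data exceeds format "
    "length!); Producer f = `PropLLXPVar(19): null') (F1F2672191104016...)): "
    "class com.ingenico.de.data.DataException (5): [thrown in `consume()' at "
    "BitmapConsumer.java, line 84]",
    "O'Reilly",
    "C:\\temp",
    "trailing backslash\\",
]

ESCAPERS = (("legacy", escape_legacy), ("standard", escape_standard))
SERVER_MODES = (("scs_off", True), ("scs_on", False))


def matrix():
    """Outcome of every (escaper, server mode) pair for each sample value."""
    return {
        (ename, mname): [check(esc, bs, v) for v in SAMPLES]
        for ename, esc in ESCAPERS
        for mname, bs in SERVER_MODES
    }


if __name__ == "__main__":
    for (ename, mname), outcome in matrix().items():
        print("%-8s escaper vs %-7s server: %s" % (ename, mname, outcome))
```

The matrix shows that neither client-side escaper is correct under both server settings: the backslash style leaks parameter text into SQL position when the server is standard-conforming (the report's symptom), and the standard style mangles or unterminates literals when the server still processes backslash escapes. A client can only get this right by knowing the server's setting or, better, by letting the server bind the parameters (protocol v3 with a current driver), which is why the fix in the report is a driver upgrade rather than a different escaping routine. The same round-trip check, run as `SELECT ? AS v` over a real connection with quote- and backslash-bearing values, is a cheap smoke test for a deployment that mixes driver and server versions.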
I will be out of the office from 27.03.2012 and will return on
30.03.2012.
In urgent cases please contact firewall(a)grz.at for firewall/VPN topics
and network(a)grz.at for all other topics.
This reply refers to a mail with the following subject:
[security-announce] SUSE-SU-2012:0425-1: critical: Security update for
Mozilla Firefox
____________________________________________________________________________________________
Sent (c) GRZ/RACON Linz 2010, 'Out of office' agent
Correspondence with a.m. sender via e-mail is only for
information purposes. This medium is not to be used for the
exchange of legally-binding communications.
--
I will be out of the office from 27.03.2012 and will return on
30.03.2012.
In urgent cases please contact firewall(a)grz.at for firewall/VPN topics
and network(a)grz.at for all other topics.
This reply refers to a mail with the following subject:
[security-announce] SUSE-SU-2012:0424-1: critical: Security update for
Mozilla Firefox
____________________________________________________________________________________________
Sent (c) GRZ/RACON Linz 2010, 'Out of office' agent
Correspondence with a.m. sender via e-mail is only for
information purposes. This medium is not to be used for the
exchange of legally-binding communications.
--
I will be out of the office starting 23.03.2012 and will not return until
30.03.2012.
I am not in the office.
I have (tentatively) no access to my mail. I will respond to your message
when I return. In case of System x questions please contact Techline. In
case of defects please call 01805-253558 and have the machine type-model-serial
number ready.
--
I will be out of the office from 15.03.2012 and will return on
19.03.2012.
In urgent cases please contact firewall(a)grz.at for firewall/VPN topics
and network(a)grz.at for all other topics.
This reply refers to a mail with the following subject:
[security-announce] openSUSE-SU-2012:0374-1: important: update for
chromium, v8
____________________________________________________________________________________________
Sent (c) GRZ/RACON Linz 2010, 'Out of office' agent
Correspondence with a.m. sender via e-mail is only for
information purposes. This medium is not to be used for the
exchange of legally-binding communications.
--
The following email has been queued:
From: opensuse-security(a)opensuse.org
To: exp(a)whitemail.de
Subject: [security-announce] SUSE-SU-2012:0337-1: critical: Security update for Samba
Date: Thu Mar 8 19:10:24 2012
The person you tried to send this email to is using SpamBLK to prevent spam.
SpamBLK is based on the dynamic whitelist technology. Only emails from known senders
are accepted for delivery. To add your email address to the user's address book and
to allow further delivery of your email please click the link below:
http://www.spamblk.net/cgi-bin/auth.pl?id=10004&token=oaw387cxuvrafn6h0xgj&…
If you don't click the link above your previous email will be deleted.
-------------------------------------------------
: : : SpamBLK - The Ultimate Anti-Spam Solution (http://www.spamblk.de) : : :
--
This is the mail system at host zazu.alpenland.local.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system
<faichele(a)alpenland.local>: Host or domain name not found. Name service error
for name=zugspitze.alpenland.local type=AAAA: Host not found
The following email has been queued:
From: opensuse-security(a)opensuse.org
To: exp(a)whitemail.de
Subject: [security-announce] SUSE-SU-2012:0332-2: important: Security update for flash-player
Date: Thu Mar 8 17:11:25 2012
The person you tried to send this email to is using SpamBLK to prevent spam.
SpamBLK is based on the dynamic whitelist technology. Only emails from known senders
are accepted for delivery. To add your email address to the user's address book and
to allow further delivery of your email please click the link below:
http://www.spamblk.net/cgi-bin/auth.pl?id=10004&token=spqsoff3idjmr311ades&…
If you don't click the link above your previous email will be deleted.
-------------------------------------------------
: : : SpamBLK - The Ultimate Anti-Spam Solution (http://www.spamblk.de) : : :
--
The following email has been queued:
From: opensuse-security(a)opensuse.org
To: exp(a)whitemail.de
Subject: [security-announce] SUSE-SU-2012:0332-1: important: Security update for flash-player
Date: Wed Mar 7 19:11:40 2012
The person you tried to send this email to is using SpamBLK to prevent spam.
SpamBLK is based on the dynamic whitelist technology. Only emails from known senders
are accepted for delivery. To add your email address to the user's address book and
to allow further delivery of your email please click the link below:
http://www.spamblk.net/cgi-bin/auth.pl?id=10004&token=ipf5ikqqobwebzkvdqmh&…
If you don't click the link above your previous email will be deleted.
-------------------------------------------------
: : : SpamBLK - The Ultimate Anti-Spam Solution (http://www.spamblk.de) : : :
--