June 2014 - openSUSE Security - openSUSE Mailing Lists

[opensuse-security] Unsubscribe
by splatflys 25 Jun '14

25 Jun '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 25/06/14 18:04, opensuse-security(a)opensuse.org wrote: > openSUSE Security Update: ctdb: Upgrade to version 2.3 to fix one security issue > ______________________________________________________________________________ > > Announcement ID: openSUSE-SU-2014:0842-1 > Rating: moderate > References: #836064 #867815 > Cross-References: CVE-2013-4159 > Affected Products: > openSUSE 13.1 > openSUSE 12.3 > ______________________________________________________________________________ > > An update that solves one vulnerability and has one errata > is now available. > > Description: > > ctdb was updated to version 2.3 to fix several temp file vulnerabilities > (CVE-2013-4159). Various other bugs were fixed by this upgrade, most > notably bnc#867815: Avoid lockwait congestion by using an overflow queue. > > > Patch Instructions: > > To install this openSUSE Security Update use YaST online_update. > Alternatively you can run the command listed for your product: > > - openSUSE 13.1: > > zypper in -t patch openSUSE-2014-442 > > - openSUSE 12.3: > > zypper in -t patch openSUSE-2014-442 > > To bring your system up-to-date, use "zypper patch". > > > Package List: > > - openSUSE 13.1 (i586 x86_64): > > ctdb-2.3-2.4.1 > ctdb-debuginfo-2.3-2.4.1 > ctdb-debugsource-2.3-2.4.1 > ctdb-devel-2.3-2.4.1 > ctdb-pcp-pmda-2.3-2.4.1 > ctdb-pcp-pmda-debuginfo-2.3-2.4.1 > > - openSUSE 12.3 (i586 x86_64): > > ctdb-2.3-2.4.1 > ctdb-debuginfo-2.3-2.4.1 > ctdb-debugsource-2.3-2.4.1 > ctdb-devel-2.3-2.4.1 > ctdb-pcp-pmda-2.3-2.4.1 > ctdb-pcp-pmda-debuginfo-2.3-2.4.1 > > > References: > > http://support.novell.com/security/cve/CVE-2013-4159.html > https://bugzilla.novell.com/836064 > https://bugzilla.novell.com/867815 > > > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJTqqC3AAoJEAIlXR9XEAejoP8H/2nPWrEADMzjWPWcQaNSofMC CV1h9VIiOTGAzbuh4xYqjsKfGbPEZnnfZJ9LjoZjweFCLvYgihR9J6iWznI97g5g ZVJsDnMvRdvXMdrKNY+rUJzMl7dznEJAPdo+IoYS35xMmCVs1dIGiHf/3BCLBR3i 4zpKTD20qnlNcYykLAmeO1ewkYI3a/y6b50kjzlIzOF2HCYY21rmIJrIBxE84qGJ CCwgXLcz8HmcwntQMLhWk+uEy7eujOeOHPSkUk/6xONPl8d9afHZgiv1Js0uaIw+ 7q3OvIpcIllHqWCs22Ut1RWYcU3Ru4jnUHmdXefCyXZKznGa8gEfVmCvW6BWX00= =52dh -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

1 0

[opensuse-security] What should we do in order to put cups-pdf into official repository?
by 1xx 24 Jun '14

24 Jun '14

We want "cups-pdf" to go into official repository. I wrote a mail to pensuse-factory(a)opensuse.org. http://lists.opensuse.org/opensuse-factory/2014-06/msg00116.html But Ludwig said that I need to ask security to take a look. http://lists.opensuse.org/opensuse-factory/2014-06/msg00117.html We saw that we need to define AppArmor. http://lists.opensuse.org/opensuse-factory/2014-06/msg00120.html Others, what should we do? -- 1xx <ItSANgo(a)gmail.com> <https://twitter.com/ItSANgo> Mitsutoshi NAKANO <bkbin005(a)rinku.zaq.ne.jp> <http://d.hatena.ne.jp/Itisango/> -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

3 2

[opensuse-security] Re: [security-announce] SUSE-SU-2014:0775-1, USE-SU-2014:0807-1: critical: Security update for Linux Kernel CVE-2014-3153
by George Dimitrov 20 Jun '14

20 Jun '14

Hi, Can someone tell me if the latest kernel-default-3.0.101-0.7.19.1 in SLES 11 SP2 is affected by CVE-2014-3153? Can I test if my kernel is affected? Background: I saw this announcement aboutCVE-2014-3153. It is reported against SLES 11 SP3 and there are some references to SLES 11 SP1 LTSS but nothing about SP2. Thanks, --george Original mail: SUSE Security Update: Security update for Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:0807-1 Rating: important References: #630970 #661605 #663516 #761774 #792407 #852553 #852967 #854634 #854743 #856756 #857643 #863335 #865310 #866102 #868049 #868488 #868653 #869563 #871561 #873070 #874108 #875690 #875798 #876102 #878289 #880892 Cross-References: CVE-2012-6647 CVE-2013-6382 CVE-2013-6885 CVE-2013-7027 CVE-2013-7263 CVE-2013-7264 CVE-2013-7265 CVE-2013-7339 CVE-2014-0101 CVE-2014-0196 CVE-2014-1737 CVE-2014-1738 CVE-2014-1874 CVE-2014-2523 CVE-2014-2678 CVE-2014-3122 CVE-2014-3153 Affected Products: SUSE Linux Enterprise Server 11 SP1 LTSS SLE 11 SERVER Unsupported Extras ______________________________________________________________________________ An update that solves 17 vulnerabilities and has 9 fixes is now available. It includes one version update. Description: The SUSE Linux Enterprise Server 11 SP1 LTSS kernel received a roll-up update to fix security and non-security issues. The following security issues have been fixed: * CVE-2014-3153: The futex acquisition code in kernel/futex.c can be used to gain ring0 access via the futex syscall. This could be used for privilege escalation for non root users. (bnc#880892) -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

2 1

[opensuse-security] security considerations when Factory is rolling
by Ludwig Nussel 20 Jun '14

20 Jun '14

Hi, With the new development process that includes staging projects and openQA, Factory is getting sufficiently good enough to be used by a wider audience of distro hackers. If more people use Factory that raises the questions how security issues are handled in Factory though. Right now I think it has rather low priority as long as there is no release pending, right? cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

2 3

[opensuse-security] RE: [security-announce] SUSE-SU-2014:0788-2: important: Security update for GnuTLS
by tedrb＠wellsfargo.com 13 Jun '14

13 Jun '14

LTSS; N/A for us. We have the patches for 11SP3 already. Company policy requires: This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. -----Original Message----- From: opensuse-security(a)opensuse.org [mailto:opensuse-security@opensuse.org] Sent: Friday, June 13, 2014 11:04 AM To: opensuse-security-announce(a)opensuse.org Subject: [security-announce] SUSE-SU-2014:0788-2: important: Security update for GnuTLS SUSE Security Update: Security update for GnuTLS ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:0788-2 Rating: important References: #880730 #880910 Cross-References: CVE-2014-3466 CVE-2014-3467 CVE-2014-3468 CVE-2014-3469 Affected Products: SUSE Linux Enterprise Server 10 SP4 LTSS SUSE Linux Enterprise Server 10 SP3 LTSS ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: GnuTLS has been patched to ensure proper parsing of session ids during the TLS/SSL handshake. Additionally three issues inherited from libtasn1 have been fixed. Further information is available at http://www.gnutls.org/security.html#GNUTLS-SA-2014-3 <http://www.gnutls.org/security.html#GNUTLS-SA-2014-3> These security issues have been fixed: * Possible memory corruption during connect (CVE-2014-3466) * Multiple boundary check issues could allow DoS (CVE-2014-3467) * asn1_get_bit_der() can return negative bit length (CVE-2014-3468) * Possible DoS by NULL pointer dereference (CVE-2014-3469) Security Issue references: * CVE-2014-3466 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3466> Package List: - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64): gnutls-1.2.10-13.40.1 gnutls-devel-1.2.10-13.40.1 - SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64): gnutls-32bit-1.2.10-13.40.1 gnutls-devel-32bit-1.2.10-13.40.1 - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64): gnutls-1.2.10-13.40.1 gnutls-devel-1.2.10-13.40.1 - SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64): gnutls-32bit-1.2.10-13.40.1 gnutls-devel-32bit-1.2.10-13.40.1 References: http://support.novell.com/security/cve/CVE-2014-3466.html http://support.novell.com/security/cve/CVE-2014-3467.html http://support.novell.com/security/cve/CVE-2014-3468.html http://support.novell.com/security/cve/CVE-2014-3469.html https://bugzilla.novell.com/880730 https://bugzilla.novell.com/880910 http://download.suse.com/patch/finder/?keywords=3a664138948d527c37403de9fef… http://download.suse.com/patch/finder/?keywords=ce2995d7d37c598d89a8e91d407… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

2 1

[opensuse-security] CVE-2014-3153 and opensuse
by R.Vickers＠rhul.ac.uk 12 Jun '14

12 Jun '14

Yesterday I saw the SLES patch announcement for CVE-2014-3153, i.e kernel: futex: pi futexes requeue issue. I'm guessing that opensuse systems are also vulnerable, and that the SuSE guys are furiously working on patches, so if that's true please don't let me interrupt you. On the other hand, if by happy chance your analysis shows opensuse systems are not vulnerable it would be great if we could have an announcement to that effect. Regards, Bob -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

2 1

[opensuse-security] File System Monitoring tool for Nagios?
by Keith Roberts 10 Jun '14

10 Jun '14

Greetings all. Can anyone please recommend a tool for monitoring changes to the filesystem on OpenSuSE 12.3 that could also be run as a Nagios plugin so this can be alerted if any changes are detected? We need to watch for any possible intrusions that would modify the core OS directories and/or files and then send an alert to Nagios. Kind Regards, Keith Roberts-- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

2 1

[opensuse-security] unsubscribe
by Zeltmann, Peter (Zeltmann Imp.-Exp. GmbH) 06 Jun '14

06 Jun '14

unsubscribe Mit freundlichen Grüßen Peter Zeltmann Zeltmann Import-Export GmbH Igelbachstr. 14, 76597 Loffenau Tel. 07083 / 924 828 - 2 Fax. 07083 / 924 828 - 7 mailto:peter@zeltmann.net http://www.zeltmann.net ---------------------------------------------------------------------------- ---------------------------------------------------- Sitz der Gesellschaft: D-76597 Loffenau Registergericht: 68159 Mannheim, HRB 530137 Ust-Id-Nr: DE 811 22 32 32 Geschäftsführer: Kurt Zeltmann, Achim Zeltmann, Peter Zeltmann Qualitätsmanagement nach DIN EN ISO 9001:2008 Zertifikat Registrier-Nr.: 042906070 ---------------------------------------------------------------------------- ---------------------------------------------------- Alle zur Verfügung gestellten Unterlagen unterliegen der Geheimhaltung und dürfen nicht an Dritte weitergegeben werden. -----Ursprüngliche Nachricht----- Von: opensuse-security(a)opensuse.org [mailto:opensuse-security@opensuse.org] Gesendet: Freitag, 6. Juni 2014 12:04 An: opensuse-security-announce(a)opensuse.org Betreff: [security-announce] openSUSE-SU-2014:0765-1: critical: update to version 1.0.0m openSUSE Security Update: update to version 1.0.0m ____________________________________________________________________________ __ Announcement ID: openSUSE-SU-2014:0765-1 Rating: critical References: #880891 Cross-References: CVE-2014-0195 CVE-2014-0221 CVE-2014-0224 CVE-2014-3470 Affected Products: openSUSE 11.4 ____________________________________________________________________________ __ An update that fixes four vulnerabilities is now available. Description: The openssl library was updated to version 1.0.0m fixing various security issues and bugs: Security issues fixed: - CVE-2014-0224: Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. - CVE-2014-0221: Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack. - CVE-2014-0195: Fix DTLS invalid fragment vulnerability. A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. - CVE-2014-3470: Fix bug in TLS code where clients enable anonymous ECDH ciphersuites are subject to a denial of service attack. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch 2014-60 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): libopenssl-devel-1.0.0m-18.53.1 libopenssl1_0_0-1.0.0m-18.53.1 libopenssl1_0_0-debuginfo-1.0.0m-18.53.1 openssl-1.0.0m-18.53.1 openssl-debuginfo-1.0.0m-18.53.1 openssl-debugsource-1.0.0m-18.53.1 - openSUSE 11.4 (x86_64): libopenssl1_0_0-32bit-1.0.0m-18.53.1 libopenssl1_0_0-debuginfo-32bit-1.0.0m-18.53.1 - openSUSE 11.4 (noarch): openssl-doc-1.0.0m-18.53.1 - openSUSE 11.4 (ia64): libopenssl1_0_0-debuginfo-x86-1.0.0m-18.53.1 libopenssl1_0_0-x86-1.0.0m-18.53.1 References: http://support.novell.com/security/cve/CVE-2014-0195.html http://support.novell.com/security/cve/CVE-2014-0221.html http://support.novell.com/security/cve/CVE-2014-0224.html http://support.novell.com/security/cve/CVE-2014-3470.html https://bugzilla.novell.com/880891 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

2 1

[opensuse-security] Announcement: openssl 1.0.1h released to fix several vulnerabilities
by Thomas Biege 05 Jun '14

05 Jun '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Today the openssl project released a new version of the openssl library (openssl-1.0.1h) that fixes six/seven vulnerabilities. Details about the vulnerabilities can be found in their advisory: http://www.openssl.org/news/secadv_20140605.txt List of issues: 1. SSL/TLS MITM vulnerability (CVE-2014-0224) 2. DTLS recursion flaw (CVE-2014-0221) 3. DTLS invalid fragment vulnerability (CVE-2014-0195) 4. SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198) 5. SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298) 6. Anonymous ECDH denial of service (CVE-2014-3470) 7. Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD (CVE-2014-0076) We ship the following openssl versions which are affected by...: - - SLES9: openssl 0.9.7d + SSL/TLS MITM vulnerability (CVE-2014-0224) - - SLE10: openssl 0.9.8a + SSL/TLS MITM vulnerability (CVE-2014-0224) + DTLS recursion flaw (CVE-2014-0221) - - SLE11: openssl 0.9.8j + SSL/TLS MITM vulnerability (CVE-2014-0224) + DTLS recursion flaw (CVE-2014-0221) + Anonymous ECDH denial of service (CVE-2014-3470) - - Security AddON for SLES11: openssl 1.0.1g + SSL/TLS MITM vulnerability (CVE-2014-0224) + DTLS recursion flaw (CVE-2014-0221) + DTLS invalid fragment vulnerability (CVE-2014-0195) + SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198) + Anonymous ECDH denial of service (CVE-2014-3470) - - opensuse: openssl 1.0.1* + SSL/TLS MITM vulnerability (CVE-2014-0224) + DTLS recursion flaw (CVE-2014-0221) + DTLS invalid fragment vulnerability (CVE-2014-0195) + SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198) + Anonymous ECDH denial of service (CVE-2014-3470) An update package for CVE-2014-0076 was released in April 2014, see http://lists.opensuse.org/opensuse-updates/2014-04/msg00007.html. DTLS invalid fragment vulnerability (CVE-2014-0195): This issue affects only versions starting from 0.9.8o, therefore 0.9.8j is not affected by this remote buffer overflow. The updates will be released as soon as possible. Best regards, Thomas - -- Thomas Biege <thomas(a)suse.de>, Team Leader MaintenanceSecurity, CSSLP SUSE LINUX Products GmbH GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer HRB 21284 (AG Nürnberg) - -- Wer aufhoert besser werden zu wollen, hoert auf gut zu sein. -- Marie von Ebner-Eschenbach -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEVAwUBU5CEfHey5gA9JdPZAQLC0gf/Y4M29yMsWf1fBUZP6VCFbDK03UAT0HhI Srdx4FgSwr3Rda6M52UKqP8HdP2yv9/G30NGHihX7Gz6hStc8G/bvj8RyVGPlUh4 XadWUVztnSct1v68z45Z1zk53XBVsK5lIpxORX04LW0EPQytYAltD7/W4wvNtwBU Y7Ji1WDb+L6sGHyZn9Cp2Zvs30+jraf10MK/L7tYuvdNoOJTVfgrlzt+dfFKIuuW 5Az7KXb8J21CEk4DVhO5CG2ogNjsVR/K7b7vlWFxYorhfkKr1tXi5SKSXooD1WPY ovMhZFfopkKuuor898Xpyzb54Qjcc7eMDS3Pk7jDo9lBifY6loJqLw== =bSsy -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

1 0

[opensuse-security] UNSUBSCRIBE
by Araluen 04 Jun '14

04 Jun '14

-- This message was created in a Microsoft-free computing environment.

1 0