openSUSE Security Update: tar security update
______________________________________________________________________________
Announcement ID: openSUSE-SU-2010:0189-1
Rating: low
References: #579475
Cross-References: CVE-2010-0624
Affected Products:
openSUSE 11.2
openSUSE 11.1
openSUSE 11.0
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
A malicious remote tape server could cause a buffer
overflow in tar. To exploit this, an attacker would
have to trick the victim into extracting a file that causes tar
to open a connection to the rmt server (CVE-2010-0624).
It's advisable to always use tar's
--force-local option to avoid such tricks.
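An added example (not part of the openSUSE announcement) of the advice above: GNU tar treats an archive name of the form host:file as a remote tape device unless --force-local is given. The file names, the is_remote_looking heuristic and the list_local helper are constructed for illustration.

```shell
#!/bin/sh
# Added example; all names here are constructed for the demo.

# is_remote_looking NAME
# Succeeds if NAME contains a colon, i.e. tar without --force-local
# might read it as host:path and contact an rmt server.
# Conservative heuristic: any colon in the name counts.
is_remote_looking() {
    case "$1" in
        *:*) return 0 ;;
        *)   return 1 ;;
    esac
}

# list_local ARCHIVE
# List archive members, always treating ARCHIVE as a local file,
# so no connection to a remote tape server is attempted.
list_local() {
    tar --force-local -tf "$1"
}

# demo: build and list an archive whose name contains a colon.
# Both tar calls use --force-local, so "backup" is never taken as a host.
demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        echo "payload" > notes.txt
        tar --force-local -cf "backup:2010.tar" notes.txt || exit 1
        if is_remote_looking "backup:2010.tar"; then
            echo "note: name contains ':'; using --force-local" >&2
        fi
        list_local "backup:2010.tar"
    )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo
```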
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 11.2:
zypper in -t patch tar-2127
- openSUSE 11.1:
zypper in -t patch tar-2127
- openSUSE 11.0:
zypper in -t patch tar-2127
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 11.2 (i586 src x86_64):
tar-1.21-4.3.1
- openSUSE 11.2 (noarch):
tar-lang-1.21-4.3.1
- openSUSE 11.1 (i586 ppc src x86_64):
tar-1.20-23.12.1
- openSUSE 11.0 (i586 ppc src x86_64):
tar-1.19-35.2
References:
http://support.novell.com/security/cve/CVE-2010-0624.html
https://bugzilla.novell.com/579475
openSUSE Security Update: irssi security update
______________________________________________________________________________
Announcement ID: openSUSE-SU-2010:0183-1
Rating: moderate
References: #596005
Cross-References: CVE-2010-1155 CVE-2010-1156
Affected Products:
openSUSE 11.2
openSUSE 11.1
openSUSE 11.0
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
irssi did not check the identity information of a remote
host's certificate. Attackers could exploit that for a
man-in-the-middle attack (CVE-2010-1155).
irssi could crash if someone changed nick while the victim
was leaving the channel (CVE-2010-1156).
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 11.2:
zypper in -t patch irssi-2368
- openSUSE 11.1:
zypper in -t patch irssi-2368
- openSUSE 11.0:
zypper in -t patch irssi-2368
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 11.2 (i586 src x86_64):
irssi-0.8.13-2.2.1
- openSUSE 11.2 (i586 x86_64):
irssi-devel-0.8.13-2.2.1
- openSUSE 11.1 (i586 ppc src x86_64):
irssi-0.8.12-30.71.1
- openSUSE 11.1 (i586 ppc x86_64):
irssi-devel-0.8.12-30.71.1
- openSUSE 11.0 (i586 ppc src x86_64):
irssi-0.8.12-49.4
- openSUSE 11.0 (i586 ppc x86_64):
irssi-devel-0.8.12-49.4
References:
http://support.novell.com/security/cve/CVE-2010-1155.html
http://support.novell.com/security/cve/CVE-2010-1156.html
https://bugzilla.novell.com/596005
openSUSE Security Update: cacti security update
______________________________________________________________________________
Announcement ID: openSUSE-SU-2010:0181-1
Rating: low
References: #599239
Cross-References: CVE-2010-1431
Affected Products:
openSUSE 11.0
______________________________________________________________________________
An update that fixes one vulnerability is now available. It
includes one version update.
Description:
Missing input sanitization in the template export feature
allowed for SQL injection attacks (CVE-2010-1431).
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 11.0:
zypper in -t patch cacti-2365
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 11.0 (noarch src) [New Version: 0.8.7e]:
cacti-0.8.7e-0.3
References:
http://support.novell.com/security/cve/CVE-2010-1431.html
https://bugzilla.novell.com/599239
openSUSE Recommended Update: timezone: Data update
______________________________________________________________________________
Announcement ID: openSUSE-RU-2010:0177-1
Rating: low
References: #583745
Affected Products:
openSUSE 11.2
openSUSE 11.1
openSUSE 11.0
______________________________________________________________________________
An update that has one recommended fix can now be
installed. It includes one version update.
Description:
Updated tzdata version to 2010h:
* DST changes: Asia/Dhaka, Asia/Karachi, Asia/Gaza,
Asia/Damascus, Pacific/Apia, Pacific/Fiji, Africa/Tunis,
America/Santiago, Pacific/Easter, America/Asuncion
* New zones: America/Matamoros, America/Ojinaga,
America/Santa_Isabel
* GMT offset changes: Europe/Samara, Asia/Kamchatka,
Asia/Anadyr
* Various Antarctica timezone changes
* The number of time zones used in Russia was reduced to 9
and several regions changed timezones.
Patch Instructions:
To install this openSUSE Recommended Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 11.2:
zypper in -t patch timezone-2276
- openSUSE 11.1:
zypper in -t patch timezone-2276
- openSUSE 11.0:
zypper in -t patch timezone-2276
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 11.2 (i586 src x86_64) [New Version: 2010h]:
timezone-2010h-1.1.1
- openSUSE 11.1 (i586 ppc src x86_64) [New Version: 2010h]:
timezone-2010h-1.1.1
- openSUSE 11.0 (i586 ppc src x86_64) [New Version: 2010h]:
timezone-2010h-1.1
References:
https://bugzilla.novell.com/583745
openSUSE Security Update: dovecot security update
______________________________________________________________________________
Announcement ID: openSUSE-SU-2010:0175-1
Rating: low
References: #587356
Cross-References: CVE-2010-0745
Affected Products:
openSUSE 11.2
______________________________________________________________________________
An update that fixes one vulnerability is now available. It
includes one version update.
Description:
Huge mail headers could cause dovecot to consume excessive
amounts of CPU (CVE-2010-0745).
dovecot was updated to version 1.2.11 which fixes the
problem.
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 11.2:
zypper in -t patch dovecot12-2363
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 11.2 (i586 src x86_64) [New Version: 1.2.9]:
dovecot12-1.2.9-0.2.1
- openSUSE 11.2 (i586 x86_64) [New Version: 1.2.9]:
dovecot12-backend-mysql-1.2.9-0.2.1
dovecot12-backend-pgsql-1.2.9-0.2.1
dovecot12-backend-sqlite-1.2.9-0.2.1
dovecot12-devel-1.2.9-0.2.1
dovecot12-fts-lucene-1.2.9-0.2.1
References:
http://support.novell.com/security/cve/CVE-2010-0745.html
https://bugzilla.novell.com/587356
openSUSE Recommended Update: evolution-data-server: This update improves the stability of the package.
______________________________________________________________________________
Announcement ID: openSUSE-RU-2010:0173-1
Rating: low
References: #595936
Affected Products:
openSUSE 11.2
______________________________________________________________________________
An update that has one recommended fix can now be
installed. It includes one version update.
Description:
evolution-data-server can abort with a trace. It is fixed
by this update.
Patch Instructions:
To install this openSUSE Recommended Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 11.2:
zypper in -t patch evolution-data-server-2334
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 11.2 (src x86_64) [New Version: 2.28.2]:
evolution-data-server-2.28.2-0.2.13
- openSUSE 11.2 (i586 src) [New Version: 2.28.2]:
evolution-data-server-2.28.2-0.3.1
- openSUSE 11.2 (x86_64) [New Version: 2.28.2]:
evolution-data-server-32bit-2.28.2-0.3.1
evolution-data-server-devel-2.28.2-0.2.13
evolution-data-server-doc-2.28.2-0.2.13
- openSUSE 11.2 (noarch) [New Version: 2.28.2]:
evolution-data-server-lang-2.28.2-0.3.1
- openSUSE 11.2 (i586) [New Version: 2.28.2]:
evolution-data-server-devel-2.28.2-0.3.1
evolution-data-server-doc-2.28.2-0.3.1
References:
https://bugzilla.novell.com/595936
openSUSE Security Update: systemtap: fix for remote code execution and denial of service
______________________________________________________________________________
Announcement ID: openSUSE-SU-2010:0166-1
Rating: important
References: #574243
Cross-References: CVE-2009-4273 CVE-2010-0411
Affected Products:
openSUSE 11.2
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
It includes one version update.
Description:
This updates systemtap to version 1.0. The version update
was required to fix two issues: a shell meta-character
injection vulnerability that allowed remote users to
execute arbitrary commands with the privileges of the
stap-server (CVE-2009-4273: CVSS v2 Base Score: 7.9
(important) (AV:A/AC:M/Au:N/C:C/I:C/A:C)) and a remote
denial of service bug in the __get_argv() function
(CVE-2010-0411: CVSS v2 Base Score: 4.9 (MEDIUM)
(AV:L/AC:L/Au:N/C:N/I:N/A:C)). Version 1.0 is also subject
to advisory CVE-2009-2911 fixing three denial of service
issues when using unprivileged mode.
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 11.2:
zypper in -t patch systemtap-2088
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 11.2 (i586 src x86_64) [New Version: 1.0]:
systemtap-1.0-1.1.1
- openSUSE 11.2 (i586 x86_64) [New Version: 1.0]:
systemtap-client-1.0-1.1.1
systemtap-runtime-1.0-1.1.1
systemtap-sdt-devel-1.0-1.1.1
systemtap-server-1.0-1.1.1
References:
http://support.novell.com/security/cve/CVE-2009-4273.html
http://support.novell.com/security/cve/CVE-2010-0411.html
https://bugzilla.novell.com/574243