-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID: SUSE-SR:2006:020
Date: Mon, 14 Aug 2006 17:00:00 +0000
Cross-References: CVE-2006-1168, CVE-2006-3083, CVE-2006-3084
CVE-2006-3627, CVE-2006-3628, CVE-2006-3629
CVE-2006-3630, CVE-2006-3631, CVE-2006-3632
CVE-2006-3746, CVE-2006-4020
Content of this advisory:
1) Solved Security Vulnerabilities:
- gpg / gpg2 denial of service attack
- krb5 missing setuid return checks
- ncompress buffer overflow
- ethereal various security problems
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
- Kernel Update for SUSE Linux Enterprise 10
- Mozilla Firefox / Thunderbird / Suite Security Updates
- php4 / php5 updates in preparation
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums
or download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- gpg / gpg2 denial of service attack
The gpg and gpg2 packages have been updated to fix a segmentation
fault when using the --no-armor option.
This failure allows a denial-of-service attack and could be used
to execute arbitrary code. (CVE-2006-3746)
This issue affects all SUSE Linux based products.
- krb5 missing setuid return checks
Various return checks of setuid() and seteuid() calls have been
fixed in the MIT Kerberos client and server applications.
If these applications are setuid, it might have been possible for
local attackers to gain root access (CVE-2006-3083).
We are not affected by the seteuid() problems, tracked by
CVE-2006-3084.
This issue affects SUSE Linux 9.3, 10.0, 10.1 and SUSE Linux
Enterprise Server and Desktop 10.
- ncompress buffer overflow
Lack of bounds checking in the decompression routine could result in
a heap buffer underflow. Attackers could potentially exploit this
to execute arbitrary code by tricking users into decompressing a
specially crafted archive (CVE-2006-1168).
This issue affects SUSE Linux Enterprise Server 9 and 10.
- ethereal various security problems
Various security related bugs ranging from crashes to arbitrary
code execution have been fixed in ethereal (now called WireShark).
More details can be found on:
http://www.wireshark.org/docs/relnotes/wireshark-0.99.2.html
The Mitre CVE IDs for which the update includes fixes are:
CVE-2006-3627, CVE-2006-3628, CVE-2006-3629, CVE-2006-3630,
CVE-2006-3631, CVE-2006-3632
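Added example for the krb5 item above (not part of the SUSE advisory and not MIT Kerberos code): a privilege drop in a setuid program that checks every return value and stops if the drop did not take effect. The function name drop_privileges is an assumption made for illustration.

```c
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Unchecked pattern (the bug class): if setuid() fails, the program
 * keeps running with its elevated effective uid.
 *
 *     setuid(getuid());      // return value ignored
 *     run_user_request();    // may still execute as root
 */

/* Permanently switch to uid/gid; returns 0 on success, -1 on any failure.
 * Callers must treat -1 as fatal and stop before doing further work. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Clear supplementary groups while still root (needs privilege). */
    if (geteuid() == 0 && uid != 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Group before user: after setuid() the gid can no longer be changed. */
    if (setgid(gid) != 0)
        return -1;
    /* setuid() can fail, for example with EAGAIN or EPERM. */
    if (setuid(uid) != 0)
        return -1;
    /* Do not trust the return value alone: confirm the resulting ids. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* A permanent drop must not be reversible. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* In a setuid-root binary getuid()/getgid() are the invoking user. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return EXIT_FAILURE;   /* fail closed */
    }
    printf("running as uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    return EXIT_SUCCESS;
}
```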
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
- Kernel Update for SUSE Linux Enterprise 10
The update kernels for the last 2 local root privilege escalations
have been released for all but the SUSE Linux Enterprise 10
products. For those we are investigating XEN regressions we found
during QA.
Kernels for all retail products and SUSE Linux Enterprise 9 have
been released; please see SUSE-SA:2006:047 and SUSE-SA:2006:042.
- Mozilla Firefox / Thunderbird / Suite Security Updates
- Mozilla Firefox:
All Mozilla Firefox on released distributions will be upgraded
to version 1.5.0.6.
SUSE Linux 10.1, Novell Linux Desktop 9 and SUSE Linux Enterprise
10 have received updates already. SUSE Linux 9.2 up to 10.0 will
follow soon.
- Mozilla Thunderbird
Mozilla Thunderbird updates have been released; the version was
bumped to 1.5.0.5. (The patch summary lists it incorrectly as
1.5.0.6, but it is 1.5.0.5.)
- Mozilla Suite discontinuation / replacement by Seamonkey.
Since the Mozilla Suite is no longer maintained, we will replace
it with Seamonkey 1.0.3.
This update affects: SUSE Linux Desktop 1, SUSE Linux Enterprise
Server 8, SUSE Linux Enterprise Server 9, Novell Linux Desktop 9,
SUSE Linux 9.2 - 10.0.
This will likely also require updates of evolution, beagle,
and other dependent packages, so it might take some time.
In general we recommend not using the Mozilla Suite any longer.
- php4 / php5 updates in preparation
A critical PHP 4 / 5 problem was found; we are preparing updates
for this problem. (CVE-2006-4020)
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
    gpg --verify <file>
replacing <file> with the name of the file containing the announcement.
The output for a valid signature looks like:
    gpg: Signature made <DATE> using RSA key ID 3D25D3D9
    gpg: Good signature from "SuSE Security Team