-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID: SUSE-SR:2008:005
Date: Thu, 06 Mar 2008 13:00:00 +0000
Cross-References: CVE-2005-2090, CVE-2006-4484, CVE-2006-7196
CVE-2007-1860, CVE-2007-3382, CVE-2007-3385
CVE-2007-4770, CVE-2007-4771, CVE-2007-5135
CVE-2007-5461, CVE-2007-6170, CVE-2007-6430
CVE-2007-6613, CVE-2008-0128, CVE-2008-0783
CVE-2008-0784, CVE-2008-0785, CVE-2008-0786
CVE-2008-0883, CVE-2008-1070, CVE-2008-1071
CVE-2008-1072
Content of this advisory:
1) Solved Security Vulnerabilities:
- acroread wrapper script /tmp race
- asterisk security issues
- cacti various vulnerabilities
- compat-openssl097g security fixes
- icu regular expression problems
- libcdio buffer overflow
- wireshark/ethereal security problems
- Jakarta tomcat security problems
- perl-Tk GIF security problem
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
None listed this week.
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums
or download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- Acroread wrapper script minor /tmp race
Adobe Acrobat Reader 8.1.2 contained a /tmp race in its "acroread"
wrapper script in the SSL certificate handling. (CVE-2008-0883)
This problem is not triggered by merely starting Acrobat Reader,
but only during certificate handling.
Furthermore, Acrobat Reader shipped several duplicated copies of
system libraries; this update removes them in favour of the system
provided ones, so that they stay up to date with security fixes.
Also, on x86-64 platforms the Mozilla embedding detection did not
work; this has been fixed, so the splash screen and Help are displayed again.
Updates have been released on SUSE Linux Enterprise Desktop 10,
SUSE Linux 10.1, openSUSE 10.2 and 10.3.
Updates for version 7 for Novell Linux Desktop 9 and SUSE Linux
Enterprise Server 9 are still pending.
- Asterisk security issues
A security update was released for the PBX Asterisk, fixing the following
security issues:
CVE-2007-6430: Attackers could bypass host-based authentication by
using a valid user name.
CVE-2007-6170: Attackers could inject SQL commands under certain
circumstances if 'cdr_pgsql' was used.
Asterisk was updated on SUSE Linux 10.1 and openSUSE 10.2.
- cacti various vulnerabilities
The following vulnerabilities were fixed in cacti:
- CVE-2008-0783: multiple XSS vulnerabilities
- CVE-2008-0784: path disclosure
- CVE-2008-0785: multiple SQL injections
- CVE-2008-0786: HTTP response splitting on very old PHP instances
Cacti is included in SUSE Linux 10.1, openSUSE 10.2 and 10.3 and
was fixed there.
- compat-openssl097g security fixes
This update of compat-openssl097g fixes an off-by-one buffer overflow
in the function SSL_get_shared_ciphers(). Depending on the memory
layout of the process, this vulnerability potentially allows remote
code execution. (CVE-2007-5135)
We had already released updates for openssl, but an update for the compat
0.9.7g openssl libraries was missing and is provided with this patch.
Released for SUSE Linux Enterprise 10, SUSE Linux 10.1 and openSUSE
10.2, 10.3.
- icu regular expression problems
Certain regular expressions could crash the ICU library
(CVE-2007-4770, CVE-2007-4771).
Updated icu packages have been released for all distributions.
- libcdio buffer overflow
A security bug was fixed in libcdio. Long file names in ISO file
systems with Joliet extension could cause a buffer overflow in
libcdio (CVE-2007-6613).
libcdio fixes were released for all SUSE Linux products.
- wireshark/ethereal security problems
The network analyzer wireshark (formerly known as ethereal) was
updated to fix the following security bugs:
- CVE-2008-1070: The SCTP dissector could crash on reception of bad packets
- CVE-2008-1071: The SNMP dissector could crash on reception of bad packets
- CVE-2008-1072: The TFTP dissector could crash Wireshark (possibly
caused by a bug in the Cairo library on specific platforms)
- Jakarta Tomcat security problems
Various security issues in Jakarta Tomcat have been fixed:
- CVE-2006-7196: Cross-site scripting (XSS) vulnerability in
example JSP applications
- CVE-2007-3382: Handling of cookies containing a ' character
- CVE-2007-3385: Handling of \" in cookies
- CVE-2007-5461: tomcat path traversal / information leak
- CVE-2007-1860: directory traversal
- CVE-2008-0128: tomcat https information disclosure
- CVE-2005-2090: tomcat HTTP Request Smuggling
Updates have been released for all distributions.
- perl-Tk GIF security problem
Specially crafted GIF files could crash perl-Tk (CVE-2006-4484).
Fixed packages have been released for all distributions.
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
None listed this week.
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file containing the announcement.
The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team
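The verification step above is easy to get subtly wrong: "Good signature" only means the signature matches some key in your keyring, not necessarily the SUSE Security Team key. The following shell helper is an added example, not part of this advisory; it wraps the gpg --verify call and accepts the announcement only when gpg also reports the key ID 3D25D3D9 named in this section. The function names and the sample key ID used for the negative case are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the SUSE advisory): verify a saved announcement and
# insist that the signature was made with the key ID the advisory names,
# instead of accepting any "Good signature" from any key in the keyring.

EXPECTED_KEYID="3D25D3D9"   # key ID stated in section 3 of the advisory

# check_gpg_output: read the messages gpg printed during verification from
# stdin; return 0 only for a good signature made with EXPECTED_KEYID.
check_gpg_output() {
    out=$(cat)
    # gpg names the signing key on its "Signature made ... key ID XXXXXXXX" line.
    keyid=$(printf '%s\n' "$out" |
            sed -n 's/.*key ID \([0-9A-Fa-f]*\).*/\1/p' | head -n 1)
    # A missing or untrusted key yields no "Good signature" line at all.
    printf '%s\n' "$out" | grep -q '^gpg: Good signature from' || return 1
    [ -n "$keyid" ] || return 1
    # Compare on the trailing 8 hex digits so newer gpg versions that print
    # the 16-digit long key ID are accepted as well.
    case "$keyid" in
        *"$EXPECTED_KEYID") return 0 ;;
        *) return 1 ;;
    esac
}

# verify_announcement FILE: run the command the advisory gives and apply the
# key-ID check to its output (gpg writes these messages to stderr).
verify_announcement() {
    LANG=C gpg --verify "$1" 2>&1 | check_gpg_output
}
```

The check parses gpg's human-readable messages, which is why LANG=C is forced; for a production pipeline, gpg's --status-fd machine-readable output is the sturdier interface.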