-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SUSE Security Announcement

        Package:                php4,php5
        Announcement ID:        SUSE-SA:2007:020
        Date:                   Thu, 15 Mar 2007 12:00:00 +0000
        Affected Products:      SUSE LINUX 9.3
                                SUSE LINUX 10.0
                                SUSE LINUX 10.1
                                openSUSE 10.2
                                UnitedLinux 1.0
                                SuSE Linux Enterprise Server 8
                                SuSE Linux Openexchange Server 4
                                SuSE Linux Standard Server 8
                                SuSE Linux School Server
                                SUSE LINUX Retail Solution 8
                                SUSE SLES 9
                                Open Enterprise Server
                                Novell Linux POS 9
                                SLE SDK 10
                                SUSE SLES 10
        Vulnerability Type:     remote code execution
        Severity (1-10):        5
        SUSE Default Package:   no
        Cross-References:       CVE-2006-6383, CVE-2007-0906, CVE-2007-0907
                                CVE-2007-0908, CVE-2007-0909, CVE-2007-0910
                                CVE-2007-0911, CVE-2007-1380, CVE-2007-1399

    Content of This Advisory:
        1) Security Vulnerability Resolved:
             php5 and php4 security update
           Problem Description
        2) Solution or Work-Around
        3) Special Instructions and Notes
        4) Package Location and Checksums
        5) Pending Vulnerabilities, Solutions, and Work-Arounds:
            See SUSE Security Summary Report.
        6) Authenticity Verification and Additional Information

______________________________________________________________________________

1) Problem Description and Brief Discussion

   Multiple bugs have been fixed in the PHP4 and PHP5 script interpreters.

   These include the following security related problems:

   CVE-2007-0906: Multiple buffer overflows in PHP before 5.2.1
   allow attackers to cause a denial of service and possibly execute
   arbitrary code via unspecified vectors in the (1) session, (2) zip,
   (3) imap, and (4) sqlite extensions; (5) stream filters; and the (6)
   str_replace, (7) mail, (8) ibase_delete_user, (9) ibase_add_user,
   and (10) ibase_modify_user functions.

   CVE-2007-0907: Buffer underflow in PHP before 5.2.1 allows attackers
   to cause a denial of service via unspecified vectors involving the
   sapi_header_op function.

   CVE-2007-0908: The wddx extension in PHP before 5.2.1 allows remote
   attackers to obtain sensitive information via unspecified vectors.

   CVE-2007-0909: Multiple format string vulnerabilities in PHP before
   5.2.1 might allow attackers to execute arbitrary code via format string
   specifiers to (1) all of the *print functions on 64-bit systems, and
   (2) the odbc_result_all function.

   CVE-2007-0910: Unspecified vulnerability in PHP before 5.2.1 allows
   attackers to "clobber" certain super-global variables via unspecified
   vectors.

   CVE-2007-0911: Off-by-one error in the str_ireplace function in PHP
   5.2.1 might allow context-dependent attackers to cause a denial of
   service (crash).

   CVE-2006-6383: PHP 5.2.0 and 4.4 allow local users to bypass safe_mode
   and open_basedir restrictions via a malicious path and a null byte
   before a ";" in a session_save_path argument, followed by an allowed
   path. This causes a parsing inconsistency in which PHP validates
   the allowed path but sets session.save_path to the malicious path.
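   The validate/use mismatch behind CVE-2006-6383, modelled in Python as an
   added example (not PHP's code): a length-aware check looks at the path
   after ";" while a NUL-terminated copy is what gets stored. ALLOWED_BASE
   stands in for an open_basedir setting and is an assumed value.

```python
from typing import Optional

# Assumed stand-in for the open_basedir / safe_mode allow-list.
ALLOWED_BASE = "/var/lib/php/sessions"


def _c_string(s: str) -> str:
    """Emulate a NUL-terminated C string: bytes after the first NUL vanish."""
    nul = s.find("\x00")
    return s if nul < 0 else s[:nul]


def _inside_base(path: str) -> bool:
    """True if path is ALLOWED_BASE itself or a child of it."""
    return path == ALLOWED_BASE or path.startswith(ALLOWED_BASE + "/")


def vulnerable_set_save_path(arg: str) -> Optional[str]:
    """Model of the flawed behaviour described in the advisory.

    The argument may carry "N;MODE;path" prefixes, so the path component is
    taken after the last ';'. The check runs on the full, length-aware string,
    but the stored value is derived from a NUL-truncated copy, so the path
    that was checked and the path that is used can differ.
    """
    checked = arg.rsplit(";", 1)[-1]
    if not _inside_base(checked):
        return None
    # Returns what session.save_path actually becomes.
    return _c_string(arg).rsplit(";", 1)[-1]


def hardened_set_save_path(arg: str) -> Optional[str]:
    """Reject embedded NULs, then validate exactly the value that is stored."""
    if "\x00" in arg:
        return None
    path = arg.rsplit(";", 1)[-1]
    return path if _inside_base(path) else None


if __name__ == "__main__":
    # Constructed input: disallowed path, NUL, ';', then an allowed path.
    crafted = "/etc\x00;" + ALLOWED_BASE + "/app"
    print("vulnerable stores:", vulnerable_set_save_path(crafted))  # /etc
    print("hardened stores:  ", hardened_set_save_path(crafted))    # None
```

   The lesson for any setter that validates a derived value: check the exact
   string that will be used, and refuse inputs whose C-string and length-aware
   interpretations differ.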


   This security update also fixes some bugs reported by the Month of
   PHP Bugs project:

   MOPB-10-2007 / CVE-2007-1380: The php_binary serialization handler
   in the session extension in PHP before 4.4.5, and 5.x before 5.2.1,
   allows context-dependent attackers to obtain sensitive information
   (memory contents) via a serialized variable entry with a large length
   value, which triggers a buffer over-read.

   MOPB-16-2007 / CVE-2007-1399: Stack-based buffer overflow in the zip://
   URL wrapper in PECL ZIP 1.8.3 and earlier, as bundled with PHP 5.2.0
   and 5.2.1, allows remote attackers to execute arbitrary code via a
   long zip:// URL, as demonstrated by actively triggering URL access
   from a remote PHP interpreter via avatar upload or blog pingback.
   Note that this problem is caught by the FORTIFY_SOURCE protection in
   SUSE Linux 10.0 and newer products and only leads to a controlled
   abort of the PHP interpreter.

2) Solution or Work-Around

   There is no known workaround; please install the update packages.

3) Special Instructions and Notes

   Please close and restart all running instances of Apache after the update.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

     rpm -Fhv 

   to apply the update, replacing  with the filename of the
   downloaded RPM package.


   Our maintenance customers are notified individually. The packages are
   offered for installation from the maintenance web:

   SUSE SLES 10
     http://support.novell.com/techcenter/psdb/f36e1cd46e4c288ce275fae334efd2b8.html

   SLE SDK 10
     http://support.novell.com/techcenter/psdb/f36e1cd46e4c288ce275fae334efd2b8.html

   Open Enterprise Server
     http://support.novell.com/techcenter/psdb/9331ab8ca1a0615674f5dd979bd4b413.html

   Novell Linux POS 9
     http://support.novell.com/techcenter/psdb/9331ab8ca1a0615674f5dd979bd4b413.html

   SUSE SLES 9
     http://support.novell.com/techcenter/psdb/9331ab8ca1a0615674f5dd979bd4b413.html

   UnitedLinux 1.0
     http://support.novell.com/techcenter/psdb/301e29c1284be2d64596c7d1fbd6cca0.html

   SuSE Linux Openexchange Server 4
     http://support.novell.com/techcenter/psdb/301e29c1284be2d64596c7d1fbd6cca0.html

   SuSE Linux Enterprise Server 8
     http://support.novell.com/techcenter/psdb/301e29c1284be2d64596c7d1fbd6cca0.html

   SuSE Linux Standard Server 8
     http://support.novell.com/techcenter/psdb/301e29c1284be2d64596c7d1fbd6cca0.html

   SuSE Linux School Server
     http://support.novell.com/techcenter/psdb/301e29c1284be2d64596c7d1fbd6cca0.html

   SUSE LINUX Retail Solution 8
     http://support.novell.com/techcenter/psdb/301e29c1284be2d64596c7d1fbd6cca0.html

______________________________________________________________________________

5) Pending Vulnerabilities, Solutions, and Work-Arounds:

   See SUSE Security Summary Report.
______________________________________________________________________________

6) Authenticity Verification and Additional Information

  - Announcement authenticity verification:

    SUSE security announcements are published via mailing lists and on Web
    sites. The authenticity and integrity of a SUSE security announcement is
    guaranteed by a cryptographic signature in each announcement. All SUSE
    security announcements are published with a valid signature.

    To verify the signature of the announcement, save it as text into a file
    and run the command

      gpg --verify 

    replacing  with the name of the file where you saved the
    announcement. The output for a valid signature looks like:

      gpg: Signature made  using RSA key ID 3D25D3D9
      gpg: Good signature from "SuSE Security Team "

    where  is replaced by the date the document was signed.

    If the security team's key is not contained in your key ring, you can
    import it from the first installation CD. To import the key, use the
    command

      gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

  - Package authenticity verification:

    SUSE update packages are available on many mirror FTP servers all over the
    world. While this service is considered valuable and important to the free
    and open source software community, the authenticity and the integrity of
    a package needs to be verified to ensure that it has not been tampered
    with.

    There are two verification methods that can be used independently from
    each other to prove the authenticity of a downloaded file or RPM package:

    1) Using the internal gpg signatures of the rpm package
    2) MD5 checksums as provided in this announcement

    1) The internal rpm package signatures provide an easy way to verify the
       authenticity of an RPM package. Use the command

        rpm -v --checksig 

       to verify the signature of the package, replacing  with the
       filename of the RPM package downloaded. The package is unmodified if it
       contains a valid signature from build@suse.de with the key ID 9C800ACA.

       This key is automatically imported into the RPM database (on
       RPMv4-based distributions) and the gpg key ring of 'root' during
       installation. You can also find it on the first installation CD and at
       the end of this announcement.

    2) If you need an alternative means of verification, use the md5sum
       command to verify the authenticity of the packages. Execute the command

         md5sum 

       after you downloaded the file from a SUSE FTP server or its mirrors.
       Then compare the resulting md5sum with the one that is listed in the
       SUSE security announcement. Because the announcement containing the
       checksums is cryptographically signed (by security@suse.de), the
       checksums show proof of the authenticity of the package if the
       signature of the announcement is valid. Note that the md5 sums
       published in the SUSE Security Announcements are valid for the
       respective packages only. Newer versions of these packages cannot be
       verified.

  - SUSE runs two security mailing lists to which any interested party may
    subscribe:

    opensuse-security@opensuse.org
        -   General Linux and SUSE security discussion.
            All SUSE security announcements are sent to this list.
            To subscribe, send an e-mail to
                .

    suse-security-announce@suse.com
        -   SUSE's announce-only mailing list.
            Only SUSE's security announcements are sent to this list.
            To subscribe, send an e-mail to
                .

    ====================================================================
    SUSE's security contact is  or .
    The  public key is listed below.
    ====================================================================

SuSE: 2007-020: php security problems Security Update

March 15, 2007
Multiple bugs have been fixed in the PHP4 and PHP5 script interpreters

Summary


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SUSE Security Announcement

        Package:                php4,php5
        Announcement ID:        SUSE-SA:2007:020
        Date:                   Thu, 15 Mar 2007 12:00:00 +0000
        Affected Products:      SUSE LINUX 9.3
                                SUSE LINUX 10.0
                                SUSE LINUX 10.1
                                openSUSE 10.2
                                UnitedLinux 1.0
                                SuSE Linux Enterprise Server 8
                                SuSE Linux Openexchange Server 4
                                SuSE Linux Standard Server 8
                                SuSE Linux School Server
                                SUSE LINUX Retail Solution 8
                                SUSE SLES 9
                                Open Enterprise Server
                                Novell Linux POS 9
                                SLE SDK 10
                                SUSE SLES 10
        Vulnerability Type:     remote code execution
        Severity (1-10):        5
        SUSE Default Package:   no
        Cross-References:       CVE-2006-6383, CVE-2007-0906, CVE-2007-0907
                                CVE-2007-0908, CVE-2007-0909, CVE-2007-0910
                                CVE-2007-0911, CVE-2007-1380, CVE-2007-1399

    Content of This Advisory:
        1) Security Vulnerability Resolved:
             php5 and php4 security update
           Problem Description
        2) Solution or Work-Around
        3) Special Instructions and Notes
        4) Package Location and Checksums
        5) Pending Vulnerabilities, Solutions, and Work-Arounds:
            See SUSE Security Summary Report.
        6) Authenticity Verification and Additional Information

______________________________________________________________________________

1) Problem Description and Brief Discussion

   Multiple bugs have been fixed in the PHP4 and PHP5 script interpreters.

   These include the following security related problems:

   CVE-2007-0906: Multiple buffer overflows in PHP before 5.2.1
   allow attackers to cause a denial of service and possibly execute
   arbitrary code via unspecified vectors in the (1) session, (2) zip,
   (3) imap, and (4) sqlite extensions; (5) stream filters; and the (6)
   str_replace, (7) mail, (8) ibase_delete_user, (9) ibase_add_user,
   and (10) ibase_modify_user functions.

   CVE-2007-0907: Buffer underflow in PHP before 5.2.1 allows attackers   to cause a denial of service via unspecified vectors involving the
   sapi_header_op function.

   CVE-2007-0908: The wddx extension in PHP before 5.2.1 allows remote
   attackers to obtain sensitive information via unspecified vectors.

   CVE-2007-0909: Multiple format string vulnerabilities in PHP before
   5.2.1 might allow attackers to execute arbitrary code via format string
   specifiers to (1) all of the *print functions on 64-bit systems, and
   (2) the odbc_result_all function.

   CVE-2007-0910: Unspecified vulnerability in PHP before 5.2.1 allows
   attackers to "clobber" certain super-global variables via unspecified
   vectors.

   CVE-2007-0911: Off-by-one error in the str_ireplace function in PHP
   5.2.1 might allow context-dependent attackers to cause a denial of
   service (crash).

   CVE-2006-6383: PHP 5.2.0 and 4.4 allows local users to bypass safe_mode
   and open_basedir restrictions via a malicious path and a null byte
   before a ";" in a session_save_path argument, followed by an allowed
   path, which causes a parsing inconsistency in which PHP validates
   the allowed path but sets session.save_path to the malicious path.


   This security update also fixes some bugs reported by the Month of
   PHP bugs project:

   MOPB-10-2007 / CVE-2007-1380: The php_binary serialization handler
   in the session extension in PHP before 4.4.5, and 5.x before 5.2.1,
   allows context-dependent attackers to obtain sensitive information
   (memory contents) via a serialized variable entry with a large length
   value, which triggers a buffer over-read.

   MOPB-16-2007 / CVE-2007-1399: Stack-based buffer overflow in the zip://
   URL wrapper in PECL ZIP 1.8.3 and earlier, as bundled with PHP 5.2.0
   and 5.2.1, allows remote attackers to execute arbitrary code via a
   long zip:// URL, as demonstrated by actively triggering URL access
   from a remote PHP interpreter via avatar upload or blog pingback.
   Note that this problem is caught by the FORTIFY_SOURCE protection in
   SUSE Linux 10.0 and newer products, where it only leads to a controlled
   abort of the PHP interpreter.

2) Solution or Work-Around

   There is no known workaround, please install the update packages.

3) Special Instructions and Notes

   Please close and restart all running instances of Apache after the update.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

     rpm -Fhv <file.rpm>

   to apply the update, replacing <file.rpm> with the filename of the
   downloaded RPM package.


   x86 Platform:

   openSUSE 10.2:
             f2f48e532fef257c6e7a9594b395bbbd
             503528c34dd46c11b626a1115e4e7acc
             f0d2552bdec0eeb3ab8bf2545ba3cddb
             bf3d450e2eb99b34a06daf7513983471
             f818ce63be457d9c1a1239cb4df43140
             21e05debffe309a6d726152c54f76051
             b0c379af470fca3c2f3f4c12182a4f7a
             cb7afff7393ef5e7fe9a40787decb6f9
             0951fe02fb2f0c604dbcc8ac5eeaf16c
             3dd7c25a21d2a484ca879904f3bee4a9
             4a813bc9d22f5a9e7764f4ac6685609d
             098c31663c9da3e220773c7f02d0c0fd
             f439e2e8c687ce0dbd07b9575a4365f3
             02d86d4c8630df2a1c011a0b8b36bce3
             0ef98613fdd02136e71e41c8140172db
             fe27a4c38d1a60a263ee224759e3ac44
             72593a052c560bf67e13b0023f3853cf
             a28748136ac0c812336dbb526a640388
             a6fddefdd69e1cd16a2dbc05a00d307c
             e4fc9ceaf7f994f7d071984b27986cb5
             c1e3ca85fcf3eab7528c08d96d87b2ba
             93b3138e1440d984979131c4b6811c83
             5130d3ba12debbce19e36104880dc379
             f3328696c8419532be94f0c9a9e17b2d
             ce718ed9e21a8ff508da8c27a270e703
             7cdc2d0d8fa4848dac1f8fca234082c5

   SUSE LINUX 10.1:
             3927e0480ecf4c74be6b5a8cc1060eb0
             c4cedba0d109f6ceffaa13a6bf682e7e
             a8fd499fa084131487ec38812b64e8b1
             e22cac0de384f810e51c2e677c0beded
             ed084d4f73e420ac65bbb6478ea90d94
             805c64b2bcd4acc30457292c4727c3cf
             632ab11aa56d0e845a32ecc08d8d0c2b
             6253f962a8ea1edd629d9fafebca88d3
             00e6376b3ea3ed8eef975ded52a2652d
             369c20a57b8040440ff7d7e25b00206f
             b0932eb0d69a3416e507bd3f9f0c1c8d
             039b6caa677523d29bcbfb4c7c28171b
             f94f405677516b60a1c5dffcd5d81aa7
             82927d40442d020d64798565dd0301a2
             3e420f4f25f7dfd4b8cd9c325c687569
             ffde7c9bb5717808234d366e1a0df80a
             70b78fcb59a61b121b72a4672b32426b
             77d1917ebfb039869b07dbd3f73463db
             257ef91fab5b5ff97f7f2a3c641b852b
             67fd6fbfe544bf149dad76a187949588
             45f165b82620c8a7ec97da3ed835c825
             2841c3c4d8085801dbd078358e2d3120
             2a0db72494fa3c9a3600897660b879f2
             b9a3634905d99004644396707d9dd12e
             88d1174b3880fc99aaf6f9ad0f639d2c
             1932e85a7a064be2220e09a29b404227

   SUSE LINUX 10.0:
             ce1d9363eb0efdeeedea70eae077659a
             d928f472fa80d6c73723688297aaa32c
             707f34cea2252ae1d40f80bfbd7a2b65
             3aa9a918847df1f3a95e7501c28fdd0f
             b5e399b9ed76f9687b0691aeaf303989
             fcc4a39cc6f5c94ba268a02f13350c56
             0dcfff6ecd68539c58781c00e9874b53
             8c3801ddfa4777f3b58f2385112bd1e3
             df7885a9a69c5bbb3866a30b31744a1f
             b2e7e4f2625f414546cfe099173d37f2
             09f8fe0946bd6dcc6b41bbd1aaf00436
             33addc9de8ab5247f336211ef9c015d0
             afe58d2b22065a51a81a9ee03bb177e4
             98ef5c8ee8c37debb35b4be7bd4795e0
             2159657aefb7e679864d794266a230ee
             2ac681c5b3c5f6dfbec713aa00a75df0
             e3de03a595f64256ad9506e5bb05bae0
             96751ce807d72d437018d97d63a82d54
             707833a0c9377312de2eb3517fdb06c5
             f366c3f53d8d39a0ed258b6904b570f9
             2690790d45e14b5309731b86f5ee88ad
             b991a6bb83d0e60552ac441c7f2b2ba7
             1d3804bb3efe9e97cc9405c3c277ec02
             1ced5441f663014c78796844a672ac99
             abf2b770c25ce0f593b8cf5aa603d3f8
             84e4e07f2983d5f4f03731c3baaac83f
             d8cb2cc83f823e502ae6ca24ff65a9d8
             8536c90069d133cfef77f70647911d05
             e4363b38b9f803e5f7127240de2bcd55
             2a4482240e2e4205973fcbd13023400a
             ef2978fa60e61107842ea4a9fba29a94
             9d9369aa0bf820fde4ec8beca7ed9a9c
             1f64e8ec3d4dc75fca197ed080c5ea58
             f2854c347f1df295c8665ed0c3cee408
             219f71b053b5adfdc10bc981a914840a
             94f545526d60f3d9791023dec171c4de
             175b6bee59231a8f0821de0ef3e62708
             c3a909e0c962aea9294434c2ecd8f625
             f703e49dbf9f78f77b299cc0b2cef2d0
             e7a7868d5f63a672fd7a87480dc6bb77
             ec6963d22bb68e0ec3024fb8d4b6cd40

   SUSE LINUX 9.3:
             b64d7ea34f122ff8e4ee5dc84c93b88f
             76629e3c134e05c294d5ee117544acc2
             9fb5247d927e2b32f79a434358082e33
             1a6e808bc51cb4ba8c030c6dd3c5702c
             83a2ec6069c1ee73be65ff7639111294
             b2f89a8fd833330d7181b370fa3aadf8
             c8fb2468da1145b1d3a0185bd5a966b0
             0b421bcafe05955dc6c36cfbfb43ee58
             913d64b9b6cae70aa6052c995e44a226
             768f56aee0e7e87980b5fca599c00017
             5aeef12f372eb3c9dfc0e74bf59fbcca
             afa6ce46410733abef5979f8abfdeb04
             58ab5812623571cc7f9414a4e03949c9
             a2d6221d6bded4e29c14b96da228e72d
             d1166b80e8548e8f6e812191a2184505
             71990d9cf8819507c6bd69270335d50c
             71b45ae6fc694a409d3a75efe7996551
             e311d27cc61cd047f2fb8ee5fd37fa5d
             0ffdb01631d22f06cfea0c8b0010030b
             b37021436773bde8fb80fd1ce600cc2c
             8e25e4d8a92e0b0000517dd29b3413e6
             cba8aef706c8a77bbbe1f635465ffcdb
             fe6738ae4f9f9e0f01b21ffac3b82f0c
             41935fd3c56d91600938ccc257428adc
             7e610b3b503d663c46fc3e5649b729ec
             542df95c1575f41ff5fa41e205f4cbc3
             1e5916878e1b6878b48beb3c01a5acb3
             0262910f143b23d984ba50b2e08f2361
             ff696b891fea9466a6e79d823870727b
             5a6d4ce953115979cc1d871b4db3e070
             45da7460e75de58b6908dba002e0544b
             fbf8501fcabb5524d52c7f38f005d01a
             984403d4e005c35544e513c5652f3fff
             b7ba99118504fab1f9be54dec3bccb67
             7e86de685685af5f0876a375a54a03de
             ab74c1e6f503b99867a481e61f16d43f
             7605693d2583717f368a255944a27cb5
             d1a33171f22821d2c0805544d5d6983a
             93c363acc0194d21d9f5c27585d833fc
             3f17403906b03dd1ab8a4ddbff7f6bf8
             63b9061a3c379a19b1225a03920f91fa
             13fd64117d5407e7f6ca87ba22500049

   Power PC Platform:

   openSUSE 10.2:
             49370a0dac0af9a5d35b9c3b28d766ad
             91bdda88f54fc85e17b0e9f00a95518b
             4e7a334891c9e5049aee295b8a4c4b63
             5958c63254a663131ce88a052983638a
             09fb2c7747dd2f37e7cfced288d1e171
             3e22fb6fa31665f53a4b94bb12e7b18e
             9e3d96b8b3f86b7fa2460b6f7c7d82c5
             c49f1ef80d881fd5c8e545ebaa7b00cd
             e1d39a0fa46bbabe26e04885f35a5f28
             90c6e1db4a5b488ccc7699eb22afdc88
             c9f97777204d0a881a7c42e01bb16f04
             6c8777fe96a505a132b223ac8b21056a
             b7b9e653f01e0cbc0bbe485e53ad81f1
             35065a9c2a2b857b2f00f7b1a3e73c0c
             987da01184a438f28dc3c8f7cbc0b56c
             76c973da08f1d782a951374d474283f4
             fa821e797ecd0276bb88a0528d67405b
             1cd3cfabdb8dd36b7c3e7ee15c8e0404
             dfc209b1fee0fb75039bac84717a2370
             ba18af0da3667f2dcc87aea49cb13073
             59d20f1fe24c3d70f5fea4a1233cfdf6
             08f9b28ff19364d8eb4fd29642264038
             5fdb9372584b410de2501d7cd0908f8e
             e077f3a24ea9bab13f22065ac51abd9c
             fb14edcb82d13d48250488160fc96f2b
             27f8a733b70b5b3df9bcab5fd2e26605

   SUSE LINUX 10.1:
             96a8765eb048051895047b98b14cef79
             7f152ba79bf24394a3db4e1a4746fd9b
             8452c7f97658cc67fc7696b1cf5e2202
             6d89109092b50b323f529251c5b8dfa9
             11e429790c8c3b273a8fe5d3de2a5730
             de04a3a5aaf7794e9b62d1921f6ab19b
             a8849faaa13421176972ea3304e19aaf
             8abedac9d65993b5505abb8bde861df9
             1cf5ba89a4301274e0f6522fbf46786b
             9073d1860574d46aadfe11d3221e0f2c
             fad3f6cd03fa37ea5bed275d9d802bcb
             e5a6b5b333829d8e479edb9c26b70e2a
             8a6b54dec45bbe4890c3bc6d221fbd22
             5a15f6184aed34830276f59a8d441e35
             7ff6fbf4934a09ba47d09f6fb1c992ae
             6978dbf06c3a6e8bd1c159ef3b84c46a
             cd5c52bb5d8864869fa0882687a4a40a
             444322bafbe6c41f59320cdf08c3ee8e
             726ec744656ac7100a0cd7d4b1d1a4fc
             22559ce0e3c5c525f38f989238d1684b
             55bb9238a9932d679206f329d0c209ac
             afac8eb1a744c9dd4613d19cf95f651c
             db6069e3f3e98706463eb73bdd7729f6
             d7f0ec56d89508cdb6b02e1c9cce6cf5
             e194b94cc138f9765fb582afa9ef091f
             a5c84f731f22831ee6ccbe4b13435247

   SUSE LINUX 10.0:
             2e07d17e6a777b893c9526c9db744996
             760d7139a5d09b2d012112d32058a618
             1dfa7c78ff075809dff0a5471a1a88b6
             32e9ad8b13d43b28335e567e5a48eed6
             40ff643bebdfd44a38af18554f29ab9e
             59d340c1856945f0165b04c1f2420e24
             f3bff51a10bf47b8443b59947c9195c9
             e76e10edac3c6484152704068f9c0bb5
             7ae3436f4ee555608ac8c9e4aebe2b35
             d63bfae1763e0b3ad03f68ee8bb1de18
             05e60500a1e87eaa1baac699682efeea
             63980ae15254d7394ed32bc954522295
             0c888a0c88659d4bf5471a3be5f0831a
             273438360f55e1207d096eb2156bdfe8
             d99a9ad906511d7d11e19bb11da7284f
             2cfbfa4449c283f946c62053e28e47cb
             1d7704379ba7118f307da5351a426ed5
             0681bfaa2b5e66a6c1f02acb262700f3
             94481066b3a4c00263529fe7b5cdc696
             3d4c9be7f6bce2ee3b09b8d1ea1a3927
             005a5b23fbd021818b4307c8a9509832
             75cc453f1128bce8513159bfb86fb1ff
             05048c18601503c8ffdeab2b0a1635c1
             5af7337aa8964eb2eadb0d22c40ecb79
             45746aacd4d4beb608249d0fe7d18da2
             118b9ac1abf8b214938272bbde0bf38b
             dfe7ef4c738ea4506092c07d77889e61
             f5490695fbaa5bde29f0b59c58622b0c
             7a4e24ba512e78dfecebc2f6ec1e436d
             2129bba97312f6c3071fbbdab99d07f7
             533ebb1bfe2af508654e4444cf94f591
             c2c34c2c8d46416cb181f0dfac480cf9
             059f696f5241cfad83f450f0022fd925
             657db304cbbe3ee7971495d1eb5191d2
             1657b02e4c593b193a26d1d1f34c5004
             cd53e8ea3ed08ac9be063cc5f742dcd8
             6e6b8cf312472043135f7b7a993c24e4
             8670cdcffb49b9b611d117a52342bf84
             26223d4dcd3942c504c9da98e12e5907

   x86-64 Platform:

   openSUSE 10.2:
             6fc7baec7b5ec5ca6d3d07d74827aecc
             c66d9af139ad3b400508853dfeda09fd
             8035f925c26a0d4fb06e91e54b8c6d05
             17dd2121b6710e9ba18210ef531bec1e
             d95da72c9e77724d3b603ede1bb9c914
             80ad1109a779bfab84da41ad3207ef71
             5c23b8279a5a7073de28c855983214b1
             9cb38772ebb7de686872c6d82d648ab0
             99feebfe9a7630874a604af784f181f1
             1df97f146a31b34de52bda12a845112a
             0860a628bc53fb46d396e594e62cd3fd
             8b08709305f9a322df6de8e3f6bccf27
             a82697ed69ed138c77213abbebfcf853
             56376e6c7983e3232a786ce3b7be4aa7
             68e744f409ece9e3ebb54e1635cbea81
             8ad060629c9e4ecee5f4e5b1bead92e6
             bf08f399b780a8eefd9a1f573c780932
             e65570a8f2ea458189ff915928473b5b
             db54468157f4a51fe8326c873b8d1549
             00a8f2f1950d34746791d59261f5fb1a
             1530d575261ccd4b23c001d2312933f4
             c4dbd19e34ab84061524cadbe7cd2c4e
             192f1ff8ae9bb423185a62a28e521ad7
             98e74d43115262bf5c2acba07f465fbe
             b025401b4013248ec586278e3d1ce23b
             9cdcaee5b2f2e5c0c980e18168c321af

   SUSE LINUX 10.1:
             4fd8d3fa9744edd5d7f83f95efde8dbf
             f0c2f62a61536c536fc7823604f535ae
             af10d837432c9c73f1dba82d638cd3b2
             3d16d559e804d068804c7309357ce14a
             c2f82c5c554f2ff5fd94c427245f6075
             ada96bd2d11eefbae636d523f0a907fa
             aaf4d830ec47a2414d0549d8d2ec54d2
             f765f9ffc0227e75c5bed9da63a83b57
             3b2ea32c19c591563c7b190f250b7cea
             ff5fc5fcc18190628c179273efcb0fc0
             36e911e68dd41699ba5204709b77a92e
             c9ff817e3e3567ae57208f4741fae3a6
             39c26262a603f6435621efb4bedcc466
             e281185be8f10044c02c8fd072c50f75
             e1c9750409ed17ff024d6921d06f5eb2
             bb2606332148cc2ccb43421e95364fa0
             b75e42616ee017fa1af98ef0fb9abdfc
             aa3d99e202f326161d32a5492c95fd15
             2c4e75b9d7bc4fc950e64caa9d8849f2
             09042a4bb4fe75fe1d13910dc3b271be
             3ec76fa30dce97bf39a38b30349487a0
             0cb6f0ca7ca0d4ed78b60e99fc510b38
             742992ef40458fa2b94c9d1405d92701
             d1251f1b468f444e858b8be6c60e6a77
             90c1320bbc5e7354ba9d189a152c4559
             1e79521e5a2febd20ccfa3b0573c3432

   SUSE LINUX 10.0:
             925516a11b920e10489c1cf5bdf871eb
             f6f15dc828084191ec5d2e2641638371
             d8285a7d9a4631a3b136e3df02905ac4
             d1dea83ebba87c93da8c0c10cc50518f
             7f8be06667f3be70c50fff464396bc00
             f326c18b79cb38ae322d6fa4d017fc33
             0eae16871bdded2a254141349320cdc3
             e77f72fa9dcd5c221b95a72a7d28392f
             a0a6b70c368de79f4dc67e08ba669d38
             81f36a9101e13af4851cfd3352c970b8
             6446a1e4eaa2d7491d7e6cf77bafc605
             4b1dd084f492c2146461978c4b32e3f4
             2a376b42917264e6ca0272071394eca6
             a277896ba45191dfc4e8c1f227101aa3
             3a174a8827455f05f31cbcb64365c7ff
             de9be6eb9df1d511643e2556d8db3e15
             8de27ff48379f08e3432ca68796fe4fb
             302e716290d6d25fe5e2856d686e1e6d
             67c3765f4c290ec2374601cb37fb14dc
             84e87d9548fdc8e58d25c21b32785d61
             412ee31631d23f0ea69a49b6f3476855
             5d665cecdb179352d9daee78ae341d3c
             8e73ad5f45a549b415e2f0377de76a90
             03a0a80e990d92e864d48bcd60c95677
             bc51d867ec17930815a177831072f623
             797ac418702fa602aae8954c9015d613
             00e4f452b244b388f992ce71e0877b2d
             a30de85bf0749d4d2926b65d24234c4c
             063d3d4eb77d8c6d3fff329384f02c0a
             70464454a2fceab33e4cea0b254d7e51
             df8ff7a4420eb8ba7033f333a87bae43
             d22609c830fe2374d836acd72396740f
             3c3c04769a76c72ecc861a2885e17ec7
             30d795b17a5466d9b084804558ad9752
             df3ef7d2905ae6d7cf142b32f572aad6
             4c7cc9ec050f864d7a59a7279cddeaa7
             25c9dce3ae41bb304979a849e4053442
             d342f0ede7e2c551981c0c21da51e730
             c7112ad40246f8266184ec7ef8b7d3fa
             dbf8bf0d818a3546bc6afb376c89b401
             87332ebcf13f46c8b5c688cab2866058
             f2c73bc637cd12522ae8c86f70a62ad1

   SUSE LINUX 9.3:
             24c98fc36a7faedeb779ee3b4e7f73d5
             f149fb043389b18f07636d5420d04859
             e4b857236ec89f4df684f395fe2a61f7
             19beaafa8455cb98942d0f3d5b02040b
             020249f005fc4c83ddc82d93a9af555d
             b5f0f23719fee99f7be239f4626bfaf8
             c107e9024a50fa776cc86f1b92772b38
             32e519b534c9cb80317846887c72ed48
             05364fe8e32876398df9969cdc3449d3
             ec18bfb5c0951198107b689ebb10ad43
             1e16bdfb510fb7fa16d83f8b4cd0785f
             2b55db2d8f7e96ede5620e0d8f7eae1f
             1ba53024f74739ce15112572c2a4bda0
             61a8c92d790f1c57de862ca0a9f4ecb4
             5f29a4a5e1070e69392839babfc9d807
             df12f1e25c87c6759e9345e43b581aad
             0dd8c6e5334e71c05d9ca288d47d02cc
             90c2e65ea424eec06c2bfa8f66e3723a
             37037d199b1b98deaac852867a598c40
             49e60a5c8a34eb49259d7715ec41997f
             ec2da88d11ffc3f4bd44e208b5a067fa
             7d92a633ec5c977ec9a6a397c95f6b93
             3e8bd1deb04c3c43f6cb93c48f71aba8
             e7e43bd96742374b7ab5863b685a28b3
             d5b0ab6c51eed967c8349436bcfdff45
             cdef9f778140ce0b1e1341c7825a44af
             591036b10c3fd895ec839670e2ed054d
             d93d1069b2fa4d18c362ce32196b3e28
             165d04fe427b8aa5156a5e25e382855b
             dec99b3448519cc4de53ecc46de2d857
             d59f0276ea7d364677954f97b4d75a34
             758be866ae6ac8579d2f35f061832b72
             aaff90fa07e919e693d28775d8bb9836
             d37113b54225deaf5429e0a500ab1bce
             3b18b0e056a97101eaacdfb6ba0afb66
             5a2d02e6e6ee2d9f1d835084356598bb
             1df56255aeaacdbb2f3cda07f4415bc0
             2d1022c22576ab61220752954d3d2c6b
             61ccceb26be012b279c3ad6c7caefd64
             3a21ebb1f5044c1230b4951bb49b3108
             368d4b69de42fd1710c7e0d2578fe124
             8e19f2b753c8db27b07fb9fa19390e78
             0ab3c2307a3acf9da9fda3f7b7fc58d1

   Sources:

   openSUSE 10.2:
             a1df0dc4add87807ff937b0b03d3e2f1

   SUSE LINUX 10.1:
             1d5a89b185eb0dd5a5b62f4b711dc2ac

   SUSE LINUX 10.0:
             bc4579898653534197b3203e5b2c8c17
             6993a1bafdb3a19e1a66e5eda2d862ef

   SUSE LINUX 9.3:
             f87c049c55af281c456769dc620b0ee7
             ce9e2f1c8500dbb0b8b1edead40d2550

   Our maintenance customers are notified individually. The packages are
   offered for installation from the maintenance web:

   SUSE SLES 10
     http://support.novell.com/techcenter/psdb/f36e1cd46e4c288ce275fae334efd2b8.html

   SLE SDK 10
     http://support.novell.com/techcenter/psdb/f36e1cd46e4c288ce275fae334efd2b8.html

   Open Enterprise Server
     http://support.novell.com/techcenter/psdb/9331ab8ca1a0615674f5dd979bd4b413.html

   Novell Linux POS 9
     http://support.novell.com/techcenter/psdb/9331ab8ca1a0615674f5dd979bd4b413.html

   SUSE SLES 9
     http://support.novell.com/techcenter/psdb/9331ab8ca1a0615674f5dd979bd4b413.html

   UnitedLinux 1.0
     http://support.novell.com/techcenter/psdb/301e29c1284be2d64596c7d1fbd6cca0.html

   SuSE Linux Openexchange Server 4
     http://support.novell.com/techcenter/psdb/301e29c1284be2d64596c7d1fbd6cca0.html

   SuSE Linux Enterprise Server 8
     http://support.novell.com/techcenter/psdb/301e29c1284be2d64596c7d1fbd6cca0.html

   SuSE Linux Standard Server 8
     http://support.novell.com/techcenter/psdb/301e29c1284be2d64596c7d1fbd6cca0.html

   SuSE Linux School Server
     http://support.novell.com/techcenter/psdb/301e29c1284be2d64596c7d1fbd6cca0.html

   SUSE LINUX Retail Solution 8
     http://support.novell.com/techcenter/psdb/301e29c1284be2d64596c7d1fbd6cca0.html

______________________________________________________________________________

5) Pending Vulnerabilities, Solutions, and Work-Arounds:

   See SUSE Security Summary Report.
______________________________________________________________________________

6) Authenticity Verification and Additional Information

  - Announcement authenticity verification:

    SUSE security announcements are published via mailing lists and on Web
    sites. The authenticity and integrity of a SUSE security announcement is
    guaranteed by a cryptographic signature in each announcement. All SUSE
    security announcements are published with a valid signature.

    To verify the signature of the announcement, save it as text into a file
    and run the command

      gpg --verify <file>

    replacing <file> with the name of the file where you saved the
    announcement. The output for a valid signature looks like:

      gpg: Signature made <DATE> using RSA key ID 3D25D3D9
      gpg: Good signature from "SuSE Security Team <security@suse.de>"

    where <DATE> is replaced by the date the document was signed.

    If the security team's key is not contained in your key ring, you can
    import it from the first installation CD. To import the key, use the
    command

      gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

  - Package authenticity verification:

    SUSE update packages are available on many mirror FTP servers all over the
    world. While this service is considered valuable and important to the free
    and open source software community, the authenticity and the integrity of
    a package needs to be verified to ensure that it has not been tampered
    with.

    There are two verification methods that can be used independently from
    each other to prove the authenticity of a downloaded file or RPM package:

    1) Using the internal gpg signatures of the rpm package
    2) MD5 checksums as provided in this announcement

    1) The internal rpm package signatures provide an easy way to verify the
       authenticity of an RPM package. Use the command

        rpm -v --checksig <file.rpm>

       to verify the signature of the package, replacing <file.rpm> with the
       filename of the RPM package downloaded. The package is unmodified if it
       contains a valid signature from build@suse.de with the key ID 9C800ACA.

       This key is automatically imported into the RPM database (on
       RPMv4-based distributions) and the gpg key ring of 'root' during
       installation. You can also find it on the first installation CD and at
       the end of this announcement.

    2) If you need an alternative means of verification, use the md5sum
       command to verify the authenticity of the packages. Execute the command

         md5sum <filename>

       after you downloaded the file from a SUSE FTP server or its mirrors.
       Then compare the resulting md5sum with the one that is listed in the
       SUSE security announcement. Because the announcement containing the
       checksums is cryptographically signed (by security@suse.de), the
       checksums show proof of the authenticity of the package if the
       signature of the announcement is valid. Note that the md5 sums
       published in the SUSE Security Announcements are valid for the
       respective packages only. Newer versions of these packages cannot be
       verified.
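   As an added example, not part of this announcement and not SUSE's own
   tooling, the following POSIX shell script performs the two package checks
   described above: it extracts the MD5 sum a saved announcement lists for a
   package (assuming the announcement's usual "<md5sum>  <filename>" line
   layout, which the copy of the checksum list above has lost), compares it
   with the downloaded file, and, where rpm is installed, runs
   rpm -v --checksig and looks for the 9C800ACA key ID in its output. The
   package name and the one-line announcement excerpt in the demo are
   constructed stand-ins.

```shell
#!/bin/sh
# Added example, not part of the SUSE announcement or of SUSE's own tooling.
# Verifies a downloaded update package the two ways section 6 describes:
#   1) the RPM's internal gpg signature, via rpm -v --checksig
#   2) its MD5 sum against the list in the (signed) announcement
# Assumption: the announcement's checksum lines read "<md5sum>  <filename>".

# Print the MD5 sum the announcement lists for FILENAME, or nothing if the
# package is not listed (e.g. a newer package version, which the announcement
# says cannot be verified this way).
expected_md5() {
    announcement=$1; filename=$2
    awk -v f="$filename" '$2 == f { print $1; exit }' "$announcement"
}

# Print the MD5 sum of a local file (md5sum prints "<sum>  <path>").
local_md5() {
    md5sum "$1" | awk '{ print $1 }'
}

# Method 2: compare a downloaded package against the announcement.
# Returns 0 on match, 1 on mismatch, 2 if the package is not listed.
verify_md5() {
    announcement=$1; pkg=$2
    want=$(expected_md5 "$announcement" "$(basename "$pkg")")
    if [ -z "$want" ]; then
        echo "not listed in announcement: $pkg" >&2; return 2
    fi
    have=$(local_md5 "$pkg")
    if [ "$have" = "$want" ]; then
        echo "md5 OK: $pkg"; return 0
    fi
    echo "md5 MISMATCH: $pkg (have $have, want $want)" >&2; return 1
}

# Method 1: the package's own gpg signature. Needs rpm and the build@suse.de
# key (ID 9C800ACA) in the RPM database; the key ID is matched in rpm's
# output, whose exact wording varies between rpm versions (an assumption).
verify_rpm_sig() {
    pkg=$1
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available, skipping signature check" >&2; return 2
    fi
    if rpm -v --checksig "$pkg" | grep -qi 9c800aca; then
        echo "signature OK (key 9C800ACA): $pkg"; return 0
    fi
    echo "signature NOT from key 9C800ACA: $pkg" >&2; return 1
}

# Demonstration on constructed data: a stand-in "package" whose MD5 sum is
# the well-known sum of "hello\n", and a one-line announcement excerpt.
demo() {
    tmp=$(mktemp -d)
    printf 'hello\n' > "$tmp/php5-example.i586.rpm"   # constructed stand-in
    printf '             b1946ac92492d2347c6235b4d2611184  php5-example.i586.rpm\n' \
        > "$tmp/announcement.txt"                     # constructed excerpt
    verify_md5 "$tmp/announcement.txt" "$tmp/php5-example.i586.rpm"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo
```

   The MD5 comparison is only as trustworthy as the announcement it reads,
   so the script is meant to be run on a copy whose signature was already
   checked with gpg --verify as described above; a package that is not
   listed is reported separately from a mismatch, since the former only
   means the checksum list cannot vouch for that version.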

  - SUSE runs two security mailing lists to which any interested party may
    subscribe:

    opensuse-security@opensuse.org
        -   General Linux and SUSE security discussion.
            All SUSE security announcements are sent to this list.
            To subscribe, send an e-mail to
                .

    suse-security-announce@suse.com
        -   SUSE's announce-only mailing list.
            Only SUSE's security announcements are sent to this list.
            To subscribe, send an e-mail to
                .

    ====================================================================
    SUSE's security contact is <security@suse.de>.
    The <security@suse.de> public key is listed below.
    ====================================================================
