-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: samba
Announcement ID: SUSE-SA:2007:068
Date: Wed, 12 Dec 2007 09:00:00 +0000
Affected Products: SUSE LINUX 10.0
SUSE LINUX 10.1
openSUSE 10.2
openSUSE 10.3
UnitedLinux 1.0
SuSE Linux Enterprise Server 8
SuSE Linux Openexchange Server 4
SuSE Linux Desktop 1.0
SuSE Linux Standard Server 8
SuSE Linux School Server
SUSE LINUX Retail Solution 8
SUSE SLES 9
Novell Linux Desktop 9
Open Enterprise Server
Novell Linux POS 9
SUSE Linux Enterprise Desktop 10 SP1
SLE SDK 10 SP1
SUSE Linux Enterprise Server 10 SP1
Vulnerability Type: remote code execution
Severity (1-10): 7
SUSE Default Package: no
Cross-References: CVE-2007-6015
Content of This Advisory:
1) Security Vulnerability Resolved:
buffer overflow fixed in send_mailslot()
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
The Samba suite is an open-source implementatin of the SMB protocol.
This update of samba fixes a buffer overflow in function send_mailslot()
that allows remote attackers to overwrite the stack with 0 (via memset(3))
by sending specially crafted SAMLOGON packets.
This bug can only be triggered if option "domain logon" is enabled.
2) Solution or Work-Around
Please install the update.
3) Special Instructions and Notes
restart the samba daemon
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv
to apply the update, replacing with the filename of the
downloaded RPM package.
x86 Platform:
openSUSE 10.3:
0e5535e4f9c58befed9342a7ab1189ab
2a0a8ce1d69d105590e054cc301085e6
9354979f15b5abef17072f0203745ddf
74629f5f4b761042b30d9336c97e5b6f
dbcbee4977b3beeb2a46e5b56003604c
7a6c5f65bb9aed832cec9221e41f76ef
f04c0399479ecc681daa1330a187009b
92f8de627f39372775c46cc588000e31
1ee63cc24bb7862c3f80a492883a6e82
b7dcfa6d0918bb8b872901d14360824e
4a4c54c5e1bdc81d1072d547de7568bf
84c34910588e03462d122272b12abd22
c0da4925b38c010df8ea8cfbe22b17b8
68cdda40cb0ccd5bd66bc6d0c6a967b9
93cdaa0a3be9f28b1f72606cd7b13dfe
openSUSE 10.2:
afaa4c73ed2b630be1851db84b9c125d
7666f91e8d67dc1f8bee49e4cb0901eb
1601f1584035d7cb330067365af4acb4
b36d408ad52e39846e24c92546ff0517
3997a33f24a9f6c7fa02e5d4747f134f
6e3587e997434f4dab0c3cd531cbcc98
b6b9ad383af96ca2cd910785db95048d
b0d9d68df8b89a51a831d3cfa742ce71
37f8f48ac1843b8e97a7c987d7079e64
9b6c38491f7468a6a7615d436898fa5b
e4ab347d68622fc88ddc67a93d626eaf
ce4f8adcdbf52a0d5dd7f935e69639af
e955a157680e5b6247c18bc5034c82d1
SUSE LINUX 10.1:
2f05943a1460501e9ca60a4bd549da08
cd3711d293c3fe75869ec5988cc67573
686c003b70948a3be1fd08abfa1f3dcc
d1bcf481db15df72b33a08c3d7c3e5d9
6b57bda44d4f6ab9bb8f461d822f5788
7b273fe131866037e60772b159b1c5b0
845322afd91dddf6ac2dc8e0fbc39945
1c55254ce8e2deeae55b091bb8e94f87
7e2a2c98c8aca6585fe596e2a54eb88d
250037bcd87bc1bc224777c8e851228f
b30796df04b4a725e8d84f3f67c59db1
34acf5453bb5af282aef0ecd1f7abdb3
SUSE LINUX 10.0:
aa3510d45fee741cbc686ea61c80ec54
350c28feca2c5df9aa60126d7e1bb307
e3db796664063204bc235d770050dc55
2755f1fb5543a12616e6e5d63bd02fd9
6aff05575f28129adc6854e9bbb19d2b
5b46e739f2710e67832bf349b7d701de
f13a8777d576b78696f5093cc7ee29ff
d3eab9eace2d9f4f4da161aeb1ad7a16
720af50848e8fda98933c816a7ad556e
36ef7b26083b51ade9b0faf74c916834
51f4572af72d962929017527b7d5efdd
Platform Independent:
openSUSE 10.3:
39467dee7de97fbfe021ad192ef3d572
openSUSE 10.2:
a1b924be38bc5da02cf397271403fb15
SUSE LINUX 10.1:
5926d68856a69a339b6f9932ccd8b1fd
Power PC Platform:
openSUSE 10.3:
0cd62968d1c4aa6d9211c3439a117a68
a6f9195f03ab26487b52f60fd78698ed
6a185e53ce56877e6ce11553820eabe7
9a34657070463217e9e9df9687143d60
c5f7822d14047a6bcc5f9be210ef6e7b
a3b16e3141481d5f1790324f03833d61
c42d71369f0149e83c55ebb7181588a3
56bfac393c26f8ed185cf288c0ec3284
07d93ee1ba0f8ba800dd225d4b9f952a
2b3b282ca2d9a71ac62ab4419345016b
1f01b5a13517cc5ccf12528c8b50d68a
05a65ebf61b618b1c4c4db4ab5f8ca33
f3be951b3cfdc871ff36e592d498e4b3
74292b93b66f7b2bbefb5187adfed6e4
4b281ee450b53b2982e5183e35b2f5c9
openSUSE 10.2:
f2444c5e913e2d84a6cded6c5c794ee6
78c64dc20ebb8a3a6a175f15d504d92c
db9db8c1ecfc417ec2f2720d42940d70
58a63d9a08dcd9a13129fd1f880fa1b6
d64260ddfa5bc6b5e3c9c3c2447c8f0f
5c7c53ccd7b10d89165bcbed29aded9e
eed181f7254fed5b96356607c6d03389
026fba74fd7dceab4eab79eb8bef8d45
36877bb2af6e0cc2acef236e242e5b52
d28ad04339a82d79124ad9abedd2dcf6
f42c732902e8af6717129cc14a6a974f
4ee6aa7c5a5dfb0fc0bf91c5ce170b18
98521632e3273836892abfc9a8850ec8
SUSE LINUX 10.1:
f0e56f33899d4868cd4ae6ac7d6eacab
481cabc078d52395d07a03afb9260a43
f460869c64684d95096e1331586dacdb
acf03549cb101d7173c0412e12edad1d
d53304f19b32f5b93a62e0efb69cb039
205ac90f2737fd0d12bec7c21c718a49
88304fbd17ff4f68bff897f83a4eed71
e85c92e8e1069b727de46dc8dba21178
7310693b8985014d3c0e49be93108507
c54bf91f4bf84ee9087aa5f6631c849e
b0f48534514cbfbcccbcaef082c279ee
75c135d1bc2c0242ee467b1ff61da8e8
SUSE LINUX 10.0:
73b81b3856589b55b94fda3dc519f9ec
69e4ba509db113d219bd6d6b4514d74f
67be23ebf3c5690c69daa724c11ca546
4ad9822904c9c1a730ea98ad94b6912c
132d85fe5bafdde591937e905ed1dfdf
28c59d931ef479e419382b1f1c1c10ca
21b923582b3179d48eee80a6204a9f5d
68c41fccb41731ab0b82152c42503fb7
3317974bcf40ecd486874ed515dfbdaa
bed5f00541dbf418ee2c266daa92c6a7
f378061ff72f1d7f2e2512d291575cb9
x86-64 Platform:
openSUSE 10.3:
af0f7a523a45b6db682fe22baa726478
c74da5b770b833e83c2de23763e19d9b
ba8a8c86b2abc2dd07638a14acf8a749
8502b0e45b25df6153622a2ec680d2c6
a2d40bf47101679f432acf277699ab1c
e2261330c01aa2cd610c01c31a3e71b3
8ac32adf2af43277ad39df05885cf004
9c92b0ad6910b5a91801118fd53a3f14
c6b097b4292fec495b59ba09354b12cf
b55934f29d8a486d2abc3b2b4536e7d3
e67397a0cdcca4ffe33d458a078a71ab
216ec6be569f63742ecbf4a787e1824b
068f0ceb354a0f0741c1f1a743710dc0
c138f629b99d53769e8f18581578991d
3a001c4d1796128725e1ead04732ece1
d3cad141787e3e564d2bfd88823261e3
3479f65df3061ec6fe2f4c5f5d3e4364
b24df7dd9097e4c35385fa60d638aea2
08ca3c1773eccba6cebe600f0198bc57
openSUSE 10.2:
9081c59e9c88c537f7fecb4999070fa1
5b5d5cc40f7b51b5473c2effec7a961d
b5f5bbd929ccbfb4fdeef987f1a0a7f2
3e0f3ac7cbcc182a66f99ce147812123
64377e86d45de128b22af942cab575ea
8e21116ddd67f748ba49b453e64f16af
36a4c1b65cfdd027a4726b85df6d7e75
6bd4864e67f9450d119029b8744289ad
514f048e68196dc85787ed84a209be48
cec9ba17ea0abb1962bcbc9b8791f72a
af7c9a1aed49df4020a7720f5f5721f0
8d1faa3f69aeaaf9cc20d22c9dc369d9
39e1bdfdcca7e49a911efb00f33717e7
e7ac921e2ed73fce7463b0dbb2b96461
106e3660b76b9499501a0e61b01059c8
43465347bf1d998eeb3e40c3b50995a6
44fa9cfafb953cdc2e183dc8d6937acb
SUSE LINUX 10.1:
f399c965065c9d15fa9eb6c25d75dfd0
6ebe4219211e90da6771db9c5fa17e65
d268f0edf1ec53bdfdcc9193dab34a1a
a60678ede2d3c252b2dbc907585f9059
5de55c73b1addb72fec37b90ee33b5ab
d5e9f4362f7b93a23a89509b5529fab7
f0847fd830347f01686ff8ff10f01cfb
b3b21034e364084d9a0437943b126007
c01154efe5c8703ba2eefb765ad92c8b
fe1c09a1bd074c5b5eafdffa6dbe8690
754ec0cfbd5dc4f698c8d5d1ee6fac6b
c657a9008ec9c024efbb58938e922c73
7b3a2dab4dcd936e9e9cc3165a9d5a9f
e87a1a9191785d22210da556bd31da5f
dff37b747c895070babb9638702a3750
827202c10aeeb251e2e40a0065abb0ab
SUSE LINUX 10.0:
2aad8134654b11f9fdfcb658ed8637a5
723e5b47831f247b8f5e37dca0a2bfdb
4a5a603903cb13158895e26baec491c5
29814d08bf2348e753a19819df3beb14
4bb34360311fad4524d5167a025b145c
99aaf715ae30f7774842f1eba35820f3
c2646918e6044d0052c36dab4ffd0e93
93ffe07900ccd4c5d8e0cbacfc5e5403
5226a870eb989b475cc6a871cc024cf3
73adc1b93d86c22df501076a9a41bb68
a0f2c6fbcb92acc477370ff5609e177c
35e2801afd91d1fd4f1663c61aaa7fb4
Sources:
openSUSE 10.3:
0c51e5e8c284b4a4d92e75c8e8eb8831
482dcc2dfce7d00c253ace3465400e6e
openSUSE 10.2:
6d6bcf35be28199114f4e43bba61f43b
4ed2b2447d2ef68f982e803270dc9b1b
SUSE LINUX 10.1:
3319209b169a2f45f066ab8934148b88
bb2e30f3bbcd5181e0d6ad6b6868d225
SUSE LINUX 10.0:
ae95f8c0dc92a4096ff84ab83c8753fd
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
UnitedLinux 1.0
http://support.novell.com/techcenter/psdb/62b9c0440dd934e47058664687d5b084.html
SuSE Linux Openexchange Server 4
http://support.novell.com/techcenter/psdb/62b9c0440dd934e47058664687d5b084.html
Open Enterprise Server
http://support.novell.com/techcenter/psdb/62b9c0440dd934e47058664687d5b084.html
Novell Linux POS 9
http://support.novell.com/techcenter/psdb/62b9c0440dd934e47058664687d5b084.html
Novell Linux Desktop 9
http://support.novell.com/techcenter/psdb/62b9c0440dd934e47058664687d5b084.html
SuSE Linux Enterprise Server 8
http://support.novell.com/techcenter/psdb/62b9c0440dd934e47058664687d5b084.html
SuSE Linux Standard Server 8
http://support.novell.com/techcenter/psdb/62b9c0440dd934e47058664687d5b084.html
SuSE Linux School Server
http://support.novell.com/techcenter/psdb/62b9c0440dd934e47058664687d5b084.html
SUSE LINUX Retail Solution 8
http://support.novell.com/techcenter/psdb/62b9c0440dd934e47058664687d5b084.html
SuSE Linux Desktop 1.0
http://support.novell.com/techcenter/psdb/62b9c0440dd934e47058664687d5b084.html
SUSE Linux Enterprise Server 10 SP1
http://support.novell.com/techcenter/psdb/62b9c0440dd934e47058664687d5b084.html
SLE SDK 10 SP1
http://support.novell.com/techcenter/psdb/62b9c0440dd934e47058664687d5b084.html
SUSE Linux Enterprise Desktop 10 SP1
http://support.novell.com/techcenter/psdb/62b9c0440dd934e47058664687d5b084.html
SUSE SLES 9
http://support.novell.com/techcenter/psdb/62b9c0440dd934e47058664687d5b084.html
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify
replacing with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team "
where is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig
to verify the signature of the package, replacing with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security@suse.de), the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security@opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
.
opensuse-security-announce@opensuse.org
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
.
==================================================================== SUSE's security contact is or .
The public key is listed below.
====================================================================
