SuSE: Weekly Summary 2009:004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID: SUSE-SR:2009:004
Date: Tue, 17 Feb 2009 10:00:00 +0000
Cross-References: CVE-2006-3835, CVE-2007-0184, CVE-2007-0185
CVE-2007-2377, CVE-2007-2449, CVE-2007-2450
CVE-2007-3382, CVE-2007-3385, CVE-2007-3386
CVE-2007-5333, CVE-2007-5342, CVE-2007-5461
CVE-2007-5613, CVE-2007-5615, CVE-2007-6286
CVE-2008-0002, CVE-2008-1232, CVE-2008-1586
CVE-2008-1947, CVE-2008-2235, CVE-2008-2370
CVE-2008-2938, CVE-2008-3231, CVE-2008-3651
CVE-2008-3652, CVE-2008-3663, CVE-2008-3796
CVE-2008-4577, CVE-2008-5086, CVE-2008-5233
CVE-2008-5234, CVE-2008-5235, CVE-2008-5236
CVE-2008-5237, CVE-2008-5238, CVE-2008-5239
CVE-2008-5240, CVE-2008-5241, CVE-2008-5242
CVE-2008-5243, CVE-2008-5244, CVE-2008-5245
CVE-2008-5246, CVE-2008-5247, CVE-2008-5248
CVE-2008-5250, CVE-2008-5252, CVE-2008-5256
CVE-2008-5302, CVE-2008-5557, CVE-2008-5587
CVE-2008-5658, CVE-2008-5718, CVE-2009-0030
CVE-2009-0310, CVE-2009-0313, CVE-2009-0416
CVE-2009-0490
Content of this advisory:
1) Solved Security Vulnerabilities:
- apache-jakarta-tomcat-connectors - apache2-mod_php5
- audacity
- dovecot
- libtiff-devel
- libvirt
- mediawiki
- netatalk
- novell-ipsec-tools
- opensc
- perl
- phpPgAdmin
- sbl
- sblim-sfcb
- squirrelmail
- swfdec
- tomcat5
- virtualbox
- websphere-as_ce
- wine
- xine-devel
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low-profile
vulnerability fixes. The SUSE Security Summary Reports do not list download
URLs the way the SUSE Security Announcements, which are released for more
severe vulnerabilities, do.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- apache-jakarta-tomcat-connectors
Two old but not yet fixed security issues in tomcat5 were spotted and
are fixed by this update:
CVE-2006-3835: Apache Tomcat 5 before 5.5.17 allows remote attackers to
list directories via a semicolon (;) preceding a filename with a mapped
extension, as demonstrated by URLs ending with /;index.jsp and /;help.do.
A cross-site scripting (XSS) vulnerability in certain applications using
Apache Tomcat allowed remote attackers to inject arbitrary web script or
HTML via crafted Accept-Language headers that do not conform to RFC 2616.
These issues were rated "low" by the Apache Tomcat team.
Affected products: SLES9
- apache2-mod_php5
This update of php5 fixes a directory traversal bug in ZipArchive
(CVE-2008-5658) and a buffer overflow in the mbstring extension
(CVE-2008-5557).
Affected products: openSUSE 10.3-11.1, SLE10-SP2
- audacity
Specially crafted GRO files could cause a stack-based buffer overflow in
audacity (CVE-2009-0490).
Affected products: openSUSE 10.3-11.1
- dovecot
Dovecot did not properly handle negative access rights, which allowed
attackers to bypass intended access restrictions (CVE-2008-4577).
Affected products: openSUSE 10.3-11.0
- libtiff-devel
Specially crafted TIFF images could cause large amounts of memory to be
allocated, thereby crashing applications that process such files
(CVE-2008-1586).
Affected products: openSUSE 10.3-11.1
- libvirt
libvirt was missing read-only connection checks for certain methods.
This flaw allowed local unprivileged users, for example, to migrate
virtual machines without authentication (CVE-2008-5086).
Affected products: openSUSE 10.3-11.1, SLE10-SP2
- mediawiki
Missing checks allowed remote attackers to conduct cross-site
scripting (XSS) or cross-site request forgery (CSRF) attacks against
MediaWiki (CVE-2008-5250, CVE-2008-5252).
Affected products: openSUSE 10.3-11.0
- netatalk
This update of netatalk adds a filter for characters in user-supplied
data passed to papd. Prior to this update it was possible to execute
arbitrary shell commands remotely (CVE-2008-5718).
Affected products: openSUSE 10.3-11.1, SLE10-SP2
- novell-ipsec-tools
Remote attackers could exploit memory leaks in the 'racoon' daemon
to crash it (CVE-2008-3651, CVE-2008-3652).
Affected products: openSUSE 10.3-11.0
- opensc
This update fixes a security issue in opensc that occurred when
initializing blank smart cards with Siemens CardOS M4. After the
initialization anyone could set the PIN of the smart card without
authorization (CVE-2008-2235).
NOTE: Already initialized cards are still vulnerable after this
update. Please use the command-line tool pkcs15-tool with the options
--test-update and, where necessary, --update.
Don't forget to reinitialize your smart cards if you are using cards
with Siemens CardOS M4 operating system that were initialized
using opensc!
Please find more information at
This is the second attempt to fix this problem. The previous update
was unfortunately incomplete.
Affected products: openSUSE SLE10-SP2
- perl
This perl update fixes a race condition in rmtree (CVE-2008-5302).
Affected products: openSUSE 11.0-11.1
- phpPgAdmin
Attackers could read arbitrary files due to a directory traversal
vulnerability in phpPgAdmin (CVE-2008-5587).
Affected products: openSUSE 10.3-11.1
- sbl
A buffer overflow in the sbl package has been fixed. Incoming data and
authentication strings were not checked properly. CVE-2009-0310 has
been assigned to this issue.
Affected products: openSUSE 10.3-11.0
- sblim-sfcb
A temporary file race condition in the genSslCerts.sh helper script could
be used by local attackers to gain root privileges (CVE-2009-0416).
Affected products: openSUSE 11.0-11.1
- squirrelmail
This update of squirrelmail corrects a problem introduced by a patch
for CVE-2008-3663 that caused cookies to be static (CVE-2009-0030).
Affected products: openSUSE 10.3
- swfdec
The free Flash decoder engine "swfdec" was updated to version 0.6.8
to fix many crashes which are likely security relevant and could
be exploited to remotely execute code (CVE-2008-3796).
Affected products: openSUSE 11.0
- tomcat5
Two old but not yet fixed security issues in tomcat5 were spotted and
are fixed by this update:
CVE-2006-3835: Apache Tomcat 5 before 5.5.17 allows remote attackers to
list directories via a semicolon (;) preceding a filename with a mapped
extension, as demonstrated by URLs ending with /;index.jsp and /;help.do.
A cross-site scripting (XSS) vulnerability in certain applications using
Apache Tomcat allowed remote attackers to inject arbitrary web script or
HTML via crafted Accept-Language headers that do not conform to RFC 2616.
These issues were rated "low" by the Apache Tomcat team.
Affected products: SLE10-SP2
- virtualbox
Insufficient checks on temporary files could allow users to trick
other users into overwriting arbitrary files (CVE-2008-5256).
Affected products: openSUSE 10.3-11.0
- websphere-as_ce
Websphere has been updated to version 2.1.0.1 to fix several
security vulnerabilities in the included subprojects, such as Apache
Geronimo and Tomcat (CVE-2007-0184, CVE-2007-0185, CVE-2007-2377,
CVE-2007-2449, CVE-2007-2450, CVE-2007-3382, CVE-2007-3385,
CVE-2007-3386, CVE-2007-5333, CVE-2007-5342, CVE-2007-5461,
CVE-2007-5613, CVE-2007-5615, CVE-2007-6286, CVE-2008-0002,
CVE-2008-1232, CVE-2008-1947, CVE-2008-2370, CVE-2008-2938).
Affected products: SLE10-SP2
- wine
A symlink vulnerability in the handling of temporary files in the
winetricks helper scripts was fixed (CVE-2009-0313).
Affected products: openSUSE 11.0-11.1
- xine-devel
This update of xine fixes multiple buffer overflows while parsing
files:
- CVE-2008-3231
- CVE-2008-5233
- CVE-2008-5234
- CVE-2008-5235
- CVE-2008-5236
- CVE-2008-5237
- CVE-2008-5238
- CVE-2008-5239
- CVE-2008-5240
- CVE-2008-5241
- CVE-2008-5242
- CVE-2008-5243
- CVE-2008-5244
- CVE-2008-5245
- CVE-2008-5246
- CVE-2008-5247
- CVE-2008-5248
These bugs can lead to remote code execution.
Affected products: openSUSE 10.3-11.0, SLES9, SLE10-SP2
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
none
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify
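The verification step above, written out as an added example (not part of the SUSE advisory). It goes one step further than a bare gpg --verify: a "good signature" from any key in the keyring is not enough, so the function also compares the signing key's fingerprint, read from gpg's machine-readable status output, against one you obtained out of band. EXPECTED_FPR is a placeholder, not the real SUSE key fingerprint.

```shell
#!/bin/sh
# Added example, not from the SUSE advisory. Verifies a clearsigned
# announcement saved as text and checks that the signature was made by
# the key you expect. EXPECTED_FPR below is a placeholder: replace it
# with the SUSE security key fingerprint obtained out of band.
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# verify_advisory FILE
#   returns 0  signature is good AND made by EXPECTED_FPR
#           1  gpg rejected it (bad, missing, or unknown-key signature)
#           2  gpg is not installed
#           3  signature is good but made by a different key
verify_advisory() {
    file="$1"
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    # --status-fd 1 prints "[GNUPG:] ..." status lines on stdout; the
    # VALIDSIG line carries the full fingerprint of the signing key.
    status=$(gpg --batch --status-fd 1 --verify "$file" 2>/dev/null) || return 1
    fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')
    [ -n "$fpr" ] || return 1
    [ "$fpr" = "$EXPECTED_FPR" ] && return 0
    echo "good signature, but from unexpected key $fpr" >&2
    return 3
}

# Usage: verify_advisory SUSE-SR-2009-004.txt && echo "authentic"
```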