-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SUSE Security Summary Report

        Announcement ID:        SUSE-SR:2010:014
        Date:                   Mon, 02 Aug 2010 15:00:00 +0000
        Cross-References:       CVE-2009-2625, CVE-2009-2663, CVE-2009-3560
                                CVE-2009-3700, CVE-2009-3720, CVE-2009-3826
                                CVE-2009-4270, CVE-2010-0211, CVE-2010-0212
                                CVE-2010-0395, CVE-2010-0438, CVE-2010-0547
                                CVE-2010-0653, CVE-2010-0731, CVE-2010-0733
                                CVE-2010-0787, CVE-2010-0926, CVE-2010-1166
                                CVE-2010-1169, CVE-2010-1170, CVE-2010-1321
                                CVE-2010-1325, CVE-2010-1411, CVE-2010-1459
                                CVE-2010-1507, CVE-2010-1512, CVE-2010-1628
                                CVE-2010-1639, CVE-2010-1640, CVE-2010-1869
                                CVE-2010-1975, CVE-2010-1993, CVE-2010-2023
                                CVE-2010-2024, CVE-2010-2055, CVE-2010-2059
                                CVE-2010-2063, CVE-2010-2067, CVE-2010-2074
                                CVE-2010-2077, CVE-2010-2228, CVE-2010-2229
                                CVE-2010-2230, CVE-2010-2231, CVE-2010-2251
                                CVE-2010-2451, CVE-2010-2452, CVE-2010-2480
                                CVE-2010-2494, CVE-2010-2532, CVE-2010-2713
                                CVE-2010-2785

    Content of this advisory:
        1) Solved Security Vulnerabilities:
            - OpenOffice_org
            - apache2-slms
            - aria2
            - bogofilter
            - cifs-mount/samba
            - clamav
            - exim
            - ghostscript-devel
            - gnutls
            - krb5
            - kvirc
            - lftp
            - libpython2_6-1_0
            - libtiff
            - libvorbis
            - lxsession
            - mono-addon-bytefx-data-mysql/bytefx-data-mysql
            - moodle
            - openldap2
            - opera
            - otrs            - popt
            - postgresql
            - python-mako
            - squidGuard
            - vte
            - w3m
            - xmlrpc-c
            - XFree86/xorg-x11
            - yast2-webclient
        2) Pending Vulnerabilities, Solutions, and Work-Arounds:
            none
        3) Authenticity Verification and Additional Information

______________________________________________________________________________

1) Solved Security Vulnerabilities

   To avoid flooding mailing lists with SUSE Security Announcements for minor
   issues, SUSE Security releases weekly summary reports for the low profile
   vulnerability fixes. The SUSE Security Summary Reports do not list or
   download URLs like the SUSE Security Announcements that are released for
   more severe vulnerabilities.

   Fixed packages for the following incidents are already available on our FTP
   server and via the YaST Online Update.

   - OpenOffice_org
     This update of OpenOffice_org does not allow macros written in Python to
     be executed without permission, CVE-2010-0395.
     This also provides the maintenance update to OpenOffice.org-3.2.1.
     Details about all upstream changes can be found at
     http://www.openoffice.org/development/releases/3.2.1.html
     Affected Products: SLE10-SP3, SLE11, openSUSE 11.0, 11.1, 11.2

   - apache2-slms
     Insufficient quoting of parameters in SLMS could allow for
     cross-site-request-forgery (CSRF) attacks (CVE-2010-1325).
     Affected Products: SLE11

   - aria2
     This aria2 update to 1.9.3 fixes a metalink name Directory Traversal
     issue (CVE-2010-1512).
     Affected Products: openSUSE 11.2
     
   - bogofilter
     This update of bogofilter/bogolexer fixes a heap based buffer underflow
     vulnerability which could be exploited to cause a denial of service or
     potentially execute arbitrary code (CVE-2010-2494).
     Affected Products: SLE11, openSUSE 11.0, 11.1, 11.2

   - cifs-mount/samba
     This update of the Samba server package fixes security issues and bugs.
     Following security issues were fixed:
     - CVE-2010-2063: A buffer overrun was possible in chain_reply code in
                      3.3.x and below, which could be used to crash the
                      samba server or potentially execute code.
     - CVE-2010-0787: Take extra care that a mount point of mount.cifs is
                      not changed during mount.
     - CVE-2010-0926: With enabled "wide links" samba follows symbolic links
                      on the server side, therefore allowing clients to
                      overwrite arbitrary files. This update changes the
                      default setting to have "wide links" disabled by default.
                      The new default only works if "wide links" is not set
                      explicitly in smb.conf.
     - CVE-2010-0547: Due to a race condition in mount.cifs a local attacker
                      could corrupt /etc/mtab if mount.cifs is installed setuid
                      root. mount.cifs is not setuid root by default and it is
                      not recommended to change that. 
     Affected Products: SLES9, SLE10-SP3, SLE11, openSUSE 11.0, 11.1

   - clamav
     This update fixes a off-by-one buffer overflow (CVE-2010-1640) and a
     crash while parsing PDFs (CVE-2010-1639, CVE-2010-2077) in clamav
     that can be used as a remote denial of service attack.
     Affected Products: SLES9, SLE10-SP3, SLE11, openSUSE 11.0, 11.1, 11.2

   - exim
     Two local vulnerabilities have been fixed in the exim MTA
     which allowed attackers to create arbitrary files or
     to change ownership of arbitrary files. CVE-2010-2023 and
     CVE-2010-2024 have been assigned to these issues.
     Affected Products: openSUSE 11.1, 11.2, 11.3

   - ghostscript
     Specially crafted postscript (.ps) files could cause buffer
     overflows in ghostscript that could potentially be exploited to
     execute arbitrary code (CVE-2010-1628, CVE-2010-1869, CVE-2009-4270)
     Additionally ghostscript, by default, reads some initialization files from
     the current working directory. Local attackers could potentially exploit
     that to have other users execute arbitrary commands by placing such
     files e.g. in /tmp (CVE-2010-2055).
     Affected Products: SLE11, openSUSE 11.0, 11.1, 11.2, 11.3

   - gnutls
     The ASN.1 parser for X.509 certificates used a wrong integer type for
     extracting a certficiate's serial number. On 64bit big-endian
     architectures this could result in bypassing CRL checks (CVE-2010-0731).
     Affected Products: SLES9

   - krb5
     This update fixes a denial-of-service vulnerability in kadmind. A
     remote attack can send a malformed GSS-API token that triggers a
     NULL pointer dereference.
     (CVE-2010-1321: CVSS v2 Base Score: 6.8 (MEDIUM) (AV:N/AC:L/Au:S/C:N/I:N/A:C))
     Affected Products: SLE10-SP3, SLE11, openSUSE 11.0, 11.1, 11.2

   - kvirc
     This update of KVirc fixes a remotely exploitable format string and
     directory traversal vulnerability (CVE-2010-2451, CVE-2010-2452).
     Additionally KVirc does not further allow remote client to send
     arbitrary CTCP commands. (CVE-2010-2785)
     Affected Products: openSUSE 11.1, 11.2, 11.3

   - lftp
     This update of lftp improves the filename handling of downloaded files
     to avoid downloading arbitrary content to unexpected locations (like
     .login). (CVE-2010-2251)
     Affected Products: openSUSE 11.0, 11.1, 11.2

   - libpython2_6-1_0
     This update of python has a copy of libxmlrpc that is vulnerable to
     denial of service bugs that can occur while processing malformed XML
     input.
     - CVE-2009-2625: CVSS v2 Base Score: 5.0: Permissions, Privileges,
                      and Access Control (CWE-264)
     - CVE-2009-3720: CVSS v2 Base Score: 5.0: Insufficient Information
     - CVE-2009-3560: CVSS v2 Base Score: 5.0: Buffer Errors (CWE-119)
     Affected Products: SLES9, SLE10-SP3, SLE11, openSUSE 11.0, 11.1, 11.2

   - libtiff
     This update of libtiff fixes several integer overflows that could lead
     to a corrupted heap memory. This bug can be exploited remotely with a
     crafted TIFF file to cause an application crash or probably to execute
     arbitrary code. (CVE-2010-1411)
     Affected Products: SLES9, SLE10-SP3, openSUSE 11.0, 11.1, 11.2

   - libvorbis
     This update of libvorbis fixes a memory corruption while parsing OGG
     files. This bug was exploitable by remote attackers to cause an
     application crash and could probably be exploited to execute arbitrary
     code.
     CVE-2009-2663: CVSS v2 Base Score: 6.8: Resource Management Errors (CWE-399)
     Affected Products: SLES9, SLE10-SP3, SLE11, openSUSE 11.0, 11.1, 11.2

   - lxsession
     lxsession-logout did not properly lock the screen before suspending,
     hibernating and switching between users which could allow attackers with
     physical access to take control of the system to obtain sensitive infor-
     mation and / or execute arbitrary code in the context of the user who is
     currently logged in (CVE-2010-2532).
     Affected Products: openSUSE 11.3

   - mono-addon-bytefx-data-mysql/bytefx-data-mysql
     Mono's ASP.NET implementation did not set the 'EnableViewStateMac'
     property by default. Attackers could exploit that to conduct cross-     site-scripting (XSS) attacks. (CVE-2010-1459)
     Affected Products: SLE10-SP2, SLE11, openSUSE 11.0, 11.1, 11.2

   - moodle
     Moodle was prone to several Cross-Site Scripting (XSS) vulnerabilities
     (CVE-2010-2228, CVE-2010-2229, CVE-2010-2230, CVE-2010-2231).
     Affected Products: openSUSE 11.0, 11.1

   - openldap2
     Specially crafted MODRDN operations can crash the OpenLDAP server.
     (CVE-2010-0211 and CVE-2010-0212)
     Affected Products: openSUSE 11.0

   - opera
     Opera was upgraded to the 10.60 release.
     - CVE-2010-0653: Opera permits cross-origin loading of CSS style sheets
                      even when the style sheet download has an incorrect
                      MIME type and the style sheet document is malformed,
                      which allows remote HTTP servers to obtain sensitive
                      information via a crafted document.
     - CVE-2010-1993: Opera 9.52 does not properly handle an IFRAME element
                      with a mailto: URL in its SRC attribute, which allows
                      remote attackers to cause a denial of service (resource
                      consumption) via an HTML document with many IFRAME
                      elements.
     Affected Products: openSUSE 11.0, 11.1, 11.2, 11.3

   - otrs     OTRS was prone to multiple SQL-injection vulnerabilities which could
     allow remote authenticated attackers to execute arbitrary SQL code via
     unspecified vectors. (CVE-2010-0438)
     Affected Products: openSUSE 11.0, 11.1, 11.2

   - popt
     This update fixes the problem where RPM misses to clear the SUID/SGID
     bit of old files during package updates. (CVE-2010-2059)
     Affected Products: openSUSE 11.0

   - postgresql
     This update of postgresql was pblished to fix several minor security
     vulnerabilities:
     - CVE-2010-1975: postgresql does not properly check privileges during
                      certain RESET ALL operations, which allows remote
                      authenticated users to remove arbitrary parameter
                      settings.
     - CVE-2010-1170: The PL/Tcl implementation in postgresql loads Tcl
                      code from the pltcl_modules table regardless of the
                      table's ownership and permissions, which allows remote
                      authenticated users, with database-creation privileges,
                      to execute arbitrary Tcl code.
     - CVE-2010-1169: Postgresql does not properly restrict PL/perl procedures,
                      which allows remote authenticated users, with database-
                      creation privileges, to execute arbitrary Perl code via
                      a crafted script.
     - CVE-2010-0733: An integer overflow in postgresql allows remote authen-                      ticated users to crash the daemon via a SELECT statement.
     Affected Products: SLE10-SP3, SLE11, openSUSE 11.0, 11.1, 11.2

   - python-mako
     Python-mako was prone to a Cross-Site Scripting flaw due to improperly
     escaped single quotes (CVE-2010-2480).
     Affected Products: openSUSE 11.2, 11.3

   - squidGuard
     Two buffer overflows in squidGard were fixed:
     - CVE-2009-3700: Buffer overflow in sgLog.c in squidGuard 1.3 and 1.4
                      allows remote attackers to cause a denial of service
                      (application hang or loss of blocking functionality)
                      via a long URL with many / (slash) characters, related
                      to "emergency mode."
     - CVE-2009-3826: Multiple buffer overflows in squidGuard 1.4 allow remote
                      attackers to bypass intended URL blocking via a long URL,
                      related to (1) the relationship between a certain buffer
                      size in squidGuard and a certain buffer size in Squid and
                      (2) a redirect URL that contains information about the
                      originally requested URL.
     Affected Products: openSUSE 11.1, 11.2, 11.3

   - vte
     VTE was vulnerable to an old title set+query attack which could be used
     by remote attackers to execute arbitrary code (CVE-2010-2713).
     Affected Products: openSUSE 11.2, 11.3

   - w3m
     w3m did not handle embedded nul characters in the common name and in
     subject alternative names of x509 certificates.
     CVE-2010-2074 has been assigned to this issue.
     This update also turns on verification of x509 certificates by default
     which was not the case before.
     Affected Products: SLE10-SP3, SLE11, openSUSE 11.0, 11.1, 11.2

   - xmlrpc-c
     This update of libxmlrpc is not vulnerable to denial of service bugs
     that can occur while processing malformed XML input.
     - CVE-2009-2625: CVSS v2 Base Score: 5.0: Permissions, Privileges,
                      and Access Control (CWE-264)
     - CVE-2009-3720: CVSS v2 Base Score: 5.0: Insufficient Information
     - CVE-2009-3560: CVSS v2 Base Score: 5.0: Buffer Errors (CWE-119)
     Affected Products: SLES9, SLE11

   - XFree86/xorg-x11
     X clients could cause a memory corruption in the X Render extension
     which crashes the X server (CVE-2010-1166).
     Affected Products: SLES9, SLE10-SP3

   - yast2-webclient
     WebYaST generates the secret key used to create session cookies
     after package installation. Since WebYaST appliances use
     pre-installed images all such instances end up using the same secret
     key (CVE-2010-1507).
     Affected Products: SLE11

______________________________________________________________________________

2) Pending Vulnerabilities, Solutions, and Work-Arounds

   none
______________________________________________________________________________

3) Authenticity Verification and Additional Information

  - Announcement authenticity verification:

    SUSE security announcements are published via mailing lists and on Web
    sites. The authenticity and integrity of a SUSE security announcement is
    guaranteed by a cryptographic signature in each announcement. All SUSE
    security announcements are published with a valid signature.

    To verify the signature of the announcement, save it as text into a file
    and run the command

      gpg --verify 

    replacing  with the name of the file containing the announcement.
    The output for a valid signature looks like:

      gpg: Signature made  using RSA key ID 3D25D3D9
      gpg: Good signature from "SuSE Security Team "

    where  is replaced by the date the document was signed.

    If the security team's key is not contained in your key ring, you can
    import it from the first installation CD. To import the key, use the
    command

      gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

  - Package authenticity verification:

    SUSE update packages are available on many mirror FTP servers all over the
    world. While this service is considered valuable and important to the free
    and open source software community, the authenticity and integrity of a
    package needs to be verified to ensure that it has not been tampered with.

    The internal RPM package signatures provide an easy way to verify the
    authenticity of an RPM package. Use the command

      rpm -v --checksig 

    to verify the signature of the package, replacing  with the
    filename of the RPM package downloaded. The package is unmodified if it
    contains a valid signature from build@suse.de with the key ID 9C800ACA.

    This key is automatically imported into the RPM database (on RPMv4-based
    distributions) and the gpg key ring of 'root' during installation. You can
    also find it on the first installation CD and included at the end of this
    announcement.

  - SUSE runs two security mailing lists to which any interested party may
    subscribe:

    opensuse-security@opensuse.org
        -   General Linux and SUSE security discussion.
            All SUSE security announcements are sent to this list.
            To subscribe, send an e-mail to
                .

    opensuse-security-announce@opensuse.org
        -   SUSE's announce-only mailing list.
            Only SUSE's security announcements are sent to this list.
            To subscribe, send an e-mail to
                .

    ====================================================================    SUSE's security contact is  or .
    The  public key is listed below.
    ====================================================================