SuSE Essential and Critical Security Patch Updates - Page 800

SuSE: 2006-034: php4 bugfix update Security Update

data:image/svg+xml,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22%20viewBox=%220%200%20100%20100%22%3E%3C/svg%3E

In SUSE-SA:2006:031 we announced bugfixes for PHP4. In SUSE-SA:2006:031 we announced bugfixes for PHP4. Unfortunately the patches to fix CVE-2006-2657 contained a bug which made arrays work unreliable or not all and so broke several PHP applications. We have released fixed packages for this problem, as listed below.

LinuxSecurity.com Team
Jun 22, 2006

SuSE: 2006-033: awstats remote code execution Security Update

This update fixes remote code execution vulnerabilities in the WWW This update fixes remote code execution vulnerabilities in the WWW statistical analyzer awstats. statistical analyzer awstats. Since back porting awstats fixes is error prone we have upgraded it to upstream version 6.6 which also includes new features. Following security issues were fixed:

LinuxSecurity.com Team
Jun 20, 2006

SuSE: 2006-032: sendmail remote denial of service attack Security Update

The Mail Transfer Agent sendmail has a remote exploitable problem, The Mail Transfer Agent sendmail has a remote exploitable problem, where a specially crafted MIME messages can crash sendmail and block where a specially crafted MIME messages can crash sendmail and block queue processing. This issue is tracked by the Mitre CVE ID CVE-2006-1173 and CERT VU#146718.

LinuxSecurity.com Team
Jun 14, 2006

SuSE: 2006-031: php4,php5 problems Security Update

This update fixes the following security issues in the PHP scripting This update fixes the following security issues in the PHP scripting language, both version 4 and 5: language, both version 4 and 5: - Invalid characters in session names were not blocked. - CVE-2006-2657: A bug in zend_hash_del() allowed attackers to preventunsetting of some variables

LinuxSecurity.com Team
Jun 14, 2006

SuSE: 2006-030: PostgreSQL SQL injection attacks Security Update

Two character set encoding related security problems were fixed in the Two character set encoding related security problems were fixed in the PostgreSQL database server: PostgreSQL database server: CVE-2006-2313: Akio Ishida and Yasuo Ohgaki discovered a weakness in the handling of invalidly-encoded multibyte text data. If a client application processed untrusted input without respecting its e [More...]

LinuxSecurity.com Team
Jun 09, 2006

SuSE: 2006-029: rug Security Update

RedCarpet allows the remote administration of systems by running the rc RedCarpet allows the remote administration of systems by running the rc daemon (rcd) on the server side to accept SSL encrypted commands from the daemon (rcd) on the server side to accept SSL encrypted commands from the client. The tool rug is such a client application that can be run from command-line. The client does not ver [More...]

LinuxSecurity.com Team
May 31, 2006

SuSE: 2006-028: kernel Security Update

The Linux kernel has been updated to fix various security problems, The Linux kernel has been updated to fix various security problems, listed below. listed below. Note that some of the updates have already been released end of last week. - AppArmor in SUSE Linux 10.0 and SUSE Linux Enterprise Server 9 SP3

LinuxSecurity.com Team
May 31, 2006

SuSE: 2006-027: cron local privilege escalation Security Update

Vixie Cron is the default CRON daemon in all SUSE Linux based Vixie Cron is the default CRON daemon in all SUSE Linux based distributions. distributions. The code in do_command.c in Vixie cron does not check the return code of a setuid call, which might allow local users to gain root privileges if setuid fails in cases such as PAM failures or resource limits.

LinuxSecurity.com Team
May 31, 2006

SuSE: 2006-026: foomatic-filters shellcode injection Security Update

A bug in cupsomatic/foomatic-filters that allowed remote printer A bug in cupsomatic/foomatic-filters that allowed remote printer users to execute arbitrary commands with the UID of the printer users to execute arbitrary commands with the UID of the printer daemon has been fixed (CVE-2004-0801). While the same problem was fixed in earlier products, the fix got lost during package upgrade of fooma [More...]

LinuxSecurity.com Team
May 30, 2006

SuSE: 2006-025: cyrus-sasl-digestmd5 denial of service attack Security Update

If a server or client is using DIGEST-MD5 authentication via the cyrus-sasl If a server or client is using DIGEST-MD5 authentication via the cyrus-sasl libraries it is possible to cause a denial of service attack against the other libraries it is possible to cause a denial of service attack against the other side (client or server) by leaving out the "realm=" header in the authentication. This is [More...]

LinuxSecurity.com Team
May 05, 2006

SuSE: 2006-024: php4,php5 various security problems Security Update

This update fixes the following security issues in the scripting languages This update fixes the following security issues in the scripting languages PHP4 and PHP5: PHP4 and PHP5: - copy() and tempnam() functions could bypass open_basedir restrictions (CVE-2006-1494) - Cross-Site-Scripting (XSS) bug in phpinfo() (CVE-2006-0996) - mb_send_mail() lacked safe_mode checks (CVE-2006-1014, CVE-2006-101 [More...]

LinuxSecurity.com Team
May 05, 2006

SuSE: 2006-023: xorg-x11-server Security Update

Miscalculation of a buffer size in the X Render extension of the Miscalculation of a buffer size in the X Render extension of the X.Org X11 server could potentially be exploited by users to cause a X.Org X11 server could potentially be exploited by users to cause a buffer overflow and run code with elevated privileges. 2) Solution or Work-Around

LinuxSecurity.com Team
May 03, 2006

SuSE: 2006-022: MozillaThunderbird various problems Security Update

Various security bugs have been fixed in Mozilla Thunderbird, bringing Various security bugs have been fixed in Mozilla Thunderbird, bringing it up to bugfix level of version 1.0.8. it up to bugfix level of version 1.0.8. This also catches up on earlier Thunderbird security releases. Detailed list of issues and affected SUSE Linux versions:

LinuxSecurity.com Team
Apr 25, 2006

SuSE: 2006-021: Mozilla Firefox, Mozilla Suite various problems Security Update

A number of security issues have been fixed in the Mozilla browser A number of security issues have been fixed in the Mozilla browser suite and the Mozilla Firefox browser. suite and the Mozilla Firefox browser. These problems could be used by remote attackers to gain privileges, gain access to confidential information or to cause denial of service attacks. The updates of the Firefox packages bri [More...]

LinuxSecurity.com Team
Apr 20, 2006

SuSE: 2006-020: clamav various problems Security Update

Clamav was updated to version 0.88.1 to fix the following security Clamav was updated to version 0.88.1 to fix the following security problems: problems: - An integer overflow in the PE header parser (CVE-2006-1614). - Format string bugs in the logging code could potentially beexploited to execute arbitrary code (CVE-2006-1615).

LinuxSecurity.com Team
Apr 11, 2006

SuSE: 2006-019: freeradius authentication bypass Security Update

Insufficient input validation was being done in the EAP-MSCHAPv2 Insufficient input validation was being done in the EAP-MSCHAPv2 state machine of the FreeRADIUS authentication server. state machine of the FreeRADIUS authentication server. A malicious attacker could manipulate their EAP-MSCHAPv2 client state machine to potentially convince the server to bypass authentication checks. This bypassin [More...]

LinuxSecurity.com Team
Mar 28, 2006

SuSE: 2006-018: RealPlayer security problems Security Update

This update fixes the following security problems in Realplayer: This update fixes the following security problems in Realplayer: - Specially crafted SWF files could cause a buffer overflow andcrash RealPlayer (CVE-2006-0323). - Specially crafted web sites could cause heap overflow and lead toexecuting arbitrary code (CVE-2005-2922). This was already fixedwith the previously released 1.0.6 versi [More...]

LinuxSecurity.com Team
Mar 23, 2006

SuSE: 2006-017: sendmail remote code execution Security Update

The popular MTA sendmail is vulnerable to a race condition when handling The popular MTA sendmail is vulnerable to a race condition when handling signals. signals. Under certain circumstances this bug can be exploited by an attacker to execute commands remotely. Sendmail was the default MTA in SuSE Linux Enterprise Server 8. Later products use postfix as MTA.

LinuxSecurity.com Team
Mar 22, 2006

SuSE: 2006-016: xorg-x11-server local privilege escalation Security Update

A programming flaw in the X.Org X Server allows local attackers to A programming flaw in the X.Org X Server allows local attackers to gain root access when the server is setuid root, as is the default gain root access when the server is setuid root, as is the default in SUSE Linux 10.0. This flaw was spotted by the Coverity project. Only SUSE Linux 10.0 is affected, older products do not include [More...]

LinuxSecurity.com Team
Mar 21, 2006

SuSE: 2006-015: flash-player buffer overflow Security Update

A critical security vulnerability has been identified in the Adobe A critical security vulnerability has been identified in the Adobe Macromedia Flash Player that allows an attacker who successfully Macromedia Flash Player that allows an attacker who successfully exploits these vulnerabilities to take control of the application running the flash player. A malicious SWF must be loaded in the Flash [More...]

LinuxSecurity.com Team
Mar 21, 2006