PGP SIGNED MESSAGE
Hash: SHA1
SUSE Security Summary Report
Announcement ID: SUSE-SR:2006:022
Date: Fri, 08 Sep 2006 17:00:00 +0000
Cross-References: CVE-2006-2563, CVE-2006-2658, CVE-2006-3083
CVE-2006-3468, CVE-2006-3745, CVE-2006-4020
CVE-2006-4093
Content of this advisory:
1) Solved Security Vulnerabilities:
- heimdal potential setuid return value checking problems
- xsp directory traversal
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
- php4/php5 security update
- kernel security update
3) Authenticity Verification and Additional Information
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums
or download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Update.
- heimdal potential setuid return value checking problems
A potential security problem was fixed in the heimdal tools.
Missing setuid return checking might be used by local users
to escalate their privileges to root.
This is similar to the MIT krb5 problem as tracked by the Mitre
CVE ID CVE-2006-3083.
- xsp directory traversal
Insufficient path checks in the Mono/C# web server component 'xsp'
allowed remote attackers to access arbitrary files via relative
path names in the HTTP request. The affected code is only used
by mod_mono.
This issue has been assigned the Mitre CVE ID CVE-2006-2658 and
affected Enterprise Server 1 and SUSE Linux 9.2 up to 10.1.
2) Pending Vulnerabilities, Solutions, and Work-Arounds
- php4/php5 security update
We are currently QA testing fixes for several security problems in PHP4 and PHP5.
These include:
- The CURL module lacked checks for control characters (CVE-2006-2563))
- str_repeat() contained an integer overflow.
- ext/wddx contained a buffer overflow.
- memory_limit() lacked checks for integer overflows.
- A bug in sscanf() could potentially be exploited to execute arbitrary code (CVE-2006-4020)
- Corrupt GIF images could crash php.
We expect a release of the updates early next week.
- kernel security update
We are currently QA testing a kernel update fixing the following security problems:
- CVE-2006-3745: A double userspace copy in a SCTP ioctl allows
local attackers to overflow a buffer in the kernel,
potentially allowing code execution and privilege
escalation.
- CVE-2006-4093: Local attackers were able to crash PowerPC systems
with PPC970 processor using a not correctly disabled
privileged instruction ("attn").
- CVE-2006-3468: Remote attackers able to access an NFS of a ext2 or
ext3 filesystem can cause a denial of service
(file system panic) via a crafted UDP packet with
a V2 lookup procedure that specifies a bad file
handle (inode number), which triggers an error
and causes an exported directory to be remounted
read-only.
We hope to release the updates early next week.
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg <file>
replacing <filewith the name of the file containing the announcement.
The output for a valid signature looks like:
gpg: Signature made <DATEusing RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security (AT) suse (DOT) de>"
where <DATEis replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and integrity of a
package needs to be verified to ensure that it has not been tampered with.
The internal RPM package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v <file.rpm>
to verify the signature of the package, replacing <file.rpmwith the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build (AT) suse (DOT) de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on RPMv4-based
distributions) and the gpg key ring of 'root' during installation. You can
also find it on the first installation CD and included at the end of this
announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security (AT) suse (DOT) com
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-subscribe (AT) suse (DOT) com>.
suse-security-announce (AT) suse (DOT) com
- SUSE's announce-only mailing list.
SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<@suse.com>.
For general information or the frequently asked questions (FAQ)
send mail to <suse-security-info (AT) suse (DOT) comor
<suse-security-faq (AT) suse (DOT) com>.
SUSE's security contact is <security (AT) suse (DOT) comor <security (AT) suse (DOT) de>.
The <security (AT) suse (DOT) depublic key is listed below.
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security (AT) suse (DOT) de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build (AT) suse (DOT) de>
- PGP PUBLIC KEY BLCK
Version: GnuPG v1.4.2 (GNU/Linux)
+
=ypVs
- PGP PUBLIC KEY BLCK
PGP SIGNATURE
Version: GnuPG v1.4.2 (GNU/Linux)
=6HQM
PGP SIGNATURE