Linux Security

  • SUSE Security Summary Report SUSE-SR:2006:021


    PGP SIGNED MESSAGE
    Hash: SHA1
    SUSE Security Summary Report
    Announcement ID: SUSE-SR:2006:021
    Date: Fri, 01 Sep 2006 17:00:00 +0000
    Cross-References: CVE-2006-2314, CVE-2006-3124, CVE-2006-3125
    CVE-2006-3468, CVE-2006-3694, CVE-2006-3745
    CVE-2006-4089, CVE-2006-4093, CVE-2006-4111
    CVE-2006-4112, CVE-2006-4434
    Content of this advisory:
    1) Solved Security Vulnerabilities:
    - dovecot character set injection
    - openldap2 self write access problems
    - gtetrinet remote buffer overflow
    - ruby "safe level" bypass
    - sendmail denial of service
    - rubygem-actionpack remote code injection
    - streamripper remote buffer overflow
    - alsaplayer remote buffer overflow
    2) Pending Vulnerabilities, Solutions, and Work-Arounds:
    - kernel security problems
    - php4/php5 security problems
    3) Authenticity Verification and Additional Information
    1) Solved Security Vulnerabilities
    To avoid flooding mailing lists with SUSE Security Announcements for
    minor issues, SUSE Security releases weekly summary reports for the
    low profile vulnerability fixes. The SUSE Security Summary Reports do
    not list md5 sums or download URLs like the SUSE Security Announcements
    that are released for more severe vulnerabilities.
    Fixed packages for the following incidents are already available on
    our FTP server and via the YaST Update.
    - dovecot character set injection
    Dovecot might have been affected by multibyte character set SQL
    injection issues such as those described in CVE-2006-2314.
    This patch fixes the MySQL and PostgreSQL backends to use the correct
    quoting methods when passing user-supplied strings.
    All SUSE Linux versions containing dovecot were affected by this
    problem.
    - openldap2 self write access problems
    A security problem was fixed in openldap concerning Access Control
    Processing that allowed users with "selfwrite" access to an
    attribute to modify arbitrary values of that attribute, instead of
    just allowing them to add/delete their own DN to/from that attribute.
    All SUSE Linux based products are affected by this problem.
    - gtetrinet remote buffer overflow
    Malicious tetrinet servers could overflow a buffer within the
    gtetrinet client, making it possible to execute code.
    This is tracked by the Mitre CVE ID CVE-2006-3125 and affects all
    SUSE Linux versions.
    - ruby "safe level" bypass
    A security fix for ruby was released. An attacker could bypass the
    "safe level" checks.
    This is tracked by the Mitre CVE ID CVE-2006-3694 and affects all
    SUSE Linux based products.
    - sendmail denial of service
    A denial of service problem in sendmail's header processing could
    be used to crash sendmail due to referencing a freed variable.
    This is tracked by the Mitre CVE ID CVE-2006-4434 and affects all
    SUSE Linux based products.
    - rubygem-actionpack remote code injection
    A remote code injection bug was fixed in rubygem-actionpack.
    The routing code allowed injection using specially crafted headers.
    This problem was assigned the Mitre CVE IDs CVE-2006-4111 and
    CVE-2006-4112 and affected only the SLE 10 SDK.
    - streamripper remote buffer overflow
    This update fixes a buffer overflow in the HTTP header parsing
    in streamripper.
    This bug can be exploited to cause a denial-of-service attack and
    possibly execute arbitrary code via crafted HTTP headers sent by
    malicious servers.
    This is tracked by the Mitre CVE ID CVE-2006-3124 and affects SUSE
    Linux 9.2 and 9.3.
    - alsaplayer remote buffer overflow
    Various bugs were fixed in alsaplayer that could lead to a denial of
    service or even buffer overflows caused by malicious remote servers.
    This problem is tracked by the Mitre CVE ID CVE-2006-4089 and
    affects SUSE Linux 9.2 and 9.3.
    2) Pending Vulnerabilities, Solutions, and Work-Arounds
    - kernel security problems
    We are currently QA testing kernel updates for all 2.6 based
    SUSE Linux based products to fix various security issues.
    Security issues to be fixed by this round of updates:
    - CVE-2006-3745: A double user space copy in a SCTP ioctl allows
    local attackers to overflow a buffer in the kernel,
    potentially allowing code execution and privilege
    escalation.
    - CVE-2006-4093: Local attackers were able to crash PowerPC systems
    with a PPC970 processor using a privileged instruction ("attn")
    that was not correctly disabled.
    - CVE-2006-3468: Remote attackers able to access an NFS of an ext2 or
    ext3 filesystem can cause a denial of service (file
    system panic) via a crafted UDP packet with a V2
    lookup procedure that specifies a bad file handle
    (inode number), which triggers an error and causes an
    exported directory to be remounted read-only. [#192988]
    - php4/php5 security problems
    We are also preparing new PHP4 and PHP5 update packages to fix
    the currently known PHP security problems. This affects all
    distributions.
    3) Authenticity Verification and Additional Information
    - Announcement authenticity verification:
    SUSE security announcements are published via mailing lists and on Web
    sites. The authenticity and integrity of a SUSE security announcement is
    guaranteed by a cryptographic signature in each announcement. All SUSE
    security announcements are published with a valid signature.
    To verify the signature of the announcement, save it as text into a file
    and run the command
    gpg <file>
    replacing <file> with the name of the file containing the announcement.
    The output for a valid signature looks like:
    gpg: Signature made <DATE> using RSA key ID 3D25D3D9
    gpg: Good signature from "SuSE Security Team <security (AT) suse (DOT) de>"
    where <DATE> is replaced by the date the document was signed.
    If the security team's key is not contained in your key ring, you can
    import it from the first installation CD. To import the key, use the
    command
    gpg
    - Package authenticity verification:
    SUSE update packages are available on many mirror FTP servers all over the
    world. While this service is considered valuable and important to the free
    and open source software community, the authenticity and integrity of a
    package needs to be verified to ensure that it has not been tampered with.
    The internal RPM package signatures provide an easy way to verify the
    authenticity of an RPM package. Use the command
    rpm -v --checksig <file.rpm>
    to verify the signature of the package, replacing <file.rpm> with the
    filename of the RPM package downloaded. The package is unmodified if it
    contains a valid signature from build (AT) suse (DOT) de with the key ID 9C800ACA.
    This key is automatically imported into the RPM database (on RPMv4-based
    distributions) and the gpg key ring of 'root' during installation. You can
    also find it on the first installation CD and included at the end of this
    announcement.
    - SUSE runs two security mailing lists to which any interested party may
    subscribe:
    suse-security (AT) suse (DOT) com
    - General Linux and SUSE security discussion.
    All SUSE security announcements are sent to this list.
    To subscribe, send an e-mail to
    <suse-security-subscribe (AT) suse (DOT) com>.
    suse-security-announce (AT) suse (DOT) com
    - SUSE's announce-only mailing list.
    SUSE's security announcements are sent to this list.
    To subscribe, send an e-mail to
    <@suse.com>.
    For general information or the frequently asked questions (FAQ)
    send mail to <suse-security-info (AT) suse (DOT) com> or
    <suse-security-faq (AT) suse (DOT) com>.
    SUSE's security contact is <security (AT) suse (DOT) com> or <security (AT) suse (DOT) de>.
    The <security (AT) suse (DOT) de> public key is listed below.
    The information in this advisory may be distributed or reproduced,
    provided that the advisory is not modified in any way. In particular, the
    clear text signature should show proof of the authenticity of the text.
    SUSE Linux Products GmbH provides no warranties of any kind whatsoever
    with respect to the information contained in this security advisory.
    Type Bits/KeyID Date User ID
    pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security (AT) suse (DOT) de>
    pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build (AT) suse (DOT) de>
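The announcement check described in section 3 above, scripted as an added example that is not part of the advisory or SUSE's own tooling: it reads gpg's machine-readable status lines and accepts the file only if a good signature names the key ID the advisory gives. The function names and the sample status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not SUSE's code). Function names are hypothetical.
# Key ID as printed in the advisory for the SuSE Security Team key.
EXPECTED_KEYID="3D25D3D9"

# Constructed sample of `gpg --status-fd 1 --verify` output; the upper half of
# the long key ID ("AAAAAAAA") is a placeholder, not the real key's value.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAA3D25D3D9 SuSE Security Team <security (AT) suse (DOT) de>'

# sig_status_ok KEYID: reads gpg status lines on stdin. Succeeds only when at
# least one GOODSIG names a key ID ending in KEYID and no line reports a bad,
# unverifiable, expired or revoked signature, or a good one from another key.
sig_status_ok() {
    awk -v want="$1" '
        BEGIN { want = toupper(want) }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "GOODSIG" {
            id = toupper($3)
            n = length(id) - length(want)
            if (n >= 0 && substr(id, n + 1) == want) ok = 1
            else bad = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_announcement FILE: run gpg on a saved announcement and apply the check.
# Human-readable messages go to stderr and are discarded; only status lines count.
verify_announcement() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null | sig_status_ok "$EXPECTED_KEYID"
}

# Stand-alone use: sh verify.sh announcement.txt
if [ "$#" -gt 0 ]; then
    if verify_announcement "$1"; then
        echo "signature OK (key ID $EXPECTED_KEYID)"
    else
        echo "signature NOT verified" >&2
        exit 1
    fi
fi
```

A "Good signature" line alone only shows that some key in the local key ring signed the file, which is why the check compares the key ID. Eight-digit key IDs can be collided, so where a full fingerprint is available from a trusted source, pin that instead.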
