Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections:  Developer -  High Performance -  Infrastructure -  IT Management -  Security -  Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs


Top White Papers

More on LinuxToday


SUSE Linux Advisories: cups, apache2

Sep 16, 2004, 15:14 (0 Talkback[s])

SUSE Security Announcement

Package: cups
Announcement-ID: SUSE-SA:2004:031
Date: Wednesday, Sep 15th, 15:30:00 MEST 2004
Affected products: 8.1, 8.2, 9.0, 9.1 SUSE Linux Enterprise Server 8, 9 SUSE Linux Desktop 1.0
Vulnerability Type: remote code execution
Severity (1-10): 6
SUSE default package: Yes.
Cross References: CAN-2004-0801 CAN-2004-0558

Content of this advisory:

  1. security vulnerability resolved:
    • remote command execution and remote DoS in CUPS problem description
  2. solution/workaround
  3. special instructions and notes
  4. package location and checksums
  5. pending vulnerabilities, solutions, workarounds:
    • squid
    • OpenOffice
    • mozilla
    • mpg123
    • ImageMagick
  6. standard appendix (further information)

1) problem description, brief discussion

The Common Unix Printing System (CUPS) enables local and remote users to obtain printing functionallity via the Internet Printing Protocol (IPP). Alvaro Martinez Echevarria has found a remote Denial of Service condition within CUPS which allows remote users to make the cups server unresponsive. Additionally the SUSE Security Team has discovered a flaw in the foomatic-rip print filter which is commonly installed along with cups. It allows remote attackers, which are listed in the printing ACLs, to execute arbitrary commands as the printing user 'lp'.

2) solution/workaround

If you use CUPS, we recommend an update in any case. Additionally the IPP port (TCP port 631) should be firewalled and the printing ACLs should be set up in a way to reflect the local security policy.

3) special instructions and notes

After successfully updating the cups package, you need to run the following command as root:

rccups restart

4) package location and checksums

Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update.
Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.

x86 Platform:

SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/cups-1.1.20-108.8.i586.rpm 976655f117091c2bbc78399ffedf6c9c
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/cups-libs-1.1.20-108.8.i586.rpm f4af26bd260fc756e2070c340105295d
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/cups-client-1.1.20-108.8.i586.rpm 90cf964bf8b3ea5567754b15c0ab6988
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/foomatic-filters-3.0.1-41.6.i586.rpm b67b7187ecb708d7ec2980f7cdcdaa81
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/cups-1.1.20-108.8.i586.patch.rpm ce0f75db69c838557ecda3e3300bb763
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/cups-libs-1.1.20-108.8.i586.patch.rpm 213cbdc01c0f39895f75eb6816641b82
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/cups-client-1.1.20-108.8.i586.patch.rpm 9c47790dcd6fa339ea7a8d21ad841e54
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/foomatic-filters-3.0.1-41.6.i586.patch.rpm 8ccae3fb4988acf0c829ffe491472716
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/cups-1.1.20-108.8.src.rpm 96a63ac94b63f0d54d16bd2d3ea73a24
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/foomatic-filters-3.0.1-41.6.src.rpm 18816a89350fe3fa234506d40e4812b1

SUSE Linux 9.0:
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/cups-1.1.19-93.i586.rpm f72e1b1c033695ef9f3fe9a64ace220b
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/cups-libs-1.1.19-93.i586.rpm 46f540ce3bcf72a870eeb2ef78d1e7ec
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/cups-client-1.1.19-93.i586.rpm 9c9d4eb93c3dbf2ad740f6041224ff90
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/foomatic-filters-3.0.0-100.i586.rpm 4f5c750a1f756161407e4186b378ac51
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/cups-1.1.19-93.i586.patch.rpm 91b88efa969bb367ead02dfa686f5711
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/cups-libs-1.1.19-93.i586.patch.rpm 9952d1df78213228f1a0fc129c60331a
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/cups-client-1.1.19-93.i586.patch.rpm e83d2d6a85445fdaf186e4eba91a68da
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/foomatic-filters-3.0.0-100.i586.patch.rpm 3d91bc3f72cfb8efa4c1a38bf6a46d60
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/cups-1.1.19-93.src.rpm 236dd9aab66ee87ef73cfe9c7a4dd3a4
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/foomatic-filters-3.0.0-100.src.rpm 56b6200d339a0bd727b102b65d327493

SUSE Linux 8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/cups-1.1.18-96.i586.rpm 5092cfbf2d9f71b53cfa571d23ac8e26
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/cups-libs-1.1.18-96.i586.rpm 1b52320ac8e50797b9e140ba0339008c
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/cups-client-1.1.18-96.i586.rpm b0cc87346a3b2270081123bbb5fd932a
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/cups-1.1.18-96.i586.patch.rpm d67014a864afaa86952ed752d89a251a
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/cups-libs-1.1.18-96.i586.patch.rpm be6ae574c2f26a7f07d1b5e16f4ede02
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/cups-client-1.1.18-96.i586.patch.rpm c176435d584a763ae5b57dcde996f82c
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/cups-1.1.18-96.src.rpm 870f0825115fdf9526beb6e1ec867381

SUSE Linux 8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/cups-1.1.15-170.i586.rpm b8a1daf19c2fa58fecc3f9dafb8c4c8d
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/cups-libs-1.1.15-170.i586.rpm 9f7a2dbc92804cb54749e72426d79a62
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/cups-client-1.1.15-170.i586.rpm 7a82aedac6586fa27109e3576f5c4c27
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/cups-1.1.15-170.i586.patch.rpm 341ebcf57e793a836b5475353cb21e7c
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/cups-libs-1.1.15-170.i586.patch.rpm 3b75cf2265150044560555785e8e4c82
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/cups-client-1.1.15-170.i586.patch.rpm 926eca878ee8c36c4efa509d7b7243d4
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/cups-1.1.15-170.src.rpm ffc7b24d6638f04933621b9b49bb9e9e

x86-64 Platform:

SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/cups-1.1.20-108.8.x86_64.rpm fc7b3c21d0bdd1b5617263045a0f0058
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/cups-libs-1.1.20-108.8.x86_64.rpm 4490d72429d54417049a4daabc763e56
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/cups-client-1.1.20-108.8.x86_64.rpm 23e430a166baef8840b067f71b7ae96d
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/foomatic-filters-3.0.1-41.6.x86_64.rpm cfc0d3052c29da4e9b9bccac8cb0211e
patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/cups-1.1.20-108.8.x86_64.patch.rpm 4f347e2efa5151cee929889b18ddfed4
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/cups-libs-1.1.20-108.8.x86_64.patch.rpm 5157c96ec037e965c39ee0139c6287cf
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/cups-client-1.1.20-108.8.x86_64.patch.rpm ef1f955450463ee0a751ae1a4f5ceacc
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/foomatic-filters-3.0.1-41.6.x86_64.patch.rpm 4f34ffee4f359ca09eaf481c2904796e
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/cups-1.1.20-108.8.src.rpm 00ecd612999696c7f3a4e531c1a2198e
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/foomatic-filters-3.0.1-41.6.src.rpm 33e32a64142f72a224691d64c50f9f66

SUSE Linux 9.0:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/cups-1.1.19-93.x86_64.rpm 1b68c217134d058a5036f9a0058ddd0d
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/cups-libs-1.1.19-93.x86_64.rpm 1d48cc152e891fb3baeb2d2409830878
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/cups-client-1.1.19-93.x86_64.rpm a313c4956f44e230c0df9909ba0a7d25
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/foomatic-filters-3.0.0-100.x86_64.rpm 9b4d8b411702153be4a73222e6a12553
patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/cups-1.1.19-93.x86_64.patch.rpm f7bda7125579c9bda8cfd9f4e0f6f4a0
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/cups-libs-1.1.19-93.x86_64.patch.rpm 608d96f3f6566a65e70a57fcc367f777
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/cups-client-1.1.19-93.x86_64.patch.rpm a7d38ee463699f6152f8e42ee1da745d
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/foomatic-filters-3.0.0-100.x86_64.patch.rpm c83d5f8d7d41083bdad779505b777d11
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/cups-1.1.19-93.src.rpm c05016dadf2756e7e66c32c2c2b25858
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/foomatic-filters-3.0.0-100.src.rpm aa0436134b6b46418455e1c5235c36c0


5) Pending vulnerabilities in SUSE Distributions and Workarounds:

  • squid
    The NTLM authentication in squid suffers from a DoS vulnerability. New packages are currently being tested and will soon be available on our ftp servers.
  • OpenOffice
    OpenOffice sets the permissions of tmp-files according to the umask, which might be unsuitable. This will be fixed in upcoming distributions. If you work in an untrusted environment, you may set the $TEMP, $TMP and $TMPDIR environment variables to a location within your $HOME as a workaround.
  • mozilla
    We are in the process of releasing updates for mozilla (and related browsers), fixing various issues: CAN-2004-0597, CAN-2004-0718, CAN-2004-0722, CAN-2004-0757, CAN-2004-0758, CAN-2004-0759, CAN-2004-0760, CAN-2004-0761, CAN-2004-0762, CAN-2004-0763, CAN-2004-0764 and CAN-2004-0765. We will give you concrete details in a separate mozilla advisory when the updates are available.
  • mpg123
    A buffer overflow in the decoding of data streams has been fixed. New packages are available on our ftp servers. CAN-2004-0805 has been assigned to this issue.
  • ImageMagick
    A buffer overflow in the code handling BMP images has been fixed. New packages are available on our ftp servers. CAN-2004-0827 has been assigned to this issue.

6) standard appendix: authenticity verification, additional information

  • Package authenticity verification:

    SUSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package:

    1. md5sums as provided in the (cryptographically signed) announcement.
    2. using the internal gpg signatures of the rpm package.
    3. execute the command md5sum <name-of-the-file.rpm> after you downloaded the file from a SUSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security@suse.de), the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless.
    4. rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, where <file.rpm> is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an un-installed rpm package file. Prerequisites:
      1. gpg is installed
      2. The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SUSE in rpm packages for SUSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SUSE Linux distributions version 7.1 and thereafter install the key "build@suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
  • SUSE runs two security mailing lists to which any interested party may subscribe:

    suse-security@suse.com

  • general/linux/SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an email to

    <suse-security-subscribe@suse.com>.

    suse-security-announce@suse.com

  • SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an email to

    <suse-security-announce-subscribe@suse.com>.

For general information or the frequently asked questions (faq) send mail to:

<suse-security-info@suse.com> or <suse-security-faq@suse.com> respectively.


SUSE's security contact is <security@suse.com> or <security@suse.de>. The <security@suse.de> public key is listed below.

The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the clear-text signature shows proof of the authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with respect to the information contained in this security advisory.

Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>


SUSE Security Announcement

Package: apache2
Announcement-ID: SUSE-SA:2004:032
Date: Wednesday, Sep 15th 2004 16:00 MEST
Affected products: 8.1, 8.2, 9.0, 9.1 SUSE Linux Enterprise Server 9
Vulnerability Type: remote denial-of-service
Severity (1-10): 5
SUSE default package: no
Cross References: CAN-2004-0747 CAN-2004-0786

Content of this advisory:

  1. security vulnerability resolved:
    • remote denial-of-service
    • local buffer overflow problem description
  2. solution/workaround
  3. special instructions and notes
  4. package location and checksums
  5. pending vulnerabilities, solutions, workarounds:
    • samba
    • a2ps
    • mozilla
    • mc
    • squid
    • gtk2
    • gaim
    • nessus
  6. standard appendix (further information)

1) problem description, brief discussion

The Apache daemon is running on most of the web-servers used in the Internet today.
The Red Hat ASF Security-Team and the Swedish IT Incident Center within the National Post and Telecom Agency (SITIC) have found a bug in apache2 each.
The first vulnerability appears in the apr_uri_parse() function while handling IPv6 addresses. The affected code passes a negative length argument to the memcpy() function. On BSD systems this can lead to remote command execution due to the nature of the memcpy() implementation. On Linux this bug will result in a remote denial-of-service condition. The second bug is a local buffer overflow that occurs while expanding ${ENVVAR} in the .htaccess and httpd.conf file. Both files are not writeable by normal user by default.

2) solution/workaround

There is no known workaround.

3) special instructions and notes

After the new apache2 packages have been installed you have to restart the apache2 daemon by executing the following command as root: /usr/sbin/rcapache2 restart

4) package location and checksums

Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update.
Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.

x86 Platform:

SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/apache2-2.0.49-27.14.i586.rpm 9b845c3d735cbd1bcac668d8c750b676
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/apache2-prefork-2.0.49-27.14.i586.rpm 0384d427dfc90eb86c2905676e9adc07
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/apache2-worker-2.0.49-27.14.i586.rpm 5be402effc8131d5565591cfe10d7526
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/libapr0-2.0.49-27.14.i586.rpm 05220b62526e03cb6c2b183b523754d0
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/apache2-2.0.49-27.14.i586.patch.rpm 81de5904923e436a8ef5b69d30e785ae
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/apache2-prefork-2.0.49-27.14.i586.patch.rpm 61e2e118d9fe7065de566292f08a1345
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/apache2-worker-2.0.49-27.14.i586.patch.rpm 49ebf40839bc3481cacd83756b326d11
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/libapr0-2.0.49-27.14.i586.patch.rpm f37b330d2eb4f0540886fbb26c32413e
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/apache2-2.0.49-27.14.src.rpm 08cbcb0efed1d5555bb0613b865a6053

SUSE Linux 9.0:
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/apache2-2.0.48-139.i586.rpm 27840b6a3af5fd22aa6514e5160a8069
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/apache2-prefork-2.0.48-139.i586.rpm 2b6472921d506546a0b3d949b7228839
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/apache2-worker-2.0.48-139.i586.rpm deb73562cbd878dad304b8aff2b00466
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/libapr0-2.0.48-139.i586.rpm f6233d3447b716cedb7bc1b7e7e470ae
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/apache2-leader-2.0.48-139.i586.rpm 66f5c0630ebfc80409eaf9c9bb11ccb0
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/apache2-metuxmpm-2.0.48-139.i586.rpm 17edb6c60cb0a9b10a76feb97f49f755
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/apache2-2.0.48-139.i586.patch.rpm d1f0678ce5caf6d31afb324d4bffbce3
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/apache2-prefork-2.0.48-139.i586.patch.rpm 86ac5cf3e6d9bd9eb03184fd2bdc9905
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/apache2-worker-2.0.48-139.i586.patch.rpm 52aa93198d5e20eaccf0b9f841f10c4d
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/libapr0-2.0.48-139.i586.patch.rpm df994be46d4dc9d00616750dd6b0b0c1
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/apache2-leader-2.0.48-139.i586.patch.rpm 33ba4684fc5259f05ff6708ab5d48350
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/apache2-metuxmpm-2.0.48-139.i586.patch.rpm 85252f1966a4be547c6771642fc738dd
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/apache2-2.0.48-139.src.rpm 464180f4e7e4c39cdecac9a802d589fd

SUSE Linux 8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/apache2-2.0.48-139.i586.rpm 05260a9f52cc71c1818e3787c46b27dc
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/apache2-prefork-2.0.48-139.i586.rpm 17ebbca6883fe62d9a9161103229e31a
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/apache2-worker-2.0.48-139.i586.rpm 2eb72f1af2c80a64922580a2408bb8e6
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/libapr0-2.0.48-139.i586.rpm d2509b369c4a41dd3f2089e175449be0
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/apache2-leader-2.0.48-139.i586.rpm fe40ce0f5a3421f0242a689155375b4f
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/apache2-2.0.48-139.i586.patch.rpm 191173d3e403cdac75fb7a9f7bec870c
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/apache2-prefork-2.0.48-139.i586.patch.rpm 0f059ac6202f4e3589a50eb018b34244
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/apache2-worker-2.0.48-139.i586.patch.rpm 3b34bab03c462e153d539afaf5deeb77
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/libapr0-2.0.48-139.i586.patch.rpm b3e42a5dbbd6b68052bb09482204725c
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/apache2-leader-2.0.48-139.i586.patch.rpm ba77a1ad221299e6cd413e6bc76a13de
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/apache2-2.0.48-139.src.rpm f18c560ad459b862730916f79b8bb3b8

SUSE Linux 8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/apache2-2.0.48-139.i586.rpm 1c77aab21c333c1e1f3498ae61eac987
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/apache2-prefork-2.0.48-139.i586.rpm b8b07652ebcb57d588cfaaa6bbb2ac84
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/apache2-worker-2.0.48-139.i586.rpm bc71f335963a9fdf52adf6d99a93d69d
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/apr-2.0.48-139.i586.rpm 48df09d3a351cf7f5a718e71e48aa33e
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/apache2-perchild-2.0.48-139.i586.rpm 68d781d4efe000a6a5ad5c7aeebbaccf
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/apache2-2.0.48-139.i586.patch.rpm dddd28b031ebdcee9e7c184db14a8318
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/apache2-prefork-2.0.48-139.i586.patch.rpm fa6ac0a41463bd39856e54c0b1763ebb
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/apache2-worker-2.0.48-139.i586.patch.rpm d9704298ea9e359edccf824cc525f0e7
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/apr-2.0.48-139.i586.patch.rpm afc83912677b81ce2ec47eb94a401bff
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/apache2-perchild-2.0.48-139.i586.patch.rpm 28929bae30f7789f1945c457ba12bf9b
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/apache2-2.0.48-139.src.rpm 0132de4f1d42009a6ef81ddb2b5fc55e

x86-64 Platform:

SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/apache2-2.0.49-27.14.x86_64.rpm 9e0f9899d4f9e5bb64bdb09e0bec316e
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/apache2-prefork-2.0.49-27.14.x86_64.rpm 2c4ea232129aa2e1589b528b39ba4727
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/apache2-worker-2.0.49-27.14.x86_64.rpm 80d8e4d121c34d250793427050d4d0d0
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/libapr0-2.0.49-27.14.x86_64.rpm 7b0fb31d24bde01c46f4b361c23e208c
patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/apache2-2.0.49-27.14.x86_64.patch.rpm 8acab2f576039bd291d94012d1658568
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/apache2-prefork-2.0.49-27.14.x86_64.patch.rpm f1fe28267d4e49bcbeaf3207b2ce28a6
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/apache2-worker-2.0.49-27.14.x86_64.patch.rpm 154f87e3acb64512c415828a866810d7
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/libapr0-2.0.49-27.14.x86_64.patch.rpm 8a6bb234f6e467f0c620c1edcd34efa0
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/apache2-2.0.49-27.14.src.rpm 55f7b18ef66d6db039936a811906cb86

SUSE Linux 9.0:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/apache2-2.0.48-139.x86_64.rpm 023e3977f7c6cad342b112a98a784934
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/apache2-prefork-2.0.48-139.x86_64.rpm 8bd2e882f197d842484c520e94921545
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/apache2-worker-2.0.48-139.x86_64.rpm 254aa465d3477520b799e58e8540b72d
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/libapr0-2.0.48-139.x86_64.rpm d2f3fdcbf23c0795e945792be8e30fb5
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/apache2-leader-2.0.48-139.x86_64.rpm af40e228c3967470c45b3a56fee5b18b
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/apache2-metuxmpm-2.0.48-139.x86_64.rpm 8454ccf5f9e799e66507386ee3c6d516
patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/apache2-2.0.48-139.x86_64.patch.rpm 673aac30385aef7e15d65f3d8c2d3e4e
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/apache2-prefork-2.0.48-139.x86_64.patch.rpm 37ec566cc3511ca9a6c7e23f24bed85a
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/apache2-worker-2.0.48-139.x86_64.patch.rpm 1eab9effa42d4d0c54e9bc618f4b97fa
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/libapr0-2.0.48-139.x86_64.patch.rpm d71304c7e348686cd279c9629c17a087
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/apache2-leader-2.0.48-139.x86_64.patch.rpm 51b69ec124cfd5d08cf73e77c73271f2
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/apache2-metuxmpm-2.0.48-139.x86_64.patch.rpm 1e9168aaaf5b204235635513e1f4c22f
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/apache2-2.0.48-139.src.rpm fee40db2840b32cdd6af4c77f6a1b3cc


5) Pending vulnerabilities in SUSE Distributions and Workarounds:

  • samba
    This version fixes several bugs in the Samba suite including two denial-of-service (DoS) Vulnerabilities. Microsoft Windows XP clients with installed Service Pack 2 crash the Samba (smbd) process while printing. Using macros in the smb.conf 'log file' statement might lead to an infinite recursion. A wrong counter and pointer handling in samba-vscan leads to a crash of the Samba (smbd) process sometimes. A DoS bug in smbd may allow an unauthenticated user to cause smbd to spawn new processes, each one entering an infinite loop. After sending a sufficient amount of packets it is possible to exhaust the memory resources on the server. This issue is known as CAN-2004-0807. A DoS bug in nmbd may allow an attacker to remotely crash the nmbd daemon. This issue is known as CAN-2004-0808. New packages are available on our FTP servers.
  • a2ps
    This update fixes the handling of filenames that include shell metacharacters. Without this patch it was possible to execute shell commands via a2ps by providing a filename that includes metacharacters as an argument. New packages are available on our FTP servers.
  • mozilla
    We are in the process of releasing updates for mozilla (and related browsers), fixing various issues: CAN-2004-0597, CAN-2004-0718, CAN-2004-0722, CAN-2004-0757, CAN-2004-0758, CAN-2004-0759, CAN-2004- 0760, CAN-2004-0761, CAN-2004-0762, CAN-2004-0763, CAN-2004-0764 and CAN-2004-0765. We will give you concrete details in a separate mozilla advisory when the updates are available.
  • mc
    The console filesystem browser mc was found vulnerable to various meta-char attacks in the extfs perl and shell scripts. These bugs can be exploited by providing a malformed archive file to a victim user to execute shell commands with her/his privileges. (CAN-2004-0494) New packages will be available soon.
  • squid
    Certain malformed NTLMSSP packets can crash the NTLM helpers provided by Squid (CAN-2004-0832). New packages will be available soon.
  • gtk2
    This update fixes three vulnerabilities found in the XPM loader code of the GTK Library. They are registered as:
    + CAN-2004-0782 Heap-based overflow in pixbuf_create_from_xpm
    + CAN-2004-0783 Stack-based overflow in xpm_extract_color
    + CAN-2004-0788 icon loader integer overflow.
    New packages will be available soon.
  • gaim
    This security update fixes four security issues which are registered as:
    + CAN-2004-0754
    An integer overflow in the groupware message handler exists in Gaim.
    + CAN-2004-0784
    A shell escape vulnerability in the handling of smiley theme tarball filenames could lead to arbitrary command execution.
    + CAN-2004-0785
    Buffer overflows in Gaim could lead to a denial of service or arbitrary code execution.
    Additionally a buffer overflow in the URL parsing code of gaim is fixed. This bug let to remote system compromise with the privileges of the user running gaim.
  • nessus
    The nessus-adduser creates temporary files in $TMPDIR in an insecure manner. New packages will be available soon.

6) standard appendix: authenticity verification, additional information

  • Package authenticity verification:

    SUSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package:

    1. md5sums as provided in the (cryptographically signed) announcement.
    2. using the internal gpg signatures of the rpm package.
    3. execute the command md5sum <name-of-the-file.rpm> after you downloaded the file from a SUSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security@suse.de), the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless.
    4. rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, where <file.rpm> is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an un-installed rpm package file. Prerequisites:
      1. gpg is installed
      2. The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SUSE in rpm packages for SUSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SUSE Linux distributions version 7.1 and thereafter install the key "build@suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
  • SUSE runs two security mailing lists to which any interested party may subscribe:

    suse-security@suse.com

  • general/linux/SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an email to

    <suse-security-subscribe@suse.com>.

    suse-security-announce@suse.com

  • SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an email to

    <suse-security-announce-subscribe@suse.com>.

For general information or the frequently asked questions (faq) send mail to:

<suse-security-info@suse.com> or
<suse-security-faq@suse.com> respectively.


SUSE's security contact is <security@suse.com> or <security@suse.de>.
The <security@suse.de> public key is listed below.

The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the clear-text signature shows proof of the authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with respect to the information contained in this security advisory.

Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>