dcsimg
Linux Today: Linux News On Internet Time.




More on LinuxToday


SUSE Linux Advisories: squid, cvs

Jun 10, 2004, 03:58 (0 Talkback[s])

SUSE Security Announcement

Package: squid
Announcement-ID: SuSE-SA:2004:016
Date: Wednesday, Jun 9th 2004 16:30 MEST
Affected products: 8.2, 9.0, 9.1
Vulnerability Type: remote system compromise
Severity (1-10): 5
SUSE default package: no
Cross References: CAN-2004-0541

Content of this advisory:

  1. security vulnerability resolved:
    • buffer overflow problem description, discussion, solution and upgrade information
  2. pending vulnerabilities, solutions, workarounds:
    • icecast
    • sitecopy
    • cadaver
    • tla
    • OpenOffice_org
    • tripwire
    • postgresql
    • lha 3) standard appendix (further information)

1) problem description, brief discussion, solution, upgrade information

Squid is a feature-rich web-proxy with support for various web-related protocols.
The NTLM authentication helper application of Squid is vulnerable to a buffer overflow that can be exploited remotely by using a long password to execute arbitrary code. NTLM authentication is enabled by default in the Squid package that is shipped by SUSE LINUX.

There is no workaround known other then turning off the NTLM authentication.

Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update.
Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.

Intel i386 Platform:

SuSE-9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/squid-2.5.STABLE5-42.9.i586.rpm ea3da461f226cc881562b06224a8370e
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/squid-2.5.STABLE5-42.9.i586.patch.rpm f85bd7c071695d0d9c304969c5a35a23
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/squid-2.5.STABLE5-42.9.src.rpm 610caf4de1d7333af0f8613767d40bb0

SuSE-9.0:
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/squid-2.5.STABLE3-110.i586.rpm fc31dd7379b249d8f9a07d0f4464996d
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/squid-2.5.STABLE3-110.i586.patch.rpm 06961779c39bca33ee2d619773f47f39
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/squid-2.5.STABLE3-110.src.rpm 90c171552d03e2efb731d25a4ffbf553

SuSE-8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/squid-2.5.STABLE1-98.i586.rpm d35da0a2719ca8de24c299ef9a8dbe3f
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/squid-2.5.STABLE1-98.i586.patch.rpm 0aa98cf95a23a0ea35a2e6657717243e
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/squid-2.5.STABLE1-98.src.rpm 4fdd84cebf8dbdc7334e48a9f8369efc

SuSE-8.0:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/squid-2.4.STABLE6-9.i386.rpm fa4780901f96712ea22eef28bdf53700
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/squid-2.4.STABLE6-9.i386.patch.rpm 917c26da9c444085d045b708548eae3e
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/squid-2.4.STABLE6-9.src.rpm dc96baf5541829ee6e615861d17146aa

Opteron x86_64 Platform:

SuSE-9.1:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/squid-2.5.STABLE5-42.9.x86_64.rpm 868c4121e1622f6ac91a8eaac414eabe
patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/squid-2.5.STABLE5-42.9.x86_64.patch.rpm 0cbc28a5262dfe4eb72ee3fbbb5b4657
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/squid-2.5.STABLE5-42.9.src.rpm 20ab0af37af2139e1de8f1f4edfcc2c6

SuSE-9.0:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/squid-2.5.STABLE3-110.x86_64.rpm 616f32f8196ed53a4f5f163f33d2a838
patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/squid-2.5.STABLE3-110.x86_64.patch.rpm 72ca1d31e833be4d9e9c150349d2bbbc
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/squid-2.5.STABLE3-110.src.rpm 632bd7bdbe116eff14213b9f6245cd0a


2) Pending vulnerabilities in SUSE Distributions and Workarounds:

  • icecast
    The icecast service is vulnerable to a remote denial-of-service attack. Update packages will be available soon.
  • sitecopy
    The sitecopy package includes a vulnerable version of the neon library (CAN-2004-0179, CAN-2004-0398). Update packages will be available soon.
  • cadaver
    The cadaver package includes a vulnerable version of the neon library (CAN-2004-0179, CAN-2004-0398). Update packages will be available soon.
  • tla
    The tla package includes a vulnerable version of the neon library (CAN-2004-0179, CAN-2004-0398). Update packages are available on our FTP servers.
  • OpenOffice_org
    The OpenOffice_org package includes a vulnerable version of the neon library (CAN-2004-0179, CAN-2004-0398). Update packages will be available soon.
  • tripwire
    A format string bug in tripwire can be exploited locally to gain root permissions. Update packages will be available soon.
  • postgresql
    A buffer overflow in psqlODBC could be exploited to crash the application using it. E.g. a PHP script that uses ODBC to access a PostgreSQL database can be utilized to crash the surrounding Apache web-server. Other parts of PostgreSQL are not affected. Update packages will be available soon.
  • lha
    Minor security fix for a buffer overflow while handling command line options. This buffer overflow could be exploited in conjunction with other mechanisms to gain higher privileges or access the system remotely.

3) standard appendix: authenticity verification, additional information

  • Package authenticity verification:

    SUSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package:

    1. md5sums as provided in the (cryptographically signed) announcement.
    2. using the internal gpg signatures of the rpm package.
    3. execute the command md5sum <name-of-the-file.rpm> after you downloaded the file from a SUSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security@suse.de), the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless.
    4. rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, where <file.rpm> is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an un-installed rpm package file. Prerequisites:
      1. gpg is installed
      2. The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SUSE in rpm packages for SUSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SUSE Linux distributions version 7.1 and thereafter install the key "build@suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
  • SUSE runs two security mailing lists to which any interested party may subscribe:

    suse-security@suse.com

  • general/linux/SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an email to

    <suse-security-subscribe@suse.com>.

    suse-security-announce@suse.com

  • SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an email to

    <suse-security-announce-subscribe@suse.com>.

For general information or the frequently asked questions (faq) send mail to:

<suse-security-info@suse.com> or <suse-security-faq@suse.com> respectively.


SUSE's security contact is <security@suse.com> or <security@suse.de>. The <security@suse.de> public key is listed below.

The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the clear-text signature shows proof of the authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with respect to the information contained in this security advisory.

Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>


SUSE Security Announcement

Package: cvs
Announcement-ID: SuSE-SA:2004:015
Date: Wed Jun 9 15:00:00 MEST 2004
Affected products: 8.0, 8.1, 8.2, 9.0, 9.1 SuSE Firewall on CD 2 - VPN SuSE Firewall on CD 2 SuSE Linux Enterprise Server 7, 8 SuSE Linux Office Server UnitedLinux 1.0
Vulnerability Type: remote command execution
Severity (1-10): 6
SUSE default package: No.
Cross References: CAN-2004-0416 CAN-2004-0417 CAN-2004-0418

Content of this advisory:

  1. security vulnerability resolved: various security issues in cvs problem description, discussion, solution and upgrade information
  2. pending vulnerabilities, solutions, workarounds:
    • icecast
    • sitecopy
    • cadaver
    • tla
    • OpenOffice_org
    • tripwire
    • postgresql
    • lha
    • apache/mod_ssl
  3. standard appendix (further information)

1) problem description, brief discussion, solution, upgrade information

The Concurrent Versions System (CVS) offers tools which allow developers to share and maintain large software projects. Various remotely exploitable conditions have been found during a source code review of CVS done by Stefan Esser and Sebastian Krahmer (SuSE Security-Team).
These bugs allow remote attackers to execute arbitrary code as the user the CVS server runs as. Since there is no easy workaround we strongly recommend to update the cvs package. The update packages fix vulnerabilities which have been assigned the CAN numbers CAN-2004-0416, CAN-2004-0417 and CAN-2004-0418. The cvs packages shipped by SUSE (as well as our recent updates for CVS) are not vulnerable to CAN-2004-0414.

Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update.
Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.

Intel i386 Platform:

SuSE-9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/cvs-1.11.14-24.6.i586.rpm 47731cff36f671c97e90a8b304dfa508
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/cvs-1.11.14-24.6.i586.patch.rpm d9aaad71404029c53d3972f035f58b41
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/cvs-1.11.14-24.6.src.rpm f3fdcd3355df637c34d1c2058be48fba

SuSE-9.0:
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/cvs-1.11.6-83.i586.rpm b2c14b51a074fd8059af6d084d2684bd
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/cvs-1.11.6-83.i586.patch.rpm e22c93b42f31ac7e9319cf31a266f6c0
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/cvs-1.11.6-83.src.rpm 211950707baf445fbe87fd73b243da18

SuSE-8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/cvs-1.11.5-114.i586.rpm c9e1680bd0fa4fb5239e89747add07e9
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/cvs-1.11.5-114.i586.patch.rpm 8cabcc36b298326e738311cad37f32dc
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/cvs-1.11.5-114.src.rpm ebeca38a0d002044c68c20bfc051b14f

SuSE-8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/cvs-1.11.1p1-332.i586.rpm 597bac9a562582828b1f5cadd30f004f
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/cvs-1.11.1p1-332.i586.patch.rpm fc1a12767ad7e2fbfb7294cc4112b2f7
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/cvs-1.11.1p1-332.src.rpm fb51cfd019b7f84857b6c6454b21418d

SuSE-8.0:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/d3/cvs-1.11.1p1-332.i386.rpm 67de2e7aed4d0cc282965118bd1afb66
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/d3/cvs-1.11.1p1-332.i386.patch.rpm 9a1a381eba6312ab168e22c7d519a93a
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/cvs-1.11.1p1-332.src.rpm b10baa53b3e0e4a1d0839cb5d4696215

Opteron x86_64 Platform:

SuSE-9.1:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/cvs-1.11.14-24.6.x86_64.rpm 6aec551d7128a714e40cc30e94b8f885
patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/cvs-1.11.14-24.6.x86_64.patch.rpm 64cb1180ab428731febd8259da9cf15d
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/cvs-1.11.14-24.6.src.rpm 98bb92fa2691254c2928cb54a9b40767

SuSE-9.0:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/cvs-1.11.6-83.x86_64.rpm c913bf7436b3e7b9ccc1dda4a4af6f41
patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/cvs-1.11.6-83.x86_64.patch.rpm 5bbdbaf7ea7df6d57c8c1581e2ca5d87
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/cvs-1.11.6-83.src.rpm f2953162aa93eb55b9f4c5200bedde6d


2) Pending vulnerabilities in SUSE Distributions and Workarounds:

  • icecast The icecast service is vulnerable to a remote denial-of-service attack. Update packages will be available soon.
  • sitecopy The sitecopy package includes a vulnerable version of the neon library (CAN-2004-0179, CAN-2004-0398). Update packages will be available soon.
  • cadaver The cadaver package includes a vulnerable version of the neon library (CAN-2004-0179, CAN-2004-0398). Update packages will be available soon.
  • tla The tla package includes a vulnerable version of the neon library (CAN-2004-0179, CAN-2004-0398). Update packages will be available soon.
  • OpenOffice_org The OpenOffice_org package includes a vulnerable version of the neon library (CAN-2004-0179, CAN-2004-0398). Update packages will be available soon.
  • tripwire A format string bug in tripwire can be exploited locally to gain root permissions. Update packages will be available soon.
  • postgresql A buffer overflow in psqlODBC could be exploited to crash the application using it. E.g. a PHP script that uses ODBC to access a PostgreSQL database can be utilized to crash the surrounding Apache webserver. Other parts of PostgreSQL are not affected. Update packages will be available soon.
  • lha Minor security fix for a buffer overflow while handling command line options. This buffer overflow could be exploited in conjunction with other mechanisms to gain higher privileges or access the system remotely.
  • apache/mod_ssl A buffer overflow in a uuencode function of mod_ssl has been fixed as well as various minor bugs (CAN-2003-0987, CAN-2003-0020, CAN-2004-0174 and CAN-2003-0993). New packages are available on our ftp servers.

3) standard appendix: authenticity verification, additional information

  • Package authenticity verification:

    SUSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package:

    1. md5sums as provided in the (cryptographically signed) announcement.
    2. using the internal gpg signatures of the rpm package.
    3. execute the command md5sum <name-of-the-file.rpm> after you downloaded the file from a SUSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security@suse.de), the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless.
    4. rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, where <file.rpm> is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an un-installed rpm package file. Prerequisites:
      1. gpg is installed
      2. The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SUSE in rpm packages for SUSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SUSE Linux distributions version 7.1 and thereafter install the key "build@suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
  • SUSE runs two security mailing lists to which any interested party may subscribe:

    suse-security@suse.com

  • general/linux/SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an email to

    <suse-security-subscribe@suse.com>.

    suse-security-announce@suse.com

  • SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an email to

    <suse-security-announce-subscribe@suse.com>.

For general information or the frequently asked questions (faq) send mail to:

<suse-security-info@suse.com> or <suse-security-faq@suse.com> respectively.


SUSE's security contact is <security@suse.com> or <security@suse.de>. The <security@suse.de> public key is listed below.

The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the clear-text signature shows proof of the authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with respect to the information contained in this security advisory.

Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>