A remote unauthenticated attacker can add arbitrary hosts to the
blacklist by attempting to log in with a specially crafted username.
An attacker may use this to prevent legitimate users from accessing
a host remotely.
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.
An anonymous researcher found evidence of memory corruption in
the way Mozilla Firefox handles certain types of SVG comment DOM
nodes. Additionally, Frederik Reiss discovered a heap-based buffer
overflow in the conversion of a CSS cursor. Other issues with
memory corruption were also fixed. Mozilla Firefox also contains
less severe vulnerabilities involving JavaScript and Java.
An attacker could entice a user to view a specially crafted web
page that will trigger one of the vulnerabilities, possibly leading
to the execution of arbitrary code. It is also possible for an
attacker to perform cross-site scripting attacks, leading to the
exposure of sensitive information, like user credentials.
Georgi Guninski and David Bienvenu discovered buffer overflows
in the processing of long "Content-Type:" and long non-ASCII MIME
headers. Additionally, Frederik Reiss discovered a heap-based
buffer overflow in the conversion of a CSS cursor. Different
vulnerabilities involving memory corruption in the browser engine
were also fixed. Mozilla Thunderbird also contains less severe
vulnerabilities involving JavaScript and Java.
An attacker could entice a user to view a specially crafted
email that will trigger one of these vulnerabilities, possibly
leading to the execution of arbitrary code. An attacker could also
perform cross-site scripting attacks, leading to the exposure of
sensitive information, like user credentials. Note that the
execution of JavaScript or Java applets is disabled by default and
enabling it is strongly discouraged.
Package: OpenOffice_org
Announcement ID: SUSE-SA:2007:001
Date: Thu, 04 Jan 2007 15:00:00 +0000
Affected Products: Novell Linux Desktop 9, SLE SDK 10, SUSE LINUX 10.1,
SUSE LINUX 10.0, SUSE LINUX 9.3, SuSE Linux Desktop 1.0, SUSE SLED 10
Vulnerability Type: code execution
Severity (1-10): 7
SUSE Default Package: yes
Cross-References: CVE-2006-5870
Content of This Advisory:
Security Vulnerability Resolved: buffer overflows in WMF and
Enhanced WMF handling
Problem Description
Solution or Work-Around
Special Instructions and Notes
Package Location and Checksums
Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE
Security Summary Report.
Authenticity Verification and Additional Information
1) Problem Description and Brief Discussion
Security problems were fixed in the WMF and Enhanced WMF
handling in OpenOffice_org. These could potentially be used to
execute code or crash OpenOffice when a user could be convinced to
open a specially crafted document (for instance a document sent by
e-mail).
This issue is tracked by the Mitre CVE ID CVE-2006-5870.
openSUSE 10.2 is not affected by this problem; it already
contains the fixed OpenOffice_org 2.1 version.
Additionally the OpenOffice_org 2.0 version in SLED 10 was
fitted with hooks to add OfficeXML support with a later update.
Due to the very large size of this update and mirror lag it
might take some hours or days until the updates are available on
our mirrors.
2) Solution or Work-Around
There is no known workaround, please install the update
packages.
3) Special Instructions and Notes
Restart OpenOffice after the update.
4) Package Location and Checksums
The preferred method for installing security updates is to use
the YaST Online Update (YOU) tool. YOU detects which updates are
required and automatically performs the necessary steps to verify
and install them. Alternatively, download the update packages for
your distribution manually and verify their integrity by the
methods listed in Section 6 of this announcement. Then install the
packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the
filename of the downloaded RPM package.
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
Announcement authenticity verification:
SUSE security announcements are published via mailing lists and
on Web sites. The authenticity and integrity of a SUSE security
announcement is guaranteed by a cryptographic signature in each
announcement. All SUSE security announcements are published with a
valid signature.
To verify the signature of the announcement, save it as text
into a file and run the command
gpg --verify <file>
replacing <file> with the name of the file containing the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security@suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring,
you can import it from the first installation CD. To import the
key, use the command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
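An added example, not part of the advisory: a small Python check that parses gpg's machine-readable --status-fd output and accepts a saved announcement only when the GOODSIG comes from the expected key ID 3D25D3D9, because a "good signature" from any other key (for instance the package signing key 9C800ACA) proves nothing about the announcement. The status samples are constructed; the long key IDs in them are made up apart from their low 32 bits, which are the short IDs quoted above.

```python
import subprocess
from typing import Set

# Short key ID the advisory says SUSE security announcements are signed with.
ANNOUNCEMENT_KEYID = "3D25D3D9"

# Constructed gpg --status-fd output for a good, a bad and a wrong-key signature.
# Only the low 32 bits of each long key ID come from the advisory; the high
# 32 bits (1234ABCD) are invented for illustration.
GOOD_STATUS = """[GNUPG:] GOODSIG 1234ABCD3D25D3D9 SuSE Security Team <security@suse.de>
[GNUPG:] TRUST_UNDEFINED
"""
BAD_STATUS = """[GNUPG:] BADSIG 1234ABCD3D25D3D9 SuSE Security Team <security@suse.de>
"""
WRONG_KEY_STATUS = """[GNUPG:] GOODSIG 1234ABCD9C800ACA SuSE Package Signing Key <build@suse.de>
"""

def good_signers(status_output: str) -> Set[str]:
    """Return the long key IDs that produced a GOODSIG. Any BADSIG, ERRSIG,
    EXPKEYSIG or REVKEYSIG empties the result, so a file carrying one bad or
    unverifiable signature is never accepted."""
    signers: Set[str] = set()
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            return set()
        if fields[1] == "GOODSIG" and len(fields) >= 3:
            signers.add(fields[2].upper())
    return signers

def signed_by(status_output: str, expected_short_id: str) -> bool:
    """True only if a GOODSIG exists and its key ID ends with the expected
    short ID. The advisory quotes 8-hex-digit IDs; if you have the full
    fingerprint, compare the VALIDSIG line against it instead."""
    suffix = expected_short_id.upper()
    return any(k.endswith(suffix) for k in good_signers(status_output))

def verify_announcement(path: str) -> bool:
    """Run gpg on a saved announcement and check the signer, not just 'good'."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True)
    return signed_by(proc.stdout, ANNOUNCEMENT_KEYID)
```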
Package authenticity verification:
SUSE update packages are available on many mirror FTP servers
all over the world. While this service is considered valuable and
important to the free and open source software community, the
authenticity and integrity of a package needs to be verified to
ensure that it has not been tampered with.
The internal RPM package signatures provide an easy way to
verify the authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing
<file.rpm> with the filename of the RPM package downloaded.
The package is unmodified if it contains a valid signature from
build@suse.de with the key ID
9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and
included at the end of this announcement.
SUSE runs two security mailing lists to which any interested
party may subscribe:
The information in this advisory may be distributed or
reproduced, provided that the advisory is not modified in any way.
In particular, the clear text signature should show proof of the
authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind
whatsoever with respect to the information contained in this
security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
Security Vulnerability Resolved: ASP.net source code disclosure
Problem Description
Solution or Work-Around
Special Instructions and Notes
Package Location and Checksums
Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE
Security Summary Report.
Authenticity Verification and Additional Information
1) Problem Description and Brief Discussion
A security problem was found and fixed in the Mono / C# web
server implementation.
By appending spaces to URLs, attackers could download the source
code of ASP.net scripts that would normally be executed by the web
server.
This issue is tracked by the Mitre CVE ID CVE-2006-6104 and only
affects SUSE Linux 10.1, openSUSE 10.2 and SUSE Linux Enterprise
10.
Older products are not affected.
The updated packages for this problem were released on December
29th 2006.
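As an added example (not from the SUSE advisory or the Mono project), a detector that scans web access logs for requests to ASP.NET script paths padded with trailing whitespace, raw or URL-encoded, so that the padded requests described above can be spotted in the logs of hosts that have not yet been updated. The sample lines are constructed in Common Log Format, and the extension list and client addresses are assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Extensions the ASP.NET handler is meant to execute, never serve as text
# (assumed list for this example).
ASPNET_EXTENSIONS = (".aspx", ".asmx", ".ashx", ".ascx", ".asax")

# Common Log Format; the greedy target group keeps a raw trailing space.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>[^"]*) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Constructed sample log: one normal request, two %20-padded ones, one
# padded non-script and one with a raw trailing space.
SAMPLE_LOG = """\
192.0.2.10 - - [29/Dec/2006:10:01:12 +0000] "GET /app/default.aspx HTTP/1.1" 200 5120
192.0.2.10 - - [29/Dec/2006:10:01:15 +0000] "GET /app/default.aspx%20 HTTP/1.1" 200 2048
198.51.100.7 - - [29/Dec/2006:10:02:40 +0000] "GET /app/login.aspx%20?x=1 HTTP/1.1" 200 1900
192.0.2.10 - - [29/Dec/2006:10:03:01 +0000] "GET /images/logo.png%20 HTTP/1.1" 404 301
203.0.113.5 - - [29/Dec/2006:10:04:09 +0000] "GET /app/admin.aspx  HTTP/1.0" 200 700
"""

def stripped_script_path(target: str) -> Optional[str]:
    """Return the trimmed path if the request path ends in whitespace and,
    once trimmed, names an ASP.NET script; otherwise None."""
    path = unquote(target.split("?", 1)[0])   # drop query, decode %20 / %09
    trimmed = path.rstrip(" \t")
    if trimmed == path or not trimmed.lower().endswith(ASPNET_EXTENSIONS):
        return None
    return trimmed

def find_trailing_space_requests(log_text: str) -> List[Tuple[str, str, int]]:
    """Report (client, script path, status) for padded script requests.
    A 200 means the server answered the padded URL instead of rejecting it."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        script = stripped_script_path(m["target"])
        if script is not None:
            hits.append((m["ip"], script, int(m["status"])))
    return hits
```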
2) Solution or Work-Around
There is no known workaround, please install the update
packages.
3) Special Instructions and Notes
None.
4) Package Location and Checksums
The preferred method for installing security updates is to use
the YaST Online Update (YOU) tool. YOU detects which updates are
required and automatically performs the necessary steps to verify
and install them. Alternatively, download the update packages for
your distribution manually and verify their integrity by the
methods listed in Section 6 of this announcement. Then install the
packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the
filename of the downloaded RPM package.