---

Advisories, September 26, 2006

Debian GNU/Linux


Debian Security Advisory DSA 1184-2 security@debian.org
http://www.debian.org/security/
Dann Frazier
September 26th, 2006 http://www.debian.org/security/faq


Package : kernel-source-2.6.8
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE IDs : CVE-2004-2660 CVE-2005-4798 CVE-2006-1052 CVE-2006-1343
CVE-2006-1528 CVE-2006-1855 CVE-2006-1856 CVE-2006-2444
CVE-2006-2446 CVE-2006-2935 CVE-2006-2936 CVE-2006-3468
CVE-2006-3745 CVE-2006-4093 CVE-2006-4145 CVE-2006-4535
CERT advisory : VU#681569
BugTraq IDs : 17203 17830 18081 18099 18101 18105 18847 19033 19396
19562 19615 19666 20087

This advisory covers the S/390 components of the recent security
update for the Linux 2.6.8 kernel that was missing due to technical
problems. For reference below please see the original advisory
text.

Several security related problems have been discovered in the
Linux kernel which may lead to a denial of service or even the
execution of arbitrary code. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2004-2660

Toshihiro Iwamoto discovered a memory leak in the handling of
direct I/O writes that allows local users to cause a denial of
service.

CVE-2005-4798

A buffer overflow in NFS readlink handling allows a malicious
remote server to cause a denial of service.

CVE-2006-1052

Stephen Smalley discovered a bug in the SELinux ptrace handling
that allows local users with ptrace permissions to change the
tracer SID to the SID of another process.

CVE-2006-1343

Pavel Kankovsky discovered an information leak in the getsockopt
system call which can be exploited by a local program to leak
potentially sensitive memory to userspace.

CVE-2006-1528

Douglas Gilbert reported a bug in the sg driver that allows
local users to cause a denial of service by performing direct I/O
transfers from the sg driver to memory mapped I/O space.

CVE-2006-1855

Mattia Belletti noticed that certain debugging code left in the
process management code could be exploited by a local attacker to
cause a denial of service.

CVE-2006-1856

Kostik Belousov discovered a missing LSM file_permission check
in the readv and writev functions which might allow attackers to
bypass intended access restrictions.

CVE-2006-2444

Patrick McHardy discovered a bug in the SNMP NAT helper that
allows remote attackers to cause a denial of service.

CVE-2006-2446

A race condition in the socket buffer handling allows remote
attackers to cause a denial of service.

CVE-2006-2935

Diego Calleja Garcia discovered a buffer overflow in the DVD
handling code that could be exploited by a specially crafted DVD or
USB storage device to execute arbitrary code.

CVE-2006-2936

A bug in the serial USB driver has been discovered that could be
exploited by a custom made USB serial adapter to consume arbitrary
amounts of memory.

CVE-2006-3468

James McKenzie discovered a denial of service vulnerability in
the NFS driver. When exporting an ext3 file system over NFS, a
remote attacker could exploit this to trigger a file system panic
by sending a specially crafted UDP packet.

CVE-2006-3745

Wei Wang discovered a bug in the SCTP implementation that allows
local users to cause a denial of service and possibly gain root
privileges.

CVE-2006-4093

Olof Johansson discovered that the kernel did not disable the
HID0 bit on PowerPC 970 processors which could be exploited by a
local attacker to cause a denial of service.

CVE-2006-4145

A bug in the Universal Disk Format (UDF) filesystem driver could
be exploited by a local user to cause a denial of service.

CVE-2006-4535

David Miller reported a problem with the fix for CVE-2006-3745
that allows local users to crash the system using via an SCTP
socket with a certain SO_LINGER value.

The following matrix explains which kernel version for which
architecture fixes the problem mentioned above:

  stable (sarge)
Source 2.6.8-16sarge5
Alpha architecture 2.6.8-16sarge5
AMD64 architecture 2.6.8-16sarge5
HP Precision architecture 2.6.8-6sarge5
Intel IA-32 architecture 2.6.8-16sarge5
Intel IA-64 architecture 2.6.8-14sarge5
Motorola 680×0 architecture 2.6.8-4sarge5
PowerPC architecture 2.6.8-12sarge5
IBM S/390 2.6.8-5sarge5
Sun Sparc architecture 2.6.8-15sarge5
FAI 1.9.1sarge4

Due to some internal problems kernel packages for the S/390 are
missing and will be provided later.

For the unstable distribution (sid) these problems have been
fixed in version 2.6.18-1.

We recommend that you upgrade your kernel package and reboot the
machine. If you have built a custom kernel from the kernel source
package, you will need to rebuild to take advantage of these
fixes.

Upgrade Instructions


wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge


Source archives:

    http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-s390/kernel-image-2.6.8-s390_2.6.8-5sarge5.dsc

      Size/MD5 checksum: 846
1bcc93834f3d4ae2a83731ba2dab444c
    http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-s390/kernel-image-2.6.8-s390_2.6.8-5sarge5.tar.gz

      Size/MD5 checksum: 13994
feb0f938746f52cf80597ef8ff5691fc

Architecture independent components:

    http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-s390/kernel-patch-2.6.8-s390_2.6.8-5sarge5_all.deb

      Size/MD5 checksum: 12084
ab2e51bb8bbbbfcc392b725f955f96c0

IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-s390/kernel-headers-2.6.8-3_2.6.8-5sarge5_s390.deb

      Size/MD5 checksum: 5087410
92c4b60e889e92f05f30214020b50955
    http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-s390/kernel-image-2.6.8-3-s390_2.6.8-5sarge5_s390.deb

      Size/MD5 checksum: 2981914
f71d20cba548768ee4e44ffe28be947d
    http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-s390/kernel-image-2.6.8-3-s390-tape_2.6.8-5sarge5_s390.deb

      Size/MD5 checksum: 1144574
7e3ae52a9d115cdca1c79d3946cd4e6c
    http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-s390/kernel-image-2.6.8-3-s390x_2.6.8-5sarge5_s390.deb

      Size/MD5 checksum: 3189746
f1bd52a536ae5a13427c8b935bd81434

These files will probably be moved into the stable distribution
on its next update.


For apt-get: deb http://security.debian.org/
stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security
dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org

Package info: `apt-cache show <pkg>’ and http://packages.debian.org/<pkg>

Gentoo Linux


Gentoo Linux Security Advisory GLSA 200609-14


http://security.gentoo.org/


Severity: Normal
Title: ImageMagick: Multiple Vulnerabilities
Date: September 26, 2006
Bugs: #144091, #143533
ID: 200609-14


Synopsis

Multiple buffer overflows have been discovered in ImageMagick,
which could potentially result in the execution of arbitrary
code.

Background

ImageMagick is a free software suite to manipulate, convert, and
create many image formats.

Affected packages


     Package                /  Vulnerable  /                Unaffected

  1  media-gfx/imagemagick      < 6.2.9.5                   >= 6.2.9.5

Description

Tavis Ormandy of the Google Security Team discovered a stack and
heap buffer overflow in the GIMP XCF Image decoder and multiple
heap and integer overflows in the SUN bitmap decoder. Damian Put
discovered a heap overflow in the SGI image decoder.

Impact

An attacker may be able to create a specially crafted image
that, when processed with ImageMagick, executes arbitrary code with
the privileges of the executing user.

Workaround

There is no known workaround at this time.

Resolution

All ImageMagick users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.2.9.5"

References

[ 1 ] CVE-2006-3743

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3743

[ 2 ] CVE-2006-3744

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3744

[ 3 ] CVE-2006-4144

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4144

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200609-14.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2006 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).

The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


Gentoo Linux Security Advisory GLSA 200609-15


http://security.gentoo.org/


Severity: Normal
Title: GnuTLS: RSA Signature Forgery
Date: September 26, 2006
Bugs: #147682
ID: 200609-15


Synopsis

GnuTLS fails to handle excess data which could allow an attacker
to forge a PKCS #1 v1.5 signature.

Background

GnuTLS is an implementation of SSL 3.0 and TLS 1.0.

Affected packages


     Package          /  Vulnerable  /                      Unaffected

  1  net-libs/gnutls       < 1.4.4                            >= 1.4.4

Description

verify.c fails to properly handle excess data in
digestAlgorithm.parameters field while generating a hash when using
an RSA key with exponent 3. RSA keys that use exponent 3 are
commonplace.

Impact

Remote attackers could forge PKCS #1 v1.5 signatures that are
signed with an RSA key, preventing GnuTLS from correctly verifying
X.509 and other certificates that use PKCS.

Workaround

There is no known workaround at this time.

Resolution

All GnuTLS users should update both packages:

    # emerge --sync
    # emerge --update --ask --verbose ">=net-libs/gnutls-1.4.4"

References

[ 1 ] CVE-2006-4790

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4790

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200609-15.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2006 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).

The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


Gentoo Linux Security Advisory GLSA 200609-16


http://security.gentoo.org/


Severity: High
Title: Tikiwiki: Arbitrary command execution
Date: September 26, 2006
Bugs: #145714
ID: 200609-16


Synopsis

Tikiwiki contains a cross-site scripting (XSS) vulnerability as
well as a second vulnerability which may allow remote execution of
arbitrary code.

Background

Tikiwiki is a web-based groupware and content management system,
developed with PHP, ADOdb and Smarty.

Affected packages


     Package            /  Vulnerable  /                    Unaffected

  1  www-apps/tikiwiki       < 1.9.5                          >= 1.9.5

Description

A vulnerability in jhot.php allows for an unrestricted file
upload to the img/wiki/ directory. Additionally, an XSS exists in
the highlight parameter of tiki-searchindex.php.

Impact

An attacker could execute arbitrary code with the rights of the
user running the web server by uploading a file and executing it
via a filepath parameter. The XSS could be exploited to inject and
execute malicious script code or to steal cookie-based
authentication credentials, potentially compromising the victim’s
browser.

Workaround

There is no known workaround at this time.

Resolution

All Tikiwiki users should upgrade to the latest version:

    # emerge --sync
    # emerge --oneshot --verbose --ask ">=www-apps/tikiwiki-1.9.5"

References

[ 1 ] CVE-2006-4299

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4299

[ 2 ] CVE-2006-4602

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4602

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200609-16.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2006 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).

The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Red Hat Linux


Red Hat Security Advisory

Synopsis: Moderate: squirrelmail security update
Advisory ID: RHSA-2006:0668-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2006-0668.html

Issue date: 2006-09-26
Updated on: 2006-09-26
Product: Red Hat Enterprise Linux
CVE Names: CVE-2006-4019


1. Summary:

A new squirrelmail package that fixes a security issue as well
as several bugs is now available for Red Hat Enterprise Linux 3 and
4.

This update has been rated as having moderate security impact by
the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 – noarch
Red Hat Desktop version 3 – noarch
Red Hat Enterprise Linux ES version 3 – noarch
Red Hat Enterprise Linux WS version 3 – noarch
Red Hat Enterprise Linux AS version 4 – noarch
Red Hat Enterprise Linux Desktop version 4 – noarch
Red Hat Enterprise Linux ES version 4 – noarch
Red Hat Enterprise Linux WS version 4 – noarch

3. Problem description:

SquirrelMail is a standards-based webmail package written in
PHP.

A dynamic variable evaluation flaw was found in SquirrelMail.
Users who have an account on a SquirrelMail server and are logged
in could use this flaw to overwrite variables which may allow them
to read or write other users’ preferences or attachments.
(CVE-2006-4019)

Users of SquirrelMail should upgrade to this erratum package,
which contains SquirrelMail 1.4.8 to correct this issue. This
package also contains a number of additional patches to correct
various bugs.

Note: After installing this update, users are advised to restart
their httpd service to ensure that the new version functions
correctly.

4. Solution:

Before applying this update, make sure all previously released
errata relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat
Network, launch the Red Hat Update Agent with the following
command:

up2date

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/):

192236 – [Squirrelmail] sqspell_config.php not listed as a
config file
194457 – squirrelmail cannot handle handle multibyte characters in
attachment.
194598 – “Message Highlighting” help not translated in ja_JP
194599 – ja_JP help pages are garbled
195452 – squirrelmail view_text.php cannot handle handle multibyte
characters in attachment.
195639 – Squirrelmail file download issue on JP MS Windows XP.
196017 – squirrelmail cannot convert Subject to zen-kaku
kata-kana.
196117 – Wrong ja_JP translation for “refresh folder list”
202195 – CVE-2006-4019 Squirrelmail authenticated user variable
overwriting

6. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:

ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/squirrelmail-1.4.8-2.el3.src.rpm

ab9d7fa0864948074a24fbb0fac716e5
squirrelmail-1.4.8-2.el3.src.rpm

noarch:
0f4921da7a788f633aa016f993a9a9b6
squirrelmail-1.4.8-2.el3.noarch.rpm

Red Hat Desktop version 3:

SRPMS:

ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/squirrelmail-1.4.8-2.el3.src.rpm

ab9d7fa0864948074a24fbb0fac716e5
squirrelmail-1.4.8-2.el3.src.rpm

noarch:
0f4921da7a788f633aa016f993a9a9b6
squirrelmail-1.4.8-2.el3.noarch.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:

ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/squirrelmail-1.4.8-2.el3.src.rpm

ab9d7fa0864948074a24fbb0fac716e5
squirrelmail-1.4.8-2.el3.src.rpm

noarch:
0f4921da7a788f633aa016f993a9a9b6
squirrelmail-1.4.8-2.el3.noarch.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:

ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/squirrelmail-1.4.8-2.el3.src.rpm

ab9d7fa0864948074a24fbb0fac716e5
squirrelmail-1.4.8-2.el3.src.rpm

noarch:
0f4921da7a788f633aa016f993a9a9b6
squirrelmail-1.4.8-2.el3.noarch.rpm

Red Hat Enterprise Linux AS version 4:

SRPMS:

ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/squirrelmail-1.4.8-2.el4.src.rpm

de02b249ec7954627c88123fbdf77e7b
squirrelmail-1.4.8-2.el4.src.rpm

noarch:
5a86f850038d3a2df211c29af5c9070c
squirrelmail-1.4.8-2.el4.noarch.rpm

Red Hat Enterprise Linux Desktop version 4:

SRPMS:

ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/squirrelmail-1.4.8-2.el4.src.rpm

de02b249ec7954627c88123fbdf77e7b
squirrelmail-1.4.8-2.el4.src.rpm

noarch:
5a86f850038d3a2df211c29af5c9070c
squirrelmail-1.4.8-2.el4.noarch.rpm

Red Hat Enterprise Linux ES version 4:

SRPMS:

ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/squirrelmail-1.4.8-2.el4.src.rpm

de02b249ec7954627c88123fbdf77e7b
squirrelmail-1.4.8-2.el4.src.rpm

noarch:
5a86f850038d3a2df211c29af5c9070c
squirrelmail-1.4.8-2.el4.noarch.rpm

Red Hat Enterprise Linux WS version 4:

SRPMS:

ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/squirrelmail-1.4.8-2.el4.src.rpm

de02b249ec7954627c88123fbdf77e7b
squirrelmail-1.4.8-2.el4.src.rpm

noarch:
5a86f850038d3a2df211c29af5c9070c
squirrelmail-1.4.8-2.el4.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key
and details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4019

http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More
contact details at https://www.redhat.com/security/team/contact/

Copyright 2006 Red Hat, Inc.

rPath Linux

rPath Security Advisory: 2006-0173-1
Published: 2006-09-26
Products: rPath Linux 1
Rating: Major
Exposure Level Classification: Indirect User Deterministic
Unauthorized Access
Updated Versions:
openoffice.org=/conary.rpath.com@rpl:devel//1/2.0.3-1.6-1

References:

    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2198

    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3117

    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2199

    https://issues.rpath.com/browse/RPL-475

Description:

Previous versions of the openoffice.org packages are susceptible
to several vulnerabilities, including a denial of service
(application crash) and a user-complicit unauthorized access attack
that enables an attacker to cause arbitrary code to be run. These
versions are not susceptible to CVE-2006-2199 because Java is not
enabled in those builds.

Because Java support could not be disabled in the initial
release of OpenOffice.org 2.0.3, and because Java support is not
included within rPath Linux 1, this update was delayed until
non-Java builds were re-enabled in OpenOffice.org.

SUSE Linux


SUSE Security Announcement

Package: gzip
Announcement ID: SUSE-SA:2006:056
Date: Tue, 26 Sep 2006 15:32:33 +0000
Affected Products: SLE SDK 10 SUSE LINUX 10.1 SUSE LINUX 10.0 SUSE
LINUX 9.3 SUSE LINUX 9.2 SuSE Linux Desktop 1.0 SuSE Linux
Enterprise Server 8 SUSE SLES 10 SUSE SLES 9 UnitedLinux 1.0
Vulnerability Type: remote system compromise
Severity (1-10): 6
SUSE Default Package: yes
Cross-References: CVE-2006-4334,CVE-2006-4335,CVE-2006-4336,
CVE-2006-4337,CVE-2006-4338

Content of This Advisory:

  1. Security Vulnerability Resolved: buffer overflows, infinite
    loops Problem Description
  2. Solution or Work-Around
  3. Special Instructions and Notes
  4. Package Location and Checksums
  5. Pending Vulnerabilities, Solutions, and Work-Arounds: none
  6. Authenticity Verification and Additional Information

1) Problem Description and Brief Discussion

The gzip tool does not handle some specific values correctly
when unpacking archives. This leads to vulnerabilities like buffer
overflows or infinite loops.

Various different programs like mail clients, file explorer,
etc. use gzip and if a user can be deveived to unpack the archive
of an attacker these bugs can lead to remote system compromise.

Thanks to Tavis Ormandy, Google Security Team for informing us
about this issue.

2) Solution or Work-Around

The is no work-around known.

3) Special Instructions and Notes

none

4) Package Location and Checksums

The preferred method for installing security updates is to use
the YaST Online Update (YOU) tool. YOU detects which updates are
required and automatically performs the necessary steps to verify
and install them. Alternatively, download the update packages for
your distribution manually and verify their integrity by the
methods listed in Section 6 of this announcement. Then install the
packages using the command

rpm -Fhv <file.rpm>

to apply the update, replacing <file.rpm> with the
filename of the downloaded RPM package.

x86 Platform:

SUSE LINUX 10.1:

ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/gzip-1.3.5-159.5.i586.rpm

dc3d0d1fa04f309155188d456339e320

SUSE LINUX 10.0:

ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/gzip-1.3.5-144.2.i586.rpm

fa214e77cac58482b03a39aa3637402f

SUSE LINUX 9.3:

ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/gzip-1.3.5-140.2.i586.rpm

93c268c56d6f2bfb97fb1362440619ff

SUSE LINUX 9.2:

ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/gzip-1.3.5-139.2.i586.rpm

9ce8e3d5dda60f5c0226e1003555e7e3

Power PC Platform:

SUSE LINUX 10.1:

ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/gzip-1.3.5-159.5.ppc.rpm

e5216ebf301cc076117d24b1d641d666

SUSE LINUX 10.0:

ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/gzip-1.3.5-144.2.ppc.rpm

70fad9dec1124d6e2a18cddb56542e21

x86-64 Platform:

SUSE LINUX 10.1:

ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/gzip-1.3.5-159.5.x86_64.rpm

bc88120404ee14a4f85869bf7b664c23

SUSE LINUX 10.0:

ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/gzip-1.3.5-144.2.x86_64.rpm

9bac8a94f263b70fcb0188b8fe61b51a

SUSE LINUX 9.3:

ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/gzip-1.3.5-140.2.x86_64.rpm

e99894cc66b479b026a8d6ab8f3d4bee

SUSE LINUX 9.2:

ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/gzip-1.3.5-139.2.x86_64.rpm

7f58b2c8124e895b5bbbf24e92f5701a

Sources:

SUSE LINUX 10.1:

ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/gzip-1.3.5-159.5.src.rpm

ccc806bead84a51395e24d03e1b08132

SUSE LINUX 10.0:

ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/gzip-1.3.5-144.2.src.rpm

8d38b0719a591ac7c41aa35062ca8f2e

SUSE LINUX 9.3:

ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/gzip-1.3.5-140.2.src.rpm

1c7511c702371171e4a940e6c6740c35

SUSE LINUX 9.2:

ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/gzip-1.3.5-139.2.src.rpm

81243003d7d3b397d7043a74059c5d7f

Our maintenance customers are notified individually. The
packages are offered for installation from the maintenance web:


http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/c9a04465aadc28a00f8e67df4a55f059.html


5) Pending Vulnerabilities, Solutions, and Work-Arounds:

none


6) Authenticity Verification and Additional Information

  • Announcement authenticity verification:

    SUSE security announcements are published via mailing lists and
    on Web sites. The authenticity and integrity of a SUSE security
    announcement is guaranteed by a cryptographic signature in each
    announcement. All SUSE security announcements are published with a
    valid signature.

    To verify the signature of the announcement, save it as text
    into a file and run the command

    gpg –verify <file>

    replacing <file> with the name of the file where you saved
    the announcement. The output for a valid signature looks like:

    gpg: Signature made <DATE> using RSA key ID 3D25D3D9
    gpg: Good signature from “SuSE Security Team <security@suse.de>”

    where <DATE> is replaced by the date the document was
    signed.

    If the security team’s key is not contained in your key ring,
    you can import it from the first installation CD. To import the
    key, use the command

    gpg –import gpg-pubkey-3d25d3d9-36e12d04.asc

  • Package authenticity verification:

    SUSE update packages are available on many mirror FTP servers
    all over the world. While this service is considered valuable and
    important to the free and open source software community, the
    authenticity and the integrity of a package needs to be verified to
    ensure that it has not been tampered with.

    There are two verification methods that can be used
    independently from each other to prove the authenticity of a
    downloaded file or RPM package:

    1. Using the internal gpg signatures of the rpm package
    2. MD5 checksums as provided in this announcement
    1. The internal rpm package signatures provide an easy way to
      verify the authenticity of an RPM package. Use the command

      rpm -v –checksig <file.rpm>

      to verify the signature of the package, replacing
      <file.rpm> with the filename of the RPM package downloaded.
      The package is unmodified if it contains a valid signature from
      build@suse.de with the key ID
      9C800ACA. This key is automatically imported into the RPM database
      (on RPMv4-based distributions) and the gpg key ring of ‘root’
      during installation. You can also find it on the first installation
      CD and at the end of this announcement.

    2. If you need an alternative means of verification, use the
      md5sum command to verify the authenticity of the packages. Execute
      the command

      md5sum <filename.rpm>

      after you downloaded the file from a SUSE FTP server or its
      mirrors. Then compare the resulting md5sum with the one that is
      listed in the SUSE security announcement. Because the announcement
      containing the checksums is cryptographically signed (by security@suse.de), the checksums show
      proof of the authenticity of the package if the signature of the
      announcement is valid. Note that the md5 sums published in the SUSE
      Security Announcements are valid for the respective packages only.
      Newer versions of these packages cannot be verified.

  • SUSE runs two security mailing lists to which any interested
    party may subscribe:

        suse-security@suse.com

For general information or the frequently asked questions (FAQ),
send mail to <suse-security-info@suse.com>
or <suse-security-faq@suse.com>.


SUSE’s security contact is <security@suse.com> or
<security@suse.de>. The
<security@suse.de>
public key is listed below.


The information in this advisory may be distributed or
reproduced, provided that the advisory is not modified in any way.
In particular, the clear text signature should show proof of the
authenticity of the text.

SUSE Linux Products GmbH provides no warranties of any kind
whatsoever with respect to the information contained in this
security advisory.

Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis