SUSE Security Summary Report

ID:            SUSE-SR:2007:013
Distribution:  SUSE
Platforms:     not specified
Date:          Sat, 23 June 2007, 09:34
References:    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2177
               http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1262
               http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1804
               http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2052
               http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2445
               http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2500
               http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2524
               http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2589
               http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2756
Applications:  SUSE

Original message
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SUSE Security Summary Report

        Announcement ID:        SUSE-SR:2007:013
        Date:                   Fri, 22 Jun 2007 16:00:00 +0000
        Cross-References:       CVE-2005-2177, CVE-2007-1262, CVE-2007-1804
                                CVE-2007-2052, CVE-2007-2445, CVE-2007-2500
                                CVE-2007-2524, CVE-2007-2589, CVE-2007-2756

    Content of this advisory:
    1) Solved Security Vulnerabilities:
       - squirrelmail cross site scripting problems
       - OpenOffice_org macro virus "BadBunny"
       - Blackdown JDK/JRE
       - gnash denial of service
       - libpng denial of service
       - python memory disclosure
       - pulseaudio denial of service
       - gd denial of service
       - otrs cross site scripting problem
       - net-snmp denial of service
    2) Pending Vulnerabilities, Solutions, and Work-Arounds:
       - Mozilla Firefox 2.0.0.4 update
       - file security problems
       - freetype2 problems
    3) Authenticity Verification and Additional Information

______________________________________________________________________________

1) Solved Security Vulnerabilities

   To avoid flooding mailing lists with SUSE Security Announcements for
   minor issues, SUSE Security releases weekly summary reports for the
   low profile vulnerability fixes. The SUSE Security Summary Reports do
   not list md5 sums or download URLs like the SUSE Security
   Announcements that are released for more severe vulnerabilities.

   Fixed packages for the following incidents are already available on
   our FTP server and via the YaST Online Update.

   - squirrelmail cross site scripting problems

     squirrelmail was updated to fix two cross-site scripting
     vulnerabilities that can be used by an attacker to read opened
     emails (CVE-2007-1262) and to send email on behalf of the user
     (CVE-2007-2589).

     This problem was fixed for SUSE Linux 10.0, 10.1 and openSUSE 10.2.

   - OpenOffice_org macro virus "BadBunny"

     Since May this year a macro virus for OpenOffice_org has been
     circulating. The code is mostly harmless and can be classified as a
     proof-of-concept virus.

     OpenOffice_org does not execute macros in a document by default;
     the user is asked to enable macros when the document is opened. We
     encourage users not to enable macros from untrusted sources. When
     you receive a document from a known person via email, ask this
     person first before you open the document.

     More information:
     http://secunia.com/virus_information/38489/sbbadbunny-a/

   - Blackdown JDK/JRE

     The Blackdown JDK/JRE suffers from the same problems as Sun
     JDK/JRE, for instance the current image decoding problems. In the
     case of the Blackdown Java implementation there is no update
     package or source code available, therefore we cannot provide
     security updates. If possible, switch to Sun's Java package.

     Only SUSE Linux Enterprise Desktop 1.0 contains the Blackdown JDK.

   - gnash denial of service

     A denial of service problem was fixed in the free flash player
     gnash. (CVE-2007-2500)

     gnash is shipped only on openSUSE 10.2 and was fixed there.

   - libpng denial of service

     Applications using libpng can crash if libpng is asked to process a
     grayscale image with a malformed (bad CRC) tRNS chunk.
     (CVE-2007-2445)

     This problem was fixed for all SUSE Linux based distributions.

   - python memory disclosure

     An off-by-one error in the PyLocale_strxfrm() function in python
     was fixed which can lead to a memory information leak.
     (CVE-2007-2052)

     This has been fixed for all SUSE Linux based products.

   - pulseaudio denial of service

     pulseaudio was updated to fix a denial-of-service bug that can be
     triggered remotely. (CVE-2007-1804)

     Only openSUSE 10.2 contains pulseaudio and is affected by this bug.

   - gd denial of service

     A denial-of-service bug in libgd that can occur while processing
     crafted images was fixed. (CVE-2007-2756)

     This problem has been fixed for all SUSE Linux based distributions.

   - OTRS cross site scripting problem

     A cross site scripting (XSS) vulnerability in OTRS was fixed.
     (CVE-2007-2524)

   - net-snmp denial of service

     This update fixes a denial of service problem which could be
     triggered by a packet containing a single byte. (CVE-2005-2177)

     This problem only affected SUSE Linux 9.3 and 10.0 and was fixed
     for these distributions.

______________________________________________________________________________

2) Pending Vulnerabilities, Solutions, and Work-Arounds

   - Mozilla Firefox 2.0.0.4 update

     The Mozilla Firefox 1.5.0.12 / 2.0.0.4 release fixes various
     security issues. We have released updates for all packages, except
     for SLE10. Once this update is out, a full advisory will be
     released.

   - file security problems

     Additional file security problems were found. Updates have been
     released for all distributions except SUSE Linux 10.1 and SLE 10.
     Once updates for these distributions are released, a full advisory
     will follow.

   - freetype2 problems

     TTF related security problems were fixed in the freetype2 packages.
     Packages for all distributions except SUSE Linux 10.1 and SLE 10
     have been released already. Once the latter are released, a full
     advisory will follow.

______________________________________________________________________________

3) Authenticity Verification and Additional Information

   - Announcement authenticity verification:

     SUSE security announcements are published via mailing lists and on
     Web sites. The authenticity and integrity of a SUSE security
     announcement is guaranteed by a cryptographic signature in each
     announcement. All SUSE security announcements are published with a
     valid signature.

     To verify the signature of the announcement, save it as text into
     a file and run the command

       gpg --verify