ESB-2009.0317 -- [UNIX/Linux] -- Suse: Update for Multiple Packages

Date: 03 April 2009
References: ESB-2008.0073  AA-2008.0131  ESB-2009.0151  ESB-2009.0196  ESB-2009.0257  ESB-2009.0259  ESB-2009.0328  ESB-2009.0329  ESB-2009.0338  ESB-2009.0349  ESB-2009.0357  ESB-2009.0620

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                       ESB-2009.0317 -- [UNIX/Linux]
                    Suse: Update for Multiple Packages
                               3 April 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              vim
                      gvim
                      apache2
                      opera
                      multipath tools
                      java-1_6_0-openjdk
                      imp
                      horde
                      lcms
                      moodle
                      ghostscript
Publisher:            Suse
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact:               Execute Arbitrary Code/Commands
                      Root Compromise
                      Increased Privileges
                      Access Privileged Data
                      Access Confidential Data
                      Modify Permissions
                      Denial of Service
                      Cross-site Scripting
Access:               Remote/Unauthenticated
CVE Names:            CVE-2009-0932 CVE-2009-0930 CVE-2009-0916
                      CVE-2009-0915 CVE-2009-0914 CVE-2009-0733
                      CVE-2009-0723 CVE-2009-0584 CVE-2009-0583
                      CVE-2009-0581 CVE-2009-0502 CVE-2009-0501
                      CVE-2009-0500 CVE-2009-0499 CVE-2009-0115
                      CVE-2008-6235 CVE-2008-5917 CVE-2008-4677
                      CVE-2008-3076 CVE-2008-3075 CVE-2008-3074
                      CVE-2008-2712 CVE-2008-2364 CVE-2007-6018

Ref:                  ESB-2008.0073
                      AA-2008.0131
                      ESB-2009.0151
                      ESB-2009.0196
                      ESB-2009.0257
                      ESB-2009.0259

Original Bulletin:    http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Suse. It is recommended that administrators
         running these products check for updated versions of the software
         for their operating system.

---------------------------BEGIN INCLUDED TEXT--------------------

______________________________________________________________________

SUSE Security Summary Report

Announcement ID: SUSE-SR:2009:007
Date: Tue, 24 Mar 2009 16:00:00 +0000
Cross-References: CVE-2007-6018, CVE-2008-2364, CVE-2008-2712
                  CVE-2008-3074, CVE-2008-3075, CVE-2008-3076
                  CVE-2008-4677, CVE-2008-5917, CVE-2008-6235
                  CVE-2009-0115, CVE-2009-0499, CVE-2009-0500
                  CVE-2009-0501, CVE-2009-0502, CVE-2009-0581
                  CVE-2009-0583, CVE-2009-0584, CVE-2009-0723
                  CVE-2009-0733, CVE-2009-0914, CVE-2009-0915
                  CVE-2009-0916, CVE-2009-0930, CVE-2009-0932

Content of this advisory:
1) Solved Security Vulnerabilities:
- vim, gvim
- apache2
- opera
- multipath tools
- java-1_6_0-openjdk
- imp
- horde
- lcms
- moodle
- ghostscript
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
- NetworkManager
3) Authenticity Verification and Additional Information


______________________________________________________________________

1) Solved Security Vulnerabilities

To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low-profile
vulnerability fixes. Unlike the SUSE Security Announcements that are
released for more severe vulnerabilities, the SUSE Security Summary Reports
do not list download URLs.

Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.

- vim, gvim
The VI Improved editor (vim) was prone to several security problems:

CVE-2008-4677: credential disclosure; the netrw plugin sent credentials
               to all servers.
CVE-2008-2712: arbitrary code execution in the vim helper plugins
               filetype, zip, xpm, gzip and netrw.
CVE-2008-3074: code injection in the tar plugin.
CVE-2008-3075: code injection in the zip plugin.
CVE-2008-3076: several netrw bugs, including code injection.
CVE-2008-6235: code injection in the netrw plugin.

Affected Products: openSUSE 10.3-11.1, SLES9, SLES10

On openSUSE, vim was upgraded to version 7.2.108 to fix these issues.
SLES9 and SLES10 were affected only by a subset of them; patches were
backported to fix the problems.

- apache2
A denial-of-service (DoS) condition in apache2's mod_proxy has been fixed
(CVE-2008-2364).

Affected Products: openSUSE 10.3

- opera
Opera 9.64 is a recommended security and stability upgrade,
incorporating the Opera Presto 2.1.1 user agent engine. Opera strongly
recommends that all users upgrade to Opera 9.64 to take advantage of
these improvements (CVE-2009-0914, CVE-2009-0915, CVE-2009-0916).

A detailed changelog can be found at
http://www.opera.com/docs/changelogs/linux/964/

- multipath tools
/var/run/multipathd.sock was world-writable allowing local users to
issue commands to the multipath daemon (CVE-2009-0115).

Affected Products: openSUSE 10.3-11.0, SLES10

- java-1_6_0-openjdk
Specially crafted image files could cause an integer overflow in the
lcms library contained in openjdk. Attackers could potentially
exploit that to crash applications using lcms or even execute
arbitrary code (CVE-2009-0723, CVE-2009-0581, CVE-2009-0733).

The previous update packages contained broken dependencies and could not
be installed, so the update had to be re-released.

Affected Products: openSUSE 11.0 and 11.1

- imp
The version update to IMP 4.1.6 fixes a problem with validating HTTP
requests that allowed attackers to delete emails (CVE-2007-6018) and
some cross-site-scripting issues (CVE-2009-0930).

Affected Products: openSUSE 10.3-11.0

- horde
The version update to horde 3.1.9 fixes a cross-site-scripting (XSS) issue
(CVE-2008-5917) and an include file problem (CVE-2009-0932).

Affected Products: openSUSE 10.3-11.0

- lcms
Specially crafted image files could cause an integer overflow in
lcms. Attackers could potentially exploit that to crash applications
using lcms or even execute arbitrary code (CVE-2009-0723,
CVE-2009-0581, CVE-2009-0733).

Affected Products: openSUSE 10.3-11.1, SLES9, SLES10

- moodle
moodle was prone to several cross-site-scripting (XSS) and
cross-site-request-forgery (CSRF) problems (CVE-2009-0499, CVE-2009-0500,
CVE-2009-0501, CVE-2009-0502).

Affected Products: openSUSE 10.3-11.0

- ghostscript
Integer overflows and missing upper bounds checks in Ghostscript's
ICC library potentially allowed attackers to crash Ghostscript or
even cause execution of arbitrary code via specially crafted PS or
PDF files (CVE-2009-0583, CVE-2009-0584).

Affected Products: openSUSE 10.3-11.0, SLES9, SLES10



______________________________________________________________________

2) Pending Vulnerabilities, Solutions, and Work-Arounds

- NetworkManager
The NetworkManager update caused WLAN to stop working on some systems.
Those systems most likely have a stale directory
/var/run/dbus/at_console/root, left over from a root session. Removing
the directory and restarting networking should fix the problem. Please
avoid logging in as root in the future.



______________________________________________________________________

3) Authenticity Verification and Additional Information

- Announcement authenticity verification:

SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.

To verify the signature of the announcement, save it as text into a file
and run the command

gpg --verify <file>

replacing <file> with the name of the file containing the announcement.
The output for a valid signature looks like:

gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security@xxxxxxx>"

where <DATE> is replaced by the date the document was signed.

If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command

gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

- Package authenticity verification:

SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and integrity of a
package needs to be verified to ensure that it has not been tampered with.

The internal RPM package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command

rpm -v --checksig <file.rpm>

to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@xxxxxxx with the key ID 9C800ACA.

This key is automatically imported into the RPM database (on RPMv4-based
distributions) and the gpg key ring of 'root' during installation. You can
also find it on the first installation CD and included at the end of this
announcement.
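Both verification steps above end with reading gpg's or rpm's output by eye. The following added example (not from the SUSE advisory or from AusCERT) shows the check a script should make instead: compare the key ID that gpg or rpm reports against the two IDs the advisory quotes, rather than trusting the "Good signature" text or the user ID, which anyone can put on a key. It assumes gpg's documented `--status-fd` line format and the `signature: OK, key ID <id>` lines of `rpm -v --checksig` on rpm 4.x; all sample output is constructed.

```python
# Added example (not from the SUSE advisory or the AusCERT bulletin): check the
# output of the two verification commands against the key IDs the advisory
# quotes. Assumes gpg's documented --status-fd format ('[GNUPG:] GOODSIG <long
# key id> <user id>', produced by 'gpg --status-fd 1 --verify <file>') and the
# 'signature: OK, key ID <id>' lines of 'rpm -v --checksig' on rpm 4.x.
import re

ANNOUNCE_KEY_ID = "3D25D3D9"  # SuSE Security Team key, per the advisory
PACKAGE_KEY_ID = "9C800ACA"   # SuSE Package Signing Key, per the advisory

REJECT = ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG")

def announcement_signed_by(status_text, expected_id):
    """True only if gpg reported GOODSIG from a key whose ID ends in expected_id.
    A 'Good signature from "SuSE Security Team"' line alone proves nothing: anyone
    can create a key with that user ID, so the key ID is compared, not the name.
    Bad, expired and revoked signatures or keys are treated as failures."""
    good_key = None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in REJECT:
            return False
        if parts[1] == "GOODSIG":
            good_key = parts[2]  # long key ID; the advisory quotes the short form
    return good_key is not None and good_key.upper().endswith(expected_id.upper())

RPM_SIG_OK = re.compile(r"signature: OK, key ID ([0-9a-fA-F]{8})")

def package_signed_by(checksig_output, expected_id):
    """True if every signature line is OK and made by expected_id; a package with
    no signature line at all is unsigned and therefore rejected."""
    sig_lines = [l for l in checksig_output.splitlines() if "signature:" in l.lower()]
    if not sig_lines:
        return False
    for line in sig_lines:
        m = RPM_SIG_OK.search(line)
        if m is None or m.group(1).upper() != expected_id.upper():
            return False
    return True

# Constructed sample output (not real); the upper half of the long key ID is a placeholder.
GOOD_GPG = ("[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG 00000000" + ANNOUNCE_KEY_ID +
            " SuSE Security Team <security@xxxxxxx>\n")
FORGED_GPG = ("[GNUPG:] GOODSIG 0000000011111111"       # same name, other key
              " SuSE Security Team <security@xxxxxxx>\n")
GOOD_RPM = ("vim-7.2.108.rpm:\n"
            "    Header V3 DSA signature: OK, key ID 9c800aca\n"
            "    V3 DSA signature: OK, key ID 9c800aca\n")
```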

- SUSE runs two security mailing lists to which any interested party may
subscribe:

opensuse-security@xxxxxxxxxxxx
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe@xxxxxxxxxxxx>.

opensuse-security-announce@xxxxxxxxxxxx
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security-announce+subscribe@xxxxxxxxxxxx>.

=====================================================================
SUSE's security contact is <security@xxxxxxxx> or <security@xxxxxxx>.
The <security@xxxxxxx> public key is listed below.
=====================================================================

______________________________________________________________________

The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the 
clear text signature should show proof of the authenticity of the text.

SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.

Type  Bits/KeyID      Date        User ID
pub   2048R/3D25D3D9  1999-03-06  SuSE Security Team <security@xxxxxxx>
pub   1024D/9C800ACA  2000-10-19  SuSE Package Signing Key <build@xxxxxxx>

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFJ1YqoNVH5XJJInbgRAgIYAJ9VXYrrivZVfqyLY6c2NwH1K44ADwCcDjIF
gP0bRKRYdYKMFdMP947In+E=
=A5EN
-----END PGP SIGNATURE-----