MESSAGE
DATE: 2007-02-15
FROM: rc
SUBJECT: Re: [NYLXS - HANGOUT] [meissner@suse.de: [suse-security-announce]

YOU still using MSuSE?
Ruben Safir wrote:
> Speaking of Package Management
>
>
> ----- Forwarded message from Marcus Meissner -----
>
> Mailing-List: contact suse-security-announce-help-at-suse.com; run by ezmlm
> Precedence: bulk
> List-Post:
> List-Help:
> List-Unsubscribe:
> List-Subscribe:
> X-Mailinglist: suse-security-announce
> Delivered-To: mailing list suse-security-announce-at-suse.com
> Delivered-To: moderator for suse-security-announce-at-suse.com
> Date: Thu, 15 Feb 2007 16:03:13 +0100
> From: Marcus Meissner
> To: suse-security-announce-at-suse.com
> User-Agent: Heirloom mailx 12.1 6/15/06
> Subject: [suse-security-announce] SUSE Security Announcement: samba remote denial of service
>   (SUSE-SA:2007:016)
> X-Keywords:
> X-UID: 30638
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> ______________________________________________________________________________
>
>                         SUSE Security Announcement
>
>         Package:                samba
>         Announcement ID:        SUSE-SA:2007:016
>         Date:                   Thu, 15 Feb 2007 15:00:00 +0000
>         Affected Products:      SUSE LINUX 9.3
>                                 SUSE LINUX 10.0
>                                 SUSE LINUX 10.1
>                                 openSUSE 10.2
>                                 SUSE SLES 9
>                                 Novell Linux Desktop 9
>                                 Open Enterprise Server
>                                 Novell Linux POS 9
>                                 SUSE SLED 10
>                                 SUSE SLES 10
>         Vulnerability Type:     remote denial of service
>         Severity (1-10):        5
>         SUSE Default Package:   yes
>         Cross-References:       CVE-2007-0452 CVE-2007-0453 CVE-2007-0454
>
>     Content of This Advisory:
>         1) Security Vulnerability Resolved:
>              samba remote denial of service
>            Problem Description
>         2) Solution or Work-Around
>         3) Special Instructions and Notes
>         4) Package Location and Checksums
>         5) Pending Vulnerabilities, Solutions, and Work-Arounds:
>             See SUSE Security Summary Report.
>         6) Authenticity Verification and Additional Information
>
> ______________________________________________________________________________
>
> 1) Problem Description and Brief Discussion
>
>    The Samba daemon was affected by a security problem, where a
>    logic error in the deferred open code can lead to an infinite loop
>    (CVE-2007-0452).
>
>    This problem could be used by remote authenticated attackers that
>    have access to the samba daemon.
>
>    Two other problems fixed in the upstream samba security release
>    that do not affect the SUSE Samba version:
>
>    - CVE-2007-0454: A format string problem in AFS ACL handling.
>      None of our shipping Samba versions have this option compiled in.
>
>    - CVE-2007-0453: A buffer overflow in nss_winbind on Solaris.
>      Linux is generally not affected by this problem.
>
> 2) Solution or Work-Around
>
>    There is no known workaround, please install the update packages.
>
> 3) Special Instructions and Notes
>
>    None.
>
> 4) Package Location and Checksums
>
>    The preferred method for installing security updates is to use the YaST
>    Online Update (YOU) tool. YOU detects which updates are required and
>    automatically performs the necessary steps to verify and install them.
>    Alternatively, download the update packages for your distribution manually
>    and verify their integrity by the methods listed in Section 6 of this
>    announcement. Then install the packages using the command
>
>      rpm -Fhv <file.rpm>
>
>    to apply the update, replacing <file.rpm> with the filename of the
>    downloaded RPM package.
>
>
>    x86 Platform:
>
>    openSUSE 10.2:
>    ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/samba-3.0.23d-19.2.i586.rpm
>      6b4cb2859d1321648fd46c30a6cfd343
>    ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/samba-client-3.0.23d-19.2.i586.rpm
>      b168ff8f07a792bf6fb66a91c893ae33
>    ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/samba-winbind-3.0.23d-19.2.i586.rpm
>      23e180e09af077fd64b35d8154d414c6
>
>    SUSE LINUX 10.1:
>    ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/samba-3.0.22-13.27.i586.rpm
>      898c1eb0d0d4f1c806ce7fb8907753d7
>    ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/samba-client-3.0.22-13.27.i586.rpm
>      d4f4efa7488aa12edd8f9ac2074fbbc3
>    ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/samba-winbind-3.0.22-13.27.i586.rpm
>      f2d11fdea4fa460cfb5bda4e20fc5e86
>
>    SUSE LINUX 10.0:
>    ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/samba-3.0.20b-3.8.i586.rpm
>      ce7bcec67ee32a5415d4cb5907ec0372
>
>    SUSE LINUX 9.3:
>    ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/samba-3.0.13-1.6.i586.rpm
>      7cc438d1cc0e8d4f479844bfccc8f698
>
>    Power PC Platform:
>
>    openSUSE 10.2:
>    ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/samba-3.0.23d-19.2.ppc.rpm
>      d3b20aff8d493b48741b160c223bd268
>    ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/samba-client-3.0.23d-19.2.ppc.rpm
>      790670189510dce128dca2f3f32f2b9c
>    ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/samba-winbind-3.0.23d-19.2.ppc.rpm
>      43815e4efd08eae9e26242be281ba2fe
>
>    SUSE LINUX 10.1:
>    ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/samba-3.0.22-13.27.ppc.rpm
>      a2d2ce421081a74258c5328a5a432629
>    ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/samba-client-3.0.22-13.27.ppc.rpm
>      f86d3c623aadc34f1f64f173108f9c4b
>    ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/samba-winbind-3.0.22-13.27.ppc.rpm
>      b95e5643763b4f172adec030fa9033be
>
>    SUSE LINUX 10.0:
>    ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/samba-3.0.20b-3.8.ppc.rpm
>      8badc1520efe79ac17b053be83648e46
>
>    x86-64 Platform:
>
>    openSUSE 10.2:
>    ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/samba-3.0.23d-19.2.x86_64.rpm
>      a23ee65e112c499b91af6c00ab068efa
>    ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/samba-32bit-3.0.23d-19.2.x86_64.rpm
>      09785d54c57f6da705acfa0f911b0b8d
>    ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/samba-client-3.0.23d-19.2.x86_64.rpm
>      c4b7be8c144842fd6947bfa7bf56891a
>    ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/samba-client-32bit-3.0.23d-19.2.x86_64.rpm
>      5a474e36e2f20b086138fb1d7a225942
>    ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/samba-winbind-3.0.23d-19.2.x86_64.rpm
>      c3ebad542ec53b71d3641310f796b430
>    ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/samba-winbind-32bit-3.0.23d-19.2.x86_64.rpm
>      1d0480ab089c3be84de54bc6bad71910
>
>    SUSE LINUX 10.1:
>    ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/samba-3.0.22-13.27.x86_64.rpm
>      be6125ae205f2274150a29a4c251e8c0
>    ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/samba-32bit-3.0.22-13.27.x86_64.rpm
>      6bd817cbdf52fd2e4ff8257442ba1d60
>    ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/samba-client-3.0.22-13.27.x86_64.rpm
>      5cd72ad1de6b29173a9e3d23a1012b2c
>    ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/samba-client-32bit-3.0.22-13.27.x86_64.rpm
>      a6509bd2aa7b9c7421e4d1777ce2bba3
>    ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/samba-winbind-3.0.22-13.27.x86_64.rpm
>      0d3cb4f0c3bcef1a5569dd5d72b3c73b
>    ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/samba-winbind-32bit-3.0.22-13.27.x86_64.rpm
>      e9dbf740b218735e385a348524d31108
>
>    SUSE LINUX 10.0:
>    ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/samba-3.0.20b-3.8.x86_64.rpm
>      f0ad5468ce42ff2631e9a6b3231010c1
>
>    SUSE LINUX 9.3:
>    ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/samba-3.0.13-1.6.x86_64.rpm
>      fbd0c2a208fd91da991e53b54fb1a57d
>
>    Sources:
>
>    openSUSE 10.2:
>    ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/samba-3.0.23d-19.2.src.rpm
>      54d62f5dad95981f0ae894619d0f06ea
>
>    SUSE LINUX 10.1:
>    ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/samba-3.0.22-13.27.src.rpm
>      8b2e1c4b662fc43fa03fe1ba60342c00
>
>    SUSE LINUX 10.0:
>    ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/samba-3.0.20b-3.8.src.rpm
>      9217074c11c43c30860be28b33f034dd
>
>    SUSE LINUX 9.3:
>    ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/samba-3.0.13-1.6.src.rpm
>      117006e9e50e888e4848aa320e88b18d
>
>    Our maintenance customers are notified individually. The packages are
>    offered for installation from the maintenance web:
>
>    SUSE SLES 10
>    http://support.novell.com/techcenter/psdb/1324cf66bf45968bebbd721ece5f92c7.html
>
>    SUSE SLED 10
>    http://support.novell.com/techcenter/psdb/1324cf66bf45968bebbd721ece5f92c7.html
>
>    Open Enterprise Server
>    http://support.novell.com/techcenter/psdb/75665d46b2b2dc409e252b880a1ad2f4.html
>
>    Novell Linux POS 9
>    http://support.novell.com/techcenter/psdb/75665d46b2b2dc409e252b880a1ad2f4.html
>
>    Novell Linux Desktop 9
>    http://support.novell.com/techcenter/psdb/75665d46b2b2dc409e252b880a1ad2f4.html
>
>    SUSE SLES 9
>    http://support.novell.com/techcenter/psdb/75665d46b2b2dc409e252b880a1ad2f4.html
>
> ______________________________________________________________________________
>
> 5) Pending Vulnerabilities, Solutions, and Work-Arounds:
>
>    See SUSE Security Summary Report.
> ______________________________________________________________________________
>
> 6) Authenticity Verification and Additional Information
>
>   - Announcement authenticity verification:
>
>     SUSE security announcements are published via mailing lists and on Web
>     sites. The authenticity and integrity of a SUSE security announcement is
>     guaranteed by a cryptographic signature in each announcement. All SUSE
>     security announcements are published with a valid signature.
>
>     To verify the signature of the announcement, save it as text into a file
>     and run the command
>
>       gpg --verify <file>
>
>     replacing <file> with the name of the file where you saved the
>     announcement. The output for a valid signature looks like:
>
>       gpg: Signature made <DATE> using RSA key ID 3D25D3D9
>       gpg: Good signature from "SuSE Security Team "
>
>     where <DATE> is replaced by the date the document was signed.
>
>     If the security team's key is not contained in your key ring, you can
>     import it from the first installation CD. To import the key, use the
>     command
>
>       gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
>
>   - Package authenticity verification:
>
>     SUSE update packages are available on many mirror FTP servers all over the
>     world. While this service is considered valuable and important to the free
>     and open source software community, the authenticity and the integrity of
>     a package needs to be verified to ensure that it has not been tampered
>     with.
>
>     There are two verification methods that can be used independently from
>     each other to prove the authenticity of a downloaded file or RPM package:
>
>     1) Using the internal gpg signatures of the rpm package
>     2) MD5 checksums as provided in this announcement
>
>     1) The internal rpm package signatures provide an easy way to verify the
>        authenticity of an RPM package. Use the command
>
>          rpm -v --checksig <file.rpm>
>
>        to verify the signature of the package, replacing <file.rpm> with the
>        filename of the RPM package downloaded. The package is unmodified if it
>        contains a valid signature from build-at-suse.de with the key ID 9C800ACA.
>
>        This key is automatically imported into the RPM database (on
>        RPMv4-based distributions) and the gpg key ring of 'root' during
>        installation. You can also find it on the first installation CD and at
>        the end of this announcement.
>
>     2) If you need an alternative means of verification, use the md5sum
>        command to verify the authenticity of the packages. Execute the command
>
>          md5sum <file>
>
>        after you downloaded the file from a SUSE FTP server or its mirrors.
>        Then compare the resulting md5sum with the one that is listed in the
>        SUSE security announcement. Because the announcement containing the
>        checksums is cryptographically signed (by security-at-suse.de), the
>        checksums show proof of the authenticity of the package if the
>        signature of the announcement is valid. Note that the md5 sums
>        published in the SUSE Security Announcements are valid for the
>        respective packages only. Newer versions of these packages cannot be
>        verified.
>
>   - SUSE runs two security mailing lists to which any interested party may
>     subscribe:
>
>     opensuse-security-at-opensuse.org
>       - General Linux and SUSE security discussion.
>         All SUSE security announcements are sent to this list.
>         To subscribe, send an e-mail to
>         .
>
>     suse-security-announce-at-suse.com
>       - SUSE's announce-only mailing list.
>         Only SUSE's security announcements are sent to this list.
>         To subscribe, send an e-mail to
>         .
>
>     =====================================================================
>     SUSE's security contact is or .
>     The public key is listed below.
>     =====================================================================
> ______________________________________________________________________________
>
>   The information in this advisory may be distributed or reproduced,
>   provided that the advisory is not modified in any way. In particular, the
>   clear text signature should show proof of the authenticity of the text.
>
>   SUSE Linux Products GmbH provides no warranties of any kind whatsoever
>   with respect to the information contained in this security advisory.
>
>
> Type Bits/KeyID    Date       User ID
> pub  2048R/3D25D3D9 1999-03-06 SuSE Security Team
> pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key
>
> - -----BEGIN PGP PUBLIC KEY BLOCK-----
> Version: GnuPG v1.4.2 (GNU/Linux)
>
> mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
> BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
> JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
> 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
> P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
> cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
> VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
> yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
> tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
> xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
> Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
> choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
> BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
> v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
> x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
> Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
> MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
> saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
> L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
> F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
> FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
> tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
> Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
> AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
> 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
> YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
> +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
> 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
> 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
> cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
> ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
> UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
> AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
> KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
> BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
> nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
> KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
> yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
> B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
> wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
> UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
> 5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
> D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
> zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
> 9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
> a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
> CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
> 271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
> t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
> B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
> rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
> IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
> rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
> RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
> g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
> CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
> =ypVs
> - -----END PGP PUBLIC KEY BLOCK-----
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
>
> iQEVAwUBRdR2Fney5gA9JdPZAQLeawf/Uo/2+4TN671UTrhta64JVfjQBnVVJHiN
> ENzfVaWsXa/bz5ap6gTBgBq5JXXnP1iWa45X9ExDAENa6f6X3Q5FYk8OCXELoA8p
> Gfxply/IhHNEDpeBtyaGD5spElVf6rPrqemxfmd8CZYS3pAlrVdItWuTI3c0JaNX
> n1o3JwEBg+sit43moI55kkShvUgkpg4ZYPXtBV+sENSS5bzB8i6ZHgSpI3Xn++Gx
> lH01aDeei31TBEgb8PQ6dAWLdXmxlqVS7a3MQqWBlbog/Kthi7/dNqbypPHY1UxV
> 2FXBpFigSkRIYXHty5kCEhSyVTL8YKiFwTrgtavS9fJxp/2iuTAdzg==
> =MPha
> -----END PGP SIGNATURE-----
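The checksum method described in section 6 of the quoted advisory (run md5sum on the download and compare the result with the value in the signed announcement), as an added shell example that is not part of the original post or of the SUSE advisory. The first URL/checksum pair in the embedded excerpt is quoted from the advisory; the second package name, its checksum (that of the text "hello" followed by a newline) and the local files are constructed for the demonstration. The script assumes a POSIX shell with awk and either md5sum or md5 on the PATH, downloads nothing, and does not replace the gpg --verify step, which has to come first: the checksums only prove anything if the announcement's own signature is valid.

```shell
#!/bin/sh
# Added example (not from the original post or the SUSE advisory):
# compare downloaded packages with the MD5 checksums that a signed
# announcement lists (method 2 in section 6 of the advisory).

# Constructed excerpt in the advisory's own layout: a URL line followed by
# its MD5 line. The first pair is quoted from the advisory; the second is a
# made-up placeholder package whose checksum is that of "hello\n".
ADVISORY_EXCERPT='
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/samba-3.0.23d-19.2.i586.rpm
6b4cb2859d1321648fd46c30a6cfd343
ftp://example.invalid/update/rpm/i586/demo-placeholder-1.0-1.i586.rpm
b1946ac92492d2347c6235b4d2611184
'

# MD5 of a file, working with both GNU coreutils (md5sum) and BSD/macOS (md5).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# Look up the advisory's checksum for a package basename. Each URL line is
# followed by its checksum line, so print the line after the matching URL.
# The name is matched literally (not as a regex) at the end of the URL.
advisory_md5_for() {
    printf '%s\n' "$ADVISORY_EXCERPT" | awk -v name="$1" '
        found { print; exit }
        substr($0, length($0) - length(name)) == ("/" name) { found = 1 }
    '
}

# Compare one local file with the advisory. Exit status: 0 on match,
# 1 on mismatch, 2 when the advisory does not list that exact file name
# (the advisory's checksums cover the listed package versions only, so an
# unlisted or newer package is reported as unverifiable rather than as OK).
verify_package() {
    f="$1"
    name=$(basename "$f")
    expected=$(advisory_md5_for "$name")
    if [ -z "$expected" ]; then
        echo "UNLISTED  $name (not in this announcement; cannot verify)"
        return 2
    fi
    actual=$(file_md5 "$f")
    if [ "$actual" = "$expected" ]; then
        echo "OK        $name"
        return 0
    fi
    echo "MISMATCH  $name expected=$expected actual=$actual"
    return 1
}

# Constructed "downloads": the placeholder package with matching content, a
# file carrying the real samba package name but bogus content, and a file the
# advisory never mentions.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/demo-placeholder-1.0-1.i586.rpm"
printf 'not the real package\n' > "$demo_dir/samba-3.0.23d-19.2.i586.rpm"
printf 'x' > "$demo_dir/other-1.0-1.i586.rpm"

for f in "$demo_dir"/*.rpm; do
    verify_package "$f" || true
done
rm -rf "$demo_dir"
```

In practice the excerpt would be the whole "Package Location and Checksums" section, pasted only after `gpg --verify` has reported a good signature from the security team's key; the three-way result (OK, MISMATCH, UNLISTED) keeps a stale or renamed package from being silently accepted.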