Articles / SuSE

All articles tagged with SuSE

March 15, 2010 10:01 SuSE: New kernel packages fix local privilege escalation

0

The openSUSE 11.0 kernel was updated to fix various security issues. A stack-based buffer overflow in the hfs subsystem allows remote attackers to have an unspecified impact via a crafted Hierarchical File System (HFS) filesystem. The load_elf_binary function does not ensure that the ELF interpreter is available before a call to the SET_PERSONALITY macro, which allows local users to cause a denial of service. The wake_futex_pi function does not properly handle certain unlock operations for a Priority Inheritance (PI) futex, which allows local users to cause a denial of service. The do_pages_move function does not validate node values, which allows local users to read arbitrary kernel memory locations, cause a denial of service. Updated packages are available from download.opensuse.org.

March 15, 2010 09:59 SuSE: New Mozilla Firefox packages fix remote code execution

0

Mozilla Firefox was upgraded to version 3.5.8, fixing various bugs and security issues. Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Orlando Barrera II reported that Mozilla’s implementation of Web Workers contained an error in its handling of array data types when processing posted messages. Secunia Research reported that the HTML parser incorrectly freed used memory when insufficient space was available to process remaining input. Under such circumstances, memory occupied by in-use objects was freed and could later be filled with attacker-controlled text. Microsoft Vulnerability Research reported that the properties set on an object passed to showModalDialog were readable by the document contained in the dialog, even when the document was from a different domain. Georgi Guninski reported that when a SVG document which is served with Content-Type: application/octet-stream is embedded into another document via an <embed> tag with type="image/svg+xml", the Content-Type is ignored and the SVG document is processed normally. Updated packages are available from download.opensuse.org.

March 15, 2010 09:49 SuSE: New kernel packages fix remote privilege escalation

0

The SUSE Linux Enterprise 11 and openSUSE 11.1 Kernel were updated to 2.6.27.45 fixing various bugs and security issues. Among other problems, the wake_futex_pi function does not properly handle certain unlock operations for a Priority Inheritance (PI) futex, which allows local users to cause a denial of service and possibly have unspecified other impact via vectors. The load_elf_binary function does not ensure that the ELF interpreter is available before a call to the SET_PERSONALITY macro, which allows local users to cause a denial of service. Users could send/allocate arbitrary amounts of NETLINK_CONNECTOR messages to the kernel, causing OOM condition, killing selected processes or halting the system. The do_pages_move function does not validate node values, which allows local users to read arbitrary kernel memory locations, cause a denial of service. The netfilter framework does not require the CAP_NET_ADMIN capability for setting or modifying rules, which allows local users to bypass intended access restrictions and configure arbitrary network-traffic filtering. The e1000 driver handles Ethernet frames that exceed the MTU by processing certain trailing payload data as if it were a complete frame, which allows remote attackers to bypass packet filters via a large packet with a crafted payload. Updated packages are available from download.opensuse.org.

February 20, 2010 18:33 SuSE: New kernel packages fix remote denial of service

0

This update fixes various security issues and some bugs in the SUSE Linux Enterprise 9 kernel. The HiSax subsystem allows attackers to have an unspecified impact via a crafted HDLC packet that arrives over ISDN and triggers a buffer under-read. An array index error in the GDTH subsystem allows local users to cause a denial of service or possibly gain privileges via a negative event index in an IOCTL request. Missing CAP_NET_ADMIN checks in the ebtables netfilter code might have allowed local attackers to modify bridge firewall settings. The e1000 driver handles Ethernet frames that exceed the MTU by processing certain trailing payload data as if it were a complete frame, which allows remote attackers to bypass packet filters via a large packet with a crafted payload. The megaraid_sas driver has world-writable permissions, which allows local users to change the behavior and logging level of the driver by modifying this file. The z90crypt driver does not perform a capability check for the Z90QUIESCE operation, which allows local users to leverage euid 0 privileges to force a driver outage. A memory leak in the appletalk subsystem allows remote attackers to cause a denial of service via IP-DDP datagrams. The Linux kernel allows local users to cause a denial of service by creating an abstract-namespace AF_UNIX listening socket, performing a shutdown operation on this socket, and then performing a series of connect operations to this socket. The ATI Rage 128 driver does not properly verify Concurrent Command Engine state initialization, which allows local users to cause a denial of service or possibly gain privileges via unspecified ioctl calls. Updated packages are available from download.opensuse.org.

February 20, 2010 18:10 SuSE: New kernel packages fix remote denial of service

0

This kernel update for openSUSE 11.0 fixes some bugs and several security problems. Among other fixes, the e1000 driver handles Ethernet frames that exceed the MTU by processing certain trailing payload data as if it were a complete frame, which allows remote attackers to bypass packet filters via a large packet with a crafted payload. Missing CAP_NET_ADMIN checks in the ebtables netfilter code might have allowed local attackers to modify bridge firewall settings. The ext4 filesystem allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference), and possibly have unspecified other impact, via a crafted read-only filesystem that lacks a journal. The megaraid_sas driver has world-writable permissions, which allows local users to change the I/O mode of the driver by modifying this file. The fuse subsystem might allow attackers to cause a denial of service (invalid pointer dereference and OOPS) via vectors possibly related to a memory-consumption attack. A race condition in the pipe(2) system call could be used by local attackers to hang the machine. A memory leak in the AppleTalk subsystem allows remote attackers to cause a denial of service (memory consumption) via IP-DDP datagrams. Updated packages are available from download.opensuse.org.

February 20, 2010 18:08 SuSE: New postfix packages fix remote denial of service

0

The value of SMTPD_LISTEN_REMOTE accidentally defaulted to ‘yes’. The postfix smtp daemon therefore was reachable over the network by default. This update resets the value to ‘no’ in /etc/sysconfig/mail. This update also fixes a problem where the relay database was not created and postfix refused to start. Updated packages are available from download.opensuse.org.

February 12, 2010 10:14 SuSE: New kernel packages fix remote denial of service

0

This update of the openSUSE 11.2 kernel brings the kernel to version 2.6.31.12 and contains a lot of bug and security fixes. The permission of the devtmpfs root directory was incorrectly 1777 (instead of 755). If it was used, local attackers could escalate privileges. A file for the megaraid_sas driver has world-writable permissions, which allows local users to change the I/O mode of the driver by modifying this file. ebtables was lacking a CAP_NET_ADMIN check, making it possible for local unprivileged attackers to modify the network bridge management. An information leakage on fatal signals on x86_64 machines was fixed. A race condition in fasync handling could be used by local attackers to crash the machine or potentially execute code. The ipv6_hop_jumbo function allows remote attackers to cause a denial of service (NULL pointer dereference) via an invalid IPv6 jumbogram. The e1000 driver handles Ethernet frames that exceed the MTU by processing certain trailing payload data as if it were a complete frame, which allows remote attackers to bypass packet filters via a large packet with a crafted payload. The e1000e driver in does not properly check the size of an Ethernet frame that exceeds the MTU, which allows remote attackers to have an unspecified impact via crafted packets. Updated packages are available from download.opensuse.org.

February 05, 2010 15:16 SuSE: New kernel packages fix remote denial of service

0

The SUSE Linux Enterprise 10 SP 2 kernel was updated to fix various bugs and some security issues. Two sysfs files in the qla2xxx driver were world writable, so users could change SCSI attributes of the qla2xxx driver. The e1000 driver kernel handles Ethernet frames that exceed the MTU by processing certain trailing payload data as if it were a complete frame, which allows remote attackers to bypass packet filters via a large packet with a crafted payload. Updated packages are available from download.opensuse.org.

January 26, 2010 22:07 SuSE: New acroread packages fix remote code execution

0

Specially crafted PDF files could crash acroread. Attackers could potentially exploit that to execute arbitrary code. Acrobat reader was updated to version 9.3 to fix the security issues. Updated packages are available from download.opensuse.org.

January 26, 2010 21:39 SuSE: New krb5 packages fix remote code execution

0

Specially crafted AES and RC4 packets could allow unauthenticated remote attackers to trigger an integer underflow that leads to heap memory corruption. Remote attackers could potentially exploit that to execute arbitrary code. Specially crafted ticket requests could crash the kerberos server. Updated packages are available from download.opensuse.org.

January 26, 2010 21:30 SuSE: New kernel packages fix remote code execution

0

The SUSE Linux Enterprise 11 and openSUSE 11.1 Kernel was updated to 2.6.27.42 fixing various bugs and security issues. An underflow in the e1000/e1000e jumbo Ethernet frame handling could be use by link-local remote attackers to crash the machine, bypass firewalls or potentially execute code in kernel context. A vulnerability in the OHCI subsystem allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unknown other impact via an unspecified ioctl associated with receiving an ISO packet that contains zero in the payload-length field. A vulnerability in the ext4 filesystem allows user-assisted remote attackers to cause a denial of service (divide-by-zero error and panic) via a malformed ext4 filesystem containing a super block with a large FLEX_BG group size. The hisax subsystem allows attackers to have an unspecified impact via a crafted HDLC packet that arrives over ISDN and triggers a buffer under-read. A negative offset in a ioctl in the GDTH RAID driver was fixed. A stack-based buffer overflow in the hfs subsystem allows remote attackers to have an unspecified impact via a crafted Hierarchical File System (HFS) filesystem. Updated packages are available from download.opensuse.org.

January 26, 2010 16:50 SuSE: New IBM Java 6 packages fix remote code execution

0

IBM Java 6 was updated to Service Refresh 7. A vulnerability in the Java Runtime Environment with decoding DER encoded data might allow a remote client to cause the JRE to crash, resulting in a denial of service condition. A buffer overflow vulnerability in the Java Runtime Environment audio system might allow an untrusted applet or Java Web Start application to escalate privileges. A buffer overflow vulnerability in the Java Runtime Environment with parsing image files might allow an untrusted applet or Java Web Start application to escalate privileges. A security vulnerability in the Java Runtime Environment with verifying HMAC digests might allow authentication to be bypassed. This action can allow a user to forge a digital signature that would be accepted as valid. A command execution vulnerability in the Java Runtime Environment Deployment Toolkit might be used to run arbitrary code. A security vulnerability in the Java Web Start Installer might be used to allow an untrusted Java Web Start application to run as a trusted application and run arbitrary code. A vulnerability with verifying HMAC-based XML digital signatures in the XML Digital Signature implementation included with the Java Runtime Environment (JRE) might allow authentication to be bypassed. Updated packages are available from download.opensuse.org.

January 26, 2010 16:48 SuSE: New IBM Java 1.4.2 packages fix remote code execution

0

IBM Java 1.4.2 was updated to 13 FP3. A buffer overflow vulnerability in the Java Runtime Environment audio system might allow an untrusted applet or Java Web Start application to escalate privileges. A security vulnerability in the Java Runtime Environment with verifying HMAC digests might allow authentication to be bypassed. This action can allow a user to forge a digital signature that would be accepted as valid. A buffer overflow vulnerability in the Java Runtime Environment with processing image files might allow an untrusted applet or Java Web Start application to escalate privileges. Updated packages are available from download.opensuse.org.

January 26, 2010 16:45 SuSE: New IBM Java 5 packages fix remote code execution

0

IBM Java 5 was updated to Service Refresh 11. A vulnerability in the Java Runtime Environment with decoding DER encoded data might allow a remote client to cause the JRE to crash, resulting in a denial of service condition. A buffer overflow vulnerability in the Java Runtime Environment audio system might allow an untrusted applet or Java Web Start application to escalate privileges. A security vulnerability in the Java Runtime Environment with verifying HMAC digests might allow authentication to be bypassed. This action can allow a user to forge a digital signature that would be accepted as valid. A buffer overflow vulnerability in the Java Runtime Environment with processing image files might allow an untrusted applet or Java Web Start application to escalate privileges. A buffer overflow vulnerability in the Java Runtime Environment with processing image files might allow an untrusted applet or Java Web Start application to escalate privileges. The Java Runtime Environment includes the Java Web Start technology that uses the Java Web Start ActiveX control to launch Java Web Start in Internet Explorer. A security vulnerability in the Active Template Library (ATL) in various releases of Microsoft Visual Studio might allow the Java Web Start ActiveX control to be leveraged to run arbitrary code. Updated packages are available from download.opensuse.org.

January 26, 2010 13:32 SuSE: New kernel packages fix remote denial of service

0

The Linux kernel for openSUSE 11.2 was updated to 2.6.31.8 fixing lots of bugs and several security issues. Among other vulnerabilities, a file overwrite issue on the ext4 filesystem could be used by local attackers that have write access to a filesystem to change/overwrite files of other users, including root. A remote denial of service by sending overly long packets could be used by remote attackers to crash a machine. The mac80211 subsystem allows remote attackers to cause a denial of service (panic) via a crafted Delete Block ACK (aka DELBA) packet, related to an erroneous “code shuffling patch.” The get_instantiation_keyring function in the KEYS subsystem does not properly maintain the reference count of a keyring, which allows local users to gain privileges or cause a denial of service (OOPS) via vectors involving calls to this function without specifying a keyring by ID. The fuse subsystem in the Linux kernel might allow attackers to cause a denial of service (invalid pointer dereference and OOPS) via vectors possibly related to a memory-consumption attack. Updated packages are available from download.opensuse.org.

December 28, 2009 14:19 SuSE: New kernel packages fix remote denial of service

0

This update fixes a several security issues and various bugs in the SUSE Linux Enterprise 10 SP 2 kernel. A sysctl variable of the megaraid_sas driver was world writable, allowing local users to cause a denial of service or potential code execution. The Hisax subsystem allows attackers to have an unspecified impact via a crafted HDLC packet that arrives over ISDN and triggers a buffer under-read. A negative offset in a ioctl in the GDTH RAID driver was fixed. The fuse subsystem might allow attackers to cause a denial of service (invalid pointer dereference and OOPS) via vectors possibly related to a memory-consumption attack. The megaraid_sas driver has world-writable permissions, which allows local users to change the (1) behavior and (2) logging level of the driver by modifying this file. A memory leak in the AppleTalk subsystem allows remote attackers to cause a denial of service (memory consumption) via IP-DDP datagrams. AF_UNIX allows local users to cause a denial of service (system hang) by creating an abstract-namespace AF_UNIX listening socket, performing a shutdown operation on this socket, and then performing a series of connect operations to this socket. The netlink subsystem does not initialize a certain tcm__pad2 structure member, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors. The ATI Rage 128 (aka r128) driver in the Linux kernel does not properly verify Concurrent Command Engine (CCE) state initialization, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly gain privileges via unspecified ioctl calls. The NFSv4 client allows remote NFS servers to cause a denial of service (NULL pointer dereference and panic) by sending a certain response containing incorrect file attributes, which trigger attempted use of an open file that lacks NFSv4 state. The swiotlb functionality in the r8169 driver in allows remote attackers to cause a denial of service (IOMMU space exhaustion and system crash) by using jumbo frames for a large amount of network traffic, as demonstrated by a flood ping. Updated packages are available from download.opensuse.org.

December 28, 2009 14:17 SuSE: New Mozilla Firefox packages fix remote code execution

0

The Mozilla Firefox browsers and XUL engines were updated to the current stable releases fixing lots of bugs and various security issues, including crashes with evidence of memory corruption, memory safety issues in the liboggplay media library, integer overflow, crash in libtheora video library, an NTLM reflection vulnerability, location bar spoofing vulnerabilities, and a privilege escalation via chrome window.opener. Updated packages are available from download.opensuse.org.

December 28, 2009 14:15 SuSE: New Flash Player packages fix remote code execution

0

A security update was released for the Adobe Flash Player 10. Specially crafted Flash (SWF) files can cause overflows in flash-player. Attackers could potentially exploit that to execute arbitrary code. Updated packages are available from download.opensuse.org.

December 21, 2009 08:39 SuSE: New kernel packages fix remote denial of service

0

This update fixes various security issues in the SUSE Linux Enterprise 10 SP 3 kernel. A sysctl variable of the megaraid_sas driver was world writable, allowing local users to cause a denial of service or potential code execution. The dbg_lvl file for the megaraid_sas driver has world-writable permissions, which allows local users to change the behavior and logging level of the driver by modifying this file. The ISDN subsystem allows attackers to have an unspecified impact via a crafted HDLC packet that arrives over ISDN and triggers a buffer under-read. A negative offset in a ioctl in the GDTH RAID driver was fixed. The fuse subsystem might allow attackers to cause a denial of service (invalid pointer dereference and OOPS) via vectors possibly related to a memory-consumption attack. A memory leak in the AppleTalk subsystem allows remote attackers to cause a denial of service (memory consumption) via IP-DDP datagrams. A vulnerability in AF_UNIX allows local users to cause a denial of service (system hang) by creating an abstract-namespace AF_UNIX listening socket, performing a shutdown operation on this socket, and then performing a series of connect operations to this socket. The netlink subsystem does not initialize a certain tcm__pad2 structure member, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors. The ATI Rage 128 (aka r128) driver does not properly verify Concurrent Command Engine (CCE) state initialization, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly gain privileges via unspecified ioctl calls. The NFSv4 client allows remote NFS servers to cause a denial of service (NULL pointer dereference and panic) by sending a certain response containing incorrect file attributes, which trigger attempted use of an open file that lacks NFSv4 state. Updated packages are available from download.opensuse.org.

December 06, 2009 14:10 SuSE: New kernel packages fix remote denial of service

0

The SUSE Linux Enterprise 11 and openSUSE 11.1 Kernel was updated to 2.6.27.39 fixing various bugs and security issues. A race condition during pipe open could be used by local attackers to cause a denial of service. On x86_64 systems a information leak of high register contents (upper 32bit) was fixed. A memory leak in the AppleTalk subsystem in the Linux kernel when the AppleTalk and ipddp modules are loaded but the ipddp”N” device is not found, allows remote attackers to cause a denial of service. The netlink subsystem does not initialize a certain tcm__pad2 structure member, which might allow local users to obtain sensitive information from kernel memory. The ATI Rage 128 (aka r128) driver does not properly verify Concurrent Command Engine (CCE) state initialization, which allows local users to cause a denial of service. The NFSv4 client allows remote NFS servers to cause a denial of service by sending a certain response containing incorrect file attributes. NFSv4 does not properly clean up an inode when an O_EXCL create fails, which causes files to be created with insecure settings. Updated packages are available from download.opensuse.org.

December 06, 2009 14:09 SuSE: New bind packages fix DNSSEC cache poisoning

0

The bind DNS server was updated to close a possible cache poisoning vulnerability which allowed to bypass DNSSEC. This problem can only happen after the other spoofing/poisoning mechanisms have been bypassed already (the port and transaction id randomization). Also this can only happen if the server is setup for DNSSEC. Due to this limitation we consider this a minor issue. Updated packages are available from download.opensuse.org.

November 22, 2009 21:20 SuSE: New Sun Java 6 packages fix remote code execution

0

The Sun Java 6 SDK/JRE was updated to u17 update fixing bugs and various security issues. Updated packages are available from download.opensuse.org.

November 22, 2009 21:17 SuSE: New openssl packages fix man-in-the-middle attack

0

The TLS/SSLv3 protocol as implemented in openssl prior to this update was not able to associate already sent data to a renegotiated connection. This allowed man-in-the-middle attackers to inject HTTP requests in a HTTPS session without being noticed. For example Apache’s mod_ssl was vulnerable to this kind of attack because it uses openssl. Updated packages are available from download.opensuse.org.

November 22, 2009 21:08 SuSE: New kernel packages fix local privilege escalation

0

This update fixes various bugs and some security issues in the SUSE Linux Enterprise 10 SP 3 kernel. A race condition during pipe open could be used by local attackers to elevate privileges. The get_random_int function produces insufficiently random numbers, which allows attackers to predict the return value, and possibly defeat protection mechanisms based on randomization. The agp subsystem does not zero out pages that may later be available to a user-space process, which allows local users to obtain sensitive information by reading these pages. An unsigned check in the ax25 socket handler could allow local attackers to potentially crash the kernel or even execute code. On x86_64 systems a information leak of high register contents (upper 32bit) was fixed. Updated packages are available from updates.redhat.com.

November 22, 2009 21:00 SuSE: New kernel packages fix local privilege escalation

0

This update fixes a several security issues and various bugs in the SUSE Linux Enterprise 10 SP 2 kernel. A race condition during pipe open could be used by local attackers to elevate privileges. On x86_64 systems an information leak of high register contents (upper 32bit) was fixed. The randomness of the ASLR methods used in the kernel was increased. An information leak from the kernel due to uninitialized memory in AGP handling was fixed. A signed comparison in the ax25 sockopt handler was fixed which could be used to crash the kernel or potentially execute code. A vulnerability in the execve function allows local users to cause a denial of service (memory corruption) or possibly gain privileges. Various socket handler getname leaks have been fixed, which could disclose memory previously used by the kernel or other userland processes to the local attacker. Multiple buffer overflows in the cifs subsystem allow remote CIFS servers to cause a denial of service (memory corruption). Updated packages are available from download.opensuse.org.

November 22, 2009 20:17 SuSE: New IBM Java 6 packages fix remote code execution

0

The IBM Java 6 JRE/SDK was updated to Service Release 6, fixing various bugs and security issues. A security vulnerability in the JNLPAppletLauncher might write arbitrary files on the system of the user downloading and running the untrusted applet. A vulnerability in the Java Runtime Environment audio system might allow an untrusted applet or Java Web Start application to access system properties. A vulnerability with verifying HMAC-based XML digital signatures in the XML Digital Signature implementation might allow authentication to be bypassed. A vulnerability in the Java Runtime Environment with the SOCKS proxy implementation might allow an untrusted applet or Java Web Start application to determine the user name of the user running the applet or application. A vulnerability in the Java Runtime Environment with the proxy mechanism implementation might allow an untrusted applet or Java Web Start application to make non-authorized socket or URL connections to hosts other than the origin host. An integer overflow vulnerability in the Java Runtime Environment with processing JPEG images might allow an untrusted Java Web Start application to escalate privileges. An integer overflow vulnerability with unpacking applets and Java Web Start applications using the unpack200 JAR unpacking utility might allow an untrusted applet or application to escalate privileges. A vulnerability in the Java Runtime Environment (JRE) with parsing XML data might allow a remote client to create a denial-of-service condition on the system that the JRE runs on. Updated packages are available from download.opensuse.org.

November 22, 2009 20:12 SuSE: New Mozilla Firefox packages fix remote code execution

0

The Mozilla Firefox browser was updated to fix various bugs and security issues. A user’s form history, was vulnerable to theft. The file naming scheme used for downloading a file which already exists in the downloads folder is predictable. Recursive creation of JavaScript web-workers can be used to create a set of objects whose memory could be freed prior to their use, leading to a crash or arbitrary code execution. A flaw in the parsing of regular expressions used in Proxy Auto-configuration (PAC) files could be used by an attacker to crash a victim’s browser and run arbitrary code on their computer. A heap-based buffer overflow in Mozilla’s GIF image parser could potentially be used by an attacker to crash a victim’s browser and run arbitrary code on their computer. An XPCOM utility unwrapped doubly-wrapped objects before returning them to chrome callers which could potentially be used to execute malicious JavaScript code with chrome privileges. A heap-based buffer overflow in Mozilla’s string to floating point number conversion routines which could be leveraged to run arbitrary code on a victim’s computer. Text within a selection on a web page can be read by JavaScript in a different domain using the document.getSelection function, violating the same-origin policy. When downloading a file containing a right-to-left override character (RTL) in the filename, the name displayed in the dialog title bar conflicts with the name of the file shown in the dialog body potentially causing a user to run an executable file when they expected to open a non-executable file. Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Updated packages are available from download.opensuse.org.

November 22, 2009 20:04 SuSE: New kernel packages fix potential local privilege e...

0

The SUSE Linux Enterprise 11 and openSUSE 11.1 kernel was updated to 2.6.27.37 fixing various bugs and security issues. An unsigned check in the ax25 socket handler could allow local attackers to potentially crash the kernel or even execute code. Various socket handler getname leaks have been fixed, which could disclose memory previously used by the kernel or other userland processes to the local attacker. An information leakage with upper 32bit register values on x86_64 systems was fixed. Updated packages are available from download.opensuse.org.

November 22, 2009 19:18 SuSE: New Apache packages fix various security issues

0

The Apache web server was updated to fix various security issues. The option IncludesNOEXEC could be bypassed via .htaccess. mod_proxy could run into an infinite loop when used as reverse proxy. mod_deflate continued to compress large files even after a network connection was closed, causing mod_deflate to consume large amounts of CPU. The ap_proxy_ftp_handler function allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command. An access restriction bypass in mod_proxy_ftp module was fixed. Updated packages are available from download.opensuse.org.

November 22, 2009 19:16 SuSE: New acroread packages fix remote code execution

0

Adobe Reader has been updated to fix numerous security vulnerabilities. Some of the vulnerabilities allowed attackers to potentially execute arbitrary code on the victim’s system via specially crafted PDF files. Updated packages are available from download.opensuse.org.

Screenshot

Project Spotlight

milter manager

A flexible and low administrative cost anti-spam system.

Screenshot

Project Spotlight

PyQt

Python bindings for the Qt GUI toolkit