All articles tagged with SuSE

February 13, 2012 06:38 SuSE: New Apache packages fix security vulnerabilities

This update fixes a regression in parameter passing (in urldecoding of parameters that contain spaces). In addition, the HTTP Digest Access Authentication implementation does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value. The HTTP Digest Access Authentication implementation does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements.

DigestAuthenticator.java in the HTTP Digest Access Authentication implementation uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string.

Updated packages are available from download.opensuse.org.

February 13, 2012 06:34 SuSE: New Linux kernel packages fix security vulnerabilities

The SUSE Linux Enterprise 11 SP1 kernel was updated to 2.6.32.54, fixing lots of bugs and security issues. A potential hypervisor escape by issuing SG_IO commands to partition devices was fixed by restricting access to these commands. A NULL pointer dereference in the user-defined key type, which allowed local attackers to Oops the kernel, was fixed. A potential NULL pointer dereference in ghash, which allowed local attackers to Oops the kernel, is now avoided. A memory corruption possibility in xfs readlink was fixed, which could be used by local attackers to crash the system or potentially execute code by mounting a prepared xfs filesystem image.

An overflow in the xfs acl handling was fixed that could be used by local attackers to crash the system or potentially execute code by mounting a prepared xfs filesystem image. A flaw in the ext3/ext4 filesystem allowed a local attacker to crash the kernel by getting a prepared ext3/ext4 filesystem mounted. Access to the taskstats /proc file was restricted to avoid local attackers gaining knowledge of IO of other users (and so effecting side-channel attacks, e.g. guessing passwords by typing speed).

When using X.25 communication a malicious sender could corrupt data structures, causing crashes or potential code execution. When using X.25 communication a malicious sender could make the machine leak memory, causing crashes. A remote denial of service due to a NULL pointer dereference by using IPv6 fragments was fixed.

Updated packages are available from download.opensuse.org.

February 10, 2012 07:04 SuSE: New Linux kernel packages fix security vulnerabilities

The SUSE Linux Enterprise 11 SP1 kernel has been updated to 2.6.32.54, fixing numerous bugs and security issues. A potential hypervisor escape by issuing SG_IO commands to partition devices was fixed by restricting access to these commands. A NULL pointer dereference in the user-defined key type, which allowed local attackers to Oops the kernel, was fixed. A potential NULL pointer dereference in ghash, which allowed local attackers to Oops the kernel, is now avoided.

Fixed a memory corruption possibility in xfs readlink, which could be used by local attackers to crash the system or potentially execute code by mounting a prepared xfs filesystem image. An overflow in the xfs acl handling was fixed that could be used by local attackers to crash the system or potentially execute code by mounting a prepared xfs filesystem image. A flaw in the ext3/ext4 filesystem allowed a local attacker to crash the kernel by getting a prepared ext3/ext4 filesystem mounted.

Access to the taskstats /proc file was restricted to avoid local attackers gaining knowledge of IO of other users (and so effecting side-channel attacks, e.g. guessing passwords by typing speed). When using X.25 communication a malicious sender could corrupt data structures, causing crashes or potential code execution. When using X.25 communication a malicious sender could make the machine leak memory, causing crashes.

A remote denial of service due to a NULL pointer dereference by using IPv6 fragments was fixed.

Updated packages are available from download.opensuse.org.

January 26, 2012 07:11 SuSE: New libxml2 packages fix security vulnerabilities

A heap-based buffer overflow during decoding of entity references with overly long names has been fixed in libxml2. Updated packages are available from download.opensuse.org.

January 19, 2012 20:03 SuSE: New libxml2 packages fix security vulnerability

A heap-based buffer overflow during decoding of entity references with overly long names has been fixed in libxml2. Updated packages are available from download.opensuse.org.

January 19, 2012 20:02 SuSE: New libqt4 packages fix security vulnerability

A stack-based buffer overflow in the glyph handling of libqt4’s harfbuzz has been fixed. Updated packages are available from download.opensuse.org.

January 17, 2012 07:10 SuSE: New OpenSSL packages fix security vulnerabilities

Various security vulnerabilities have been fixed in OpenSSL, including a DTLS plaintext recovery attack, a double-free issue in Policy Checks, an uninitialized SSL 3.0 padding, an assertion failure related to malformed RFC 3779 data, and an SGC restart DoS attack. Updated packages are available from download.opensuse.org.

January 07, 2012 15:56 SuSE: New Kerberos packages fix security vulnerabilities

This update of krb5 fixes two security issues. A remote code execution in the kerberized telnet daemon was fixed. Unauthorized file access problems in the krb5 ftpd were fixed. Updated packages are available from download.opensuse.org.

January 07, 2012 15:54 SuSE: New freetype2 packages fix security vulnerabilities

This update of freetype2 fixes multiple security flaws that could allow attackers to cause a denial of service or to execute arbitrary code via specially crafted fonts. Updated packages are available from download.opensuse.org.

January 07, 2012 15:53 SuSE: New OpenSSL packages fix security vulnerabilities

This update improves the ClientHello handshake message parsing function in OpenSSL. Prior to this update it was possible for this function to read beyond the end of a message, leading to invalid memory access and a crash. Under some circumstances it was possible that information from the OCSP extensions was disclosed. Updated packages are available from download.opensuse.org.

December 21, 2011 06:39 SuSE: New Linux kernel packages fix security vulnerabilities

The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to 2.6.32.49 and fixes various bugs and security issues. The TCP/IP initial sequence number generation effectively only used 24 bits of 32 to generate randomness, making a brute force man-in-the-middle attack on TCP/IP connections feasible. The generator was changed to use full 32-bit randomness. Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service. A NULL pointer dereference on mounting corrupt hfs filesystems was fixed which could be used by local attackers to crash the kernel.

A kernel option was added to ensure ecryptfs mounts only on paths belonging to the current uid; without this check, local attackers could potentially gain privileges via symlink attacks. The Generic Receive Offload (GRO) implementation in the Linux kernel allowed remote attackers to cause a denial of service via crafted VLAN packets that are processed by the napi_reuse_skb function, leading to a memory leak or memory corruption. A name overflow in the hfs filesystem was fixed, where mounting a corrupted hfs filesystem could lead to a stack overflow and code execution in the kernel. This requires a local attacker to be able to mount hfs filesystems.

A bug was found in the way the headroom check was performed in the udp6_ufo_fragment() function. A remote attacker could use this flaw to crash the system. Updated packages are available from download.opensuse.org.

December 17, 2011 15:30 SuSE: Security update for freetype2

This update of freetype2 fixes multiple security flaws that could allow attackers to cause a denial of service or to execute arbitrary code via specially crafted fonts. Updated packages are available from download.opensuse.org.

December 07, 2011 07:41 SuSE: New nginx packages fix security issue

A flaw in the custom DNS resolver of nginx could lead to a heap based buffer overflow which could potentially allow attackers to execute arbitrary code or to cause a Denial of Service. Updated packages are available from download.opensuse.org.

December 07, 2011 07:39 SuSE: New xorg-x11-libs packages fix security issue

Specially crafted font files could cause a buffer overflow in applications that use libXfont to load such files. Updated packages are available from download.opensuse.org.

November 27, 2011 13:10 SuSE: New bind packages fix remote denial of service

This update for bind fixes the issue that specially crafted DNS queries could crash the bind name server. Updated packages are available from download.opensuse.org.

November 25, 2011 10:41 SuSE: New acroread packages fix security vulnerabilities

Acrobat Reader was updated to version 9.4.6 to fix several security issues that could allow attackers to execute arbitrary code or to cause a denial of service via specially crafted PDF documents. Updated packages are available from download.opensuse.org.

November 21, 2011 10:10 SuSE: New flash-player packages fix remote code execution

flash-player was updated to version 11.1.102.55 to fix multiple security vulnerabilities that could be exploited by attackers to execute arbitrary code or to cause a denial of service via specially crafted flash content. Updated packages are available from download.opensuse.org.

November 15, 2011 07:24 SuSE: New apache2 packages fix security issues

This update fixes several security issues in the Apache2 webserver. The severe ByteRange remote denial of service attack was fixed, and the configuration options used by upstream were added: MaxRanges sets the number of ranges allowed in a request; if it is exceeded, the complete content is served. Two fnmatch denial of service attacks were fixed that could exhaust the server's memory. Another memory leak was fixed that could exhaust httpd server memory via unspecified methods. This update also includes a fix for a mod_proxy reverse exposure via RewriteRule or ProxyPassMatch directives. Updated packages are available from download.opensuse.org.

November 07, 2011 15:09 SuSE: New Apache 2 packages fix security vulnerabilities

This update fixes a remote denial of service bug (memory exhaustion) in the Apache 2 HTTP server that could be triggered by remote attackers using multiple overlapping Request Ranges. It also fixes the minor security issue in the mod_cache modules in the Apache HTTP Server that allowed remote attackers to cause a denial of service (process crash) via a request that lacks a path. Updated packages are available from download.opensuse.org.

November 07, 2011 15:07 SuSE: New Apache packages fix security vulnerabilities

This update brings Apache to version 2.2.12. The main reason is the enablement of the Server Name Indication (SNI) that allows several SSL-enabled domains on one IP address. Updated packages are available from download.opensuse.org.

November 07, 2011 14:57 SuSE: New pam packages fix security vulnerabilities

The pam_env module is vulnerable to a stack overflow and a DoS condition when parsing users' .pam_environment files. Additionally, a missing return value check inside pam_xauth has been fixed. Updated packages are available from download.opensuse.org.

November 05, 2011 20:21 SuSE: New rpm packages fix security vulnerabilities

Specially crafted RPM packages could have caused memory corruption in rpm when verifying signatures. Updated packages are available from download.opensuse.org.

November 05, 2011 20:20 SuSE: New pam packages fix security vulnerabilities

The pam_env module is vulnerable to a stack overflow and a DoS condition when parsing users' .pam_environment files. Updated packages are available from download.opensuse.org.

November 01, 2011 06:15 SuSE: New Linux kernel packages fix security vulnerabilities

This Linux kernel update fixes various security issues and bugs in the SUSE Linux Enterprise 10 SP4 kernel. A USB string descriptor overflow in the auerwald USB driver was fixed, which could be used by physically proximate attackers to cause a kernel crash. Always check the path in CIFS mounts to avoid interesting filesystem path interaction issues and potential crashes. A malicious CIFS server could cause an integer overflow on the local machine on directory index operations, in turn causing memory corruption. The is_gpt_valid function did not check the size of an Extensible Firmware Interface (EFI) GUID Partition Table (GPT) entry, which allowed physically proximate attackers to cause a denial of service (heap-based buffer overflow and OOPS) or obtain sensitive information from kernel heap memory by connecting a crafted GPT storage device. Updated packages are available from download.opensuse.org.

October 26, 2011 09:23 SuSE: New Opera packages fix security vulnerability

This update of Opera fixes a memory flaw in the code that processes SVG content which could be exploited by attackers to execute arbitrary code through specially crafted websites. Updated packages are available from download.opensuse.org.

October 24, 2011 06:44 SuSE: New ldns packages fix security vulnerabilities

A boundary error in ldns_rr_new_frm_str_internal() could lead to a heap-based buffer overflow when processing RR records. Updated packages are available from download.opensuse.org.

October 20, 2011 14:42 SuSE: New Linux kernel packages fix security vulnerabilities

The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to 2.6.32.46 and fixes various bugs and security issues. A signedness issue in CIFS could possibly have led to memory corruption, if a malicious server could send crafted replies to the host. In the fuse filesystem, FUSE_NOTIFY_INVAL_ENTRY did not check the length of the write so the message processing could overrun and result in a BUG_ON() in fuse_copy_fill(). This flaw could be used by local users able to mount FUSE filesystems to crash the system. The befs_follow_link function did not validate the length attribute of long symlinks, which allowed local users to cause a denial of service (incorrect pointer dereference and OOPS) by accessing a long symlink on a malformed Be filesystem. Updated packages are available from download.opensuse.org.

October 14, 2011 06:42 SuSE: New Linux kernel packages fix remote denial of service

The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to 2.6.32.46 and fixes various bugs and security issues. A signedness issue in CIFS could possibly have led to memory corruption, if a malicious server could send crafted replies to the host. In the fuse filesystem, FUSE_NOTIFY_INVAL_ENTRY did not check the length of the write so the message processing could overrun and result in a BUG_ON() in fuse_copy_fill(). This flaw could be used by local users able to mount FUSE filesystems to crash the system. The befs_follow_link function did not validate the length attribute of long symlinks, which allowed local users to cause a denial of service (incorrect pointer dereference and OOPS) by accessing a long symlink on a malformed Be filesystem. Updated packages are available from download.opensuse.org.

October 12, 2011 05:57 SuSE: New Firefox packages fix remote code execution

Mozilla Firefox was updated to version 3.6.23, fixing various bugs and security issues. Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Benjamin Smedberg, Bob Clary, and Jesse Ruderman reported memory safety problems that affected Firefox 3.6 and Firefox 6. Josh Aas reported a potential crash in the plugin API that affected Firefox 3.6 only.

Mark Kaplan reported a potentially exploitable crash due to integer underflow when using a large JavaScript RegExp expression. Mozilla developer Boris Zbarsky reported that a frame named “location” could shadow the window.location object unless a script in a page grabbed a reference to the true object before the frame was created. Because some plugins use the value of window.location to determine the page origin this could fool the plugin into granting the plugin content access to another site or the local file system in violation of the Same Origin Policy. Ian Graham of Citrix Online reported that when multiple Location headers were present in a redirect response Mozilla behavior differed from other browsers: Mozilla would use the second Location header while Chrome and Internet Explorer would use the first. Two copies of this header with different values could be a symptom of a CRLF injection attack against a vulnerable server.

Mariusz Mlynski reported that if you could convince a user to hold down the Enter key–as part of a game or test, perhaps–a malicious page could pop up a download dialog where the held key would then activate the default Open action. For some file types this would be merely annoying (the equivalent of a pop-up) but other file types have powerful scripting capabilities. And this would provide an avenue for an attacker to exploit a vulnerability in applications not normally exposed to potentially hostile internet content.

Updated packages are available from download.opensuse.org.

October 10, 2011 09:40 SuSE: New Firefox packages fix remote denial of service

Mozilla Thunderbird was updated to version 3.1.14, fixing various bugs and security issues. Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Benjamin Smedberg, Bob Clary, and Jesse Ruderman reported memory safety problems that affected Firefox 3.6 and Firefox 6. Security researchers reported memory safety problems that affected Firefox 6, fixed in Firefox 7.

Mozilla developer Boris Zbarsky reported that a frame named “location” could shadow the window.location object unless a script in a page grabbed a reference to the true object before the frame was created. Because some plugins use the value of window.location to determine the page origin this could fool the plugin into granting the plugin content access to another site or the local file system in violation of the Same Origin Policy. Ian Graham of Citrix Online reported that when multiple Location headers were present in a redirect response Mozilla behavior differed from other browsers: Mozilla would use the second Location header while Chrome and Internet Explorer would use the first. Two copies of this header with different values could be a symptom of a CRLF injection attack against a vulnerable server. Most commonly it is the Location header itself that is vulnerable to the response splitting and therefore the copy preferred by Mozilla is more likely to be the malicious one. The Mozilla browser engine has been changed to treat two copies of this header with different values as an error condition. The same has been done with the headers Content-Length and Content-Disposition.

Mariusz Mlynski reported that if you could convince a user to hold down the Enter key–as part of a game or test, perhaps–a malicious page could pop up a download dialog where the held key would then activate the default Open action. For some file types this would be merely annoying (the equivalent of a pop-up) but other file types have powerful scripting capabilities. And this would provide an avenue for an attacker to exploit a vulnerability in applications not normally exposed to potentially hostile internet content. Security researcher Aki Helin reported a potentially exploitable crash in the YARR regular expression library used by JavaScript.

sczimmer reported that Firefox crashed when loading a particular .ogg file. This was due to a use-after-free condition and could potentially be exploited to install malware. Updated packages are available from download.opensuse.org.
