[SUSE-Announcements] BES Auto Notification: New Fixlets Published in Fixlet Site: PatchesforSUSELinuxEnterprise

Notification of New SUSE Fixlet Messages suse-announcements at bigmail.bigfix.com
Sat Oct 24 03:10:10 PDT 2009


Fixlet Site - PatchesforSUSELinuxEnterprise
Current Version: 262
Published: Sat, 24 Oct 2009 01:45:41 GMT

New Fixlets:
============

***************************************************************
Title: PATCH-12518 - Security update for Samba - SLES9
Severity: <Unspecified>
Fixlet ID: 1251801
Fixlet Link: http://download.novell.com/Download?buildid=X3D2Bi7749M~

Fixlet Description: Samba's make_connection_snum() handles certain input incorrectly, which may lead to disclosure of the root directory. CVE-2009-2813 has been assigned to this issue. Additionally, an information disclosure vulnerability in mount.cifs has been fixed (CVE-2009-2948), as well as a DoS condition (CVE-2009-2906). Everyone should update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-12518 - Dependencies Needed - SLES9
Severity: <Unspecified>
Fixlet ID: 1251802
Fixlet Link: http://download.novell.com/Download?buildid=X3D2Bi7749M~

Fixlet Description: Updated Linux kernel packages are now available for SuSE Linux Enterprise 9. However, some of these packages have a dependency that must be resolved. The following packages must be installed at the specified version or greater:

file-4.21-47.1.i586.rpm
heimdal-devel-0.6.1rc3-55.3.i586.rpm

***************************************************************
Title: PATCH-B8060103 - Security update for Mozilla Firefox - SLED10 SP2
Severity: <Unspecified>
Fixlet ID: 806010302
Fixlet Link: http://download.novell.com/Download?buildid=dr_iP_mRk3Q~

Fixlet Description: A security update for Mozilla Firefox is now available. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B8060103 - Dependencies Needed - SLED10 SP2
Severity: <Unspecified>
Fixlet ID: 806010306
Fixlet Link: http://download.novell.com/Download?buildid=dr_iP_mRk3Q~

Fixlet Description: Updated Mozilla Firefox packages are now available for SuSE Linux Enterprise 10. However, these packages have dependencies that must be resolved. The following packages must be installed at the specified version or greater:

firefox3-atk-1.12.3-0.4.2.i586.rpm
firefox3-cairo-1.2.4-0.4.2.i586.rpm
firefox3-glib2-2.12.4-0.4.2.i586.rpm
firefox3-gtk2-2.10.6-0.4.2.i586.rpm
firefox3-pango-1.14.5-0.4.2.i586.rpm
mozilla-nspr-4.8-1.4.2.i586.rpm
mozilla-nss-3.12.3.1-1.4.2.i586.rpm

***************************************************************
Title: PATCH-B9101901 - Security update for Mozilla NSS - SLES10 SP2
Severity: <Unspecified>
Fixlet ID: 910190101
Fixlet Link: http://download.novell.com/Download?buildid=r7C2rvJwERE~

Fixlet Description: The Mozilla NSS security framework was updated to version 3.12.3.1.

CVE-2009-2404 / MFSA 2009-43: Heap-based buffer overflow in a regular-expression parser in Mozilla Network Security Services (NSS) before 3.12.3, as used in Firefox, Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger (AIM), allows remote SSL servers to cause a denial of service (application crash) or possibly execute arbitrary code via a long domain name in the subject's Common Name (CN) field of an X.509 certificate, related to the cert_TestHostName function.

MFSA 2009-42 / CVE-2009-2408: IOActive security researcher Dan Kaminsky reported a mismatch in the treatment of domain names in SSL certificates between SSL clients and the Certificate Authorities (CA) which issue server certificates. In particular, if a malicious person requested a certificate for a host name with an invalid null character in it most CAs would issue the certificate if the requester owned the domain specified after the null, while most SSL clients (browsers) ignored that part of the name and used the unvalidated part in front of the null. This made it possible for attackers to obtain certificates that would function for any site they wished to target. These certificates could be used to intercept and potentially alter encrypted communication between the client and a server such as sensitive bank account transactions. This vulnerability was independently reported to us by researcher Moxie Marlinspike who also noted that since Firefox relies on SSL to protect the integrity of security updates this attack could be used to serve malicious updates.

Install this update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B9101901 - Security update for Mozilla NSS - SLED10 SP2
Severity: <Unspecified>
Fixlet ID: 910190103
Fixlet Link: http://download.novell.com/Download?buildid=X0lf_cbEeE0~

Fixlet Description: The Mozilla NSS security framework was updated to version 3.12.3.1.

CVE-2009-2404 / MFSA 2009-43: Heap-based buffer overflow in a regular-expression parser in Mozilla Network Security Services (NSS) before 3.12.3, as used in Firefox, Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger (AIM), allows remote SSL servers to cause a denial of service (application crash) or possibly execute arbitrary code via a long domain name in the subject's Common Name (CN) field of an X.509 certificate, related to the cert_TestHostName function.

MFSA 2009-42 / CVE-2009-2408: IOActive security researcher Dan Kaminsky reported a mismatch in the treatment of domain names in SSL certificates between SSL clients and the Certificate Authorities (CA) which issue server certificates. In particular, if a malicious person requested a certificate for a host name with an invalid null character in it most CAs would issue the certificate if the requester owned the domain specified after the null, while most SSL clients (browsers) ignored that part of the name and used the unvalidated part in front of the null. This made it possible for attackers to obtain certificates that would function for any site they wished to target. These certificates could be used to intercept and potentially alter encrypted communication between the client and a server such as sensitive bank account transactions. This vulnerability was independently reported to us by researcher Moxie Marlinspike who also noted that since Firefox relies on SSL to protect the integrity of security updates this attack could be used to serve malicious updates.

Install this update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B9102002 - Security update for Mozilla Firefox - SLED10 SP3
Severity: <Unspecified>
Fixlet ID: 910200201
Fixlet Link: http://download.novell.com/Download?buildid=DXrWgEcawQ8~

Fixlet Description: This update brings the Mozilla Firefox 3.5 web browser to version 3.5.3, the Mozilla XULRunner 1.9.0 engine to the 1.9.0.14 stable release, and the Mozilla XULRunner 1.9.1 engine to the 1.9.1.3 stable release. It also fixes various security issues:

MFSA 2009-47 / CVE-2009-3069 / CVE-2009-3070 / CVE-2009-3071 / CVE-2009-3072 / CVE-2009-3073 / CVE-2009-30 / CVE-2009-3075: Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

MFSA 2009-48 / CVE-2009-3076: Mozilla security researcher Jesse Ruderman reported that when security modules were added or removed via pkcs11.addmodule or pkcs11.deletemodule, the resulting dialog was not sufficiently informative. Without sufficient warning, an attacker could entice a victim to install a malicious PKCS11 module and affect the cryptographic integrity of the victim's browser. Security researcher Dan Kaminsky reported that this issue had not been fixed in Firefox 3.0 and that under certain circumstances pkcs11 modules could be installed from a remote location. Firefox 3.5 releases are not affected.

MFSA 2009-49 / CVE-2009-3077: An anonymous security researcher, via TippingPoint's Zero Day Initiative, reported that the columns of a XUL tree element could be manipulated in a particular way which would leave a pointer owned by the column pointing to freed memory. An attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on the victim's computer.

MFSA 2009-50 / CVE-2009-3078: Security researcher Juan Pablo Lopez Yacubian reported that the default Windows font used to render the location bar and other text fields was improperly displaying certain Unicode characters with tall line-height. In such cases the tall line-height would cause the rest of the text in the input field to be scrolled vertically out of view. An attacker could use this vulnerability to prevent a user from seeing the URL of a malicious site. Corrie Sloot also independently reported this issue to Mozilla.

MFSA 2009-51 / CVE-2009-3079: Mozilla security researcher moz_bug_r_a4 reported that the BrowserFeedWriter could be leveraged to run JavaScript code from web content with elevated privileges. Using this vulnerability, an attacker could construct an object containing malicious JavaScript and cause the FeedWriter to process the object, running the malicious code with chrome privileges. Thunderbird does not support the BrowserFeedWriter object and is not vulnerable in its default configuration. Thunderbird might be vulnerable if the user has installed any add-on which adds a similarly implemented feature and then enables JavaScript in mail messages. This is not the default setting and we strongly discourage users from running JavaScript in mail.

Install this update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B9102002 - Security update for Mozilla Firefox - SLES10 SP3
Severity: <Unspecified>
Fixlet ID: 910200203
Fixlet Link: http://download.novell.com/Download?buildid=3vrCNQCJkwg~

Fixlet Description: This update brings the Mozilla Firefox 3.5 web browser to version 3.5.3, the Mozilla XULRunner 1.9.0 engine to the 1.9.0.14 stable release, and the Mozilla XULRunner 1.9.1 engine to the 1.9.1.3 stable release. It also fixes various security issues:

MFSA 2009-47 / CVE-2009-3069 / CVE-2009-3070 / CVE-2009-3071 / CVE-2009-3072 / CVE-2009-3073 / CVE-2009-30 / CVE-2009-3075: Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

MFSA 2009-48 / CVE-2009-3076: Mozilla security researcher Jesse Ruderman reported that when security modules were added or removed via pkcs11.addmodule or pkcs11.deletemodule, the resulting dialog was not sufficiently informative. Without sufficient warning, an attacker could entice a victim to install a malicious PKCS11 module and affect the cryptographic integrity of the victim's browser. Security researcher Dan Kaminsky reported that this issue had not been fixed in Firefox 3.0 and that under certain circumstances pkcs11 modules could be installed from a remote location. Firefox 3.5 releases are not affected.

MFSA 2009-49 / CVE-2009-3077: An anonymous security researcher, via TippingPoint's Zero Day Initiative, reported that the columns of a XUL tree element could be manipulated in a particular way which would leave a pointer owned by the column pointing to freed memory. An attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on the victim's computer.

MFSA 2009-50 / CVE-2009-3078: Security researcher Juan Pablo Lopez Yacubian reported that the default Windows font used to render the location bar and other text fields was improperly displaying certain Unicode characters with tall line-height. In such cases the tall line-height would cause the rest of the text in the input field to be scrolled vertically out of view. An attacker could use this vulnerability to prevent a user from seeing the URL of a malicious site. Corrie Sloot also independently reported this issue to Mozilla.

MFSA 2009-51 / CVE-2009-3079: Mozilla security researcher moz_bug_r_a4 reported that the BrowserFeedWriter could be leveraged to run JavaScript code from web content with elevated privileges. Using this vulnerability, an attacker could construct an object containing malicious JavaScript and cause the FeedWriter to process the object, running the malicious code with chrome privileges. Thunderbird does not support the BrowserFeedWriter object and is not vulnerable in its default configuration. Thunderbird might be vulnerable if the user has installed any add-on which adds a similarly implemented feature and then enables JavaScript in mail messages. This is not the default setting and we strongly discourage users from running JavaScript in mail.

Install this update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B9102003 - Security update for IBM Java 1.4.2 - SLES10 SP3
Severity: <Unspecified>
Fixlet ID: 910200301
Fixlet Link: http://download.novell.com/Download?buildid=8uc5_5GUKbA~

Fixlet Description: IBM Java 1.4.2 was updated to SR13 FP1. It fixes the following two security issues:

CVE-2009-2625: A vulnerability in the Java Runtime Environment (JRE) with parsing XML data might allow a remote client to create a denial-of-service condition on the system that the JRE runs on.

CVE-2008-5349: A vulnerability in how the Java Runtime Environment (JRE) handles certain RSA public keys might cause the JRE to consume an excessive amount of CPU resources. This might lead to a Denial of Service (DoS) condition on affected systems. Such keys could be provided by a remote client of an application. This issue affects the following security providers: IBMJCE, IBMPKCS11Impl and IBMJCEFIPS.

Install this update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B9102101 - Security update for PostgreSQL - SLES10 SP3
Severity: <Unspecified>
Fixlet ID: 910210101
Fixlet Link: http://download.novell.com/Download?buildid=vArvrMpyfIg~

Fixlet Description: Multiple security vulnerabilities have been fixed in PostgreSQL:

CVE-2009-3229: allows remote authenticated users to cause a denial of service
CVE-2009-3230: allows remote authenticated users to gain higher privileges
CVE-2009-3231: when using LDAP authentication with anonymous binds, allows remote attackers to bypass authentication via an empty password

Everyone should update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B9102101 - Security update for PostgreSQL - SLED10 SP3
Severity: <Unspecified>
Fixlet ID: 910210103
Fixlet Link: http://download.novell.com/Download?buildid=e63Lah5lSF8~

Fixlet Description: Multiple security vulnerabilities have been fixed in PostgreSQL:

CVE-2009-3229: allows remote authenticated users to cause a denial of service
CVE-2009-3230: allows remote authenticated users to gain higher privileges
CVE-2009-3231: when using LDAP authentication with anonymous binds, allows remote attackers to bypass authentication via an empty password

Everyone should update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B9102201 - Security update for Samba - SLED10 SP2
Severity: <Unspecified>
Fixlet ID: 910220101
Fixlet Link: http://download.novell.com/Download?buildid=I1K1e-fVh54~

Fixlet Description: Samba's make_connection_snum() handles certain input incorrectly, which may lead to disclosure of the root directory. CVE-2009-2813 has been assigned to this issue. Additionally, an information disclosure vulnerability in mount.cifs has been fixed (CVE-2009-2948), as well as a DoS condition (CVE-2009-2906). Everyone should update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B9102201 - Security update for Samba - SLES10 SP2
Severity: <Unspecified>
Fixlet ID: 910220103
Fixlet Link: http://download.novell.com/Download?buildid=jp02XaI6Xws~

Fixlet Description: Samba's make_connection_snum() handles certain input incorrectly, which may lead to disclosure of the root directory. CVE-2009-2813 has been assigned to this issue. Additionally, an information disclosure vulnerability in mount.cifs has been fixed (CVE-2009-2948), as well as a DoS condition (CVE-2009-2906). Everyone should update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B9102202 - Security update for libapr - SLES10 SP2
Severity: <Unspecified>
Fixlet ID: 910220201
Fixlet Link: http://download.novell.com/Download?buildid=foe0PcYE9sM~

Fixlet Description: This update of libapr-util1 and libapr1 fixes multiple integer overflows that could probably be used to execute arbitrary code remotely. (CVE-2009-2412) Everyone should update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B9102202 - Security update for libapr - SLED10 SP2
Severity: <Unspecified>
Fixlet ID: 910220203
Fixlet Link: http://download.novell.com/Download?buildid=sY1Y8e1O598~

Fixlet Description: This update of libapr-util1 and libapr1 fixes multiple integer overflows that could probably be used to execute arbitrary code remotely. (CVE-2009-2412) Everyone should update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B9102204 - Security update for libapr1 - SLED10 SP3
Severity: <Unspecified>
Fixlet ID: 910220401
Fixlet Link: http://download.novell.com/Download?buildid=WfkxuwPsKSw~

Fixlet Description: This update of libapr-util1 and libapr1 fixes multiple integer overflows that could probably be used to execute arbitrary code remotely. (CVE-2009-2412) Everyone should update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B9102204 - Security update for libapr1 - SLES10 SP3
Severity: <Unspecified>
Fixlet ID: 910220403
Fixlet Link: http://download.novell.com/Download?buildid=FE1FnBxxB0A~

Fixlet Description: This update of libapr-util1 and libapr1 fixes multiple integer overflows that could probably be used to execute arbitrary code remotely. (CVE-2009-2412) Everyone should update. Please see patch page for more detailed information.


