[SUSE-Announcements] BES Auto Notification: New Fixlets Published in Fixlet Site: 'Patches for SUSE Linux Enterprise'

Notification of New SUSE Fixlet Messages suse-announcements at bigmail.bigfix.com
Thu Apr 8 03:10:52 PDT 2010


Fixlet Site - 'Patches for SUSE Linux Enterprise'
Current Version: 315	Published: Thu, 08 Apr 2010 01:08:05  GMT

New Fixlets:
============

***************************************************************
Title: PATCH-12585 - Security update for Tomcat - SLES9
Severity: <Unspecified>
Fixlet ID: 1258501
Fixlet Link: http://download.novell.com/Download?buildid=LDht2PyCPxY~

Fixlet Description: This update of tomcat5/6 fixes:
CVE-2009-2693: CVSS v2 Base Score: 5.8
CVE-2009-2902: CVSS v2 Base Score: 4.3
Directory traversal vulnerability allowed remote attackers to create or overwrite arbitrary files/dirs with a specially crafted WAR file.
CVE-2009-2901: CVSS v2 Base Score: 4.3
When autoDeploy is enabled, the autodeployment process deployed appBase files that remain from a failed undeploy, which might allow remote attackers to bypass intended authentication requirements via HTTP requests.
CVE-2008-5515: CVSS v2 Base Score: 5.0
When using the RequestDispatcher method, it was possible for remote attackers to bypass intended access restrictions and conduct directory traversal attacks.
Please update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-12595 - Security update for Samba - SLES9
Severity: <Unspecified>
Fixlet ID: 1259501
Fixlet Link: http://download.novell.com/Download?buildid=FuiIHJkIDGs~

Fixlet Description: With "wide links" enabled, Samba follows symbolic links on the server side, allowing clients to overwrite arbitrary files (CVE-2010-0926). This update changes the default so that "wide links" is disabled. The new default only takes effect if "wide links" is not set explicitly in smb.conf. Due to a race condition in mount.cifs, a local attacker could corrupt /etc/mtab if mount.cifs is installed setuid root. mount.cifs is not setuid root by default and it is not recommended to change that (CVE-2010-0547). Everyone should update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-12595 - Dependencies Needed - SLES9
Severity: <Unspecified>
Fixlet ID: 1259502
Fixlet Link: http://download.novell.com/Download?buildid=FuiIHJkIDGs~

Fixlet Description: Updated Linux kernel packages are now available for SuSE Linux Enterprise 9. However, some of these packages have a dependency that must be resolved. The following packages must be installed at the specified version or greater:
file-4.21-47.1.i586.rpm
heimdal-devel-0.6.1rc3-55.3.i586.rpm

***************************************************************
Title: PATCH-B10040601 - Security update for Tomcat 5 - SLES10 SP2
Severity: <Unspecified>
Fixlet ID: 1004060101
Fixlet Link: http://download.novell.com/Download?buildid=EzTkRmJvLjs~

Fixlet Description: This update of tomcat5/6 fixes:
CVE-2009-2693: CVSS v2 Base Score: 5.8
CVE-2009-2902: CVSS v2 Base Score: 4.3
Directory traversal vulnerability allowed remote attackers to create or overwrite arbitrary files/dirs with a specially crafted WAR file.
CVE-2009-2901: CVSS v2 Base Score: 4.3
When autoDeploy is enabled the autodeployment process deployed appBase files that remain from a failed undeploy, which might allow remote attackers to bypass intended authentication requirements via HTTP requests.
Please update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B10040602 - Security update for Samba - SLES10 SP2
Severity: <Unspecified>
Fixlet ID: 1004060201
Fixlet Link: http://download.novell.com/Download?buildid=zsNFTdk6fxw~

Fixlet Description: With "wide links" enabled, Samba follows symbolic links on the server side, allowing clients to overwrite arbitrary files (CVE-2010-0926). This update changes the default so that "wide links" is disabled. The new default only takes effect if "wide links" is not set explicitly in smb.conf. Due to a race condition in mount.cifs, a local attacker could corrupt /etc/mtab if mount.cifs is installed setuid root. mount.cifs is not setuid root by default and it is not recommended to change that (CVE-2010-0547). Everyone should update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B10040602 - Security update for Samba - SLED10 SP2
Severity: <Unspecified>
Fixlet ID: 1004060203
Fixlet Link: http://download.novell.com/Download?buildid=eZWRKwnN4_A~

Fixlet Description: With "wide links" enabled, Samba follows symbolic links on the server side, allowing clients to overwrite arbitrary files (CVE-2010-0926). This update changes the default so that "wide links" is disabled. The new default only takes effect if "wide links" is not set explicitly in smb.conf. Due to a race condition in mount.cifs, a local attacker could corrupt /etc/mtab if mount.cifs is installed setuid root. mount.cifs is not setuid root by default and it is not recommended to change that (CVE-2010-0547). Everyone should update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B10040603 - Security update for Samba - SLED10 SP3
Severity: <Unspecified>
Fixlet ID: 1004060301
Fixlet Link: http://download.novell.com/Download?buildid=A_PcqM_y9nY~

Fixlet Description: With "wide links" enabled, Samba follows symbolic links on the server side, allowing clients to overwrite arbitrary files (CVE-2010-0926). This update changes the default so that "wide links" is disabled. The new default only takes effect if "wide links" is not set explicitly in smb.conf. Due to a race condition in mount.cifs, a local attacker could corrupt /etc/mtab if mount.cifs is installed setuid root. mount.cifs is not setuid root by default and it is not recommended to change that (CVE-2010-0547). Everyone should update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B10040603 - Security update for Samba - SLES10 SP3
Severity: <Unspecified>
Fixlet ID: 1004060303
Fixlet Link: http://download.novell.com/Download?buildid=WLSQ94SslO0~

Fixlet Description: With "wide links" enabled, Samba follows symbolic links on the server side, allowing clients to overwrite arbitrary files (CVE-2010-0926). This update changes the default so that "wide links" is disabled. The new default only takes effect if "wide links" is not set explicitly in smb.conf. Due to a race condition in mount.cifs, a local attacker could corrupt /etc/mtab if mount.cifs is installed setuid root. mount.cifs is not setuid root by default and it is not recommended to change that (CVE-2010-0547). Everyone should update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B10040604 - Security update for Tomcat 5 - SLES10 SP3
Severity: <Unspecified>
Fixlet ID: 1004060401
Fixlet Link: http://download.novell.com/Download?buildid=HgS6cl1xsEg~

Fixlet Description: This update of tomcat5/6 fixes:
CVE-2009-2693: CVSS v2 Base Score: 5.8
CVE-2009-2902: CVSS v2 Base Score: 4.3
Directory traversal vulnerability allowed remote attackers to create or overwrite arbitrary files/dirs with a specially crafted WAR file.
CVE-2009-2901: CVSS v2 Base Score: 4.3
When autoDeploy is enabled the autodeployment process deployed appBase files that remain from a failed undeploy, which might allow remote attackers to bypass intended authentication requirements via HTTP requests.
Please update. Please see patch page for more detailed information.
