Fixlet Site - PatchesforSUSELinuxEnterprise
Current Version: 167	Published: Wed, 17 Sep 2008 18:14:01  GMT

New Fixlets:
============

***************************************************************
Title: PATCH-B8091102 - Security update for pidgin, gaim and finch - SLED10 SP2
Severity: <Unspecified>
Fixlet ID: 809110201
Fixlet Link: http://download.novell.com/Download?buildid=0K9pEvIQapM~

Fixlet Description: A number of security issues have been found and fixed in pidgin and related programs:  Specially crafted MSN SLP messages could cause an integer overflow in pidgin. Attackers could potentially exploit that to execute  arbitrary code (CVE-2008-2927). Overly long file names in MSN file transfers could crash pidgin (CVE-2008-2955). SSL certifcates were not verfied. Therefore pidgin didn't notice  faked certificates (CVE-2008-3532).   Additionally, a problem was fixed that prevented gaim clients from connecting to the ICQ network after a server change on July 1st  2008. Everyone using pidgin, gaim or finch should update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B8091102 - Security update for pidgin, gaim and finch - SLES10 SP2
Severity: <Unspecified>
Fixlet ID: 809110203
Fixlet Link: http://download.novell.com/Download?buildid=YSj7w--spWc~

Fixlet Description: A number of security issues have been found and fixed in pidgin and related programs:  Specially crafted MSN SLP messages could cause an integer overflow in pidgin. Attackers could potentially exploit that to execute arbitrary code (CVE-2008-2927). Overly long file names in MSN file transfers could crash pidgin (CVE-2008-2955). SSL certifcates were not verfied. Therefore pidgin didn't notice faked certificates (CVE-2008-3532). Additionally, a problem was fixed that prevented gaim clients from connecting to the ICQ network after a server change on July 1st 2008. Everyone using pidgin, gaim or finch should update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B8091102 - Dependencies Needed - SLES10 SP2
Severity: <Unspecified>
Fixlet ID: 809110204
Fixlet Link: http://download.novell.com/Download?buildid=YSj7w--spWc~

Fixlet Description: An updated pidgin-debuginfo package that fixes various security issues is now available. However, this package has one dependency that must be resolved. The following package must be installed at the specified version:  pidgin-2.3.1-10.9.i586.rpm

***************************************************************
Title: PATCH-B8091103 - Security update for imlib2 - SLED10 SP1
Severity: <Unspecified>
Fixlet ID: 809110303

Fixlet Description: This update fixes two security problems in imlib2: Specially crafted xpm files could trigger a stack based buffer overflow in imlib2 which could potentially be exploited to execute arbitrary code (CVE-2008-2426). A crash in PNM handling due to a NULL pointer dereference was fixed. Install this update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B8091201 - Security update for IBM Java 1.5 - SLED10 SP1
Severity: <Unspecified>
Fixlet ID: 809120103

Fixlet Description: IBM Java 5 was updated to SR8 to fix various security issues: Multiple vulnerabilities with unsigned applets were reported. A remote attacker could misuse an unsigned applet to connect to localhost services running on the host running the applet. (CVE-2008-3104) A vulnerability in the XML processing API was found. A remote attacker who caused malicious XML to be processed by an untrusted applet or application was able to elevate permissions to access URLs on a remote host. (CVE-2008-3106) A buffer overflow vulnerability was found in the font processing code. This allowed remote attackers to extend the permissions of an untrusted applet or application, allowing it to read and/or write local files, as well as to execute local applications accessible to the user running the untrusted application. (CVE-2008-3108) Several buffer overflow vulnerabilities in Java Web Start were reported.  These vulnerabilities allowed an untrusted Java Web Start application to elevate its privileges, allowing it to read and/or write local files, as well as to execute local applications accessible to the user running the untrusted application. (CVE-2008-3111)  Two file processing vulnerabilities in Java Web Start were found. A remote attacker, by means of an untrusted Java Web Start application, was able to create or delete arbitrary files with the permissions of the user running the untrusted application. (CVE-2008-3112, CVE-2008-3113)  A vulnerability in Java Web Start when processing untrusted applications was reported. An attacker was able to acquire sensitive information, such as the cache location. (CVE-2008-3114)  This release also reinstates previous Crypto Export policy jars lost between SR3 and SR8. Everyone using IBM Java 1.5 should install this update. Please see patch page for more detailed information.