Fixlet Site - PatchesforSUSELinuxEnterprise
Current Version: 195	Published: Thu, 15 Jan 2009 23:20:54  GMT

New Fixlets:
============

***************************************************************
Title: PATCH-12317 - Security update for Cups - SLES9
Severity: <Unspecified>
Fixlet ID: 1231701
Fixlet Link: http://download.novell.com/Download?buildid=MTdi-k4h8NE~

Fixlet Description: Previous updates for the PNG and HPGL filters were incomplete and are corrected now (CVE-2008-3641, CVE-2008-5286). Everyone should update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-12326 - Security update for Epiphany - SLES9
Severity: <Unspecified>
Fixlet ID: 1232601
Fixlet Link: http://download.novell.com/Download?buildid=Xfv5uccfitg~

Fixlet Description: The Mozilla Browser received backports for security problems in 1.8.1.14. The following security issues were fixed:   MFSA 2008-68 / CVE-2008-5512 / CVE-2008-5511: Mozilla security researcher moz_bug_r_a4 reported that an XBL binding, when attached to an unloaded document, can be used to violate the same-origin policy and execute arbitrary JavaScript within the context of a different website. moz_bug_r_a4 also reported two vulnerabilities by which page content can pollute XPCNativeWrappers and run arbitary JavaScript with chrome priviliges. Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Workaround Disable JavaScript until a version containing these fixes can be installed. MFSA 2008-67 / CVE-2008-5510: Kojima Hajime reported that unlike literal null characters which were handled correctly, the escaped form '\0' was ignored by the CSS parser and treated as if it was not present in the CSS input string. This issue could potentially be used to bypass script sanitization routines in web applications. The severity of this issue was determined to be low. MFSA 2008-66 / CVE-2008-5508: Perl developer Chip Salzenberg reported that certain control characters, when placed at the beginning of a URL, would lead to incorrect parsing resulting in a malformed URL being output by the parser. IBM researchers Justin Schuh, Tom Cross, and Peter William also reported a related symptom as part of their research that resulted in MFSA 2008-37. There was no direct security impact from this issue and its effect was limited to the improper rendering of hyperlinks containing specific characters. The severity of this issue was determined to be low. MFSA 2008-65 / CVE-2008-5507: Google security researcher Chris Evans reported that a website could access a limited amount of data from a different domain by loading a same-domain JavaScript URL which redirects to an off-domain target resource containing data which is not parsable as JavaScript. Upon attempting to load the data as JavaScript a syntax error is generated that can reveal some of the file context via the window. onerror DOM API. This issue could be used by a malicious website to steal private data from users who are authenticated on the redirected website. How much data could be at risk would depend on the format of the data and how the JavaScript parser attempts to interpret it. For most files the amount of data that can be recovered would be limited to the first word or two. Some data files might allow deeper probing with repeated loads. Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Workaround Disable JavaScript until a version containing these fixes can be installed. MFSA 2008-64 / CVE-2008-5506: Marius Schilder of Google Security reported that when a XMLHttpRequest is made to a same-origin resource which 302 redirects to a resource in a different domain, the response from the cross-domain resource is readable by the site issuing the XHR. Cookies marked HttpOnly were not readable, but other potentially sensitive data could be revealed in the XHR response including URL parameters and content in the response body. Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Workaround Disable JavaScript until a version containing these fixes can be installed. MFSA 2008-61 / CVE-2008-5503: Mozilla developer Boris Zbarsky reported that XBL bindings could be used to read data from other domains, a violation of the same-origin policy. The severity of this issue was determined to be moderate due to several mitigating factors:  The target document requires a bindingsi element in the XBL namespace in order to be read. The reader of the data needs to know the id attribute of the binding being read in advance. It is unlikely that web services will expose private data in the manner described above. Firefox 3 is not affected by this issue. Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Workaround Products built from the Mozilla 1.9.0 branch and later, Firefox 3 for example, are not affected by this issue. Upgrading to one of these products is a reliable workaround for this particular issue and it is also Mozilla's recommendation that the most current version of any Mozilla product be used. Alternatively, you can disable JavaScript until a version containing these fixes can be installed. MFSA 2008-60 / CVE-2008-5500: Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript such as large images. Workaround Disable JavaScript until a version containing these fixes can be installed. Install this update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B9011201 - Security update for imlib2 - SLED10 SP2
Severity: <Unspecified>
Fixlet ID: 901120101
Fixlet Link: http://download.novell.com/Download?buildid=SEG-wGovcZg~

Fixlet Description: A security problem was fixed in imlib2 where loading a specific XPM file could corrupt memory. (CVE-2008-5187) Install this update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B9011301 - Security update for xterm - SLED10 SP2
Severity: <Unspecified>
Fixlet ID: 901130101
Fixlet Link: http://download.novell.com/Download?buildid=id05VePg-Zk~

Fixlet Description: XTerm evaluated various ANSI Escape sequences so that command execution was possible if an attacker could pipe raw data to an xterm. (CVE-2008-2383) (It is usually not recommended to display raw data on an xterm. ) Install this update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B9011301 - Security update for xterm - SLES10 SP2
Severity: <Unspecified>
Fixlet ID: 901130103
Fixlet Link: http://download.novell.com/Download?buildid=ROxj9Obn_xY~

Fixlet Description: XTerm evaluated various ANSI Escape sequences so that command execution was possible if an attacker could pipe raw data to an xterm. (CVE-2008-2383) (It is usually not recommended to display raw data on an xterm. ) Install this update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B9011302 - Security update for valgrind - SLED10 SP2
Severity: <Unspecified>
Fixlet ID: 901130203
Fixlet Link: http://download.novell.com/Download?buildid=fhZoBJ1ha6E~

Fixlet Description: valgrind reads a file. valgrindrc in the current directory. Therefore local users could place such a file a world writable directory such as /tmp and influence other users' valgrind when it's executed there (CVE-2008-4865). Everyone should update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B9011401 - Security update for Cups - SLES10 SP2
Severity: <Unspecified>
Fixlet ID: 901140101
Fixlet Link: http://download.novell.com/Download?buildid=tV2wxs9Ruys~

Fixlet Description: Previous updates for the PNG and HPGL filters were incomplete and are corrected now (CVE-2008-3641, CVE-2008-5286). Everyone should update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B9011401 - Security update for Cups - SLED10 SP2
Severity: <Unspecified>
Fixlet ID: 901140103
Fixlet Link: http://download.novell.com/Download?buildid=WCq_lD9j6hs~

Fixlet Description: Previous updates for the PNG and HPGL filters were incomplete and are corrected now (CVE-2008-3641, CVE-2008-5286). Everyone should update. Please see patch page for more detailed information.