Fixlet Site - Patches for SUSE Linux Enterprise
Current Version: 200
Published: Thu, 12 Feb 2009 00:10:02 GMT

New Fixlets:
============

***************************************************************
Title: PATCH-12343 - Security update for Tomcat - SLES9
Severity:
Fixlet ID: 1234301
Fixlet Link: http://download.novell.com/Download?buildid=9FLcbykZVR8~
Fixlet Description: Two old but not yet fixed security issues in tomcat5 were spotted and are fixed by this update:

CVE-2006-3835: Apache Tomcat 5 before 5.5.17 allows remote attackers to list directories via a semicolon (;) preceding a filename with a mapped extension, as demonstrated by URLs ending with /;index.jsp and /;help.do.

Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat allowed remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616".

These issues were rated "low" by the Apache Tomcat team. Please install this update.

Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B9020401 - Security update for Tomcat 5 - SLES10 SP2
Severity:
Fixlet ID: 902040101
Fixlet Link: http://download.novell.com/Download?buildid=vLagmnhoAR0~
Fixlet Description: Two old but not yet fixed security issues in tomcat5 were spotted and are fixed by this update:

CVE-2006-3835: Apache Tomcat 5 before 5.5.17 allows remote attackers to list directories via a semicolon (;) preceding a filename with a mapped extension, as demonstrated by URLs ending with /;index.jsp and /;help.do.

Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat allowed remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616".

These issues were rated "low" by the Apache Tomcat team. Please install this update.

Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B9020402 - Security update for xine - SLED10 SP2
Severity:
Fixlet ID: 902040201
Fixlet Link: http://download.novell.com/Download?buildid=cMHhrx8QRlY~
Fixlet Description: This update of xine fixes multiple buffer overflows while parsing files:

CVE-2008-3231 CVE-2008-5233 CVE-2008-5234 CVE-2008-5235 CVE-2008-5236 CVE-2008-5237 CVE-2008-5238 CVE-2008-5239 CVE-2008-5240 CVE-2008-5241 CVE-2008-5242 CVE-2008-5243 CVE-2008-5244 CVE-2008-5245 CVE-2008-5246 CVE-2008-5247 CVE-2008-5248

These bugs can lead to remote code execution. Everyone should update.

Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B9020501 - Security update for PHP5 - SLES10 SP2
Severity:
Fixlet ID: 902050101
Fixlet Link: http://download.novell.com/Download?buildid=cYT73HL4HGE~
Fixlet Description: This update of php5 fixes a directory traversal bug in ZipArchive (CVE-2008-5658) and a buffer overflow in the mstring extension (CVE-2008-5557). Everyone should update.

Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B9020502 - Security update for libvirt - SLES10 SP2
Severity:
Fixlet ID: 902050201
Fixlet Link: http://download.novell.com/Download?buildid=YSjoVaf4D7o~
Fixlet Description: libvirt misses some read-only connection checks for certain methods. This flaw enables local unprivileged users for example to migrate virtual machines without authentication (CVE-2008-5086). Everyone should update.

Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B9020502 - Dependencies Needed - SLES10 SP2
Severity:
Fixlet ID: 902050202
Fixlet Link: http://download.novell.com/Download?buildid=YSjoVaf4D7o~
Fixlet Description: Updated libvirt packages are now available for SuSE Linux Enterprise 10. However, these packages have a dependency that must be resolved. The following package must be installed at the specified version or greater:

socat-1.7.0.0-1.3.i586.rpm

***************************************************************
Title: PATCH-B9020502 - Security update for libvirt - SLED10 SP2
Severity:
Fixlet ID: 902050203
Fixlet Link: http://download.novell.com/Download?buildid=8t5eqtTWxaA~
Fixlet Description: libvirt misses some read-only connection checks for certain methods. This flaw enables local unprivileged users for example to migrate virtual machines without authentication (CVE-2008-5086). Everyone should update.

Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B9020502 - Dependencies Needed - SLED10 SP2
Severity:
Fixlet ID: 902050204
Fixlet Link: http://download.novell.com/Download?buildid=8t5eqtTWxaA~
Fixlet Description: Updated libvirt packages are now available for SuSE Linux Enterprise 10. However, these packages have a dependency that must be resolved. The following package must be installed at the specified version or greater:

socat-1.7.0.0-1.3.i586.rpm

***************************************************************
Title: PATCH-B9021001 - Security update for netatalk - SLED10 SP2
Severity:
Fixlet ID: 902100101
Fixlet Link: http://download.novell.com/Download?buildid=9XC4cq6Yyag~
Fixlet Description: This update of netatalk adds a filter for characters of user-supplied data to papd. Prior to this update it was possible to execute arbitrary shell commands remotely. (CVE-2008-5718) Everyone should update.

Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B9021001 - Security update for netatalk - SLES10 SP2
Severity:
Fixlet ID: 902100103
Fixlet Link: http://download.novell.com/Download?buildid=t4Yf1Btns_M~
Fixlet Description: This update of netatalk adds a filter for characters of user-supplied data to papd. Prior to this update it was possible to execute arbitrary shell commands remotely. (CVE-2008-5718) Everyone should update.

Please see patch page for more detailed information.