From meissner@suse.de Thu Mar 24 11:38:39 2005 From: Marcus Meissner To: full-disclosure@lists.grok.org.uk Date: Thu, 24 Mar 2005 17:33:31 +0100 Subject: [Full-disclosure] SUSE Security Announcement: several kernel security problems (SUSE-SA:2005:018) -----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SUSE Security Announcement Package: kernel Announcement-ID: SUSE-SA:2005:018 Date: Thu, 24 Mar 2005 15:00:00 +0000 Affected products: 8.2, 9.0, 9.1, 9.2 SUSE Linux Desktop 1.0 SUSE Linux Enterprise Server 8, 9 Novell Linux Desktop 9 Vulnerability Type: remote denial of service Severity (1-10): 9 SUSE default package: yes Cross References: CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2004-0814 CAN-2004-1333 CAN-2005-0003 Content of this advisory: 1) security vulnerability resolved: several kernel security problems problem description 2) solution/workaround 3) special instructions and notes 4) package location and checksums 5) pending vulnerabilities, solutions, workarounds: See SUSE Security Summary Report (next one due after Easter). 6) standard appendix (further information) ______________________________________________________________________________ 1) problem description, brief discussion The Linux kernel is the core component of the Linux system. Several vulnerabilities were reported in the last few weeks which are fixed by this update. Not all kernels are affected by all the problems, each of the problems has an affected note attached to it. The CAN-XXXX-XXX IDs are Mitre CVE Candidate IDs, please see http://www.mitre.org for more information. Following security vulnerabilities are fixed: - CAN-2005-0449: The netfilter/iptables module in Linux before 2.6.8.1 allows remote attackers to cause a denial of service (kernel crash) or bypass firewall rules via crafted packets, which are not properly handled by the skb_checksum_help function. A remote attacker could crash a SUSE Linux system when this system is used as a router/firewall. Only SUSE Linux versions using the 2.6 kernels are affected. - CAN-2005-0209: When forwarding fragmented packets, we can only use hardware assisted checksum once. This could lead to a denial of service attack / crash potentially trigger able by remote users. Only SUSE Linux versions using the 2.6 kernels are affected. - CAN-2005-0529: Linux kernels before 2.6.11 use different size types for offset arguments to the proc_file_read and locks_read_proc functions, which leads to a heap-based buffer overflow when a signed comparison causes negative integers to be used in a positive context. Only SUSE Linux versions using the 2.6 kernels are affected. - CAN-2005-0530: Signedness error in the copy_from_read_buf function in n_tty.c before Linux kernel 2.6.11 allows local users to read kernel memory via a negative argument. Only SUSE Linux versions using the 2.6 kernels are affected. - Missing checking in the epoll system calls allowed overwriting of a small range of kernel memory. This allows a local attacker to gain root privileges. All SUSE Linux versions except SUSE Linux 8.2 are affected. - A integer overflow was possible when writing to a sysfs file, allowing an attacker to overwrite kernel memory. Only SUSE Linux versions using the 2.6 kernels are affected. - CAN-2005-0532: The reiserfs_copy_from_user_to_file_region function in reiserfs/file.c before Linux kernel 2.6.11, when running on 64-bit architectures, may allow local users to trigger a buffer overflow as a result of casting discrepancies between size_t and int data types. This allows a remote attacker to overwrite kernel memory, crash the machine or potential get root access. Only SUSE Linux versions using the 2.6 kernels running on 64 bit machines are affected. - CAN-2005-0384: Fixed a local denial of service attack in the kernel PPP code. This allows a local attacker to hang the system. All SUSE Linux versions are affected. - CAN-2005-0210: A dst leak problem in the ip_conntrack module of the iptables firewall was fixed. Only SUSE Linux versions using the 2.6 kernels are affected. - CAN-2005-0504: Buffer overflow in the MoxaDriverIoctl function for the moxa serial driver (moxa.c) in Linux 2.2.x, 2.4.x, and 2.6.x allows local users to execute arbitrary code via a certain modified length value. Only SUSE Linux versions using the 2.6 kernels are fixed, this was considered too minor for our 2.4 line. - Only root should be able to set the N_MOUSE line discipline, this is a partial fix for CAN-2004-0814. - Due to an xattr sharing bug in the ext2 and ext3 file systems, default ACLs could disappear. Only SUSE Linux versions using the 2.6 kernels are affected. - CAN-2005-0003: Fixed a potential problem with overlapping VMAs also on 2.4 kernels. Only SUSE Linux versions using the 2.4 kernels are affected. - CAN-2004-1333: Fixed a local denial of service problem with the VC_RESIZE ioctl. A local user logged in to a text console can crash the machine. Only SUSE Linux versions using the 2.4 kernels are affected. Additional kernel module had bugs fixed: - antivir / dazuko.ko: The capability handling of this module was broken and was fixed by a version upgrade. - drbd: A slow memory leak in drbd was fixed. - Bugs fixed after the SUSE Linux Enterprise Server 8 SP4 release (for the SLES 8 and United Linux 1 updates). - Bugs fixed after the SUSE Linux Enterprise Server 9 SP1 release (for the SLES 9 and NLD 9 updates). 2) solution/workaround None. Please install the updated packages. 3) special instructions and notes SPECIAL INSTALL INSTRUCTIONS: ============================== The following paragraphs will guide you through the installation process in a step-by-step fashion. The character sequence "****" marks the beginning of a new paragraph. In some cases, the steps outlined in a particular paragraph may or may not be applicable to your situation. Therefore, please make sure to read through all of the steps below before attempting any of these procedures. All of the commands that need to be executed are required to be run as the superuser (root). Each step relies on the steps before it to complete successfully. **** Step 1: Determine the needed kernel type Please use the following command to find the kernel type that is installed on your system: rpm -qf /boot/vmlinuz Following are the possible kernel types (disregard the version and build number following the name separated by the "-" character) k_deflt # default kernel, good for most systems. k_i386 # kernel for older processors and chip sets k_athlon # kernel made specifically for AMD Athlon(tm) family processors k_psmp # kernel for Pentium-I dual processor systems k_smp # kernel for SMP systems (Pentium-II and above) k_smp4G # kernel for SMP systems which supports a maximum of 4G of RAM kernel-64k-pagesize kernel-bigsmp kernel-default kernel-smp **** Step 2: Download the package for your system Please download the kernel RPM package for your distribution with the name as indicated by Step 1. The list of all kernel rpm packages is appended below. Note: The kernel-source package does not contain a binary kernel in bootable form. Instead, it contains the sources that the binary kernel rpm packages are created from. It can be used by administrators who have decided to build their own kernel. Since the kernel-source.rpm is an installable (compiled) package that contains sources for the linux kernel, it is not the source RPM for the kernel RPM binary packages. The kernel RPM binary packages for the distributions can be found at the locations below ftp://ftp.suse.com/pub/suse/i386/update/. 8.2/rpm/i586 9.0/rpm/i586 9.1/rpm/i586 9.2/rpm/i586 After downloading the kernel RPM package for your system, you should verify the authenticity of the kernel rpm package using the methods as listed in section 3) of each SUSE Security Announcement. **** Step 3: Installing your kernel rpm package Install the rpm package that you have downloaded in Steps 3 or 4 with the command rpm -Uhv --nodeps --force where is the name of the rpm package that you downloaded. Warning: After performing this step, your system will likely not be able to boot if the following steps have not been fully followed. **** Step 4: configuring and creating the initrd The initrd is a ramdisk that is loaded into the memory of your system together with the kernel boot image by the bootloader. The kernel uses the content of this ramdisk to execute commands that must be run before the kernel can mount its actual root filesystem. It is usually used to initialize SCSI drivers or NIC drivers for diskless operation. The variable INITRD_MODULES in /etc/sysconfig/kernel determines which kernel modules will be loaded in the initrd before the kernel has mounted its actual root filesystem. The variable should contain your SCSI adapter (if any) or filesystem driver modules. With the installation of the new kernel, the initrd has to be re-packed with the update kernel modules. Please run the command mk_initrd as root to create a new init ramdisk (initrd) for your system. On SuSE Linux 8.1 and later, this is done automatically when the RPM is installed. **** Step 5: bootloader If you run a SUSE LINUX 8.x, SLES8, or SUSE LINUX 9.x system, there are two options: Depending on your software configuration, you have either the lilo bootloader or the grub bootloader installed and initialized on your system. The grub bootloader does not require any further actions to be performed after the new kernel images have been moved in place by the rpm Update command. If you have a lilo bootloader installed and initialized, then the lilo program must be run as root. Use the command grep LOADER_TYPE /etc/sysconfig/bootloader to find out which boot loader is configured. If it is lilo, then you must run the lilo command as root. If grub is listed, then your system does not require any bootloader initialization. Warning: An improperly installed bootloader may render your system unbootable. **** Step 6: reboot If all of the steps above have been successfully completed on your system, then the new kernel including the kernel modules and the initrd should be ready to boot. The system needs to be rebooted for the changes to become active. Please make sure that all steps have completed, then reboot using the command shutdown -r now or init 6 Your system should now shut down and reboot with the new kernel. 4) package location and checksums Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web. x86 Platform: SUSE Linux 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/Intel-536ep-4.69-5.6.i586.rpm a3e7ae43ed40beb4e6a91c12173a6208 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-bigsmp-2.6.8-24.13.i586.rpm d6f629086c8021c31579bfab6f966a80 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-bigsmp-nongpl-2.6.8-24.13.i586.rpm c677ef5d3738fd3d9fa660a2eb5e6c9d ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-default-2.6.8-24.13.i586.rpm 856a9ef25235c42782e6de073523b975 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-default-nongpl-2.6.8-24.13.i586.rpm 29279144bdf0ba5884b98b764851dd34 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-smp-2.6.8-24.13.i586.rpm 57090bf8316f5c44ce6a66011bae0db2 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-smp-nongpl-2.6.8-24.13.i586.rpm 14714e1bb4f1b6395a0ed7d92499628e ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-source-2.6.8-24.13.i586.rpm 07601eb3f22def95f2f77222db6c74c8 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-syms-2.6.8-24.13.i586.rpm 00e4a56bc7a009399b0f7536e20d6a0e ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-um-2.6.8-24.13.i586.rpm c9f5e9965ace4fe7019a8dec74b5b898 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/kernel-um-nongpl-2.6.8-24.13.i586.rpm 2a62d57e412f4e10d156734906face7c ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/ltmodem-8.31a8-6.6.i586.rpm ebd3ea3dca91dda23b5b008f34cb2635 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/um-host-install-initrd-1.0-48.6.i586.rpm bbecc9e23da79030b213f2fa0dc45b44 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/um-host-kernel-2.6.8-24.13.i586.rpm efb8ff7a0680e983579c7319f8068b1a ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/noarch/kernel-docs-2.6.8-24.13.noarch.rpm 12793882c2100201dd76de65c5ed26f9 SUSE Linux 9.1: ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-bigsmp-2.6.5-7.151.i586.rpm d801daf8beed0792c84316e2e7713f41 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-default-2.6.5-7.151.i586.rpm 332f1a58948d88e85e755238ea3096b6 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-smp-2.6.5-7.151.i586.rpm 568b83f27bbae07274bd165bff4630cf ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-source-2.6.5-7.151.i586.rpm 03f54f3a2fb9508747be5fca11cabe9f ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-syms-2.6.5-7.151.i586.rpm faff02a2390bfc99215afe0724823d9e ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/ltmodem-2.6.2-38.14.i586.rpm 940a9aa4170b14d19077915512dcbecd ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/noarch/kernel-docs-2.6.5-7.151.noarch.rpm 5fc9640689ba9abc1199e016b96e5df7 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-bigsmp-2.6.5-7.151.nosrc.rpm 600a651760dc303fdc24417e6f28457f ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-default-2.6.5-7.151.nosrc.rpm 1ca101fe4bc7a0565bdfe95ec50e575b ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-docs-2.6.5-7.151.src.rpm 73853c8f22b1dc0ad3c8f2cfb3fa7bcc ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-smp-2.6.5-7.151.nosrc.rpm 8956a79089e858d53833729514b4ecb4 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-source-2.6.5-7.151.src.rpm 9fc52075c3d76aae66698dafe2a34ef4 ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-syms-2.6.5-7.151.src.rpm cfeb547283923ec6bb7ecde68e87959e ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/ltmodem-2.6.2-38.14.src.rpm 1b72810d556f330f0387b0f3f0e74279 SUSE Linux 9.0: ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/Intel-536ep-4.62-23.i586.rpm 642d10aff71b590d3bcddfabca8f08da ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/Intel-v92ham-4.53-23.i586.rpm 12daaa6a39215f6e121bc73b259c2f89 ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_athlon-2.4.21-280.i586.rpm 3dd964eac3f9d9e7464c1ea54778a759 ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_deflt-2.4.21-280.i586.rpm 095d7247628617edede02dd7fb70b5a4 ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_smp-2.4.21-280.i586.rpm 3723ff0f79d44ebc2cc99fb7b57bdc5d ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_smp4G-2.4.21-280.i586.rpm 2930b366a93fba8eb8330b12a5e40caa ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_um-2.4.21-280.i586.rpm 349e1d2949cc14ba8d0cad5c21cdfe7b ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/kernel-source-2.4.21-280.i586.rpm 9395b0db44137f9bf2a5317db8cde4cf ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/ltmodem-8.26a-212.i586.rpm 1ef3564ca4af69b09add35fcc1c45d6c source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/Intel-536ep-4.62-23.src.rpm 5d19d98ffde19ed08f017aed5f764568 ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/Intel-v92ham-4.53-23.src.rpm 296b905a65ceb9301dc3a596d4dc6a32 ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_athlon-2.4.21-280.src.rpm d5cac11c24e3519d90cac12bf1f088d0 ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_deflt-2.4.21-280.src.rpm e08d8762e628110b4d6f4ad03030e68a ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_smp-2.4.21-280.src.rpm 072fad1ee699d8a621da2c6eac7a8d24 ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_smp4G-2.4.21-280.src.rpm 88fba9a0d5adc6580ddca48834fecefe ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_um-2.4.21-280.src.rpm 8baf03af3bb72840ce2f9da7f89fb92f ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/kernel-source-2.4.21-280.src.rpm 71053f5317ab1bc7fec545126e840ccf ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/ltmodem-8.26a-212.src.rpm c0033f8e34944c7ce03eed94b70cf918 SUSE Linux 8.2: ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/k_athlon-2.4.20-131.i586.rpm 89313ab4063e37d971d31356b9c56980 ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/k_deflt-2.4.20-131.i586.rpm ec0b7ad6970af84a249040733179f83d ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/k_psmp-2.4.20-131.i586.rpm e7e2a0db12da34d29ae8a868096c664c ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/k_smp-2.4.20-131.i586.rpm 70c75029b29d5d0683bb1602304bac6e ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/kernel-source-2.4.20.SuSE-131.i586.rpm 2dd77f5c8c66f2395de227c265b80631 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/k_athlon-2.4.20-131.src.rpm 87ead9ecc8ab30422cc0999ba8993c97 ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/k_deflt-2.4.20-131.src.rpm c154007e11d1203bb52402f300d4e2ee ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/k_psmp-2.4.20-131.src.rpm 57ce340d5ef4c167ae8e0a506bcc0648 ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/k_smp-2.4.20-131.src.rpm fbb8f6f6d3d79e3597fe9ce39bda2169 ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/kernel-source-2.4.20.SuSE-131.src.rpm c12c9e264115a760a7a8e30ce3ea67c7 x86-64 Platform: SUSE Linux 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-default-2.6.8-24.13.x86_64.rpm 24ea3cb00cceba43c5bed19b897bb1b8 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-default-nongpl-2.6.8-24.13.x86_64.rpm 668e6786f937eda584f74a231adfa2a1 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-smp-2.6.8-24.13.x86_64.rpm 26091c7fd2be2714a187477d658e8318 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-smp-nongpl-2.6.8-24.13.x86_64.rpm e516f01b4a263239ef30b713fb755feb ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-source-2.6.8-24.13.x86_64.rpm 423dcb129d2111f7c17387d4b36fcabb ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-syms-2.6.8-24.13.x86_64.rpm 840a17c71109bd07224ad6ae12e8be75 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kernel-default-2.6.8-24.13.nosrc.rpm 8a90f26cb375a89035e3ef90566aa95a ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kernel-smp-2.6.8-24.13.nosrc.rpm 681402af4423507b1e73d82beb0507c7 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kernel-source-2.6.8-24.13.src.rpm 3ffd0c15edad64abe53947f6b647f373 ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/kernel-syms-2.6.8-24.13.src.rpm 520ad02e64ac8ce376ba8cfaf65e6efd SUSE Linux 9.1: ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/noarch/kernel-docs-2.6.5-7.151.noarch.rpm 49c8b1ed045cc0a760d09d7d6d4da690 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-default-2.6.5-7.151.x86_64.rpm af7a4838080ad1272951879d2e802ba6 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-smp-2.6.5-7.151.x86_64.rpm d7391560609a9b0125b5e79680e56f83 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-source-2.6.5-7.151.x86_64.rpm fdda8b9e9d64442dea793ab125579fac ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-syms-2.6.5-7.151.x86_64.rpm 82406cb16948a71e28d51b208d2d7c4b source rpm(s): ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-default-2.6.5-7.151.nosrc.rpm 7c966d16b28889f63100422ff6a5b7ff ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-docs-2.6.5-7.151.src.rpm 8d8709865b81e58f877b309f3b660624 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-smp-2.6.5-7.151.nosrc.rpm d5d41f7e71debed968c7aee447c12b62 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-source-2.6.5-7.151.src.rpm cbc9c7939523a2bca9196823721d1d98 ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-syms-2.6.5-7.151.src.rpm f889be09d14562571d9ce8e9e2324a84 SUSE Linux 9.0: ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/k_deflt-2.4.21-280.x86_64.rpm 77c93ceeea9f8bc72a063e2fa77fce6a ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/k_smp-2.4.21-280.x86_64.rpm 427a8eab8be60b5a0ced43edb0d63fe3 ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/kernel-source-2.4.21-280.x86_64.rpm 8483b74bdf8f1bc6961f96bebdc79df8 source rpm(s): ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/k_deflt-2.4.21-280.src.rpm f13741d16c360b17cce88ef9b9267df1 ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/k_smp-2.4.21-280.src.rpm be8d6a26a943cd8dddb26ce8706ec76d ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/kernel-source-2.4.21-280.src.rpm 4b56dc0c82f127689ab23745629d8e5b ______________________________________________________________________________ 5) Pending vulnerabilities in SUSE Distributions and Workarounds: See the SUSE Security Summary report after Easter holidays. ______________________________________________________________________________ 6) standard appendix: authenticity verification, additional information - Package authenticity verification: SUSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package: 1) md5sums as provided in the (cryptographically signed) announcement. 2) using the internal gpg signatures of the rpm package. 1) execute the command md5sum after you downloaded the file from a SUSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security@suse.de), the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless. 2) rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig to verify the signature of the package, where is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an un-installed rpm package file. Prerequisites: a) gpg is installed b) The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SUSE in rpm packages for SUSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SUSE Linux distributions version 7.1 and thereafter install the key "build@suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de . - SUSE runs two security mailing lists to which any interested party may subscribe: suse-security@suse.com - general/linux/SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an email to . suse-security-announce@suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an email to . For general information or the frequently asked questions (faq) send mail to: or respectively. ===================================================================== SUSE's security contact is or . @suse.de>. The public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the clear-text signature shows proof of the authenticity of the text. SUSE Linux AG makes no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iQEVAwUBQkLq13ey5gA9JdPZAQHfDAf/T4/pj2c3Q/OtwMxs0c/tnodFYoLEvuz0 cjsE/AODKSoziYk1q4FJbW+J4e49NVjMs6OCYSGHzGR3HLxDX8AoIblxpv0PIk9L mUHNyFt9hvD5ykny6dkkJOdpD///eEXlp85Y6xB1BRoLZQYw22AeV2WmOy0b204w a9/h+J1IAQGw1baptKLLNdsDZ8i6y9gdM6Qt3FVI7V7fuKPvrv5PuVWQVnlpxmk8 FPz151umjteLX5y9gnmXzfjvURYYk2VrVV/04kj6HIjb+z+CKQK4NaBLSpkaSAA+ KvjDv8v8McjY+VKgUKHA2o4JQIhslEoHZpWiSShB6fWvbDMNVzQREA== =7WND -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/