[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

UNIRAS Brief - 398/06 - Three SUSE Security Announcements:



-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 398/06 dated 12.06.06  Time: 15:25  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Three SUSE Security Announcements:

1. SUSE-SA:2006:030 - postgresql

2. SUSE-SR:2006:013 - Summary Report

3. Update for SUSE Linux 10.1 Package Management

Detail
====== 

1. Two character set encoding related security problems were fixed in the
   PostgreSQL database server.

2. To avoid flooding mailing lists with SUSE Security Announcements for minor
   issues, SUSE Security releases weekly summary reports for the low profile
   vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums
   or download URLs like the SUSE Security Announcements that are released for
   more severe vulnerabilities.

3. Update for SUSE Linux 10.1 Package Management



1.




- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SUSE Security Announcement

        Package:                postgresql
        Announcement ID:        SUSE-SA:2006:030
        Date:                   Fri, 09 Jun 2006 16:00:00 +0000
        Affected Products:      SUSE LINUX 10.1
                                SUSE LINUX 10.0
                                SUSE LINUX 9.3
                                SUSE LINUX 9.2
                                SUSE LINUX 9.1
                                SUSE SLES 9
        Vulnerability Type:     remote code execution
        Severity (1-10):        7
        SUSE Default Package:   no
        Cross-References:       CVE-2006-2313, CVE-2006-2314

    Content of This Advisory:
        1) Security Vulnerability Resolved:
             PostgreSQL SQL injection problems due to encoding problems
           Problem Description
        2) Solution or Work-Around
        3) Special Instructions and Notes
        4) Package Location and Checksums
        5) Pending Vulnerabilities, Solutions, and Work-Arounds:
            See SUSE Security Summary Report.
        6) Authenticity Verification and Additional Information

______________________________________________________________________________

1) Problem Description and Brief Discussion

   Two character set encoding related security problems were fixed in the
   PostgreSQL database server:

   CVE-2006-2313:
       Akio Ishida and Yasuo Ohgaki discovered a weakness in the handling
       of invalidly-encoded multibyte text data. If a client application
       processed untrusted input without respecting its encoding and
       applied standard string escaping techniques (such as replacing a
       single quote >>'<< with >>\'<< or >>''<<), the PostgreSQL server
       could interpret the resulting string in a way that allowed an
       attacker to inject arbitrary SQL commands into the resulting SQL
       query. The PostgreSQL server has been modified to reject such
       invalidly encoded strings now, which completely fixes the problem
       for some 'safe' multibyte encodings like UTF-8.

   CVE-2006-2314:
       However, there are some less popular and client-only multibyte
       encodings (such as SJIS, BIG5, GBK, GB18030, and UHC) which
       contain valid multibyte characters that end with the byte 0x5c,
       which is the representation of the backslash character >>\<< in
       ASCII. Many client libraries and applications use the non-standard,
       but popular way of escaping the >>'<< character by replacing all
       occurrences of it with >>\'<<. If a client application uses one of
       the affected encodings and does not interpret multibyte characters,
       and an attacker supplies a specially crafted byte sequence as an
       input string parameter, this escaping method would then produce a
       validly-encoded character and an excess >>'<< character which would
       end the string. All subsequent characters would then be interpreted
       as SQL code, so the attacker could execute arbitrary SQL commands.

       To fix this vulnerability end-to-end, client-side applications
       must be fixed to properly interpret multibyte encodings and use
       >>''<< instead of >>\'<<. However, as a precautionary measure,
       the sequence >>\'<< is now regarded as invalid when one of the
       affected client encodings is in use. If you depend on the previous
       behavior, you can restore it by setting 'backslash_quote = on'
       in postgresql.conf.  However, please be aware that this could
       render you vulnerable again.

       This issue does not affect you if you only use single-byte (like
       SQL_ASCII or the ISO-8859-X family) or unaffected multibyte
       (like UTF-8) encodings.

   Please see http://www.postgresql.org/docs/techdocs.50 for further
   details.

   Unfortunately we are not yet able to provide back ported patches for
   the PostgreSQL included in SUSE Linux Enterprise Server 8 at this
   time. We are working on a solution for this problem.

2) Solution or Work-Around

   There is no known workaround, please install the update packages.

3) Special Instructions and Notes

   If you are running a PostgreSQL server please make sure that it
   is stopped or at least doesn't have any client connections during
   the update.

   If you are running or using a PostgreSQL server please carefully follow
   the instructions in /usr/share/doc/packages/postgresql/SECURITY-NOTICE
   to complete this security update

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

     rpm -Fhv <file.rpm>

   to apply the update, replacing <file.rpm> with the filename of the
   downloaded RPM package.


   x86 Platform:

   SUSE LINUX 10.1:
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/postgresql-8.1.4-1.2.i586.rpm
          8fb5e2f12fb4db3b468a735be55902bc
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/postgresql-contrib-8.1.4-1.2.i586.rpm
          fd229189b9b93d90cf223fbe29ecf937
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/postgresql-devel-8.1.4-1.2.i586.rpm
          278a5823adcc686131b55cad9984f34c
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/postgresql-docs-8.1.4-1.2.i586.rpm
          a91427f863badb6edc03ae27b3e5f15e
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/postgresql-libs-8.1.4-1.2.i586.rpm
          ea7ce106f0bc482469e96e27b8e544bc
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/postgresql-pl-8.1.4-1.2.i586.rpm
          56a69980760509bb49de4868315d5baa
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/postgresql-server-8.1.4-1.2.i586.rpm
          ed388e0c0a524559d13050eb1dfdc9c1

   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/postgresql-8.0.8-0.2.i586.rpm
          923404a774e7cabec9df64c62da88a27
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/postgresql-contrib-8.0.8-0.2.i586.rpm
          85b25723f9d67a70b04e0ce3811cc85c
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/postgresql-devel-8.0.8-0.2.i586.rpm
          50e5a977ed8b9120768bc5e603961f98
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/postgresql-docs-8.0.8-0.2.i586.rpm
          e45faf70ef7def2aade7b94ba89bd864
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/postgresql-libs-8.0.8-0.2.i586.rpm
          36b5719ca00eaf3cddb4c2d506d1d2fa
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/postgresql-pl-8.0.8-0.2.i586.rpm
          318081f3601d5f7baf872c94b104b2fc
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/postgresql-server-8.0.8-0.2.i586.rpm
          05d154dcc296a9c7e956e9138a312108

   SUSE LINUX 9.3:
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-8.0.8-0.2.i586.rpm
          a260aec2aef3ea77694a76a0201044ae
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-contrib-8.0.8-0.2.i586.rpm
          37b5114bbbb78f6e80ffb1b89401e8da
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-devel-8.0.8-0.2.i586.rpm
          a61d1e17cd2ccc61f6b4975520ab7e9f
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-docs-8.0.8-0.2.i586.rpm
          841b0470d29b9170b18bbfbaafe41435
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-libs-8.0.8-0.2.i586.rpm
          78ef824e90a62d24d6bb2deaa9b74ab9
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-pl-8.0.8-0.2.i586.rpm
          733a5aa1b89477c2011910d0fa72e166
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-server-8.0.8-0.2.i586.rpm
          f688fedcc332b893e0ac9e5154d977c1

   SUSE LINUX 9.2:
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-7.4.13-0.2.i586.rpm
          ea88d118184c182bfacb7544d48f34c6
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-contrib-7.4.13-0.2.i586.rpm
          ce7b90c42fb477b97c0dbc64c147b5e0
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-devel-7.4.13-0.2.i586.rpm
          1bcfeb756fe5c5d5e347a5ff4ccf84fe
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-docs-7.4.13-0.2.i586.rpm
          890c3a7ced118229ec9bc640cb057800
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-libs-7.4.13-0.2.i586.rpm
          b7ec99237d6fe4e8682c78f7a8bcdb63
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-pl-7.4.13-0.2.i586.rpm
          96a4e10fee0a465819a07ee2e89b03e2
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-server-7.4.13-0.2.i586.rpm
          5ca65525e7d340e4e98a3a59dac1cbe3

   SUSE LINUX 9.1:
   ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-7.4.13-0.4.i586.rpm
          34eed42fd77148c86ec86c086a18af0d
   ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-contrib-7.4.13-0.4.i586.rpm
          e05064dbdfba0a0a0ca43b745f2a6402
   ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-devel-7.4.13-0.4.i586.rpm
          8ecb634c77035ccac12cee347c632f99
   ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-docs-7.4.13-0.4.i586.rpm
          f3ac880c647474f1bee6c72fec75b550
   ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-libs-7.4.13-0.4.i586.rpm
          92e1ed36148af0b98691296b5f20074d
   ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-pl-7.4.13-0.4.i586.rpm
          76c494f41f4cc6d31d181c0d672b85db
   ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-server-7.4.13-0.4.i586.rpm
          77dddc495feae1c6b0f926b0169585af
   ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/i586/postgresql-libs-32bit-9.1-200605310116.i586.rpm
          e1def686b4da15034ecdba05ae52d317

   Power PC Platform:

   SUSE LINUX 10.1:
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/postgresql-8.1.4-1.2.ppc.rpm
          20bf4b672950391a885c39647be3fd29
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/postgresql-contrib-8.1.4-1.2.ppc.rpm
          a438d0c348de0e2352a24ba34f1b3efd
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/postgresql-devel-8.1.4-1.2.ppc.rpm
          a24d09f29f4dc635420a4cf44d01de7a
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/postgresql-docs-8.1.4-1.2.ppc.rpm
          733ebb4b98b47c4ae645b2a6d3f5f127
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/postgresql-libs-64bit-8.1.4-1.2.ppc.rpm
          2e2a884eb58f654bad8b4986f8347d63
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/postgresql-libs-8.1.4-1.2.ppc.rpm
          afb35a53b9dad8e2b7f193eb59265c94
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/postgresql-pl-8.1.4-1.2.ppc.rpm
          e26756896b6023f3b7a56edf504508e0
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/postgresql-server-8.1.4-1.2.ppc.rpm
          3e7b5e34ab551a15adf87a4533f71919

   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/postgresql-8.0.8-0.2.ppc.rpm
          1f0d19658278ce363a02f34c8408badc
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/postgresql-contrib-8.0.8-0.2.ppc.rpm
          ab128f5681367e3260f28007f1eb223b
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/postgresql-devel-8.0.8-0.2.ppc.rpm
          4934796258b5095bde35d82dcce8400e
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/postgresql-docs-8.0.8-0.2.ppc.rpm
          c6ed5f891260a707ff34d2c0d6bc8dd5
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/postgresql-libs-64bit-8.0.8-0.2.ppc.rpm
          11eae2961bc6806c81144f980cf47c26
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/postgresql-libs-8.0.8-0.2.ppc.rpm
          84d1d74b1be2fa9bc3814347e48d666a
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/postgresql-pl-8.0.8-0.2.ppc.rpm
          7c2091e7324d055d584d18de5d016b02
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/postgresql-server-8.0.8-0.2.ppc.rpm
          565f8479ac8b992cc6dee514d009c6a0

   ppc64:

   SUSE LINUX 10.1:
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc64/postgresql-8.1.4-1.2.ppc64.rpm
          eaaea2f30a115beed208a33fb7985319

   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc64/postgresql-8.0.8-0.2.ppc64.rpm
          a16b451535c8a819814fc0081a6a3855

   x86-64 Platform:

   SUSE LINUX 10.1:
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/postgresql-8.1.4-1.2.x86_64.rpm
          7037db2dbb3d7d251f74a383a8779ebd
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/postgresql-contrib-8.1.4-1.2.x86_64.rpm
          efc0a6e5c729fa83995b24ac9cb248de
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/postgresql-devel-8.1.4-1.2.x86_64.rpm
          dba4d4671e306ea3f610576b8e455152
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/postgresql-docs-8.1.4-1.2.x86_64.rpm
          ad4d0ceb06de8f4a66506ce8822752f9
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/postgresql-libs-32bit-8.1.4-1.2.x86_64.rpm
          4ee45efb63361bba98e6d65d07187afa
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/postgresql-libs-8.1.4-1.2.x86_64.rpm
          c5a016add913fdaad2b5157d705e3fe4
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/postgresql-pl-8.1.4-1.2.x86_64.rpm
          109a82fdb9ba89bd72323906d03ef0a8
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/postgresql-server-8.1.4-1.2.x86_64.rpm
          e2100dbf6917d14f375d7860275d35e5

   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/postgresql-8.0.8-0.2.x86_64.rpm
          aeae0da5a394b4c24d8cda8560f18dbb
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/postgresql-contrib-8.0.8-0.2.x86_64.rpm
          10e6615d3c4648b9cc9d0c69e10a5e23
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/postgresql-devel-8.0.8-0.2.x86_64.rpm
          42fa8a74543ba2dc5983829e87f9cf03
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/postgresql-docs-8.0.8-0.2.x86_64.rpm
          f39ed20c68895151c7540224bfa733e5
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/postgresql-libs-32bit-8.0.8-0.2.x86_64.rpm
          694a1886b2d287fe91b7182d5d9a6cd2
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/postgresql-libs-8.0.8-0.2.x86_64.rpm
          07a3202ef0840ebd64c797570ad37959
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/postgresql-pl-8.0.8-0.2.x86_64.rpm
          d16750bdb4d6c7c8c9a4d770db05224f
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/postgresql-server-8.0.8-0.2.x86_64.rpm
          f16b518aa08e10c7afea31b294cfc778

   SUSE LINUX 9.3:
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/postgresql-8.0.8-0.2.x86_64.rpm
          3e1d2b7a5f48312f45629ef1e2aca09e
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/postgresql-contrib-8.0.8-0.2.x86_64.rpm
          c93b8d25d8c1c8d3ff71330148b0bfe1
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/postgresql-devel-8.0.8-0.2.x86_64.rpm
          7282ec73b022c0a64df4131449ffa03e
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/postgresql-docs-8.0.8-0.2.x86_64.rpm
          6555bbcb2dece1509ce34689e6866089
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/postgresql-libs-32bit-9.3-7.3.x86_64.rpm
          b3bb611cbe68ca215f5dddad9c5427a6
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/postgresql-libs-8.0.8-0.2.x86_64.rpm
          01e3fa4fe1de5c07c923f86b8b6edfe1
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/postgresql-pl-8.0.8-0.2.x86_64.rpm
          b19f8062671374939259f1a283736622
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/postgresql-server-8.0.8-0.2.x86_64.rpm
          691e3d79c8fd58acd3e754b3ac3085b1

   SUSE LINUX 9.2:
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/postgresql-7.4.13-0.2.x86_64.rpm
          e4b11cc66197cf5f186f07ee9928e66e
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/postgresql-contrib-7.4.13-0.2.x86_64.rpm
          c6b41d5cbf22749909f787a4618037da
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/postgresql-devel-7.4.13-0.2.x86_64.rpm
          1f0119c73b50f3a5da6d31e2eea35369
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/postgresql-docs-7.4.13-0.2.x86_64.rpm
          9a8f7959d081395e312ca02a8a7a5fc3
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/postgresql-libs-32bit-9.2-200605301412.x86_64.rpm
          2ddf607af4ce09f4269cbca02ec03a7d
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/postgresql-libs-7.4.13-0.2.x86_64.rpm
          272ef016cd23ae673b803b5767a1554c
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/postgresql-pl-7.4.13-0.2.x86_64.rpm
          51523699fb995488a1dbded7eb5fe2cc
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/postgresql-server-7.4.13-0.2.x86_64.rpm
          897a20ab9ea122d43f89567e485ff500

   SUSE LINUX 9.1:
   ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/postgresql-7.4.13-0.4.x86_64.rpm
          a38b622178a32cdd06233c842327295d
   ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/postgresql-contrib-7.4.13-0.4.x86_64.rpm
          085aab7d5729e3f27dbab7fb9e420254
   ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/postgresql-devel-7.4.13-0.4.x86_64.rpm
          4691be0aa24c42eeaa50c092353bd6f4
   ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/postgresql-docs-7.4.13-0.4.x86_64.rpm
          5bc0a01514247c29c765b3c8938c795d
   ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/postgresql-libs-7.4.13-0.4.x86_64.rpm
          c12dc2877ec65c6a3f988b51157b5ab7
   ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/postgresql-pl-7.4.13-0.4.x86_64.rpm
          83fa45b8a322910a38f071e9bd0d9031
   ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/postgresql-server-7.4.13-0.4.x86_64.rpm
          79ad3926185107da714ab3754aa889e7

   Sources:

   SUSE LINUX 10.1:
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/postgresql-8.1.4-1.2.src.rpm
          44f36fd35b82cea18e01a4fe667ad40d
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/postgresql-pl-8.1.4-1.2.nosrc.rpm
          f189f8e0fca64e0e3991c7d4f928327f

   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/postgresql-8.0.8-0.2.src.rpm
          361ca18474faf36146a84236618afaf2
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/postgresql-pl-8.0.8-0.2.nosrc.rpm
          5a7a5a8af3c4bc930300c908413d8fe0

   SUSE LINUX 9.3:
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/postgresql-8.0.8-0.2.src.rpm
          384b25b835cfd3990395967571ae2b05
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/postgresql-pl-8.0.8-0.2.nosrc.rpm
          a1155e3cadf7907178c57fc20a3b2aa1

   SUSE LINUX 9.2:
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/postgresql-7.4.13-0.2.src.rpm
          186111c9f577a1583725aef28da96636
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/postgresql-pl-7.4.13-0.2.nosrc.rpm
          fb124cb2d1424d21035040847423e7b6

   SUSE LINUX 9.1:
   ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/postgresql-7.4.13-0.4.src.rpm
          7a76decace79f6dcb7d183f461626b2e
   ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/postgresql-pl-7.4.13-0.4.nosrc.rpm
          4739e9d6fee0bee6934be76870d4ce51
   ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/postgresql-7.4.13-0.4.src.rpm
          7fadd3d1bed3c30759d94af7cd924800
   ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/postgresql-pl-7.4.13-0.4.nosrc.rpm
          a357ff94aec54e5ebb08c7fd758fbdeb

   Our maintenance customers are notified individually. The packages are
   offered for installation from the maintenance web:

   SUSE SLES 9
     http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/da59db7f50aac32f6bd1b258f6e09652.html

______________________________________________________________________________

5) Pending Vulnerabilities, Solutions, and Work-Arounds:

   See SUSE Security Summary Report.
______________________________________________________________________________

6) Authenticity Verification and Additional Information

  - Announcement authenticity verification:

    SUSE security announcements are published via mailing lists and on Web
    sites. The authenticity and integrity of a SUSE security announcement is
    guaranteed by a cryptographic signature in each announcement. All SUSE
    security announcements are published with a valid signature.

    To verify the signature of the announcement, save it as text into a file
    and run the command

      gpg --verify <file>

    replacing <file> with the name of the file where you saved the
    announcement. The output for a valid signature looks like:

      gpg: Signature made <DATE> using RSA key ID 3D25D3D9
      gpg: Good signature from "SuSE Security Team <security@xxxxxxx>"

    where <DATE> is replaced by the date the document was signed.

    If the security team's key is not contained in your key ring, you can
    import it from the first installation CD. To import the key, use the
    command

      gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

  - Package authenticity verification:

    SUSE update packages are available on many mirror FTP servers all over the
    world. While this service is considered valuable and important to the free
    and open source software community, the authenticity and the integrity of
    a package needs to be verified to ensure that it has not been tampered
    with.

    There are two verification methods that can be used independently from
    each other to prove the authenticity of a downloaded file or RPM package:

    1) Using the internal gpg signatures of the rpm package
    2) MD5 checksums as provided in this announcement

    1) The internal rpm package signatures provide an easy way to verify the
       authenticity of an RPM package. Use the command

        rpm -v --checksig <file.rpm>

       to verify the signature of the package, replacing <file.rpm> with the
       filename of the RPM package downloaded. The package is unmodified if it
       contains a valid signature from build@xxxxxxx with the key ID 9C800ACA.

       This key is automatically imported into the RPM database (on
       RPMv4-based distributions) and the gpg key ring of 'root' during
       installation. You can also find it on the first installation CD and at
       the end of this announcement.

    2) If you need an alternative means of verification, use the md5sum
       command to verify the authenticity of the packages. Execute the command

         md5sum <filename.rpm>

       after you downloaded the file from a SUSE FTP server or its mirrors.
       Then compare the resulting md5sum with the one that is listed in the
       SUSE security announcement. Because the announcement containing the
       checksums is cryptographically signed (by security@xxxxxxx), the
       checksums show proof of the authenticity of the package if the
       signature of the announcement is valid. Note that the md5 sums
       published in the SUSE Security Announcements are valid for the
       respective packages only. Newer versions of these packages cannot be
       verified.

  - SUSE runs two security mailing lists to which any interested party may
    subscribe:

    suse-security@xxxxxxxx
        -   General Linux and SUSE security discussion.
            All SUSE security announcements are sent to this list.
            To subscribe, send an e-mail to
                <suse-security-subscribe@xxxxxxxx>.

    suse-security-announce@xxxxxxxx
        -   SUSE's announce-only mailing list.
            Only SUSE's security announcements are sent to this list.
            To subscribe, send an e-mail to
                <suse-security-announce-subscribe@xxxxxxxx>.

    For general information or the frequently asked questions (FAQ),
    send mail to <suse-security-info@xxxxxxxx> or
    <suse-security-faq@xxxxxxxx>.

    =====================================================================
    SUSE's security contact is <security@xxxxxxxx> or <security@xxxxxxx>.
    The <security@xxxxxxx> public key is listed below.
    =====================================================================
______________________________________________________________________________

    The information in this advisory may be distributed or reproduced,
    provided that the advisory is not modified in any way. In particular, the
    clear text signature should show proof of the authenticity of the text.

    SUSE Linux Products GmbH provides no warranties of any kind whatsoever
    with respect to the information contained in this security advisory.

Type Bits/KeyID     Date       User ID
pub  2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@xxxxxxx>
pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@xxxxxxx>

- - -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)

mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- - -----END PGP PUBLIC KEY BLOCK-----

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iQEVAwUBRIl/Zney5gA9JdPZAQJLuwf/Rn+cDRFVAD23X0K8Ll6zjyU8qQdOytud
sxK+awU9ncb4dVE8iEW6U6Vt8P+/HvQHroQom73StxzSK7oEFCG4Ss6kU+Ov8oCO
wm8hxEEcXf7NE29xDsY0q+pGbrM1tBXzUITaYDEN9OC5G6ltwMj6BTANkooLVl4S
I1vwG58EHDLBf8FGsNuEFOREffjtiS06dpQZX2h1OFWbSmE8QjOsUlPSPX3eaNrH
c7yEOcrp+LUOWHBGhtknCWy/OMuSbvwPGaUqggINg4/+H7SzE7gJ+3Ea4j8U1IbE
VFl6E56qEnHqQbu0uyvSHCCBG/3Glq3LjmpmQBrEOVSednG9e8haKA==
=EBgW
- -----END PGP SIGNATURE-----



2.



- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SUSE Security Summary Report

        Announcement ID:        SUSE-SR:2006:013
        Date:                   Fri, 09 Jun 2006 17:00:00 +0000
        Cross-References:       CVE-2006-2417, CVE-2006-2418, CVE-2006-2452

    Content of this advisory:
        1) Solved Security Vulnerabilities:
            - phpMyAdmin cross site scripting issues
            - gdm login configuration problem
        2) Pending Vulnerabilities, Solutions, and Work-Arounds:
            - none listed today
        3) Authenticity Verification and Additional Information

______________________________________________________________________________

1) Solved Security Vulnerabilities

   To avoid flooding mailing lists with SUSE Security Announcements for minor
   issues, SUSE Security releases weekly summary reports for the low profile
   vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums
   or download URLs like the SUSE Security Announcements that are released for
   more severe vulnerabilities.

   Fixed packages for the following incidents are already available on our FTP
   server and via the YaST Online Update.

   - phpMyAdmin cross site scripting issues

     Cross site scripting problems due to missing checks of the 'db'
     and 'theme' parameters could be exploited for cross site scripting
     attacks in the phpMyAdmin package.

     All SUSE Linux versions were affected, and these issues are tracked
     by the Mitre CVE IDs CVE-2006-2417 and CVE-2006-2418.

   - gdm login configuration problem

     A bug in GDM was fixed that allowed local users to bypass root
     authorization to access the login configuration.

     All SUSE Linux versions were affected and this issue has been
     assigned the Mitre CVE ID CVE-2006-2452.
______________________________________________________________________________

2) Pending Vulnerabilities, Solutions, and Work-Arounds

   None listed today.
______________________________________________________________________________

3) Authenticity Verification and Additional Information

  - Announcement authenticity verification:

    SUSE security announcements are published via mailing lists and on Web
    sites. The authenticity and integrity of a SUSE security announcement is
    guaranteed by a cryptographic signature in each announcement. All SUSE
    security announcements are published with a valid signature.

    To verify the signature of the announcement, save it as text into a file
    and run the command

      gpg --verify <file>

    replacing <file> with the name of the file containing the announcement.
    The output for a valid signature looks like:

      gpg: Signature made <DATE> using RSA key ID 3D25D3D9
      gpg: Good signature from "SuSE Security Team <security@xxxxxxx>"

    where <DATE> is replaced by the date the document was signed.

    If the security team's key is not contained in your key ring, you can
    import it from the first installation CD. To import the key, use the
    command

      gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

  - Package authenticity verification:

    SUSE update packages are available on many mirror FTP servers all over the
    world. While this service is considered valuable and important to the free
    and open source software community, the authenticity and integrity of a
    package needs to be verified to ensure that it has not been tampered with.

    The internal RPM package signatures provide an easy way to verify the
    authenticity of an RPM package. Use the command

      rpm -v --checksig <file.rpm>

    to verify the signature of the package, replacing <file.rpm> with the
    filename of the RPM package downloaded. The package is unmodified if it
    contains a valid signature from build@xxxxxxx with the key ID 9C800ACA.

    This key is automatically imported into the RPM database (on RPMv4-based
    distributions) and the gpg key ring of 'root' during installation. You can
    also find it on the first installation CD and included at the end of this
    announcement.

  - SUSE runs two security mailing lists to which any interested party may
    subscribe:

    suse-security@xxxxxxxx
        -   General Linux and SUSE security discussion.
            All SUSE security announcements are sent to this list.
            To subscribe, send an e-mail to
                <suse-security-subscribe@xxxxxxxx>.

    suse-security-announce@xxxxxxxx
        -   SUSE's announce-only mailing list.
            Only SUSE's security announcements are sent to this list.
            To subscribe, send an e-mail to
                <suse-security-announce-subscribe@xxxxxxxx>.

    For general information or the frequently asked questions (FAQ)
    send mail to <suse-security-info@xxxxxxxx> or
    <suse-security-faq@xxxxxxxx>.

    =====================================================================
    SUSE's security contact is <security@xxxxxxxx> or <security@xxxxxxx>.
    The <security@xxxxxxx> public key is listed below.
    =====================================================================
______________________________________________________________________________

    The information in this advisory may be distributed or reproduced,
    provided that the advisory is not modified in any way. In particular, the
    clear text signature should show proof of the authenticity of the text.

    SUSE Linux Products GmbH provides no warranties of any kind whatsoever
    with respect to the information contained in this security advisory.

Type Bits/KeyID     Date       User ID
pub  2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@xxxxxxx>
pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@xxxxxxx>

- - -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)

mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- - -----END PGP PUBLIC KEY BLOCK-----

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iQEVAwUBRImMlney5gA9JdPZAQL0iAf/WJsuS0DqDU4Q7ckhy22GGmvfToZh2d4v
Fldby7lHFmn4AWth9BsVm2r8+w3k/suEIHI3WZwRJaFuHq01SqMj6dI9LzcS1BDm
Kl+70MCdIs1ZIltWdtrR9u13kxm16V2Vw+UOaV1coNqcwlQNo8TYJeN2EzY5KfLk
zroIkbmRqtM12squhIoupp4i+7A3os/StlQVy68CrMmqFEQ0la/PSEYiHIFM3qIy
dWT+unfRb4lNSlMcma3N4rV7l+UyaivQD2jdS81Bok3PKNs/825CJXsLS4A9l28f
YgFFg//zHoeNkj63j18CaLMxrvRGoFEN80Qgt1/o0B5SMdAappPyPQ==
=9z8e
- -----END PGP SIGNATURE-----



3.




If you are a user of SUSE Linux 10.1 you will have likely noticed that
the Package Update System is not up to the quality you were accustomed
to in previous SUSE Linux versions.

The reason for this is that SUSE Linux 10.1 got a completely rewritten
package handling, which offers a multitude of new features necessary in
todays world of dozens external package repositories, Add-On products,
multiple update sources, remote management and cryptographic repository
integrity assurance.

This incurred not just a new lowlevel packagement (called ZYPP) but
also inclusion of the Novell product Zenworks in the form of the ZMD
daemon, the commandline tool "rug", and the graphical "zen-updater",
"zen-installer" and "zen-remover" frontends.

As we shipped SUSE Linux 10.1 we were aware of these quality issues and
had already planned to release a online update. At that time we were
confident that it would be possible to use all updater frontends to
install this update.

Unfortunately this was not the case so some special procedure is required
once to install this update:


- - Start the YaST Online Update (as root user).

  If you are not familar with YaST this can for instance be done:

  - via The KDE or GNOME menu link to the YaST control center
  	-> System -> YaST (Control Center) -> Online Update

  - by starting:
 	KDE:	kdesu yast2 online_update
	GNOME:	gnomesu yast2 online_update

  - By opening an shell window (xterm, konsole, or similar) and doing:
  	$ su
	Password: <enter rootpassword here>
	# you
	... follow the graphical interface ...

- - In the patch overview only the "libzypp update" patch will be selected.

  Just press "Accept" to install it.

  This will install the update and should not result in errors.

- - Afterwards you will need to restart "zen-updater" once on the desktop to be
  able to install the rest of the updates.


If you install a new system now, you can avoid this by running the
Online Update during installation (if network is available). This will
also download the "libzypp patch".

Also please note that not all of our mirrors have this update yet and
might take some days to get it.

The list of fixed bugs can be found below.

Open issues:
- - Patch and Delta RPMs are not supported yet. The update will always
  download full RPMs.
- - Performance and memory usage is not optimal.


* Do not create anymore /.gnupg (the directory can be removed)
  (#171055)
* Handle daemons launched in rpm %post that do not close
  filedescriptors (#174548)
* Really get all package descriptions (#159109)
* Support large files, e.g. DVDs as installation source (#173753)
* Handle update source setup after installation (#172665)
* Do not add duplicate update sources (#168740)
* Fix yast2 instserver module so that it works with 10.1 (#171157)
* Do not exit in online_update when only packages (and no patches) are
  selected for installation or deletion (#175668)
* Improve syncronising sources between yast and zmd (#168740, 175174,
  175159, 175173)
* Fix segmentation fault with non-signed repositories (#173291)
* Handle system proxy setting with zmd (#160830)
* Fix zen-updater bugs when installing packages (#171171, 174740)
* Update packages to follow ABI change in libzypp.
* restarting zmd if it is updated (#178218)
* While updating ourself delay the call to
  ShutdownManager.allow() so the client polling
  the transaction can get the final status of the transaction
  before we restart (#179413)




- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of SUSE for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the site of the
original source to ensure that you receive the most current information concerning 
that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQCVAwUBRI14aopao72zK539AQGl9gP/WWUdycFU3x5SLEy475fTHzzpOajhMuPW
tvCeCDKE/jpkQQfZdEAfrf7DhYCO8VpddZ59kggvHjKrV8h8DQf1hVAe+aYfaoP4
mdph08ywmGKLY1pw/NwfdKEN77upBbcCS+rfKPkodlbR7KS7HPkBwPg6d3WpNViE
2On0X1DqHGM=
=f2UT
-----END PGP SIGNATURE-----


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________