SUSE Security Advisory SUSE-SR:2008:010: Fixes CVEs in licq, Blender, Asterisk, libpng

Announcement ID: SUSE-SR:2008:010 Date: April 25, 2008 Related CVE IDs: CVE-2007-6698, CVE-2008-0658, CVE-2008-1102, CVE-2008-1103, CVE-2008-1332, CVE-2008-1382, CVE-2008-1628 Security Vulnerabilities Addressed: 1. licq Denial of Service - An attacker could crash licq by initiating more than 1024 connections. - Fixed in openSUSE 10.2 and 10.3. 2. libpng Crash or Potential Code Execution - A specially crafted PNG file could overwrite arbitrary memory. - A fixed libpng package has been provided for all SUSE Linux-based distributions. 3. Asterisk Unauthorized Calls - The open-source PBX Asterisk allowed remote attackers to make calls via SIP channels without prior authentication. - Asterisk packages have been released for SUSE Linux 10.1 and openSUSE 10.2. 4. openldap2 Denial of Service Issue - An authenticated user could crash the LDAP server 'slapd' using the 'NOOP' command. - A fixed openldap2 package has been released for all distributions. 5. Audit Log Buffer Overflow - A flaw in the audit log user command function could lead to a buffer overflow. - An updated audit package has been released for openSUSE 10.3. 6. Blender Buffer Overflow - The Blender rendering program had a buffer overflow in RGBE header parsing and some temporary file issues. - This issue has been fixed in future products. Outstanding Vulnerabilities, Workarounds, and Mitigations: No outstanding issues are listed for this week. Authentication and Additional Information: SUSE security announcements are distributed via mailing lists and the website. The integrity and authenticity of announcements are guaranteed by cryptographic signatures included in each announcement. All SUSE security announcements are published with valid signatures. Announcements can be verified using , and RPM packages can be verified using .

Goal Reached Thanks to every supporter — we hit 100%!

SUSE Security Advisory SUSE-SR:2008:010: Fixes CVEs in licq, Blender, Asterisk, libpng