SUSE has issued an update for multiple packages. This fixes a weakness, security issues, and vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service), disclose potentially sensitive information, and gain escalated privileges, and by malicious people to conduct spoofing attacks, disclose system and potentially sensitive information, bypass certain security restrictions, cause a DoS, and potentially compromise a vulnerable system.

For more information:
SA30134
SA33077
SA36378
SA37364
SA37372
SA37842
SA38257
SA38364
SA38390
SA38451
SA38454
SA38700
SA38789
SA38895
SA39010

1) A security issue is caused due to MySQL checking the validity of a local path by using a requested table name without extension. This can be exploited to bypass table access restrictions in CREATE TABLE statements via symlink attacks.

This is related to:
SA30134

2) A security issue is caused due to pulseaudio performing chown() and chmod() calls without checking for symbolic links in existing directories. This can be exploited to e.g. change permissions and ownership of arbitrary files via symlink attacks.

3) The "mount.cifs" utility does not properly sanitise certain input, which can be exploited to corrupt the /etc/mtab file.

Successful exploitation requires that "mount.cifs" is setuid root (not setuid root by default).

Solution
Apply updated packages via YaST Online Update or the SUSE FTP server.
Original Advisory
SUSE-SR:2010:007:
http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00008.html

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area