From sle-security-updates at lists.suse.com Tue Apr 2 14:04:29 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 2 Apr 2013 22:04:29 +0200 (CEST)
Subject: SUSE-SU-2013:0595-1: moderate: Security update for poppler
Message-ID: <20130402200429.713A1320A9@maintenance.suse.de>

SUSE Security Update: Security update for poppler
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0595-1
Rating:             moderate
References:         #745620 #806793
Cross-References:   CVE-2013-1788 CVE-2013-1789 CVE-2013-1790
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update of poppler fixes the following vulnerabilities:

* CVE-2013-1788: Various invalid memory accesses could be used by attackers supplying crafted PDFs to crash the PDF viewer or potentially execute code.
* CVE-2013-1789: A crash in poppler could be triggered by attackers providing crafted PDFs, crashing the PDF viewer.
* CVE-2013-1790: An uninitialized memory read could be triggered by attackers providing crafted PDFs, crashing the PDF viewer.

This update also fixes transparent image backgrounds being rendered black in evince (bnc#745620).
Security Issue references:

* CVE-2013-1788
* CVE-2013-1789
* CVE-2013-1790

Package List:

- SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):

    poppler-0.4.4-19.29.1
    poppler-glib-0.4.4-19.29.1
    poppler-qt-0.4.4-19.29.1

- SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):

    poppler-0.4.4-19.29.1
    poppler-devel-0.4.4-19.29.1
    poppler-glib-0.4.4-19.29.1
    poppler-qt-0.4.4-19.29.1

- SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64):

    poppler-devel-0.4.4-19.29.1

References:

http://support.novell.com/security/cve/CVE-2013-1788.html
http://support.novell.com/security/cve/CVE-2013-1789.html
http://support.novell.com/security/cve/CVE-2013-1790.html
https://bugzilla.novell.com/745620
https://bugzilla.novell.com/806793
http://download.novell.com/patch/finder/?keywords=c6f02331d1ee67b8fc7c6997d72f8cf0


From sle-security-updates at lists.suse.com Tue Apr 2 14:04:35 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 2 Apr 2013 22:04:35 +0200 (CEST)
Subject: SUSE-SU-2013:0596-1: moderate: Security update for poppler
Message-ID: <20130402200436.007E232255@maintenance.suse.de>

SUSE Security Update: Security update for poppler
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0596-1
Rating:             moderate
References:         #806793
Cross-References:   CVE-2013-1788 CVE-2013-1789 CVE-2013-1790
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update of poppler fixes the following vulnerabilities:

* CVE-2013-1788: Various invalid memory accesses could be used by attackers supplying crafted PDFs to crash the PDF viewer or potentially execute code.
* CVE-2013-1789: A crash in poppler could be triggered by attackers providing crafted PDFs, crashing the PDF viewer.
* CVE-2013-1790: An uninitialized memory read could be triggered by attackers providing crafted PDFs, crashing the PDF viewer.

Security Issue references:

* CVE-2013-1788
* CVE-2013-1789
* CVE-2013-1790

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP2:

    zypper in -t patch sdksp2-libpoppler-devel-7560

- SUSE Linux Enterprise Server 11 SP2 for VMware:

    zypper in -t patch slessp2-libpoppler-devel-7560

- SUSE Linux Enterprise Server 11 SP2:

    zypper in -t patch slessp2-libpoppler-devel-7560

- SUSE Linux Enterprise Desktop 11 SP2:

    zypper in -t patch sledsp2-libpoppler-devel-7560

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):

    libpoppler-devel-0.12.3-1.8.1
    libpoppler-glib-devel-0.12.3-1.8.1
    libpoppler-qt2-0.12.3-1.8.1
    libpoppler-qt3-devel-0.12.3-1.8.1
    libpoppler-qt4-devel-0.12.3-1.8.1

- SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 x86_64):

    poppler-tools-0.12.3-1.8.1

- SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):

    libpoppler-glib4-0.12.3-1.8.1
    libpoppler-qt4-3-0.12.3-1.8.1
    libpoppler5-0.12.3-1.8.1
    poppler-tools-0.12.3-1.8.1

- SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):

    libpoppler-glib4-0.12.3-1.8.1
    libpoppler-qt4-3-0.12.3-1.8.1
    libpoppler5-0.12.3-1.8.1
    poppler-tools-0.12.3-1.8.1

- SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):

    libpoppler-glib4-0.12.3-1.8.1
    libpoppler-qt4-3-0.12.3-1.8.1
    libpoppler5-0.12.3-1.8.1
    poppler-tools-0.12.3-1.8.1

References:

http://support.novell.com/security/cve/CVE-2013-1788.html
http://support.novell.com/security/cve/CVE-2013-1789.html
http://support.novell.com/security/cve/CVE-2013-1790.html
https://bugzilla.novell.com/806793
http://download.novell.com/patch/finder/?keywords=bb9ecd801817f4eb89c3e7244bd48256


From sle-security-updates at lists.suse.com Wed Apr 3 09:04:35 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 3 Apr 2013 17:04:35 +0200 (CEST)
Subject: SUSE-SU-2013:0599-1: moderate: Security update for Xen
Message-ID: <20130403150435.4564E32256@maintenance.suse.de>

SUSE Security Update: Security update for Xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0599-1
Rating:             moderate
References:         #793927 #794316 #797014 #797031 #797523 #798188 #799694
                    #800156 #800275 #802690 #805094 #806736
Cross-References:   CVE-2012-5634 CVE-2012-6075 CVE-2013-0153
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________

An update that solves three vulnerabilities and has 9 fixes is now available.

Description:

XEN has been updated to fix various bugs and security issues:

* CVE-2013-0153 (XSA-36): To work around an erratum in early hardware, the Xen AMD IOMMU code by default chose a single interrupt remapping table shared by the whole system. This sharing meant that any guest with a passed-through, bus-mastering-capable PCI device could inject interrupts into other guests, including domain 0. The shared table is no longer used on AMD chipsets that do not need the workaround (per-device remapping tables are now the default, see patch 26519 below).
* CVE-2012-6075: qemu: the e1000 device emulation had buffer overflows under some conditions, potentially corrupting memory.
* CVE-2013-0154 (XSA-37): Hypervisor crash due to an incorrect ASSERT (debug builds only).
* CVE-2012-5634 (XSA-33): A VT-d interrupt remapping source validation flaw was fixed.
Also the following bugs have been fixed:

* bnc#805094 - xen hot plug attach/detach fails
* bnc#802690 - domain locking can prevent a live migration from completing
* bnc#797014 - no way to control live migrations
  o fix logic error in stdiostream_progress
  o restore logging in xc_save
  o add options to control migration tunables
* bnc#806736 - enabling xentrace crashes hypervisor
* Upstream patches from Jan:
  26287-sched-credit-pick-idle.patch
  26501-VMX-simplify-CR0-update.patch
  26502-VMX-disable-SMEP-when-not-paging.patch
  26516-ACPI-parse-table-retval.patch (Replaces CVE-2013-0153-xsa36.patch)
  26517-AMD-IOMMU-clear-irtes.patch (Replaces CVE-2013-0153-xsa36.patch)
  26518-AMD-IOMMU-disable-if-SATA-combined-mode.patch (Replaces CVE-2013-0153-xsa36.patch)
  26519-AMD-IOMMU-perdev-intremap-default.patch (Replaces CVE-2013-0153-xsa36.patch)
  26526-pvdrv-no-devinit.patch
  26531-AMD-IOMMU-IVHD-special-missing.patch (Replaces CVE-2013-0153-xsa36.patch)
* bnc#798188 - Add $network to xend initscript dependencies
* bnc#799694 - Unable to dvd or cdrom-boot DomU after xen-tools update
  Fixed with update to Xen version 4.1.4
* bnc#800156 - L3: HP iLo Generate NMI function not working in XEN kernel
* Upstream patches from Jan:
  26404-x86-forward-both-NMI-kinds.patch
  26427-x86-AMD-enable-WC+.patch
* bnc#793927 - Xen VMs with more than 2 disks randomly fail to start
* Upstream patches from Jan:
  26332-x86-compat-show-guest-stack-mfn.patch
  26333-x86-get_page_type-assert.patch (Replaces CVE-2013-0154-xsa37.patch)
  26340-VT-d-intremap-verify-legacy-bridge.patch (Replaces CVE-2012-5634-xsa33.patch)
  26370-libxc-x86-initial-mapping-fit.patch
* Update to Xen 4.1.4 c/s 23432
* Update xenpaging.guest-memusage.patch
  add rule for xenmem to avoid spurious build failures
* Upstream patches from Jan:
  26179-PCI-find-next-cap.patch
  26183-x86-HPET-masking.patch
  26188-x86-time-scale-asm.patch
  26200-IOMMU-debug-verbose.patch
  26203-x86-HAP-dirty-vram-leak.patch
  26229-gnttab-version-switch.patch (Replaces CVE-2012-5510-xsa26.patch)
  26230-x86-HVM-limit-batches.patch (Replaces CVE-2012-5511-xsa27.patch)
  26231-memory-exchange-checks.patch (Replaces CVE-2012-5513-xsa29.patch)
  26232-x86-mark-PoD-error-path.patch (Replaces CVE-2012-5514-xsa30.patch)
  26233-memop-order-checks.patch (Replaces CVE-2012-5515-xsa31.patch)
  26235-IOMMU-ATS-max-queue-depth.patch
  26272-x86-EFI-makefile-cflags-filter.patch
  26294-x86-AMD-Fam15-way-access-filter.patch
  CVE-2013-0154-xsa37.patch
* Restore c/s 25751 in 23614-x86_64-EFI-boot.patch. Modify the EFI Makefile to do additional filtering.

Security Issue references:

* CVE-2013-0153
* CVE-2012-6075
* CVE-2012-5634

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP2:

    zypper in -t patch sdksp2-xen-7492

- SUSE Linux Enterprise Server 11 SP2 for VMware:

    zypper in -t patch slessp2-xen-7492

- SUSE Linux Enterprise Server 11 SP2:

    zypper in -t patch slessp2-xen-7492

- SUSE Linux Enterprise Desktop 11 SP2:

    zypper in -t patch sledsp2-xen-7492

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 x86_64):

    xen-devel-4.1.4_02-0.5.1

- SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):

    xen-kmp-trace-4.1.4_02_3.0.58_0.6.6-0.5.1

- SUSE Linux Enterprise Server 11 SP2 (i586 x86_64):

    xen-kmp-default-4.1.4_02_3.0.58_0.6.6-0.5.1
    xen-kmp-trace-4.1.4_02_3.0.58_0.6.6-0.5.1
    xen-libs-4.1.4_02-0.5.1
    xen-tools-domU-4.1.4_02-0.5.1

- SUSE Linux Enterprise Server 11 SP2 (x86_64):

    xen-4.1.4_02-0.5.1
    xen-doc-html-4.1.4_02-0.5.1
    xen-doc-pdf-4.1.4_02-0.5.1
    xen-libs-32bit-4.1.4_02-0.5.1
    xen-tools-4.1.4_02-0.5.1

- SUSE Linux Enterprise Server 11 SP2 (i586):

    xen-kmp-pae-4.1.4_02_3.0.58_0.6.6-0.5.1

- SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):

    xen-kmp-default-4.1.4_02_3.0.58_0.6.6-0.5.1
    xen-kmp-trace-4.1.4_02_3.0.58_0.6.6-0.5.1
    xen-libs-4.1.4_02-0.5.1
    xen-tools-domU-4.1.4_02-0.5.1

- SUSE Linux Enterprise Desktop 11 SP2 (x86_64):

    xen-4.1.4_02-0.5.1
    xen-doc-html-4.1.4_02-0.5.1
    xen-doc-pdf-4.1.4_02-0.5.1
    xen-libs-32bit-4.1.4_02-0.5.1
    xen-tools-4.1.4_02-0.5.1

- SUSE Linux Enterprise Desktop 11 SP2 (i586):

    xen-kmp-pae-4.1.4_02_3.0.58_0.6.6-0.5.1

References:

http://support.novell.com/security/cve/CVE-2012-5634.html
http://support.novell.com/security/cve/CVE-2012-6075.html
http://support.novell.com/security/cve/CVE-2013-0153.html
https://bugzilla.novell.com/793927
https://bugzilla.novell.com/794316
https://bugzilla.novell.com/797014
https://bugzilla.novell.com/797031
https://bugzilla.novell.com/797523
https://bugzilla.novell.com/798188
https://bugzilla.novell.com/799694
https://bugzilla.novell.com/800156
https://bugzilla.novell.com/800275
https://bugzilla.novell.com/802690
https://bugzilla.novell.com/805094
https://bugzilla.novell.com/806736
http://download.novell.com/patch/finder/?keywords=6ce1ad48227bea66786cefd7aba4662f


From sle-security-updates at lists.suse.com Wed Apr 3 11:04:29 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 3 Apr 2013 19:04:29 +0200 (CEST)
Subject: SUSE-SU-2013:0355-3: moderate: Security update for rubygem-rack
Message-ID: <20130403170429.7DFFD32255@maintenance.suse.de>

SUSE Security Update: Security update for rubygem-rack
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0355-3
Rating:             moderate
References:         #798452 #802794
Cross-References:   CVE-2012-6109 CVE-2013-0183 CVE-2013-0184
Affected Products:
                    WebYaST 1.2
                    SUSE Studio Standard Edition 1.2
                    SUSE Studio Onsite 1.2
                    SUSE Studio Extension for System z 1.2
______________________________________________________________________________

An update that fixes three vulnerabilities is now available. It includes one version update.

Description:

Various security problems in the Rack 1.1 rubygem were fixed.

Rack has been updated to 1.1.6:

* Fix CVE-2013-0263, timing attack against Rack::Session::Cookie

Rack was updated to 1.1.5:

* Rack::Auth::AbstractRequest no longer symbolizes arbitrary strings (CVE-2013-0184)
* Add warnings when users do not provide a session secret
* Security fix. http://www.ocert.org/advisories/ocert-2011-003.html

For further information please read http://jruby.org/2011/12/27/jruby-1-6-5-1

Security Issue references:

* CVE-2013-0184
* CVE-2013-0183
* CVE-2012-6109

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- WebYaST 1.2:

    zypper in -t patch slewyst12-rack-201302-7389

- SUSE Studio Standard Edition 1.2:

    zypper in -t patch sleslms12-rack-201302-7389

- SUSE Studio Onsite 1.2:

    zypper in -t patch slestso12-rack-201302-7389

- SUSE Studio Extension for System z 1.2:

    zypper in -t patch slestso12-rack-201302-7389

To bring your system up-to-date, use "zypper patch".
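The timing attack against Rack::Session::Cookie fixed in Rack 1.1.6 (CVE-2013-0263) comes from comparing the HMAC carried in the cookie against the freshly computed one with ordinary string equality, which returns as soon as the first mismatching byte is found, so an attacker who can time responses can recover a valid signature byte by byte. The following is an added example, not Rack's own code: a minimal signed session cookie verified with a constant-time comparison of the kind the fix introduced (Rack's helper is Rack::Utils.secure_compare). The cookie layout, the secret and the helper names are assumptions made for this illustration.

```ruby
require "openssl"
require "base64"
require "json"

# Added example (not Rack's code): a signed session cookie with a
# constant-time verifier. The "base64(payload)--hexdigest" layout and
# the helper names are assumptions made for this illustration.
module SignedCookie
  DIGEST = "SHA256"

  # Constant-time comparison: always walks the whole string, so the time
  # taken does not reveal how many leading bytes of the guess were right.
  # Length is still compared early; that is fine here because HMAC
  # digests have a fixed length, so it reveals nothing secret.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    result = 0
    a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
    result == 0
  end

  # What the vulnerable code effectively did: `==` stops at the first
  # differing byte, which is exactly what the timing attack measures.
  def self.naive_compare(a, b)
    a == b
  end

  def self.sign(secret, data)
    OpenSSL::HMAC.hexdigest(DIGEST, secret, data)
  end

  def self.generate(secret, session)
    payload = Base64.strict_encode64(JSON.generate(session))
    "#{payload}--#{sign(secret, payload)}"
  end

  # Returns the session hash, or nil when the signature does not verify.
  # The signature is checked before the payload is decoded, so tampered
  # input never reaches the JSON parser.
  def self.load(secret, cookie, compare: method(:secure_compare))
    payload, digest = cookie.split("--", 2)
    return nil if payload.nil? || digest.nil?
    return nil unless compare.call(sign(secret, payload), digest)
    JSON.parse(Base64.strict_decode64(payload))
  end
end

if __FILE__ == $0
  secret = "constructed-secret-do-not-use"      # constructed for the demo
  cookie = SignedCookie.generate(secret, { "user_id" => 42 })
  puts "cookie:   #{cookie}"
  puts "verified: #{SignedCookie.load(secret, cookie).inspect}"
  tampered = cookie.sub("--", "X--")             # payload altered, digest stale
  puts "tampered: #{SignedCookie.load(secret, tampered).inspect}"
end
```

Passing `compare: SignedCookie.method(:naive_compare)` to `load` gives the pre-fix behaviour; both variants accept and reject the same cookies, which is why the bug is invisible to functional tests and only shows up under timing measurement.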
Package List:

- WebYaST 1.2 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.1.6]:

    rubygem-rack-1.1.6-0.8.8.1

- SUSE Studio Standard Edition 1.2 (x86_64) [New Version: 1.1.6]:

    rubygem-rack-1.1.6-0.8.8.1

- SUSE Studio Onsite 1.2 (x86_64) [New Version: 1.1.6]:

    rubygem-rack-1.1.6-0.8.8.1

- SUSE Studio Extension for System z 1.2 (s390x) [New Version: 1.1.6]:

    rubygem-rack-1.1.6-0.8.8.1

References:

http://support.novell.com/security/cve/CVE-2012-6109.html
http://support.novell.com/security/cve/CVE-2013-0183.html
http://support.novell.com/security/cve/CVE-2013-0184.html
https://bugzilla.novell.com/798452
https://bugzilla.novell.com/802794
http://download.novell.com/patch/finder/?keywords=047b4c67e9ed56ad87fac73b3fdf4e1b


From sle-security-updates at lists.suse.com Wed Apr 3 12:06:09 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 3 Apr 2013 20:06:09 +0200 (CEST)
Subject: SUSE-SU-2013:0606-1: important: Security update for Ruby on Rails
Message-ID: <20130403180609.586CC32255@maintenance.suse.de>

SUSE Security Update: Security update for Ruby on Rails
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0606-1
Rating:             important
References:         #796712 #797449 #797452 #800320 #803336 #803339
Cross-References:   CVE-2012-5664 CVE-2013-0155 CVE-2013-0156 CVE-2013-0276
                    CVE-2013-0333
Affected Products:
                    WebYaST 1.2
                    SUSE Studio Standard Edition 1.2
                    SUSE Studio Onsite 1.2
                    SUSE Studio Extension for System z 1.2
______________________________________________________________________________

An update that solves 5 vulnerabilities and has one erratum is now available. It includes one version update.

Description:

The Ruby on Rails stack has been updated to 2.3.17 to fix various security issues and bugs.
The rails gems were updated to fix:

* Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155)
* Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156)
* SQL Injection Vulnerability in Active Record (CVE-2012-5664)
* rails: Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3 (CVE-2013-0333)
* activerecord: Circumvention of attr_protected (CVE-2013-0276)
* activerecord: Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0 (CVE-2013-0277)

Security Issue references:

* CVE-2012-5664
* CVE-2013-0155
* CVE-2013-0156
* CVE-2013-0333
* CVE-2013-0276
* CVE-2013-0277

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- WebYaST 1.2:

    zypper in -t patch slewyst12-rubygem-actionmailer-2_3-7364

- SUSE Studio Standard Edition 1.2:

    zypper in -t patch sleslms12-rubygem-actionmailer-2_3-7364

- SUSE Studio Onsite 1.2:

    zypper in -t patch slestso12-rubygem-actionmailer-2_3-7364

- SUSE Studio Extension for System z 1.2:

    zypper in -t patch slestso12-rubygem-actionmailer-2_3-7364

To bring your system up-to-date, use "zypper patch".
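CVE-2013-0156, the Action Pack parameter-parsing flaw listed above, is worth seeing concretely: Rails 2.3 and 3.0 turned an XML request body into the params hash and honoured a type="yaml" (or type="symbol") attribute on any element, so the element's text went through the full YAML loader and a request could instantiate any class already loaded in the application. The following is an added example, not Action Pack's code: a small REXML-based parameter parser with the pre-fix and post-fix typecasting side by side. Gadget, the element names and HOSTILE_BODY are constructed for the illustration.

```ruby
require "rexml/document"
require "yaml"

# Added example (not Action Pack's code). Gadget is a constructed stand-in
# for any class loaded in the application that an attacker would like to
# instantiate through a request.
class Gadget
  attr_reader :command
end

module XmlParams
  # Types an XML parameter body is allowed to declare. "yaml" and "symbol"
  # are deliberately absent: that is the shape of the CVE-2013-0156 fix.
  SAFE_TYPECASTS = {
    "integer" => ->(s) { Integer(s, 10) },
    "boolean" => ->(s) { s.strip == "true" },
    "string"  => ->(s) { s },
  }.freeze

  # Full YAML loader (Psych 4 made YAML.load safe; older Psych did not).
  def self.unsafe_yaml(text)
    YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
  end

  # Pre-fix behaviour: type="yaml" hands the raw text to the YAML loader,
  # which will allocate whatever class the !ruby/object tag names.
  def self.vulnerable_cast(type, text)
    case type
    when "yaml"   then unsafe_yaml(text)
    when "symbol" then text.to_sym
    else (SAFE_TYPECASTS[type] || SAFE_TYPECASTS["string"]).call(text)
    end
  end

  # Fixed behaviour: a type that is not on the allow-list is rejected
  # instead of interpreted; absent type means plain string.
  def self.safe_cast(type, text)
    key = type.to_s.empty? ? "string" : type
    caster = SAFE_TYPECASTS.fetch(key) do
      raise ArgumentError, "disallowed parameter type #{type.inspect}"
    end
    caster.call(text)
  end

  # Flattens <params><name type="...">text</name></params> into a Hash.
  def self.parse(body, cast: method(:safe_cast))
    doc = REXML::Document.new(body)
    doc.root.elements.to_a.each_with_object({}) do |el, params|
      params[el.name] = cast.call(el.attributes["type"], el.text.to_s)
    end
  end
end

# Constructed request body: what a hostile client would have POSTed.
HOSTILE_BODY = <<~XML
  <params>
    <page type="integer">3</page>
    <profile type="yaml">--- !ruby/object:Gadget
  command: id
  </profile>
  </params>
XML

if __FILE__ == $0
  vuln = XmlParams.parse(HOSTILE_BODY, cast: XmlParams.method(:vulnerable_cast))
  puts "pre-fix:  profile is a #{vuln["profile"].class}"
  begin
    XmlParams.parse(HOSTILE_BODY)
  rescue ArgumentError => e
    puts "post-fix: #{e.message}"
  end
end
```

The same shape applies to the JSON parser issue (CVE-2013-0333) in the list above, where the JSON backend could be coerced into YAML as well: the fix in both cases is to stop letting the request choose the deserializer.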
Package List:

- WebYaST 1.2 (i586 ia64 ppc64 s390x x86_64) [New Version: 2.3.17]:

    rubygem-actionmailer-2_3-2.3.17-0.6.1
    rubygem-actionpack-2_3-2.3.17-0.6.1
    rubygem-activerecord-2_3-2.3.17-0.6.1
    rubygem-activeresource-2_3-2.3.17-0.6.1
    rubygem-activesupport-2_3-2.3.17-0.6.1
    rubygem-rails-2_3-2.3.17-0.6.2

- SUSE Studio Standard Edition 1.2 (x86_64) [New Version: 2.3.17]:

    rubygem-actionmailer-2_3-2.3.17-0.6.1
    rubygem-actionpack-2_3-2.3.17-0.6.1
    rubygem-activerecord-2_3-2.3.17-0.6.1
    rubygem-activeresource-2_3-2.3.17-0.6.1
    rubygem-activesupport-2_3-2.3.17-0.6.1
    rubygem-rails-2_3-2.3.17-0.6.2

- SUSE Studio Standard Edition 1.2 (noarch) [New Version: 2.3.17]:

    rubygem-rails-2.3.17-0.4.6.1

- SUSE Studio Onsite 1.2 (x86_64) [New Version: 2.3.17]:

    rubygem-actionmailer-2_3-2.3.17-0.6.1
    rubygem-actionpack-2_3-2.3.17-0.6.1
    rubygem-activerecord-2_3-2.3.17-0.6.1
    rubygem-activeresource-2_3-2.3.17-0.6.1
    rubygem-activesupport-2_3-2.3.17-0.6.1
    rubygem-rails-2_3-2.3.17-0.6.2

- SUSE Studio Extension for System z 1.2 (s390x) [New Version: 2.3.17]:

    rubygem-actionmailer-2_3-2.3.17-0.6.1
    rubygem-actionpack-2_3-2.3.17-0.6.1
    rubygem-activerecord-2_3-2.3.17-0.6.1
    rubygem-activeresource-2_3-2.3.17-0.6.1
    rubygem-activesupport-2_3-2.3.17-0.6.1
    rubygem-rails-2_3-2.3.17-0.6.2

References:

http://support.novell.com/security/cve/CVE-2012-5664.html
http://support.novell.com/security/cve/CVE-2013-0155.html
http://support.novell.com/security/cve/CVE-2013-0156.html
http://support.novell.com/security/cve/CVE-2013-0276.html
http://support.novell.com/security/cve/CVE-2013-0333.html
https://bugzilla.novell.com/796712
https://bugzilla.novell.com/797449
https://bugzilla.novell.com/797452
https://bugzilla.novell.com/800320
https://bugzilla.novell.com/803336
https://bugzilla.novell.com/803339
http://download.novell.com/patch/finder/?keywords=dfb687aafb848ceb562a7f371bb1ccf7


From sle-security-updates at lists.suse.com Wed Apr 3 12:08:16 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 3 Apr 2013 20:08:16 +0200 (CEST)
Subject: SUSE-SU-2013:0609-1: important: Security update for rubygem-json_pure
Message-ID: <20130403180816.F131032255@maintenance.suse.de>

SUSE Security Update: Security update for rubygem-json_pure
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0609-1
Rating:             important
References:         #803342
Cross-References:   CVE-2013-0269
Affected Products:
                    WebYaST 1.2
                    SUSE Studio Standard Edition 1.2
                    SUSE Studio Extension for System z 1.2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

The json_pure Ruby Gem has been updated to fix a Denial of Service and Unsafe Object Creation vulnerability in JSON (CVE-2013-0269).

Additional fixes:

* Entity expansion DoS vulnerability in REXML (XML bomb)

Security Issue reference:

* CVE-2013-0269

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- WebYaST 1.2:

    zypper in -t patch slewyst12-rubygem-json_pure-7486

- SUSE Studio Standard Edition 1.2:

    zypper in -t patch sleslms12-rubygem-json_pure-7486

- SUSE Studio Extension for System z 1.2:

    zypper in -t patch slestso12-rubygem-json_pure-7486

To bring your system up-to-date, use "zypper patch".
Package List:

- WebYaST 1.2 (i586 ia64 ppc64 s390x x86_64):

    rubygem-json_pure-1.2.0-0.4.1

- SUSE Studio Standard Edition 1.2 (x86_64):

    rubygem-json_pure-1.2.0-0.4.1

- SUSE Studio Extension for System z 1.2 (s390x):

    rubygem-json_pure-1.2.0-0.4.1

References:

http://support.novell.com/security/cve/CVE-2013-0269.html
https://bugzilla.novell.com/803342
http://download.novell.com/patch/finder/?keywords=231bb11d5d47466d339ecd1ec5122771


From sle-security-updates at lists.suse.com Wed Apr 3 12:09:00 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 3 Apr 2013 20:09:00 +0200 (CEST)
Subject: SUSE-SU-2013:0610-1: moderate: Security update for jakarta
Message-ID: <20130403180900.7EF5832255@maintenance.suse.de>

SUSE Security Update: Security update for jakarta
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0610-1
Rating:             moderate
References:         #803332
Cross-References:   CVE-2012-5783
Affected Products:
                    SUSE Manager 1.2 for SLE 11 SP1
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

The following issue has been fixed:

* jakarta-commons-httpclient3 did not verify that the hostname in the server's SSL certificate matched the host being connected to, so any valid certificate was accepted for any host. This update adds the hostname verification. (CVE-2012-5783)

Security Issue reference:

* CVE-2012-5783

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Manager 1.2 for SLE 11 SP1:

    zypper in -t patch sleman12sp1-jakarta-commons-httpclient3-7572

- SUSE Linux Enterprise Server 11 SP2 for VMware:

    zypper in -t patch slessp2-jakarta-commons-httpclient3-7574

- SUSE Linux Enterprise Server 11 SP2:

    zypper in -t patch slessp2-jakarta-commons-httpclient3-7574

To bring your system up-to-date, use "zypper patch".
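CVE-2012-5783 is not a chain-validation bug but a hostname-verification one: the client confirmed that the server's certificate chained to a trusted CA, but never confirmed that the certificate was issued for the host it had dialled, so a man-in-the-middle holding any valid certificate (their own, for their own domain) passed. The following is an added example, not commons-httpclient code, using Ruby's openssl binding rather than Java to show the check that was missing and a client context that does not skip it. The certificate, its names under .test, and the helper names are constructed for the illustration.

```ruby
require "openssl"

# Added example (not commons-httpclient code): what hostname verification
# adds on top of chain validation. The self-signed certificate, its .test
# names and the helper names are constructed for this illustration.
module HostnameCheck
  SAN = "DNS:www.example.test,DNS:*.cdn.example.test"

  # Builds a throwaway self-signed certificate carrying the SAN list above.
  def self.build_cert(san = SAN)
    key  = OpenSSL::PKey::RSA.generate(2048)
    cert = OpenSSL::X509::Certificate.new
    cert.version    = 2
    cert.serial     = 1
    cert.subject    = OpenSSL::X509::Name.parse("/CN=www.example.test")
    cert.issuer     = cert.subject
    cert.public_key = key.public_key
    cert.not_before = Time.now
    cert.not_after  = Time.now + 3600
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    cert.add_extension(ef.create_extension("subjectAltName", san, false))
    cert.sign(key, OpenSSL::Digest.new("SHA256"))
    cert
  end

  # Chain validation answers "is this a valid certificate?"; this answers
  # "is it a certificate for the host I connected to?" using the RFC 6125
  # rules (SAN dNSName entries, wildcard only as the whole left-most label).
  def self.matches?(cert, hostname)
    OpenSSL::SSL.verify_certificate_identity(cert, hostname)
  end

  # Client context that performs both steps. verify_hostname is the one
  # the vulnerable httpclient build effectively left off.
  def self.client_context(ca_file: nil)
    ctx = OpenSSL::SSL::SSLContext.new
    ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_PEER, verify_hostname: true)
    ctx.ca_file = ca_file if ca_file
    ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION if ctx.respond_to?(:min_version=)
    ctx
  end
end

if __FILE__ == $0
  cert = HostnameCheck.build_cert
  %w[www.example.test a.cdn.example.test cdn.example.test x.y.cdn.example.test attacker.test].each do |h|
    puts "#{h.ljust(24)} #{HostnameCheck.matches?(cert, h)}"
  end
end
```

Note the two wildcard cases: `*.cdn.example.test` covers `a.cdn.example.test` but neither the bare `cdn.example.test` nor the deeper `x.y.cdn.example.test`, which is the behaviour a correct verifier must reproduce; a client that accepts more than this is as good as one that checks nothing.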
Package List:

- SUSE Manager 1.2 for SLE 11 SP1 (noarch):

    jakarta-commons-httpclient3-3.0.1-253.36.1

- SUSE Linux Enterprise Server 11 SP2 for VMware (noarch):

    jakarta-commons-httpclient3-3.0.1-253.36.1

- SUSE Linux Enterprise Server 11 SP2 (noarch):

    jakarta-commons-httpclient3-3.0.1-253.36.1

References:

http://support.novell.com/security/cve/CVE-2012-5783.html
https://bugzilla.novell.com/803332
http://download.novell.com/patch/finder/?keywords=11e51870f192ca2581fc5dc05cf45231
http://download.novell.com/patch/finder/?keywords=76a0d043211786acbd2b95314284def2


From sle-security-updates at lists.suse.com Wed Apr 3 12:09:44 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 3 Apr 2013 20:09:44 +0200 (CEST)
Subject: SUSE-SU-2013:0611-1: moderate: Security update for ruby
Message-ID: <20130403180945.03E9432255@maintenance.suse.de>

SUSE Security Update: Security update for ruby
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0611-1
Rating:             moderate
References:         #704409 #783525 #808137
Cross-References:   CVE-2011-2686 CVE-2012-4522 CVE-2013-1821
Affected Products:
                    SUSE Linux Enterprise Desktop 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

The ruby interpreter received fixes for the following security issues:

* CVE-2012-4466: Ruby's $SAFE mechanism allows untrusted user code to run in $SAFE >= 4 mode. This is a kind of sandbox: some operations are restricted in that mode to protect data outside the sandbox. The problem found was in this mechanism: Exception#to_s, NameError#to_s and the interpreter-internal name_err_mesg_to_s() API did not correctly handle the $SAFE bits, so a String object that is not tainted could be destructively marked as tainted through them.
  Using this, untrusted code in a sandbox can destructively modify a formerly-untainted string.
  http://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466/
* CVE-2011-2686: Ruby before 1.8.7-p352 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process.
* CVE-2013-1821: Fix entity expansion DoS vulnerability in REXML. When reading text nodes from an XML document, the REXML parser could be coerced into allocating extremely large string objects which could consume all available memory on the system.

Security Issue references:

* CVE-2012-4522
* CVE-2013-1821
* CVE-2011-2686

Package List:

- SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):

    ruby-1.8.6.p369-0.14.1

- SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64):

    ruby-1.8.6.p369-0.14.1
    ruby-devel-1.8.6.p369-0.14.1
    ruby-doc-html-1.8.6.p369-0.14.1
    ruby-doc-ri-1.8.6.p369-0.14.1
    ruby-examples-1.8.6.p369-0.14.1
    ruby-test-suite-1.8.6.p369-0.14.1
    ruby-tk-1.8.6.p369-0.14.1

References:

http://support.novell.com/security/cve/CVE-2011-2686.html
http://support.novell.com/security/cve/CVE-2012-4522.html
http://support.novell.com/security/cve/CVE-2013-1821.html
https://bugzilla.novell.com/704409
https://bugzilla.novell.com/783525
https://bugzilla.novell.com/808137
http://download.novell.com/patch/finder/?keywords=4c9e95f258c3139c5c70de419c8f734b


From sle-security-updates at lists.suse.com Wed Apr 3 12:10:29 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 3 Apr 2013 20:10:29 +0200 (CEST)
Subject: SUSE-SU-2013:0612-1: important: Security update for rubygem-extlib
Message-ID: <20130403181029.F03D132255@maintenance.suse.de>

SUSE Security Update: Security update for rubygem-extlib
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0612-1
Rating:             important
References:         #804719
Cross-References:   CVE-2013-0269
Affected Products:
                    SUSE Cloud 1.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

The Extlib Ruby Gem has been updated to fix a Denial of Service vulnerability in XML parsing (CVE-2013-1802).

Security Issue references:

* CVE-2013-0269

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Cloud 1.0:

    zypper in -t patch sleclo10sp2-rubygem-extlib-7498

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Cloud 1.0 (x86_64):

    rubygem-extlib-0.9.15-0.9.1

References:

http://support.novell.com/security/cve/CVE-2013-0269.html
https://bugzilla.novell.com/804719
http://download.novell.com/patch/finder/?keywords=e1291d45bc0b7f1bc2197ac8c930bc4b


From sle-security-updates at lists.suse.com Wed Apr 3 12:13:33 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 3 Apr 2013 20:13:33 +0200 (CEST)
Subject: SUSE-SU-2013:0615-1: important: Security update for rubygem-crack
Message-ID: <20130403181333.EA5C332255@maintenance.suse.de>

SUSE Security Update: Security update for rubygem-crack
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0615-1
Rating:             important
References:         #804721
Cross-References:   CVE-2013-0269
Affected Products:
                    SUSE Studio Onsite 1.2
                    SUSE Studio Extension for System z 1.2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

The Ruby Gem crack has been updated to 0.1.7 to fix a security issue:

* CVE-2013-1800: Multiple XML parsing issues were fixed that could be used by attackers able to inject XML to cause denial of service.
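The denial of service behind the ruby advisory above (REXML, CVE-2013-1821) and behind the XML paths of the json_pure, extlib and crack gems is the classic entity-expansion bomb: a handful of nested entity declarations in an internal DTD subset that expand to an enormous string the moment a text node is read. The following is an added example, not code from any of those projects: it builds such a document, reads it through REXML, and shows the two limits (REXML::Security.entity_expansion_text_limit and REXML::Security.entity_expansion_limit) that make the parser give up before memory does. The payload and the helper names are constructed for the illustration.

```ruby
require "rexml/document"
require "rexml/security"

# Added example (not code from ruby, json_pure, extlib or crack): an XML
# entity-expansion bomb and the REXML limits that stop it. Payload and
# helper names are constructed for this illustration.
module XmlBomb
  # Each level expands to `fanout` copies of the level below, so &lolN;
  # alone is fanout**N copies of `base`: a ~300 KB text from ~400 bytes
  # of XML with the defaults, and gigabytes with a few more levels.
  def self.payload(levels = 4, fanout = 10, base = "lol" * 10)
    defs = ["<!ENTITY lol0 \"#{base}\">"]
    1.upto(levels) do |i|
      defs << "<!ENTITY lol#{i} \"#{"&lol#{i - 1};" * fanout}\">"
    end
    "<!DOCTYPE bomb [\n#{defs.join("\n")}\n]>\n<bomb>&lol#{levels};</bomb>"
  end

  # Parses the document and forces expansion by reading the text node.
  # Returns [:ok, expanded_length] or [:rejected, message]. REXML raises a
  # RuntimeError when either limit is exceeded; ParseException is a
  # RuntimeError too, so a limit hit during parsing is caught as well.
  # The limits are set before the document is created because a Document
  # captures them when it is built, then restored for the caller.
  def self.expand(xml, text_limit: nil, count_limit: nil)
    old_text  = REXML::Security.entity_expansion_text_limit
    old_count = REXML::Security.entity_expansion_limit
    REXML::Security.entity_expansion_text_limit = text_limit if text_limit
    REXML::Security.entity_expansion_limit      = count_limit if count_limit
    doc = REXML::Document.new(xml)
    [:ok, doc.root.text.length]
  rescue RuntimeError => e
    [:rejected, e.message]
  ensure
    REXML::Security.entity_expansion_text_limit = old_text
    REXML::Security.entity_expansion_limit      = old_count
  end
end

if __FILE__ == $0
  puts "harmless:  #{XmlBomb.expand(XmlBomb.payload(1, 3, "ab")).inspect}"
  puts "bomb:      #{XmlBomb.expand(XmlBomb.payload).inspect}"
  puts "tight cap: #{XmlBomb.expand(XmlBomb.payload(2, 10, "x"), count_limit: 2).inspect}"
end
```

The text limit (10240 bytes by default) bounds how much expanded text one node may produce; the count limit (10000 by default) bounds how many entity references are followed, which also catches payloads built from many small entities. Applications that parse XML from the network with a patched REXML inherit both defaults, and can lower them to fit the documents they actually expect.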
Security Issue reference:

* CVE-2013-0269

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Studio Onsite 1.2:

    zypper in -t patch slestso12-rubygem-crack-7530

- SUSE Studio Extension for System z 1.2:

    zypper in -t patch slestso12-rubygem-crack-7530

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Studio Onsite 1.2 (x86_64):

    rubygem-crack-0.1.7-0.5.4

- SUSE Studio Extension for System z 1.2 (s390x):

    rubygem-crack-0.1.7-0.5.4

References:

http://support.novell.com/security/cve/CVE-2013-0269.html
https://bugzilla.novell.com/804721
http://download.novell.com/patch/finder/?keywords=db8654d7f66749acf4c49dd5a2d0d4a5


From sle-security-updates at lists.suse.com Wed Apr 3 14:05:50 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 3 Apr 2013 22:05:50 +0200 (CEST)
Subject: SUSE-SU-2013:0616-1: moderate: Security update for rubygem-ruby-openid
Message-ID: <20130403200551.09BC132255@maintenance.suse.de>

SUSE Security Update: Security update for rubygem-ruby-openid
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0616-1
Rating:             moderate
References:         #804717
Affected Products:
                    SUSE Studio Onsite 1.2
                    SUSE Studio Extension for System z 1.2
                    SUSE Cloud 1.0
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

An XML entity expansion problem in rubygem-ruby-openid has been fixed. (CVE-2013-1812)

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Studio Onsite 1.2:

    zypper in -t patch slestso12-rubygem-ruby-openid-7488

- SUSE Studio Extension for System z 1.2:

    zypper in -t patch slestso12-rubygem-ruby-openid-7488

- SUSE Cloud 1.0:

    zypper in -t patch sleclo10sp2-rubygem-ruby-openid-7487

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Studio Onsite 1.2 (x86_64):

    rubygem-ruby-openid-2.1.8-0.5.1

- SUSE Studio Extension for System z 1.2 (s390x):

    rubygem-ruby-openid-2.1.8-0.5.1

- SUSE Cloud 1.0 (x86_64):

    rubygem-ruby-openid-2.1.5-0.4.1

References:

https://bugzilla.novell.com/804717
http://download.novell.com/patch/finder/?keywords=096e9149ee1486f9ae0f40863e1a9404
http://download.novell.com/patch/finder/?keywords=1e86f4669cbfca4b53db7a0c1e3ea849


From sle-security-updates at lists.suse.com Wed Apr 3 15:06:14 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 3 Apr 2013 23:06:14 +0200 (CEST)
Subject: SUSE-SU-2013:0617-1: moderate: Security update for ClamAV
Message-ID: <20130403210614.785B032255@maintenance.suse.de>

SUSE Security Update: Security update for ClamAV
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0617-1
Rating:             moderate
References:         #809945
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 11 SP2
                    SUSE Linux Enterprise Desktop 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

An update that contains security fixes can now be installed. It includes one version update.

Description:

ClamAV has been updated to the 0.97.7 release, which contains various security-related hardening fixes.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP2 for VMware:

    zypper in -t patch slessp2-clamav-7557

- SUSE Linux Enterprise Server 11 SP2:

    zypper in -t patch slessp2-clamav-7557

- SUSE Linux Enterprise Desktop 11 SP2:

    zypper in -t patch sledsp2-clamav-7557

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 0.97.7]:

    clamav-0.97.7-0.3.1

- SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 0.97.7]:

    clamav-0.97.7-0.3.1

- SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64) [New Version: 0.97.7]:

    clamav-0.97.7-0.5.1

- SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 0.97.7]:

    clamav-0.97.7-0.3.1

- SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64) [New Version: 0.97.7]:

    clamav-0.97.7-0.5.1

- SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64) [New Version: 0.97.7]:

    clamav-0.97.7-0.5.1

References:

https://bugzilla.novell.com/809945
http://download.novell.com/patch/finder/?keywords=4558705d7f740c5a18df6acebc56b2de
http://download.novell.com/patch/finder/?keywords=b06bfeae1ed794d0942fffd51c9d49c8


From sle-security-updates at lists.suse.com Wed Apr 3 15:07:00 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 3 Apr 2013 23:07:00 +0200 (CEST)
Subject: SUSE-SU-2013:0618-1: important: Security update for puppet
Message-ID: <20130403210700.2CE8832255@maintenance.suse.de>

SUSE Security Update: Security update for puppet
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0618-1
Rating:             important
References:         #809839
Cross-References:   CVE-2013-1640 CVE-2013-1652 CVE-2013-1653 CVE-2013-1654
                    CVE-2013-1655 CVE-2013-2274 CVE-2013-2275
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________ An update that fixes 7 vulnerabilities is now available. It includes one version update. Description: puppet has been updated to 2.6.18 to fix multiple vulnerabilities and bugs. * (#19391) Find the catalog for the specified node name * Don't assume master supports SSLv2 * Don't require openssl client to return 0 on failure * Display SSL messages so we can match our regex * Don't assume puppetbindir is defined * Remove unnecessary rubygems require * Run openssl from windows when trying to downgrade master * Separate tests for same CVEs into separate files * Fix order-dependent test failure in rest_authconfig_spec * Always read request body when using Rack * (#19392) (CVE-2013-1653) Fix acceptance test to catch unvalidated model on 2.6 * (#19392) (CVE-2013-1653) Validate indirection model in save handler * Acceptance tests for CVEs 2013 (1640, 1652, 1653, 1654, 2274, 2275) * (#19531) (CVE-2013-2275) Only allow report save from the node matching the certname * (#19391) Backport Request#remote? method * (#8858) Explicitly set SSL peer verification mode. * (#8858) Refactor tests to use real HTTP objects * (#19392) (CVE-2013-1653) Validate instances passed to indirector * (#19391) (CVE-2013-1652) Disallow use_node compiler parameter for remote requests * (#19151) Reject SSLv2 SSL handshakes and ciphers * (#14093) Restore access to the filename in the template * (#14093) Remove unsafe attributes from TemplateWrapper Security Issue references: * CVE-2013-2275 * CVE-2013-2274 * CVE-2013-1655 * CVE-2013-1654 * CVE-2013-1653 * CVE-2013-1652 * CVE-2013-1640 Patch Instructions: To install this SUSE Security Update use YaST online_update. 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP2 for VMware: zypper in -t patch slessp2-puppet-7526 - SUSE Linux Enterprise Server 11 SP2: zypper in -t patch slessp2-puppet-7526 - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp2-puppet-7526 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 2.6.18]: puppet-2.6.18-0.4.2 puppet-server-2.6.18-0.4.2 - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 2.6.18]: puppet-2.6.18-0.4.2 puppet-server-2.6.18-0.4.2 - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 2.6.18]: puppet-2.6.18-0.4.2 References: http://support.novell.com/security/cve/CVE-2013-1640.html http://support.novell.com/security/cve/CVE-2013-1652.html http://support.novell.com/security/cve/CVE-2013-1653.html http://support.novell.com/security/cve/CVE-2013-1654.html http://support.novell.com/security/cve/CVE-2013-1655.html http://support.novell.com/security/cve/CVE-2013-2274.html http://support.novell.com/security/cve/CVE-2013-2275.html https://bugzilla.novell.com/809839 http://download.novell.com/patch/finder/?keywords=bc7ffedd9ace9c95117aaf0acbf73ccc From sle-security-updates at lists.suse.com Fri Apr 5 11:06:09 2013 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 5 Apr 2013 19:06:09 +0200 (CEST) Subject: SUSE-SU-2013:0633-1: important: Security update for PostgreSQL Message-ID: <20130405170609.DB5F13225A@maintenance.suse.de> SUSE Security Update: Security update for PostgreSQL ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0633-1 Rating: important References: #812525 Cross-References: CVE-2013-1899 CVE-2013-1900 CVE-2013-1901 Affected Products: SUSE Studio Onsite 1.3 SUSE Linux Enterprise Software Development Kit 11 SP2 SUSE Linux Enterprise 
Server 11 SP2 for VMware SUSE Linux Enterprise Server 11 SP2 SUSE Linux Enterprise Desktop 11 SP2 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. It includes one version update. Description: This update to version 9.1.9 fixes: * CVE-2013-1899: Fix insecure parsing of server command-line switches. * CVE-2013-1900: Reset OpenSSL randomness state in each postmaster child process. * CVE-2013-1901: Make REPLICATION privilege checks test current user not authenticated user. Security Issue references: * CVE-2013-1899 * CVE-2013-1900 * CVE-2013-1901 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Studio Onsite 1.3: zypper in -t patch slestso13-libecpg6-7585 - SUSE Linux Enterprise Software Development Kit 11 SP2: zypper in -t patch sdksp2-libecpg6-7585 - SUSE Linux Enterprise Server 11 SP2 for VMware: zypper in -t patch slessp2-libecpg6-7585 - SUSE Linux Enterprise Server 11 SP2: zypper in -t patch slessp2-libecpg6-7585 - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp2-libecpg6-7585 To bring your system up-to-date, use "zypper patch". 
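Added example, not part of this SUSE announcement or of any SUSE tool: a Python script that reads a Package List block in the format used throughout these mails and reports which installed packages are still below the fixed build, so an administrator can verify the outcome of "zypper patch" instead of assuming it. The inventory it checks is constructed sample data; on a real host it would come from rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'. Version ordering reimplements librpm's rpmvercmp (numeric segments beat alphabetic ones, tilde and caret are handled); epochs are assumed absent, as they are in every package list on this page.

```python
"""Check installed RPMs against a SUSE advisory "Package List" block.

Added example; not part of the SUSE announcement or of any SUSE tool. It
parses the '- Product (arches) [New Version: x]: name-ver-rel ...' form used
in these mails and compares it with an inventory in the form printed by
rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\\n', ordering versions the way
librpm's rpmvercmp does. Assumes no epochs (none occur in these lists).
"""
import re

# Excerpt of the PostgreSQL package list from the advisory above.
ADVISORY_PACKAGES = """\
Package List:
- SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 9.1.9]:
  libecpg6-9.1.9-0.3.1 libpq5-9.1.9-0.3.1 postgresql91-9.1.9-0.3.1
  postgresql91-server-9.1.9-0.3.1
- SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64) [New Version: 9.1.9]: libpq5-32bit-9.1.9-0.3.1
"""

# Constructed sample inventory (not a real host): libpq5 is still at a pre-fix build.
INSTALLED = """\
libpq5-9.1.8-0.2.1
postgresql91-9.1.9-0.3.1
postgresql91-server-9.1.9-0.3.1
bash-3.2-147.22.1
"""

_NEVR = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)$")
_HEADER = re.compile(r"^- (?P<product>.+?) \((?P<arches>[^)]*)\)"
                     r"(?: \[New Version: [^\]]*\])?:(?P<rest>.*)$")
_SEG = re.compile(r"\d+|[A-Za-z]+|~|\^")  # rpmvercmp segments; anything else separates


def split_nevr(pkg):
    """'postgresql91-server-9.1.9-0.3.1' -> ('postgresql91-server', '9.1.9', '0.3.1')."""
    m = _NEVR.match(pkg)
    if not m:
        raise ValueError(f"not a name-version-release string: {pkg!r}")
    return m.group("name"), m.group("ver"), m.group("rel")


def rpmvercmp(a, b):
    """Order two version (or release) strings like librpm: -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    while sa or sb:
        x = sa[0] if sa else None
        y = sb[0] if sb else None
        if x == "~" or y == "~":            # tilde: older than anything, even end of string
            if x != y:
                return 1 if x != "~" else -1
        elif x == "^" or y == "^":          # caret: newer than end of string, older than the rest
            if x is None or y is None:
                return -1 if x is None else 1
            if x != y:
                return 1 if x != "^" else -1
        elif x is None or y is None:        # leftover segments make that side newer
            return -1 if x is None else 1
        elif x.isdigit() != y.isdigit():    # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        elif x.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x != y:                        # both alphabetic: plain string order
            return 1 if x > y else -1
        sa, sb = sa[1:], sb[1:]
    return 0


def parse_package_list(text):
    """Return [(product, arches, name, version, release), ...] from a Package List."""
    entries, product, arches = [], None, ()
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "Package List:":
            continue
        m = _HEADER.match(line)
        if m:
            product, arches = m.group("product"), tuple(m.group("arches").split())
            line = m.group("rest")          # packages may follow the colon on the same line
        elif product is None:
            raise ValueError(f"package line before any product header: {line!r}")
        for pkg in line.split():
            entries.append((product, arches) + split_nevr(pkg))
    return entries


def parse_installed(text):
    """name-version-release lines (rpm -qa output) -> {name: (version, release)}."""
    return {n: (v, r) for n, v, r in map(split_nevr, text.split())}


def missing_updates(advisory_text, installed_text):
    """Installed packages below the fixed build -> {name: (have, need)}; absent ones are ignored."""
    have = parse_installed(installed_text)
    behind = {}
    for _product, _arches, name, ver, rel in parse_package_list(advisory_text):
        if name not in have:
            continue
        hv, hr = have[name]
        if (rpmvercmp(hv, ver) or rpmvercmp(hr, rel)) < 0:   # release only breaks version ties
            behind[name] = (f"{hv}-{hr}", f"{ver}-{rel}")
    return behind


if __name__ == "__main__":
    for name, (have, need) in sorted(missing_updates(ADVISORY_PACKAGES, INSTALLED).items()):
        print(f"{name}: installed {have}, fixed in {need}")
```

With the constructed inventory the script reports libpq5 as behind (9.1.8-0.2.1 installed, 9.1.9-0.3.1 required) and nothing else; a host where every listed package that is present is at or above the advisory build prints nothing. Packages not installed are deliberately not reported, since an advisory is only actionable for what is on the host. The "zypper in -t patch" commands above remain the way to apply the fix; this only verifies the result.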
Package List: - SUSE Studio Onsite 1.3 (x86_64): libecpg6-9.1.9-0.3.1 postgresql91-devel-9.1.9-0.3.1 - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 9.1.9]: postgresql91-devel-9.1.9-0.3.1 - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 9.1.9]: libecpg6-9.1.9-0.3.1 libpq5-9.1.9-0.3.1 postgresql91-9.1.9-0.3.1 postgresql91-contrib-9.1.9-0.3.1 postgresql91-docs-9.1.9-0.3.1 postgresql91-server-9.1.9-0.3.1 - SUSE Linux Enterprise Server 11 SP2 for VMware (x86_64) [New Version: 9.1.9]: libpq5-32bit-9.1.9-0.3.1 - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 9.1.9]: libecpg6-9.1.9-0.3.1 libpq5-9.1.9-0.3.1 postgresql91-9.1.9-0.3.1 postgresql91-contrib-9.1.9-0.3.1 postgresql91-docs-9.1.9-0.3.1 postgresql91-server-9.1.9-0.3.1 - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64) [New Version: 9.1.9]: libpq5-32bit-9.1.9-0.3.1 - SUSE Linux Enterprise Server 11 SP2 (ia64) [New Version: 9.1.9]: libpq5-x86-9.1.9-0.3.1 - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 9.1.9]: libecpg6-9.1.9-0.3.1 libpq5-9.1.9-0.3.1 postgresql91-9.1.9-0.3.1 - SUSE Linux Enterprise Desktop 11 SP2 (x86_64) [New Version: 9.1.9]: libpq5-32bit-9.1.9-0.3.1 References: http://support.novell.com/security/cve/CVE-2013-1899.html http://support.novell.com/security/cve/CVE-2013-1900.html http://support.novell.com/security/cve/CVE-2013-1901.html https://bugzilla.novell.com/812525 http://download.novell.com/patch/finder/?keywords=0b64ee73ca3435028350ef0220fbc29d From sle-security-updates at lists.suse.com Mon Apr 8 13:04:30 2013 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 8 Apr 2013 21:04:30 +0200 (CEST) Subject: SUSE-SU-2013:0645-1: important: Security update for Mozilla Firefox Message-ID: <20130408190430.661183225D@maintenance.suse.de> SUSE Security Update: Security update for Mozilla Firefox 
______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0645-1 Rating: important References: #813026 Cross-References: CVE-2013-0788 CVE-2013-0789 CVE-2013-0790 CVE-2013-0791 CVE-2013-0792 CVE-2013-0794 CVE-2013-0795 CVE-2013-0796 CVE-2013-0797 CVE-2013-0798 CVE-2013-0799 CVE-2013-0800 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP2 SUSE Linux Enterprise Server 11 SP2 for VMware SUSE Linux Enterprise Server 11 SP2 SUSE Linux Enterprise Server 10 SP4 SUSE Linux Enterprise Desktop 11 SP2 SUSE Linux Enterprise Desktop 10 SP4 SLE SDK 10 SP4 ______________________________________________________________________________ An update that fixes 12 vulnerabilities is now available. It includes four new package versions. Description: MozillaFirefox has been updated to the 17.0.5ESR release fixing bugs and security issues. Also Mozilla NSS has been updated to version 3.14.3 and Mozilla NSPR to 4.9.6. * MFSA 2013-30: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Olli Pettay, Jesse Ruderman, Boris Zbarsky, Christian Holler, Milan Sreckovic, and Joe Drew reported memory safety problems and crashes that affect Firefox ESR 17, and Firefox 19. (CVE-2013-0788) Andrew McCreight, Randell Jesup, Gary Kwong, Jesse Ruderman, Christian Holler, and Mats Palmgren reported memory safety problems and crashes that affect Firefox 19. (CVE-2013-0789) Jim Chen reported a memory safety problem that affects Firefox for Android. (CVE-2013-0790) * MFSA 2013-31 / CVE-2013-0800: Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover an out-of-bounds write in Cairo graphics library. 
When certain values are passed to it during rendering, Cairo attempts to use negative boundaries or sizes for boxes, leading to a potentially exploitable crash in some instances. * MFSA 2013-32 / CVE-2013-0799: Security researcher Frederic Hoguin discovered that the Mozilla Maintenance Service on Windows was vulnerable to a buffer overflow. This system is used to update software without invoking the User Account Control (UAC) prompt. The Mozilla Maintenance Service is configured to allow unprivileged users to start it with arbitrary arguments. By manipulating the data passed in these arguments, an attacker can execute arbitrary code with the system privileges used by the service. This issue requires local file system access to be exploitable. * MFSA 2013-33 / CVE-2013-0798: Security researcher Shuichiro Suzuki of the Fourteenforty Research Institute reported the app_tmp directory is set to be world readable and writeable by Firefox for Android. This potentially allows for third party applications to replace or alter Firefox add-ons when downloaded because they are temporarily stored in the app_tmp directory before installation. This vulnerability only affects Firefox for Android. * MFSA 2013-34 / CVE-2013-0797: Security researcher Ash reported an issue with the Mozilla Updater. The Mozilla Updater can be made to load a malicious local DLL file in a privileged context through either the Mozilla Maintenance Service or independently on systems that do not use the service. This occurs when the DLL file is placed in a specific location on the local system before the Mozilla Updater is run. Local file system access is necessary in order for this issue to be exploitable. * MFSA 2013-35 / CVE-2013-0796: Security researcher miaubiz used the Address Sanitizer tool to discover a crash in WebGL rendering when memory is freed that has not previously been allocated. This issue only affects Linux users who have Intel Mesa graphics drivers. 
The resulting crash could be potentially exploitable. * MFSA 2013-36 / CVE-2013-0795: Security researcher Cody Crews reported a mechanism to use the cloneNode method to bypass System Only Wrappers (SOW) and clone a protected node. This allows violation of the browser's same origin policy and could also lead to privilege escalation and the execution of arbitrary code. * MFSA 2013-37 / CVE-2013-0794: Security researcher shutdown reported a method for removing the origin indication on tab-modal dialog boxes in combination with browser navigation. This could allow an attacker's dialog to overlay a page and show another site's content. This can be used for phishing by allowing users to enter data into a modal prompt dialog on an attacking site while appearing to be from the displayed site. * MFSA 2013-38 / CVE-2013-079: Security researcher Mariusz Mlynski reported a method to use browser navigations through history to load an arbitrary website with that page's baseURI property pointing to another site instead of the seemingly loaded one. The user will continue to see the incorrect site in the addressbar of the browser. This allows for a cross-site scripting (XSS) attack or the theft of data through a phishing attack. * MFSA 2013-39 / CVE-2013-0792: Mozilla community member Tobias Schula reported that if the gfx.color_management.enablev4 preference is enabled manually in about:config, some grayscale PNG images will be rendered incorrectly and cause memory corruption during PNG decoding when certain color profiles are in use. A crafted PNG image could use this flaw to leak data through rendered images drawing from random memory. By default, this preference is not enabled. * MFSA 2013-40 / CVE-2013-0791: Mozilla community member Ambroz Bizjak reported an out-of-bounds array read in the CERT_DecodeCertPackage function of the Network Security Services (NSS) library when decoding a certificate. When this occurs, it will lead to memory corruption and a non-exploitable crash. 
Security Issue references: * CVE-2013-0788 * CVE-2013-0789 * CVE-2013-0790 * CVE-2013-0791 * CVE-2013-0792 * CVE-2013-0794 * CVE-2013-0795 * CVE-2013-0796 * CVE-2013-0797 * CVE-2013-0798 * CVE-2013-0799 * CVE-2013-0800 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP2: zypper in -t patch sdksp2-firefox-20130404-7599 - SUSE Linux Enterprise Server 11 SP2 for VMware: zypper in -t patch slessp2-firefox-20130404-7599 - SUSE Linux Enterprise Server 11 SP2: zypper in -t patch slessp2-firefox-20130404-7599 - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp2-firefox-20130404-7599 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 3.14.3 and 4.9.6]: mozilla-nspr-devel-4.9.6-0.3.1 mozilla-nss-devel-3.14.3-0.4.3.1 - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 17.0.5esr,3.14.3 and 4.9.6]: MozillaFirefox-17.0.5esr-0.4.1 MozillaFirefox-translations-17.0.5esr-0.4.1 libfreebl3-3.14.3-0.4.3.1 mozilla-nspr-4.9.6-0.3.1 mozilla-nss-3.14.3-0.4.3.1 mozilla-nss-tools-3.14.3-0.4.3.1 - SUSE Linux Enterprise Server 11 SP2 for VMware (x86_64) [New Version: 3.14.3 and 4.9.6]: libfreebl3-32bit-3.14.3-0.4.3.1 mozilla-nspr-32bit-4.9.6-0.3.1 mozilla-nss-32bit-3.14.3-0.4.3.1 - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 17.0.5esr,3.14.3 and 4.9.6]: MozillaFirefox-17.0.5esr-0.4.1 MozillaFirefox-branding-SLED-7-0.6.9.17 MozillaFirefox-translations-17.0.5esr-0.4.1 libfreebl3-3.14.3-0.4.3.1 mozilla-nspr-4.9.6-0.3.1 mozilla-nss-3.14.3-0.4.3.1 mozilla-nss-tools-3.14.3-0.4.3.1 - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64) [New Version: 3.14.3 and 4.9.6]: libfreebl3-32bit-3.14.3-0.4.3.1 mozilla-nspr-32bit-4.9.6-0.3.1 mozilla-nss-32bit-3.14.3-0.4.3.1 
- SUSE Linux Enterprise Server 11 SP2 (ia64) [New Version: 3.14.3 and 4.9.6]: libfreebl3-x86-3.14.3-0.4.3.1 mozilla-nspr-x86-4.9.6-0.3.1 mozilla-nss-x86-3.14.3-0.4.3.1 - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64) [New Version: 3.14.3 and 4.9.6]: mozilla-nspr-4.9.6-0.5.1 mozilla-nspr-devel-4.9.6-0.5.1 mozilla-nss-3.14.3-0.5.1 mozilla-nss-devel-3.14.3-0.5.1 mozilla-nss-tools-3.14.3-0.5.1 - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x) [New Version: 17.0.5esr and 7]: MozillaFirefox-17.0.5esr-0.8.1 MozillaFirefox-branding-SLED-7-0.10.11 MozillaFirefox-translations-17.0.5esr-0.8.1 - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64) [New Version: 3.14.3 and 4.9.6]: mozilla-nspr-32bit-4.9.6-0.5.1 mozilla-nss-32bit-3.14.3-0.5.1 - SUSE Linux Enterprise Server 10 SP4 (ia64) [New Version: 3.14.3 and 4.9.6]: mozilla-nspr-x86-4.9.6-0.5.1 mozilla-nss-x86-3.14.3-0.5.1 - SUSE Linux Enterprise Server 10 SP4 (ppc) [New Version: 3.14.3 and 4.9.6]: mozilla-nspr-64bit-4.9.6-0.5.1 mozilla-nss-64bit-3.14.3-0.5.1 - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 17.0.5esr,3.14.3 and 4.9.6]: MozillaFirefox-17.0.5esr-0.4.1 MozillaFirefox-branding-SLED-7-0.6.9.17 MozillaFirefox-translations-17.0.5esr-0.4.1 libfreebl3-3.14.3-0.4.3.1 mozilla-nspr-4.9.6-0.3.1 mozilla-nss-3.14.3-0.4.3.1 mozilla-nss-tools-3.14.3-0.4.3.1 - SUSE Linux Enterprise Desktop 11 SP2 (x86_64) [New Version: 3.14.3 and 4.9.6]: libfreebl3-32bit-3.14.3-0.4.3.1 mozilla-nspr-32bit-4.9.6-0.3.1 mozilla-nss-32bit-3.14.3-0.4.3.1 - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64) [New Version: 3.14.3 and 4.9.6]: mozilla-nspr-4.9.6-0.5.1 mozilla-nspr-devel-4.9.6-0.5.1 mozilla-nss-3.14.3-0.5.1 mozilla-nss-devel-3.14.3-0.5.1 mozilla-nss-tools-3.14.3-0.5.1 - SUSE Linux Enterprise Desktop 10 SP4 (x86_64) [New Version: 3.14.3 and 4.9.6]: mozilla-nspr-32bit-4.9.6-0.5.1 mozilla-nss-32bit-3.14.3-0.5.1 - SUSE Linux Enterprise Desktop 10 SP4 (i586) [New Version: 17.0.5esr and 7]: 
MozillaFirefox-17.0.5esr-0.8.1 MozillaFirefox-branding-SLED-7-0.10.11 MozillaFirefox-translations-17.0.5esr-0.8.1 - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64) [New Version: 3.14.3]: mozilla-nss-tools-3.14.3-0.5.1 - SLE SDK 10 SP4 (i586 ia64 ppc s390x): MozillaFirefox-branding-upstream-17.0.5esr-0.8.1 References: http://support.novell.com/security/cve/CVE-2013-0788.html http://support.novell.com/security/cve/CVE-2013-0789.html http://support.novell.com/security/cve/CVE-2013-0790.html http://support.novell.com/security/cve/CVE-2013-0791.html http://support.novell.com/security/cve/CVE-2013-0792.html http://support.novell.com/security/cve/CVE-2013-0794.html http://support.novell.com/security/cve/CVE-2013-0795.html http://support.novell.com/security/cve/CVE-2013-0796.html http://support.novell.com/security/cve/CVE-2013-0797.html http://support.novell.com/security/cve/CVE-2013-0798.html http://support.novell.com/security/cve/CVE-2013-0799.html http://support.novell.com/security/cve/CVE-2013-0800.html https://bugzilla.novell.com/813026 http://download.novell.com/patch/finder/?keywords=bb37c4e63c825ec7312dcfd2614bcab2 http://download.novell.com/patch/finder/?keywords=c2b6f5f84d016484ab6f637f9b3ed49e From sle-security-updates at lists.suse.com Tue Apr 9 11:04:55 2013 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 9 Apr 2013 19:04:55 +0200 (CEST) Subject: SUSE-SU-2013:0609-2: important: Security update for rubygem-json_pure Message-ID: <20130409170455.1A0B332166@maintenance.suse.de> SUSE Security Update: Security update for rubygem-json_pure ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0609-2 Rating: important References: #803342 Cross-References: CVE-2013-0269 Affected Products: WebYaST 1.3 SUSE Linux Enterprise Software Development Kit 11 SP2 SUSE Lifecycle Management Server 1.3 ______________________________________________________________________________ An 
update that fixes one vulnerability is now available. Description: The json_pure Ruby Gem has been updated to fix a Denial of Service and Unsafe Object Creation Vulnerability in JSON (CVE-2013-0269) * Entity expansion DoS vulnerability in REXML (XML bomb) Security Issues: * CVE-2013-0269 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - WebYaST 1.3: zypper in -t patch slewyst13-rubygem-json_pure-7527 - SUSE Linux Enterprise Software Development Kit 11 SP2: zypper in -t patch sdksp2-rubygem-json_pure-7527 - SUSE Lifecycle Management Server 1.3: zypper in -t patch sleslms13-rubygem-json_pure-7527 To bring your system up-to-date, use "zypper patch". Package List: - WebYaST 1.3 (i586 ia64 ppc64 s390x x86_64): rubygem-json_pure-1.2.0-0.4.4 - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64): rubygem-json_pure-1.2.0-0.4.4 - SUSE Lifecycle Management Server 1.3 (x86_64): rubygem-json_pure-1.2.0-0.4.4 References: http://support.novell.com/security/cve/CVE-2013-0269.html https://bugzilla.novell.com/803342 http://download.novell.com/patch/finder/?keywords=59c25e19a4a6f534d0c992634f28b511 From sle-security-updates at lists.suse.com Tue Apr 9 11:05:01 2013 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 9 Apr 2013 19:05:01 +0200 (CEST) Subject: SUSE-SU-2013:0647-1: important: Security update for Ruby 1.9 Message-ID: <20130409170501.C0F4132257@maintenance.suse.de> SUSE Security Update: Security update for Ruby 1.9 ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0647-1 Rating: important References: #783511 #789983 #791199 #796757 #802406 #803342 Cross-References: CVE-2013-0269 Affected Products: SUSE Studio Onsite 1.3 ______________________________________________________________________________ An update that solves one vulnerability and has 
5 fixes is now available. Description: The Ruby script interpreter 1.9 has been updated to 1.9.3 p392 fixing various bugs and security issues: This release includes security fixes for the bundled JSON and REXML libraries. * Denial of Service and Unsafe Object Creation Vulnerability in JSON (CVE-2013-0269) * Entity expansion DoS vulnerability in REXML (XML bomb) * XSS exploit of RDoc documentation generated by rdoc (CVE-2013-0256) Some small bugfixes are also included; see /usr/share/doc/packages/ruby19/Changelog for more details. Also the following bugfix was added: * added bind_stack.patch: (bnc#796757) Fixes stack boundary issues when embedding Ruby into threaded C code (Ruby bug #229) Security Issue reference: * CVE-2013-0269 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Studio Onsite 1.3: zypper in -t patch slestso13-ruby19-7496 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Studio Onsite 1.3 (x86_64): ruby19-1.9.3.p392-0.7.1 ruby19-devel-1.9.3.p392-0.7.1 ruby19-devel-extra-1.9.3.p392-0.7.1 References: http://support.novell.com/security/cve/CVE-2013-0269.html https://bugzilla.novell.com/783511 https://bugzilla.novell.com/789983 https://bugzilla.novell.com/791199 https://bugzilla.novell.com/796757 https://bugzilla.novell.com/802406 https://bugzilla.novell.com/803342 http://download.novell.com/patch/finder/?keywords=e50f6dac0ba6a3ba64aeb6f6f0f9b922 From sle-security-updates at lists.suse.com Tue Apr 9 11:05:09 2013 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 9 Apr 2013 19:05:09 +0200 (CEST) Subject: SUSE-SU-2013:0648-1: moderate: Security update for Apache Message-ID: <20130409170509.A199832166@maintenance.suse.de> SUSE Security Update: Security update for Apache ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0648-1 Rating: 
moderate References: #806458 #807152 Cross-References: CVE-2012-3499 CVE-2012-4558 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP2 SUSE Linux Enterprise Server 11 SP2 for VMware SUSE Linux Enterprise Server 11 SP2 SUSE Linux Enterprise Server 10 SP4 SLE SDK 10 SP4 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: Apache2 has been updated to fix multiple XSS flaws. * CVE-2012-4558: Multiple cross-site scripting (XSS) vulnerabilities in the balancer_handler function in the manager interface in mod_proxy_balancer.c in the mod_proxy_balancer module in the Apache HTTP Server potentially allowed remote attackers to inject arbitrary web script or HTML via a crafted string. * CVE-2012-3499: Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server allowed remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3) mod_ldap, (4) mod_proxy_ftp, and (5) mod_status modules. Security Issue references: * CVE-2012-3499 * CVE-2012-4558 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP2: zypper in -t patch sdksp2-apache2-7570 - SUSE Linux Enterprise Server 11 SP2 for VMware: zypper in -t patch slessp2-apache2-7570 - SUSE Linux Enterprise Server 11 SP2: zypper in -t patch slessp2-apache2-7570 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64): apache2-devel-2.2.12-1.38.2 - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 x86_64): apache2-2.2.12-1.38.2 apache2-doc-2.2.12-1.38.2 apache2-example-pages-2.2.12-1.38.2 apache2-prefork-2.2.12-1.38.2 apache2-utils-2.2.12-1.38.2 apache2-worker-2.2.12-1.38.2 - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64): apache2-2.2.12-1.38.2 apache2-doc-2.2.12-1.38.2 apache2-example-pages-2.2.12-1.38.2 apache2-prefork-2.2.12-1.38.2 apache2-utils-2.2.12-1.38.2 apache2-worker-2.2.12-1.38.2 - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64): apache2-2.2.12-1.38.2 apache2-doc-2.2.12-1.38.2 apache2-example-pages-2.2.12-1.38.2 apache2-prefork-2.2.12-1.38.2 apache2-utils-2.2.12-1.38.2 apache2-worker-2.2.12-1.38.2 - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64): apache2-2.2.3-16.48.1 apache2-devel-2.2.3-16.48.1 apache2-doc-2.2.3-16.48.1 apache2-example-pages-2.2.3-16.48.1 apache2-prefork-2.2.3-16.48.1 apache2-worker-2.2.3-16.48.1 - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64): apache2-2.2.3-16.48.1 apache2-devel-2.2.3-16.48.1 apache2-doc-2.2.3-16.48.1 apache2-example-pages-2.2.3-16.48.1 apache2-prefork-2.2.3-16.48.1 apache2-worker-2.2.3-16.48.1 References: http://support.novell.com/security/cve/CVE-2012-3499.html http://support.novell.com/security/cve/CVE-2012-4558.html https://bugzilla.novell.com/806458 https://bugzilla.novell.com/807152 http://download.novell.com/patch/finder/?keywords=18ad45618c96913c17def337384ed724 http://download.novell.com/patch/finder/?keywords=97088094794178f9a70859d71149c0e0 From sle-security-updates at lists.suse.com Thu Apr 11 13:04:31 2013 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 11 Apr 2013 21:04:31 +0200 (CEST) Subject: SUSE-SU-2013:0669-1: Security update for systemtap Message-ID: <20130411190431.4A50732257@maintenance.suse.de> SUSE 
Security Update: Security update for systemtap ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0669-1 Rating: low References: #748564 #796574 #800335 Cross-References: CVE-2012-0875 Affected Products: SUSE Linux Enterprise Server 11 SP2 for VMware SUSE Linux Enterprise Server 11 SP2 ______________________________________________________________________________ An update that solves one vulnerability and has two fixes is now available. Description: This collective update for systemtap provides the following fixes: * Change how systemtap looks for tracepoint header files. (bnc#796574) * Systemtap manually loads libebl backends. Add libebl1 dependency. (bnc#800335) * Fix kernel panic when processing malformed DWARF unwind data. (bnc#748564, CVE-2012-0875) Security Issue reference: * CVE-2012-0875 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP2 for VMware: zypper in -t patch slessp2-systemtap-7444 - SUSE Linux Enterprise Server 11 SP2: zypper in -t patch slessp2-systemtap-7444 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64): systemtap-1.5-0.9.1 systemtap-server-1.5-0.9.1 - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64): systemtap-1.5-0.9.1 systemtap-server-1.5-0.9.1 References: http://support.novell.com/security/cve/CVE-2012-0875.html https://bugzilla.novell.com/748564 https://bugzilla.novell.com/796574 https://bugzilla.novell.com/800335 http://download.novell.com/patch/finder/?keywords=da58c88a9d2d5da2cf356729b896548f From sle-security-updates at lists.suse.com Thu Apr 11 15:04:32 2013 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 11 Apr 2013 23:04:32 +0200 (CEST) Subject: SUSE-SU-2013:0670-1: important: Security update for flash-player Message-ID: <20130411210432.DCFBC32249@maintenance.suse.de> SUSE Security Update: Security update for flash-player ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0670-1 Rating: important References: #814635 Cross-References: CVE-2013-1378 CVE-2013-1379 CVE-2013-1380 CVE-2013-2555 Affected Products: SUSE Linux Enterprise Desktop 11 SP2 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. It includes one version update. Description: Adobe Flash Player has been updated to 11.2.202.280 to fix various bugs and security issues. More information can be found on: http://www.adobe.com/support/security/bulletins/apsb13-11.html * APSB13-11, CVE-2013-1378, CVE-2013-1379, CVE-2013-1380, CVE-2013-2555 Security Issue references: * CVE-2013-1378 * CVE-2013-1379 * CVE-2013-1380 * CVE-2013-2555 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp2-flash-player-7613 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 11.2.202.280]: flash-player-11.2.202.280-0.3.1 flash-player-gnome-11.2.202.280-0.3.1 flash-player-kde4-11.2.202.280-0.3.1 References: http://support.novell.com/security/cve/CVE-2013-1378.html http://support.novell.com/security/cve/CVE-2013-1379.html http://support.novell.com/security/cve/CVE-2013-1380.html http://support.novell.com/security/cve/CVE-2013-2555.html https://bugzilla.novell.com/814635 http://download.novell.com/patch/finder/?keywords=e6da66ddfe80c70ce9ed319d699c3d47 From sle-security-updates at lists.suse.com Fri Apr 12 11:04:58 2013 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 12 Apr 2013 19:04:58 +0200 (CEST) Subject: SUSE-SU-2013:0670-2: important: Security update for flash-player Message-ID: <20130412170458.D16F63225C@maintenance.suse.de> SUSE Security Update: Security update for flash-player ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0670-2 Rating: important References: #814635 Cross-References: CVE-2013-1378 CVE-2013-1379 CVE-2013-1380 CVE-2013-2555 Affected Products: SUSE Linux Enterprise Desktop 10 SP4 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. It includes one version update. Description: Adobe Flash Player has been updated to 11.2.202.280 to fix various bugs and security issues. 
More information can be found on: http://www.adobe.com/support/security/bulletins/apsb13-11.html * APSB13-11, CVE-2013-1378, CVE-2013-1379, CVE-2013-1380, CVE-2013-2555 Security Issue references: * CVE-2013-1378 * CVE-2013-1379 * CVE-2013-1380 * CVE-2013-2555 Package List: - SUSE Linux Enterprise Desktop 10 SP4 (i586) [New Version: 11.2.202.280]: flash-player-11.2.202.280-0.5.1 References: http://support.novell.com/security/cve/CVE-2013-1378.html http://support.novell.com/security/cve/CVE-2013-1379.html http://support.novell.com/security/cve/CVE-2013-1380.html http://support.novell.com/security/cve/CVE-2013-2555.html https://bugzilla.novell.com/814635 http://download.novell.com/patch/finder/?keywords=43a0afb56e4fabafdd73f008f7cc5db2 From sle-security-updates at lists.suse.com Fri Apr 12 17:04:37 2013 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Sat, 13 Apr 2013 01:04:37 +0200 (CEST) Subject: SUSE-SU-2013:0674-1: important: Security update for Linux kernel Message-ID: <20130412230437.4230632257@maintenance.suse.de> SUSE Security Update: Security update for Linux kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0674-1 Rating: important References: #742111 #765687 #769093 #770980 #776370 #781485 #785101 #786013 #787272 #789012 #790236 #792697 #795075 #795335 #797175 #799611 #800280 #801178 #802642 #804154 #809692 Cross-References: CVE-2012-4530 CVE-2013-0160 CVE-2013-0216 CVE-2013-0231 CVE-2013-0268 CVE-2013-0871 Affected Products: SUSE Linux Enterprise Server 10 SP4 SUSE Linux Enterprise Desktop 10 SP4 SLE SDK 10 SP4 ______________________________________________________________________________ An update that solves 6 vulnerabilities and has 15 fixes is now available. Description: This Linux kernel update fixes various security issues and bugs in the SUSE Linux Enterprise 10 SP4 kernel. 
   The following security issues have been fixed:

   * CVE-2013-0871: A race condition in ptrace(2) could be used by local
     attackers to crash the kernel and/or execute code in kernel context.
   * CVE-2013-0160: Avoid side channel information leaks from the ptys via
     ptmx, which allowed local attackers to guess keypresses.
   * CVE-2012-4530: Avoid leaving bprm->interp on the stack which might have
     leaked information from the kernel to userland attackers.
   * CVE-2013-0268: The msr_open function in arch/x86/kernel/msr.c in the
     Linux kernel allowed local users to bypass intended capability
     restrictions by executing a crafted application as root, as
     demonstrated by msr32.c.
   * CVE-2013-0216: The Xen netback functionality in the Linux kernel
     allowed guest OS users to cause a denial of service (loop) by
     triggering ring pointer corruption.
   * CVE-2013-0231: The pciback_enable_msi function in the PCI backend
     driver (drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the
     Linux kernel allowed guest OS users with PCI device access to cause a
     denial of service via a large number of kernel log messages. NOTE: some
     of these details are obtained from third party information.

   Also the following non-security bugs have been fixed:

   S/390:

   * s390x: tty struct used after free (bnc#809692, LTC#90216).
   * s390x/kernel: sched_clock() overflow (bnc#799611, LTC#87978).
   * qeth: set new mac even if old mac is gone (bnc#789012, LTC#86643).
   * qeth: set new mac even if old mac is gone (2) (bnc#792697, LTC#87138).
   * qeth: fix deadlock between recovery and bonding driver (bnc#785101, LTC#85905).
   * dasd: check count address during online setting (bnc#781485, LTC#85346).
   * hugetlbfs: add missing TLB invalidation (bnc#781485, LTC#85463).
   * s390/kernel: make user-access pagetable walk code huge page aware (bnc#781485, LTC#85455).

   XEN:

   * xen/netback: fix netbk_count_requests().
   * xen: properly bound buffer access when parsing cpu/availability.
   * xen/scsiback/usbback: move cond_resched() invocations to proper place.
   * xen/pciback: properly clean up after calling pcistub_device_find().
   * xen: add further backward-compatibility configure options.
   * xen/PCI: suppress bogus warning on old hypervisors.
   * xenbus: fix overflow check in xenbus_dev_write().
   * xen/x86: do not corrupt %eip when returning from a signal handler.

   Other:

   * kernel: Restrict clearing TIF_SIGPENDING (bnc#742111).
   * kernel: recalc_sigpending_tsk fixes (bnc#742111).
   * xfs: Do not reclaim new inodes in xfs_sync_inodes() (bnc#770980).
   * jbd: Avoid BUG_ON when checkpoint stalls (bnc#795335).
   * reiserfs: Fix int overflow while calculating free space (bnc#795075).
   * cifs: clarify the meaning of tcpStatus == CifsGood (bnc#769093).
   * cifs: do not allow cifs_reconnect to exit with NULL socket pointer (bnc#769093).
   * cifs: switch to seq_files (bnc#776370).
   * scsi: fix check of PQ and PDT bits for WLUNs (bnc#765687).
   * hugetlb: preserve hugetlb pte dirty state (bnc#790236).
   * poll: enforce RLIMIT_NOFILE in poll() (bnc#787272).
   * proc: fix ->open less usage due to ->proc_fops flip (bnc#776370).
   * rpm/kernel-binary.spec.in: Ignore kabi errors if %%ignore_kabi_badness
     is defined. This is used in the Kernel:* projects in the OBS.

Security Issue references:

   * CVE-2012-4530
   * CVE-2013-0160
   * CVE-2013-0216
   * CVE-2013-0231
   * CVE-2013-0268
   * CVE-2013-0871

Indications:

   Everyone using the Linux Kernel on x86_64 architecture should update.

Special Instructions and Notes:

   Please reboot the system after installing this update.
Package List:

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):

      kernel-default-2.6.16.60-0.101.1
      kernel-source-2.6.16.60-0.101.1
      kernel-syms-2.6.16.60-0.101.1

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 x86_64):

      kernel-debug-2.6.16.60-0.101.1

   - SUSE Linux Enterprise Server 10 SP4 (i586 ppc x86_64):

      kernel-kdump-2.6.16.60-0.101.1

   - SUSE Linux Enterprise Server 10 SP4 (i586 x86_64):

      kernel-smp-2.6.16.60-0.101.1
      kernel-xen-2.6.16.60-0.101.1

   - SUSE Linux Enterprise Server 10 SP4 (i586):

      kernel-bigsmp-2.6.16.60-0.101.1
      kernel-kdumppae-2.6.16.60-0.101.1
      kernel-vmi-2.6.16.60-0.101.1
      kernel-vmipae-2.6.16.60-0.101.1
      kernel-xenpae-2.6.16.60-0.101.1

   - SUSE Linux Enterprise Server 10 SP4 (ppc):

      kernel-iseries64-2.6.16.60-0.101.1
      kernel-ppc64-2.6.16.60-0.101.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):

      kernel-default-2.6.16.60-0.101.1
      kernel-smp-2.6.16.60-0.101.1
      kernel-source-2.6.16.60-0.101.1
      kernel-syms-2.6.16.60-0.101.1
      kernel-xen-2.6.16.60-0.101.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586):

      kernel-bigsmp-2.6.16.60-0.101.1
      kernel-xenpae-2.6.16.60-0.101.1

   - SLE SDK 10 SP4 (i586 ia64 x86_64):

      kernel-debug-2.6.16.60-0.101.1

   - SLE SDK 10 SP4 (i586 ppc x86_64):

      kernel-kdump-2.6.16.60-0.101.1

   - SLE SDK 10 SP4 (i586 x86_64):

      kernel-xen-2.6.16.60-0.101.1

   - SLE SDK 10 SP4 (i586):

      kernel-xenpae-2.6.16.60-0.101.1

References:

   http://support.novell.com/security/cve/CVE-2012-4530.html
   http://support.novell.com/security/cve/CVE-2013-0160.html
   http://support.novell.com/security/cve/CVE-2013-0216.html
   http://support.novell.com/security/cve/CVE-2013-0231.html
   http://support.novell.com/security/cve/CVE-2013-0268.html
   http://support.novell.com/security/cve/CVE-2013-0871.html
   https://bugzilla.novell.com/742111
   https://bugzilla.novell.com/765687
   https://bugzilla.novell.com/769093
   https://bugzilla.novell.com/770980
   https://bugzilla.novell.com/776370
   https://bugzilla.novell.com/781485
   https://bugzilla.novell.com/785101
   https://bugzilla.novell.com/786013
   https://bugzilla.novell.com/787272
   https://bugzilla.novell.com/789012
   https://bugzilla.novell.com/790236
   https://bugzilla.novell.com/792697
   https://bugzilla.novell.com/795075
   https://bugzilla.novell.com/795335
   https://bugzilla.novell.com/797175
   https://bugzilla.novell.com/799611
   https://bugzilla.novell.com/800280
   https://bugzilla.novell.com/801178
   https://bugzilla.novell.com/802642
   https://bugzilla.novell.com/804154
   https://bugzilla.novell.com/809692
   http://download.novell.com/patch/finder/?keywords=2b51bf3e02179f8f70c7b2ada2571a2d
   http://download.novell.com/patch/finder/?keywords=7cf4de409b28c5f187bc1e9f71ccd64f
   http://download.novell.com/patch/finder/?keywords=ac5626f6e7f483c6dac1cc5fe253fcf9
   http://download.novell.com/patch/finder/?keywords=ba0e542087a9075aed8c17a29d5f1cb8
   http://download.novell.com/patch/finder/?keywords=dba6fc0fdae22199ec260695a6d2179e

From sle-security-updates at lists.suse.com Mon Apr 15 13:04:22 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 15 Apr 2013 21:04:22 +0200 (CEST)
Subject: SUSE-SU-2013:0549-2: moderate: Security update for OpenSSL
Message-ID: <20130415190422.D428532260@maintenance.suse.de>

   SUSE Security Update: Security update for OpenSSL
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0549-2
Rating:             moderate
References:         #779952 #802648 #802746
Cross-References:   CVE-2013-0166 CVE-2013-0169
Affected Products:
                    SUSE Linux Enterprise Server 10 SP3 LTSS
______________________________________________________________________________

   An update that solves two vulnerabilities and has one errata is now
   available.

Description:

   OpenSSL has been updated to fix several security issues:

   * CVE-2012-4929: Avoid the openssl CRIME attack by disabling SSL
     compression by default. Setting the environment variable
     "OPENSSL_NO_DEFAULT_ZLIB" to "no" enables compression again.
   * CVE-2013-0169: Timing attacks against TLS could be used by physically
     local attackers to gain access to transmitted plain text or private
     key material. This issue is also known as the "Lucky-13" issue.
   * CVE-2013-0166: An OCSP invalid key denial of service issue was fixed.

Security Issue references:

   * CVE-2013-0169
   * CVE-2013-0166

Package List:

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):

      openssl-0.9.8a-18.45.69.1
      openssl-devel-0.9.8a-18.45.69.1
      openssl-doc-0.9.8a-18.45.69.1

   - SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64):

      openssl-32bit-0.9.8a-18.45.69.1
      openssl-devel-32bit-0.9.8a-18.45.69.1

References:

   http://support.novell.com/security/cve/CVE-2013-0166.html
   http://support.novell.com/security/cve/CVE-2013-0169.html
   https://bugzilla.novell.com/779952
   https://bugzilla.novell.com/802648
   https://bugzilla.novell.com/802746
   http://download.novell.com/patch/finder/?keywords=c554034a3af450bcfad676917143134b

From sle-security-updates at lists.suse.com Wed Apr 17 12:04:25 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 17 Apr 2013 20:04:25 +0200 (CEST)
Subject: SUSE-SU-2013:0696-1: moderate: Security update for dhcp
Message-ID: <20130417180425.99EC932261@maintenance.suse.de>

   SUSE Security Update: Security update for dhcp
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0696-1
Rating:             moderate
References:         #783002 #811934
Cross-References:   CVE-2013-2266
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now
   available. It includes one version update.
Description:

   The ISC DHCP server had a denial of service issue in handling specific
   DDNS requests which could cause an out of memory usage situation.
   (CVE-2013-2266)

   This update also adds a dhcp6-server service template for SuSEfirewall2
   (bnc#783002).

Security Issues:

   * CVE-2013-2266

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-dhcp-7571

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-dhcp-7571

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-dhcp-7571

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp2-dhcp-7571

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 4.2.4.P2]:

      dhcp-devel-4.2.4.P2-0.11.13.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 4.2.4.P2]:

      dhcp-4.2.4.P2-0.11.13.1
      dhcp-client-4.2.4.P2-0.11.13.1
      dhcp-relay-4.2.4.P2-0.11.13.1
      dhcp-server-4.2.4.P2-0.11.13.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 4.2.4.P2]:

      dhcp-4.2.4.P2-0.11.13.1
      dhcp-client-4.2.4.P2-0.11.13.1
      dhcp-relay-4.2.4.P2-0.11.13.1
      dhcp-server-4.2.4.P2-0.11.13.1

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 4.2.4.P2]:

      dhcp-4.2.4.P2-0.11.13.1
      dhcp-client-4.2.4.P2-0.11.13.1

References:

   http://support.novell.com/security/cve/CVE-2013-2266.html
   https://bugzilla.novell.com/783002
   https://bugzilla.novell.com/811934
   http://download.novell.com/patch/finder/?keywords=2cf22668be5ed5e6cda7436a867d8b3f

From sle-security-updates at lists.suse.com Wed Apr 17 13:04:24 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 17 Apr 2013 21:04:24 +0200 (CEST)
Subject: SUSE-SU-2013:0697-1: moderate: Security update for
 telepathy-gabble
Message-ID: <20130417190424.5DB6B32261@maintenance.suse.de>

   SUSE Security Update: Security update for telepathy-gabble
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0697-1
Rating:             moderate
References:         #807449
Cross-References:   CVE-2013-1769
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   telepathy-gabble was updated to fix several remotely-triggerable NULL
   crashes (CVE-2013-1769).

Security Issues:

   * CVE-2013-1769

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-telepathy-gabble-7506

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp2-telepathy-gabble-7506

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 x86_64):

      telepathy-gabble-0.7.10-2.19.1

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):

      telepathy-gabble-0.7.10-2.19.1

References:

   http://support.novell.com/security/cve/CVE-2013-1769.html
   https://bugzilla.novell.com/807449
   http://download.novell.com/patch/finder/?keywords=614b16ae78d9d84168b5fabf584615a9

From sle-security-updates at lists.suse.com Thu Apr 18 11:04:36 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 18 Apr 2013 19:04:36 +0200 (CEST)
Subject: SUSE-SU-2013:0701-1: important: Security update for java-1_7_0-ibm
Message-ID: <20130418170436.A8C1C3225C@maintenance.suse.de>

   SUSE Security Update: Security update for java-1_7_0-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0701-1
Rating:             important
References:         #813939
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Java 11 SP2
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   IBM Java 7 was updated to SR4-FP1, fixing bugs and security issues.

   More information can be found on:
   http://www.ibm.com/developerworks/java/jdk/alerts/
   and on:
   http://www.ibm.com/developerworks/java/jdk/aix/j764/Java7_64.fixes.html#SR4FP1

Security Issues:

   * CVE-2013-0485
   * CVE-2013-0809
   * CVE-2013-1493
   * CVE-2013-0169

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-java-1_7_0-ibm-7623

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-java-1_7_0-ibm-7623

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-java-1_7_0-ibm-7623

   - SUSE Linux Enterprise Java 11 SP2:

      zypper in -t patch slejsp2-java-1_7_0-ibm-7623

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ppc64 s390x x86_64):

      java-1_7_0-ibm-devel-1.7.0_sr4.1-0.5.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):

      java-1_7_0-ibm-1.7.0_sr4.1-0.5.1
      java-1_7_0-ibm-jdbc-1.7.0_sr4.1-0.5.1
      java-1_7_0-ibm-plugin-1.7.0_sr4.1-0.5.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586):

      java-1_7_0-ibm-alsa-1.7.0_sr4.1-0.5.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ppc64 s390x x86_64):

      java-1_7_0-ibm-1.7.0_sr4.1-0.5.1
      java-1_7_0-ibm-jdbc-1.7.0_sr4.1-0.5.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 x86_64):

      java-1_7_0-ibm-plugin-1.7.0_sr4.1-0.5.1

   - SUSE Linux Enterprise Server 11 SP2 (i586):

      java-1_7_0-ibm-alsa-1.7.0_sr4.1-0.5.1

   - SUSE Linux Enterprise Java 11 SP2 (i586 ppc64 s390x x86_64):

      java-1_7_0-ibm-1.7.0_sr4.1-0.5.1
      java-1_7_0-ibm-devel-1.7.0_sr4.1-0.5.1
      java-1_7_0-ibm-jdbc-1.7.0_sr4.1-0.5.1

   - SUSE Linux Enterprise Java 11 SP2 (i586 x86_64):

      java-1_7_0-ibm-alsa-1.7.0_sr4.1-0.5.1
      java-1_7_0-ibm-plugin-1.7.0_sr4.1-0.5.1

References:

   https://bugzilla.novell.com/813939
   http://download.novell.com/patch/finder/?keywords=f7dbe2a771e408bfd6c779f9db1f8683

From sle-security-updates at lists.suse.com Mon Apr 22 13:04:27 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 22 Apr 2013 21:04:27 +0200 (CEST)
Subject: SUSE-SU-2013:0549-3: moderate: Security update for OpenSSL
Message-ID: <20130422190427.F19EF32261@maintenance.suse.de>

   SUSE Security Update: Security update for OpenSSL
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0549-3
Rating:             moderate
References:         #779952 #802648 #802746
Cross-References:   CVE-2013-0166 CVE-2013-0169
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 for VMware LTSS
                    SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________

   An update that solves two vulnerabilities and has one errata is now
   available. It includes one version update.

Description:

   OpenSSL has been updated to fix several security issues:

   * CVE-2012-4929: Avoid the openssl CRIME attack by disabling SSL
     compression by default. Setting the environment variable
     "OPENSSL_NO_DEFAULT_ZLIB" to "no" enables compression again.
   * CVE-2013-0169: Timing attacks against TLS could be used by physically
     local attackers to gain access to transmitted plain text or private
     key material. This issue is also known as the "Lucky-13" issue.
   * CVE-2013-0166: An OCSP invalid key denial of service issue was fixed.

Security Issue references:

   * CVE-2013-0169
   * CVE-2013-0166

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS:

      zypper in -t patch slessp1-libopenssl-devel-7564

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-libopenssl-devel-7564

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS (i586 x86_64) [New Version: 0.9.8j]:

      libopenssl0_9_8-0.9.8j-0.50.1
      libopenssl0_9_8-hmac-0.9.8j-0.50.1
      openssl-0.9.8j-0.50.1
      openssl-doc-0.9.8j-0.50.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS (x86_64) [New Version: 0.9.8j]:

      libopenssl0_9_8-32bit-0.9.8j-0.50.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 0.9.8j]:

      libopenssl0_9_8-0.9.8j-0.50.1
      libopenssl0_9_8-hmac-0.9.8j-0.50.1
      openssl-0.9.8j-0.50.1
      openssl-doc-0.9.8j-0.50.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64) [New Version: 0.9.8j]:

      libopenssl0_9_8-32bit-0.9.8j-0.50.1
      libopenssl0_9_8-hmac-32bit-0.9.8j-0.50.1

References:

   http://support.novell.com/security/cve/CVE-2013-0166.html
   http://support.novell.com/security/cve/CVE-2013-0169.html
   https://bugzilla.novell.com/779952
   https://bugzilla.novell.com/802648
   https://bugzilla.novell.com/802746
   http://download.novell.com/patch/finder/?keywords=ffd2313ed884ceca393f1e800ab93e0f

From sle-security-updates at lists.suse.com Mon Apr 22 13:04:32 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 22 Apr 2013 21:04:32 +0200 (CEST)
Subject: SUSE-SU-2013:0706-1: moderate: Security update for apache2-mod_security2
Message-ID: <20130422190432.4CF8A27FFB@maintenance.suse.de>

   SUSE Security Update: Security update for apache2-mod_security2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0706-1
Rating:             moderate
References:         #768293 #789393 #811624 #813190
Cross-References:   CVE-2012-4528 CVE-2013-1915
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
______________________________________________________________________________

   An update that solves two vulnerabilities and has two fixes is now
   available. It includes one version update.

Description:

   apache2-mod_security2 has been updated to Version 2.7.1. (FATE#309433).
   It contains a lot of bug and security fixes and also new features.

   * version upgrade to 2.7.1. [fate#309433]
   * fix for [bnc#813190] CVE-2013-1915: Vulnerable to XXE attacks
   * fix for [bnc#768293]: multi-part bypass; This minor security threat is
     not mediated by the old version, and the corresponding configuration
     directives are not present there.
   * new configuration framework private to mod_security2:
     /etc/apache2/conf.d/mod_security2.conf loads
     /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf,
     then /etc/apache2/mod_security2.d/*.conf, as set up based on advice in
     /etc/apache2/conf.d/mod_security2.conf
   * New from 2.5.6 to 2.7.1 (excerpt, the most important changes):
     o GPLv2 replaced by Apache License v2
     o rules are not part of the source tarball any longer, but maintained
       upstream externally, and included in this package.
     o documentation was externalized to a wiki. Package contains the FAQ
       and the reference manual in html form.
     o renamed the term "Encryption" in directives that actually refer to
       hashes. See CHANGES file for more details.
     o byte conversion issues on s390x when logging fixed.
     o many small issues fixed that were discovered by a Coverity scanner
     o updated reference manual
     o wrong time calculation when logging for some timezones fixed.
     o replaced time-measuring mechanism with finer granularity for
       measured request/answer phases. (Stopwatch remains for compat.)
     o cookie parser memory leak fix
     o parsing of quoted strings in multipart Content-Disposition headers
       fixed.
   * apache2-mod_security2-CVE-2009-5031_CVE-2012-2751.diff: 2 CVE IDs for
     the same issue that was incompletely fixed in 2009. Fix for improper
     handling of quotes of request parameter values in the
     Content-Disposition field of a request with a multipart/form-data
     Content-Type header. This is CVE-2009-5031 and CVE-2012-2751.
     [bnc#768293]

   Please note that both mod_security2 and mod_unique_id (which is required
   by mod_security2) modules need to be enabled at the same time.
   [bnc#811624]

Security Issue references:

   * CVE-2012-4528
   * CVE-2013-1915

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-apache2-mod_security2-7606

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 2.7.1]:

      apache2-mod_security2-2.7.1-0.2.12.1

References:

   http://support.novell.com/security/cve/CVE-2012-4528.html
   http://support.novell.com/security/cve/CVE-2013-1915.html
   https://bugzilla.novell.com/768293
   https://bugzilla.novell.com/789393
   https://bugzilla.novell.com/811624
   https://bugzilla.novell.com/813190
   http://download.novell.com/patch/finder/?keywords=e34478a88c1cc9a22674b27f59b84c88

From sle-security-updates at lists.suse.com Mon Apr 22 16:04:56 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 23 Apr 2013 00:04:56 +0200 (CEST)
Subject: SUSE-SU-2013:0707-1: moderate: Security update for Ruby on Rails
Message-ID: <20130422220456.BBB3432260@maintenance.suse.de>

   SUSE Security Update: Security update for Ruby on Rails
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0707-1
Rating:             moderate
References:         #809932 #809935 #809940
Cross-References:   CVE-2013-1854
Affected Products:
                    WebYaST 1.2
                    SUSE Studio Standard Edition 1.2
                    SUSE Studio Onsite 1.2
                    SUSE Studio Extension for System z 1.2
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Cloud 1.0
______________________________________________________________________________

   An update that solves one vulnerability and has two fixes is now
   available. It includes one version update.
Description:

   The Ruby on Rails 2.3 stack received security fixes for the following
   issues:

   ActionPack:

   * CVE-2013-1855: An XSS vulnerability in sanitize_css in Action Pack was
     fixed (bnc#809935).
   * CVE-2013-1857: An XSS vulnerability in the sanitize helper of Ruby on
     Rails was fixed (bnc#809940).

   ActiveRecord:

   * CVE-2013-1854: A Symbol DoS vulnerability in Active Record was fixed
     (bnc#809932).

   ActiveSupport:

   * CVE-2013-1854: A Symbol DoS vulnerability in Active Record was fixed
     (bnc#809932).

Security Issue reference:

   * CVE-2013-1854

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - WebYaST 1.2:

      zypper in -t patch slewyst12-rubyrails-2_3-201304-7590

   - SUSE Studio Standard Edition 1.2:

      zypper in -t patch sleslms12-rubyrails-2_3-201304-7590

   - SUSE Studio Onsite 1.2:

      zypper in -t patch slestso12-rubyrails-2_3-201304-7590

   - SUSE Studio Extension for System z 1.2:

      zypper in -t patch slestso12-rubyrails-2_3-201304-7590

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-rubyrails-2_3-201304-7589

   - SUSE Cloud 1.0:

      zypper in -t patch sleclo10sp2-rubyrails-2_3-201304-7589

   To bring your system up-to-date, use "zypper patch".

Package List:

   - WebYaST 1.2 (i586 ia64 ppc64 s390x x86_64) [New Version: 2.3.17]:

      rubygem-actionpack-2_3-2.3.17-0.8.8.1
      rubygem-activerecord-2_3-2.3.17-0.8.8.1
      rubygem-activesupport-2_3-2.3.17-0.8.8.1

   - SUSE Studio Standard Edition 1.2 (x86_64) [New Version: 2.3.17]:

      rubygem-actionpack-2_3-2.3.17-0.8.8.1
      rubygem-activerecord-2_3-2.3.17-0.8.8.1
      rubygem-activesupport-2_3-2.3.17-0.8.8.1

   - SUSE Studio Onsite 1.2 (x86_64) [New Version: 2.3.17]:

      rubygem-actionpack-2_3-2.3.17-0.8.8.1
      rubygem-activerecord-2_3-2.3.17-0.8.8.1
      rubygem-activesupport-2_3-2.3.17-0.8.8.1

   - SUSE Studio Extension for System z 1.2 (s390x) [New Version: 2.3.17]:

      rubygem-actionpack-2_3-2.3.17-0.8.8.1
      rubygem-activerecord-2_3-2.3.17-0.8.8.1
      rubygem-activesupport-2_3-2.3.17-0.8.8.1

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 2.3.17]:

      rubygem-actionpack-2_3-2.3.17-0.11.1
      rubygem-activerecord-2_3-2.3.17-0.11.1
      rubygem-activesupport-2_3-2.3.17-0.11.1

   - SUSE Cloud 1.0 (x86_64) [New Version: 2.3.17]:

      rubygem-actionpack-2_3-2.3.17-0.11.1
      rubygem-activerecord-2_3-2.3.17-0.11.1
      rubygem-activesupport-2_3-2.3.17-0.11.1

References:

   http://support.novell.com/security/cve/CVE-2013-1854.html
   https://bugzilla.novell.com/809932
   https://bugzilla.novell.com/809935
   https://bugzilla.novell.com/809940
   http://download.novell.com/patch/finder/?keywords=087db4f44aa8af9e31e72ca7a4471ed7
   http://download.novell.com/patch/finder/?keywords=e752b41dd60e41af5879ea236b7914bf

From sle-security-updates at lists.suse.com Tue Apr 23 08:04:36 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 23 Apr 2013 16:04:36 +0200 (CEST)
Subject: SUSE-SU-2013:0709-1: moderate: Security update for stunnel
Message-ID: <20130423140436.B636C32263@maintenance.suse.de>

   SUSE Security Update: Security update for stunnel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0709-1
Rating:             moderate
References:         #807450
Cross-References:   CVE-2013-1762
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for stunnel fixes a buffer overflow vulnerability caused by
   incorrect integer conversion in the NTLM authentication of the CONNECT
   protocol negotiation (CVE-2013-1762).

Security Issue reference:

   * CVE-2013-1762

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-stunnel-7449

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-stunnel-7449

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):

      stunnel-4.36-0.12.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      stunnel-4.36-0.12.1

References:

   http://support.novell.com/security/cve/CVE-2013-1762.html
   https://bugzilla.novell.com/807450
   http://download.novell.com/patch/finder/?keywords=d4d9d09581bebf8f5c331b5aa4d23c88

From sle-security-updates at lists.suse.com Tue Apr 23 13:04:24 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 23 Apr 2013 21:04:24 +0200 (CEST)
Subject: SUSE-SU-2013:0710-1: important: Security update for IBM Java
Message-ID: <20130423190424.6FDCD3213E@maintenance.suse.de>

   SUSE Security Update: Security update for IBM Java
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0710-1
Rating:             important
References:         #809321 #813939
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Java 11 SP2
                    SUSE Linux Enterprise Java 10 SP4
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   IBM Java 1.4.2 has been updated to SR13 FP16 which fixes bugs and
   security issues.

   More information can be found on:
   http://www.ibm.com/developerworks/java/jdk/alerts/
   and on:
   https://www.ibm.com/developerworks/java/jdk/aix/142_64/fixes.html#SR13FP16

   CVEs fixed: CVE-2013-0485, CVE-2013-0809, CVE-2013-1493

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-java-1_4_2-ibm-7618

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-java-1_4_2-ibm-7618

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-java-1_4_2-ibm-7618

   - SUSE Linux Enterprise Java 11 SP2:

      zypper in -t patch slejsp2-java-1_4_2-ibm-7618

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      java-1_4_2-ibm-devel-1.4.2_sr13.16-0.2.1

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 x86_64):

      java-1_4_2-ibm-1.4.2_sr13.16-0.2.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):

      java-1_4_2-ibm-1.4.2_sr13.16-0.2.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586):

      java-1_4_2-ibm-jdbc-1.4.2_sr13.16-0.2.1
      java-1_4_2-ibm-plugin-1.4.2_sr13.16-0.2.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      java-1_4_2-ibm-1.4.2_sr13.16-0.2.1

   - SUSE Linux Enterprise Server 11 SP2 (i586):

      java-1_4_2-ibm-jdbc-1.4.2_sr13.16-0.2.1
      java-1_4_2-ibm-plugin-1.4.2_sr13.16-0.2.1

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):

      java-1_4_2-ibm-1.4.2_sr13.16-0.5.1
      java-1_4_2-ibm-devel-1.4.2_sr13.16-0.5.1

   - SUSE Linux Enterprise Server 10 SP4 (i586 ppc):

      java-1_4_2-ibm-jdbc-1.4.2_sr13.16-0.5.1

   - SUSE Linux Enterprise Server 10 SP4 (i586):

      java-1_4_2-ibm-plugin-1.4.2_sr13.16-0.5.1

   - SUSE Linux Enterprise Java 11 SP2 (i586 ppc64 s390x x86_64):

      java-1_4_2-ibm-1.4.2_sr13.16-0.2.1

   - SUSE Linux Enterprise Java 11 SP2 (i586):

      java-1_4_2-ibm-jdbc-1.4.2_sr13.16-0.2.1
      java-1_4_2-ibm-plugin-1.4.2_sr13.16-0.2.1

   - SUSE Linux Enterprise Java 10 SP4 (i586 ia64 ppc s390x x86_64):

      java-1_4_2-ibm-1.4.2_sr13.16-0.5.1
      java-1_4_2-ibm-devel-1.4.2_sr13.16-0.5.1

   - SUSE Linux Enterprise Java 10 SP4 (i586 ppc):

      java-1_4_2-ibm-jdbc-1.4.2_sr13.16-0.5.1

   - SUSE Linux Enterprise Java 10 SP4 (i586):

      java-1_4_2-ibm-plugin-1.4.2_sr13.16-0.5.1

References:

   https://bugzilla.novell.com/809321
   https://bugzilla.novell.com/813939
   http://download.novell.com/patch/finder/?keywords=2a81d052caa79801cec9cd0150025540
   http://download.novell.com/patch/finder/?keywords=7a55fbf728115132117fd64c8347049a

From sle-security-updates at lists.suse.com Tue Apr 23 14:04:33 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 23 Apr 2013 22:04:33 +0200 (CEST)
Subject: SUSE-SU-2013:0633-2: important: Security update for PostgreSQL
Message-ID: <20130423200433.981A432251@maintenance.suse.de>

   SUSE Security Update: Security update for PostgreSQL
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0633-2
Rating:             important
References:         #812525
Cross-References:   CVE-2013-1899 CVE-2013-1900 CVE-2013-1901
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 for VMware LTSS
                    SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available. It includes
   one version update.

Description:

   This update of PostgreSQL to version 9.1.9 fixes:

   * CVE-2013-1899: Fix insecure parsing of server command-line switches.
   * CVE-2013-1900: Reset OpenSSL randomness state in each postmaster child
     process.
   * CVE-2013-1901: Make REPLICATION privilege checks test current user not
     authenticated user.

Security Issue references:

   * CVE-2013-1899
   * CVE-2013-1900
   * CVE-2013-1901

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS:

      zypper in -t patch slessp1-libecpg6-7601

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-libecpg6-7601

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS (i586 x86_64) [New Version: 9.1.9]:

      libecpg6-9.1.9-0.3.1
      libpq5-9.1.9-0.3.1
      postgresql91-9.1.9-0.3.1
      postgresql91-contrib-9.1.9-0.3.1
      postgresql91-docs-9.1.9-0.3.1
      postgresql91-server-9.1.9-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS (x86_64) [New Version: 9.1.9]:

      libpq5-32bit-9.1.9-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 9.1.9]:

      libecpg6-9.1.9-0.3.1
      libpq5-9.1.9-0.3.1
      postgresql91-9.1.9-0.3.1
      postgresql91-contrib-9.1.9-0.3.1
      postgresql91-docs-9.1.9-0.3.1
      postgresql91-server-9.1.9-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64) [New Version: 9.1.9]:

      libpq5-32bit-9.1.9-0.3.1

References:

   http://support.novell.com/security/cve/CVE-2013-1899.html
   http://support.novell.com/security/cve/CVE-2013-1900.html
   http://support.novell.com/security/cve/CVE-2013-1901.html
   https://bugzilla.novell.com/812525
   http://download.novell.com/patch/finder/?keywords=6a0c9dcd9511dbcaec90c28d67b514e8

From sle-security-updates at lists.suse.com  Tue Apr 23 14:04:37 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 23 Apr 2013 22:04:37 +0200 (CEST)
Subject: SUSE-SU-2013:0701-2: important: Security update for java-1_6_0-ibm
Message-ID: <20130423200437.51E3D32251@maintenance.suse.de>

   SUSE Security Update: Security update for java-1_6_0-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0701-2
Rating:             important
References:         #813939
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Java 11 SP2
                    SUSE Linux Enterprise Java 10 SP4
                    SUSE Linux Enterprise Desktop 10 SP4
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   IBM Java 6 was updated to SR13 FP1, fixing bugs and security issues.

   More information can be found on:
   http://www.ibm.com/developerworks/java/jdk/alerts/
   and on:
   http://www.ibm.com/developerworks/java/jdk/aix/j664/Java6_64.fixes.html#SR13FP1

   Security issues:

   - CVE-2013-0485
   - CVE-2013-0809
   - CVE-2013-1493
   - CVE-2013-0169

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-java-1_6_0-ibm-7627

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-java-1_6_0-ibm-7627

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-java-1_6_0-ibm-7627

   - SUSE Linux Enterprise Java 11 SP2:

      zypper in -t patch slejsp2-java-1_6_0-ibm-7627

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ppc64 s390x x86_64):

      java-1_6_0-ibm-devel-1.6.0_sr13.1-0.9.1

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 x86_64):

      java-1_6_0-ibm-1.6.0_sr13.1-0.9.1
      java-1_6_0-ibm-fonts-1.6.0_sr13.1-0.9.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):

      java-1_6_0-ibm-1.6.0_sr13.1-0.9.1
      java-1_6_0-ibm-fonts-1.6.0_sr13.1-0.9.1
      java-1_6_0-ibm-jdbc-1.6.0_sr13.1-0.9.1
      java-1_6_0-ibm-plugin-1.6.0_sr13.1-0.9.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586):

      java-1_6_0-ibm-alsa-1.6.0_sr13.1-0.9.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ppc64 s390x x86_64):

      java-1_6_0-ibm-1.6.0_sr13.1-0.9.1
      java-1_6_0-ibm-fonts-1.6.0_sr13.1-0.9.1
      java-1_6_0-ibm-jdbc-1.6.0_sr13.1-0.9.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 x86_64):

      java-1_6_0-ibm-plugin-1.6.0_sr13.1-0.9.1

   - SUSE Linux Enterprise Server 11 SP2 (i586):

      java-1_6_0-ibm-alsa-1.6.0_sr13.1-0.9.1

   - SUSE Linux Enterprise Server 10 SP4 (i586 ppc s390x x86_64):

      java-1_5_0-ibm-1.5.0_sr16.1-0.5.1
      java-1_5_0-ibm-devel-1.5.0_sr16.1-0.5.1
      java-1_5_0-ibm-fonts-1.5.0_sr16.1-0.5.1
      java-1_6_0-ibm-1.6.0_sr13.1-0.14.1
      java-1_6_0-ibm-devel-1.6.0_sr13.1-0.14.1
      java-1_6_0-ibm-fonts-1.6.0_sr13.1-0.14.1
      java-1_6_0-ibm-jdbc-1.6.0_sr13.1-0.14.1

   - SUSE Linux Enterprise Server 10 SP4 (i586 ppc x86_64):

      java-1_6_0-ibm-plugin-1.6.0_sr13.1-0.14.1

   - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64):

      java-1_5_0-ibm-32bit-1.5.0_sr16.1-0.5.1
      java-1_5_0-ibm-devel-32bit-1.5.0_sr16.1-0.5.1
      java-1_6_0-ibm-32bit-1.6.0_sr13.1-0.14.1
      java-1_6_0-ibm-devel-32bit-1.6.0_sr13.1-0.14.1

   - SUSE Linux Enterprise Server 10 SP4 (i586 ppc):

      java-1_5_0-ibm-jdbc-1.5.0_sr16.1-0.5.1
      java-1_5_0-ibm-plugin-1.5.0_sr16.1-0.5.1

   - SUSE Linux Enterprise Server 10 SP4 (x86_64):

      java-1_5_0-ibm-alsa-32bit-1.5.0_sr16.1-0.5.1
      java-1_6_0-ibm-alsa-32bit-1.6.0_sr13.1-0.14.1
      java-1_6_0-ibm-plugin-32bit-1.6.0_sr13.1-0.14.1

   - SUSE Linux Enterprise Server 10 SP4 (i586):

      java-1_5_0-ibm-alsa-1.5.0_sr16.1-0.5.1
      java-1_6_0-ibm-alsa-1.6.0_sr13.1-0.14.1

   - SUSE Linux Enterprise Server 10 SP4 (ppc):

      java-1_5_0-ibm-64bit-1.5.0_sr16.1-0.5.1
      java-1_6_0-ibm-64bit-1.6.0_sr13.1-0.14.1

   - SUSE Linux Enterprise Java 11 SP2 (i586 ppc64 s390x x86_64):

      java-1_6_0-ibm-1.6.0_sr13.1-0.9.1
      java-1_6_0-ibm-devel-1.6.0_sr13.1-0.9.1
      java-1_6_0-ibm-fonts-1.6.0_sr13.1-0.9.1
      java-1_6_0-ibm-jdbc-1.6.0_sr13.1-0.9.1

   - SUSE Linux Enterprise Java 11 SP2 (i586 x86_64):

      java-1_6_0-ibm-plugin-1.6.0_sr13.1-0.9.1

   - SUSE Linux Enterprise Java 11 SP2 (i586):

      java-1_6_0-ibm-alsa-1.6.0_sr13.1-0.9.1

   - SUSE Linux Enterprise Java 10 SP4 (i586 ppc s390x x86_64):

      java-1_5_0-ibm-1.5.0_sr16.1-0.5.1
      java-1_5_0-ibm-devel-1.5.0_sr16.1-0.5.1
      java-1_5_0-ibm-fonts-1.5.0_sr16.1-0.5.1

   - SUSE Linux Enterprise Java 10 SP4 (x86_64):

      java-1_6_0-ibm-1.6.0_sr13.1-0.14.1
      java-1_6_0-ibm-devel-1.6.0_sr13.1-0.14.1
      java-1_6_0-ibm-fonts-1.6.0_sr13.1-0.14.1
      java-1_6_0-ibm-jdbc-1.6.0_sr13.1-0.14.1
      java-1_6_0-ibm-plugin-1.6.0_sr13.1-0.14.1

   - SUSE Linux Enterprise Java 10 SP4 (ppc):

      java-1_5_0-ibm-jdbc-1.5.0_sr16.1-0.5.1
      java-1_5_0-ibm-plugin-1.5.0_sr16.1-0.5.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):

      java-1_5_0-ibm-1.5.0_sr16.1-0.5.1
      java-1_5_0-ibm-demo-1.5.0_sr16.1-0.5.1
      java-1_5_0-ibm-devel-1.5.0_sr16.1-0.5.1
      java-1_5_0-ibm-fonts-1.5.0_sr16.1-0.5.1
      java-1_5_0-ibm-src-1.5.0_sr16.1-0.5.1

   - SUSE Linux Enterprise Desktop 10 SP4 (x86_64):

      java-1_5_0-ibm-32bit-1.5.0_sr16.1-0.5.1
      java-1_5_0-ibm-alsa-32bit-1.5.0_sr16.1-0.5.1
      java-1_5_0-ibm-devel-32bit-1.5.0_sr16.1-0.5.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586):

      java-1_5_0-ibm-alsa-1.5.0_sr16.1-0.5.1
      java-1_5_0-ibm-jdbc-1.5.0_sr16.1-0.5.1
      java-1_5_0-ibm-plugin-1.5.0_sr16.1-0.5.1

References:

   https://bugzilla.novell.com/813939
   http://download.novell.com/patch/finder/?keywords=21fefcc00cce0e179e00b2e042716dd3
   http://download.novell.com/patch/finder/?keywords=5af9a7844c94f8453bb2fcbdd610b058
   http://download.novell.com/patch/finder/?keywords=68dff9a90877961ddadf162e06d37083

From sle-security-updates at lists.suse.com  Thu Apr 25 15:04:30 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 25 Apr 2013 23:04:30 +0200 (CEST)
Subject: SUSE-SU-2013:0713-1: moderate: Security update for OFED
Message-ID: <20130425210430.AF2D432257@maintenance.suse.de>

   SUSE Security Update: Security update for OFED
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0713-1
Rating:             moderate
References:         #767610
Cross-References:   CVE-2012-2372
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   rds-ping in the OFED stack could have triggered a kernel BUG, which
   could have caused a local denial of service attack. (CVE-2012-2372)

Security Issue reference:

   * CVE-2012-2372

Package List:

   - SUSE Linux Enterprise Server 10 SP4 (ia64 x86_64):

      ofed-1.5.2-0.14.3
      ofed-cxgb3-NIC-kmp-debug-1.5.2_2.6.16.60_0.99.38-0.14.2
      ofed-cxgb3-NIC-kmp-default-1.5.2_2.6.16.60_0.99.38-0.14.2
      ofed-doc-1.5.2-0.14.3
      ofed-kmp-debug-1.5.2_2.6.16.60_0.99.38-0.14.3
      ofed-kmp-default-1.5.2_2.6.16.60_0.99.38-0.14.3

   - SUSE Linux Enterprise Server 10 SP4 (i586 ppc):

      ofed-1.5.2-0.14.1
      ofed-cxgb3-NIC-kmp-default-1.5.2_2.6.16.60_0.99.36-0.14.1
      ofed-cxgb3-NIC-kmp-kdump-1.5.2_2.6.16.60_0.99.36-0.14.1
      ofed-doc-1.5.2-0.14.1
      ofed-kmp-default-1.5.2_2.6.16.60_0.99.36-0.14.1
      ofed-kmp-kdump-1.5.2_2.6.16.60_0.99.36-0.14.1

   - SUSE Linux Enterprise Server 10 SP4 (x86_64):

      ofed-cxgb3-NIC-kmp-kdump-1.5.2_2.6.16.60_0.99.38-0.14.2
      ofed-cxgb3-NIC-kmp-smp-1.5.2_2.6.16.60_0.99.38-0.14.2
      ofed-kmp-kdump-1.5.2_2.6.16.60_0.99.38-0.14.3
      ofed-kmp-smp-1.5.2_2.6.16.60_0.99.38-0.14.3

   - SUSE Linux Enterprise Server 10 SP4 (i586):

      ofed-cxgb3-NIC-kmp-bigsmp-1.5.2_2.6.16.60_0.99.36-0.14.1
      ofed-cxgb3-NIC-kmp-debug-1.5.2_2.6.16.60_0.99.36-0.14.1
      ofed-cxgb3-NIC-kmp-kdumppae-1.5.2_2.6.16.60_0.99.36-0.14.1
      ofed-cxgb3-NIC-kmp-smp-1.5.2_2.6.16.60_0.99.36-0.14.1
      ofed-cxgb3-NIC-kmp-vmi-1.5.2_2.6.16.60_0.99.36-0.14.1
      ofed-cxgb3-NIC-kmp-vmipae-1.5.2_2.6.16.60_0.99.36-0.14.1
      ofed-kmp-bigsmp-1.5.2_2.6.16.60_0.99.36-0.14.1
      ofed-kmp-debug-1.5.2_2.6.16.60_0.99.36-0.14.1
      ofed-kmp-kdumppae-1.5.2_2.6.16.60_0.99.36-0.14.1
      ofed-kmp-smp-1.5.2_2.6.16.60_0.99.36-0.14.1
      ofed-kmp-vmi-1.5.2_2.6.16.60_0.99.36-0.14.1
      ofed-kmp-vmipae-1.5.2_2.6.16.60_0.99.36-0.14.1

   - SUSE Linux Enterprise Server 10 SP4 (ppc):

      ofed-cxgb3-NIC-kmp-ppc64-1.5.2_2.6.16.60_0.99.36-0.14.1
      ofed-kmp-ppc64-1.5.2_2.6.16.60_0.99.36-0.14.1

   - SLE SDK 10 SP4 (ia64 x86_64):

      ofed-devel-1.5.2-0.14.3

   - SLE SDK 10 SP4 (i586 ppc):

      ofed-devel-1.5.2-0.14.1

References:

   http://support.novell.com/security/cve/CVE-2012-2372.html
   https://bugzilla.novell.com/767610
   http://download.novell.com/patch/finder/?keywords=b49853a37fed1bd24d9f0c87f66fc4d7

From sle-security-updates at lists.suse.com  Fri Apr 26 08:04:29 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 26 Apr 2013 16:04:29 +0200 (CEST)
Subject: SUSE-SU-2013:0714-1: moderate: Security update for wireshark
Message-ID: <20130426140429.C723432265@maintenance.suse.de>

   SUSE Security Update: Security update for wireshark
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0714-1
Rating:             moderate
References:         #807942
Cross-References:   CVE-2013-2475 CVE-2013-2476 CVE-2013-2477 CVE-2013-2478
                    CVE-2013-2479 CVE-2013-2480 CVE-2013-2481 CVE-2013-2482
                    CVE-2013-2483 CVE-2013-2484 CVE-2013-2485 CVE-2013-2486
                    CVE-2013-2487 CVE-2013-2488
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 11 SP2
                    SUSE Linux Enterprise Desktop 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

   An update that fixes 14 vulnerabilities is now available. It includes
   one version update.

Description:

   wireshark has been updated to 1.8.6 which fixes bugs and security
   issues:

   Vulnerabilities fixed:

   * The TCP dissector could crash. wnpa-sec-2013-10 CVE-2013-2475
   * The HART/IP dissector could go into an infinite loop.
     wnpa-sec-2013-11 CVE-2013-2476
   * The CSN.1 dissector could crash. wnpa-sec-2013-12 CVE-2013-2477
   * The MS-MMS dissector could crash. wnpa-sec-2013-13 CVE-2013-2478
   * The MPLS Echo dissector could go into an infinite loop.
     wnpa-sec-2013-14 CVE-2013-2479
   * The RTPS and RTPS2 dissectors could crash. wnpa-sec-2013-15
     CVE-2013-2480
   * The Mount dissector could crash. wnpa-sec-2013-16 CVE-2013-2481
   * The AMQP dissector could go into an infinite loop. wnpa-sec-2013-17
     CVE-2013-2482
   * The ACN dissector could attempt to divide by zero. wnpa-sec-2013-18
     CVE-2013-2483
   * The CIMD dissector could crash. wnpa-sec-2013-19 CVE-2013-2484
   * The FCSP dissector could go into an infinite loop. wnpa-sec-2013-20
     CVE-2013-2485
   * The RELOAD dissector could go into an infinite loop. wnpa-sec-2013-21
     CVE-2013-2486 CVE-2013-2487
   * The DTLS dissector could crash. wnpa-sec-2013-22 CVE-2013-2488

   More information about further bug fixes and updated protocol support
   is listed here:
   http://www.wireshark.org/docs/relnotes/wireshark-1.8.6.html

Security Issue references:

   * CVE-2013-2475
   * CVE-2013-2476
   * CVE-2013-2477
   * CVE-2013-2478
   * CVE-2013-2479
   * CVE-2013-2480
   * CVE-2013-2481
   * CVE-2013-2482
   * CVE-2013-2483
   * CVE-2013-2484
   * CVE-2013-2485
   * CVE-2013-2486
   * CVE-2013-2487
   * CVE-2013-2488

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-wireshark-7490

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-wireshark-7490

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-wireshark-7490

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp2-wireshark-7490

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.8.6]:

      wireshark-devel-1.8.6-0.2.1

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 x86_64) [New Version: 1.8.6]:

      wireshark-1.8.6-0.2.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 1.8.6]:

      wireshark-1.8.6-0.2.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.8.6]:

      wireshark-1.8.6-0.2.1

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):

      wireshark-1.6.14-0.5.1
      wireshark-devel-1.6.14-0.5.1

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 1.8.6]:

      wireshark-1.8.6-0.2.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):

      wireshark-1.6.14-0.5.1

   - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64):

      wireshark-devel-1.6.14-0.5.1

References:

   http://support.novell.com/security/cve/CVE-2013-2475.html
   http://support.novell.com/security/cve/CVE-2013-2476.html
   http://support.novell.com/security/cve/CVE-2013-2477.html
   http://support.novell.com/security/cve/CVE-2013-2478.html
   http://support.novell.com/security/cve/CVE-2013-2479.html
   http://support.novell.com/security/cve/CVE-2013-2480.html
   http://support.novell.com/security/cve/CVE-2013-2481.html
   http://support.novell.com/security/cve/CVE-2013-2482.html
   http://support.novell.com/security/cve/CVE-2013-2483.html
   http://support.novell.com/security/cve/CVE-2013-2484.html
   http://support.novell.com/security/cve/CVE-2013-2485.html
   http://support.novell.com/security/cve/CVE-2013-2486.html
   http://support.novell.com/security/cve/CVE-2013-2487.html
   http://support.novell.com/security/cve/CVE-2013-2488.html
   https://bugzilla.novell.com/807942
   http://download.novell.com/patch/finder/?keywords=3db4a4d24062a3721e7cba8ec8f8d3a4
   http://download.novell.com/patch/finder/?keywords=60a3f6bd75943bedb717cfb3ac997f9a

From sle-security-updates at lists.suse.com  Fri Apr 26 23:04:27 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 27 Apr 2013 07:04:27 +0200 (CEST)
Subject: SUSE-SU-2013:0717-1: moderate: Security update for icedtea-web
Message-ID: <20130427050427.645A132269@maintenance.suse.de>

   SUSE Security Update: Security update for icedtea-web
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0717-1
Rating:             moderate
References:         #815596
Cross-References:   CVE-2013-1926 CVE-2013-1927
Affected Products:
                    SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available. It includes
   one version update.

Description:

   This update to version 1.3.2 fixes several security updates and common
   fixes. (bnc#815596)

   Security Updates
   * CVE-2013-1927: fixed gifar vulnerability
   * CVE-2013-1926: Class-loader incorrectly shared for applets with same
     relative-path.

   Common
   * Added new option in itw-settings which allows users to set JVM
     arguments when plugin is initialized.

   NetX
   * PR580: http://www.horaoficial.cl/ loads improperly

   Plugin
   * PR1260: IcedTea-Web should not rely on GTK
     obsoletes icedtea-web-remove-gtk-dep.patch
   * PR1157: Applets can hang browser after fatal exception

Security Issue references:

   * CVE-2013-1926
   * CVE-2013-1927

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp2-icedtea-web-7642

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 1.3.2]:

      icedtea-web-1.3.2-0.5.1

References:

   http://support.novell.com/security/cve/CVE-2013-1926.html
   http://support.novell.com/security/cve/CVE-2013-1927.html
   https://bugzilla.novell.com/815596
   http://download.novell.com/patch/finder/?keywords=bf686ddf221652db91a12eb9eaf531d5

From sle-security-updates at lists.suse.com  Fri Apr 26 23:04:32 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 27 Apr 2013 07:04:32 +0200 (CEST)
Subject: SUSE-SU-2013:0718-1: moderate: Security update for Openstack Nova
Message-ID: <20130427050432.68D2132023@maintenance.suse.de>

   SUSE Security Update: Security update for Openstack Nova
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0718-1
Rating:             moderate
References:         #803351 #806240 #808622
Affected Products:
                    SUSE Cloud 1.0
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   Openstack Nova has been updated to fix the following security issues:

   * CVE-2013-0280: Jonathan Murray from NCC Group, Joshua Harlow from
     Yahoo! and Stuart Stent independently reported a vulnerability in the
     parsing of XML requests in Keystone, Nova and Cinder. By using
     entities in XML requests, an unauthenticated attacker may consume
     excessive resources on the Keystone, Nova or Cinder API servers,
     resulting in a denial of service and potentially a crash.
     Authenticated attackers may also leverage XML entities to read the
     content of a local file on the Keystone API server. This only affects
     servers with XML support enabled.

   * CVE-2013-0335: Loganathan Parthipan (HP) and Rohit Karajgi (NTT Data)
     independently reported a vulnerability in Nova. If a user requests a
     console and then deletes the VM, it is possible that the console
     token could allow connectivity to a different VM before the console
     token expires if the VNC port gets reused in that time period. This
     issue can be worked around by disabling VNC support.

   * CVE-2013-1838: Vish Ishaya reported a vulnerability in Nova where
     there is no quota for Fixed IPs. Previously the instance quota acted
     as a proxy for a Fixed IP quota, but if your configuration allows an
     instance to consume more than one Fixed IP via an extension such as
     multinic then this is no longer true. Running out of Fixed IPs would
     result in not being able to spawn new instances.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Cloud 1.0:

      zypper in -t patch sleclo10sp2-openstack-nova-7661

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Cloud 1.0 (x86_64):

      openstack-nova-2012.1+git.1364234478.e52e691-0.5.1
      openstack-nova-api-2012.1+git.1364234478.e52e691-0.5.1
      openstack-nova-cert-2012.1+git.1364234478.e52e691-0.5.1
      openstack-nova-compute-2012.1+git.1364234478.e52e691-0.5.1
      openstack-nova-doc-2012.1+git.1364234478.e52e691-0.5.1
      openstack-nova-network-2012.1+git.1364234478.e52e691-0.5.1
      openstack-nova-objectstore-2012.1+git.1364234478.e52e691-0.5.1
      openstack-nova-scheduler-2012.1+git.1364234478.e52e691-0.5.1
      openstack-nova-vncproxy-2012.1+git.1364234478.e52e691-0.5.1
      openstack-nova-volume-2012.1+git.1364234478.e52e691-0.5.1
      python-nova-2012.1+git.1364234478.e52e691-0.5.1

References:

   https://bugzilla.novell.com/803351
   https://bugzilla.novell.com/806240
   https://bugzilla.novell.com/808622
   http://download.novell.com/patch/finder/?keywords=8f98eb3d0da00abeb4826120151fc736

From sle-security-updates at lists.suse.com  Tue Apr 30 09:04:50 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 30 Apr 2013 17:04:50 +0200 (CEST)
Subject: SUSE-SU-2013:0727-1: moderate: Security update for libxslt
Message-ID: <20130430150450.075D73213E@maintenance.suse.de>

   SUSE Security Update: Security update for libxslt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0727-1
Rating:             moderate
References:         #811686
Cross-References:   CVE-2012-6139
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 11 SP2
                    SUSE Linux Enterprise Desktop 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   libxslt has been updated to fix two denial of service issues via
   crashes by NULL pointer dereference on attacker-supplied XSLT scripts
   (CVE-2012-6139).

Security Issue references:

   * CVE-2012-6139

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-libxslt-7569

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-libxslt-7569

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-libxslt-7569

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp2-libxslt-7569

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      libxslt-devel-1.1.24-19.21.1
      libxslt-python-1.1.24-19.21.1

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (ppc64 s390x x86_64):

      libxslt-devel-32bit-1.1.24-19.21.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):

      libxslt-1.1.24-19.21.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (x86_64):

      libxslt-32bit-1.1.24-19.21.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      libxslt-1.1.24-19.21.1

   - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64):

      libxslt-32bit-1.1.24-19.21.1

   - SUSE Linux Enterprise Server 11 SP2 (ia64):

      libxslt-x86-1.1.24-19.21.1

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):

      libxslt-1.1.15-15.20.1
      libxslt-devel-1.1.15-15.20.1

   - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64):

      libxslt-32bit-1.1.15-15.20.1
      libxslt-devel-32bit-1.1.15-15.20.1

   - SUSE Linux Enterprise Server 10 SP4 (ia64):

      libxslt-x86-1.1.15-15.20.1

   - SUSE Linux Enterprise Server 10 SP4 (ppc):

      libxslt-64bit-1.1.15-15.20.1
      libxslt-devel-64bit-1.1.15-15.20.1

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):

      libxslt-1.1.24-19.21.1

   - SUSE Linux Enterprise Desktop 11 SP2 (x86_64):

      libxslt-32bit-1.1.24-19.21.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):

      libxslt-1.1.15-15.20.1
      libxslt-devel-1.1.15-15.20.1

   - SUSE Linux Enterprise Desktop 10 SP4 (x86_64):

      libxslt-32bit-1.1.15-15.20.1
      libxslt-devel-32bit-1.1.15-15.20.1

   - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64):

      libxslt-python-1.1.15-15.20.1

References:

   http://support.novell.com/security/cve/CVE-2012-6139.html
   https://bugzilla.novell.com/811686
   http://download.novell.com/patch/finder/?keywords=16d4ac2788f86d14cc32baec588ac866
   http://download.novell.com/patch/finder/?keywords=f2c4e439c56211a8185d4b4e23db8694

From sle-security-updates at lists.suse.com  Tue Apr 30 15:04:27 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 30 Apr 2013 23:04:27 +0200 (CEST)
Subject: SUSE-SU-2013:0731-1: moderate: Security update for GnuTLS
Message-ID: <20130430210427.4924F32269@maintenance.suse.de>

   SUSE Security Update: Security update for GnuTLS
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0731-1
Rating:             moderate
References:         #802651
Cross-References:   CVE-2013-1619
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 11 SP2
                    SUSE Linux Enterprise Desktop 10 SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This GnuTLS update fixes incorrect padding which weakens the
   encryption. CVE-2013-1619 has been assigned to this issue.

Security Issue reference:

   * CVE-2013-1619

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-gnutls-7660

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-gnutls-7660

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-gnutls-7660

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp2-gnutls-7660

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      libgnutls-devel-2.4.1-24.39.45.1
      libgnutls-extra-devel-2.4.1-24.39.45.1
      libgnutls-extra26-2.4.1-24.39.45.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):

      gnutls-2.4.1-24.39.45.1
      libgnutls26-2.4.1-24.39.45.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (x86_64):

      libgnutls26-32bit-2.4.1-24.39.45.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      gnutls-2.4.1-24.39.45.1
      libgnutls-extra26-2.4.1-24.39.45.1
      libgnutls26-2.4.1-24.39.45.1

   - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64):

      libgnutls26-32bit-2.4.1-24.39.45.1

   - SUSE Linux Enterprise Server 11 SP2 (ia64):

      libgnutls26-x86-2.4.1-24.39.45.1

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):

      gnutls-1.2.10-13.32.1
      gnutls-devel-1.2.10-13.32.1

   - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64):

      gnutls-32bit-1.2.10-13.32.1
      gnutls-devel-32bit-1.2.10-13.32.1

   - SUSE Linux Enterprise Server 10 SP4 (ia64):

      gnutls-x86-1.2.10-13.32.1

   - SUSE Linux Enterprise Server 10 SP4 (ppc):

      gnutls-64bit-1.2.10-13.32.1
      gnutls-devel-64bit-1.2.10-13.32.1

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):

      gnutls-2.4.1-24.39.45.1
      libgnutls26-2.4.1-24.39.45.1

   - SUSE Linux Enterprise Desktop 11 SP2 (x86_64):

      libgnutls26-32bit-2.4.1-24.39.45.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):

      gnutls-1.2.10-13.32.1
      gnutls-devel-1.2.10-13.32.1

   - SUSE Linux Enterprise Desktop 10 SP4 (x86_64):

      gnutls-32bit-1.2.10-13.32.1
      gnutls-devel-32bit-1.2.10-13.32.1

References:

   http://support.novell.com/security/cve/CVE-2013-1619.html
   https://bugzilla.novell.com/802651
   http://download.novell.com/patch/finder/?keywords=25bff8c073ecb5178ad094a1a09f8a33
   http://download.novell.com/patch/finder/?keywords=dd094c662f5b2c2ef45b6af4fec820a9
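The Openstack Nova advisory SUSE-SU-2013:0718-1 above describes CVE-2013-0280: entity declarations in XML API requests let an unauthenticated client consume excessive resources, and an authenticated one read local files. The block below is an added example, not SUSE's or OpenStack's code, of the kind of hardening that closes this class of bug on the server side: refuse any request body that carries a DOCTYPE, an entity declaration or an external entity reference before the payload reaches the real parser, and cap the body size. It uses only Python's standard-library expat and ElementTree modules; the request bodies, the size limit and the element and attribute names are constructed for the example and are not real Nova requests.

```python
"""Reject XML API request bodies that carry a DTD before parsing them.

Added example for the CVE-2013-0280 description in SUSE-SU-2013:0718-1.
Not SUSE's or OpenStack's code; standard library only.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Constructed limit for the example; a real API would tune it per endpoint.
MAX_REQUEST_BYTES = 64 * 1024


class UnsafeXMLError(ValueError):
    """Body is oversized or carries a DOCTYPE / entity / external reference."""


def reject_dtd(data):
    """Scan ``data`` with expat and raise UnsafeXMLError as soon as a
    DOCTYPE, an entity declaration or an external entity reference appears.

    Entity expansion is what lets a small request consume arbitrary memory
    (nested internal entities) or pull in local files (external entities),
    so the whole DTD layer is refused instead of filtering declarations one
    by one.  Malformed XML surfaces as xml.parsers.expat.ExpatError.
    """
    if len(data) > MAX_REQUEST_BYTES:
        raise UnsafeXMLError("request body exceeds %d bytes" % MAX_REQUEST_BYTES)

    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE declaration %r is not allowed" % name)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError("entity declaration %r is not allowed" % name)

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXMLError("external entity reference is not allowed")

    # Exceptions raised inside expat callbacks propagate out of Parse().
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)


def parse_request(data):
    """Parse an untrusted XML request body into an Element, refusing DTDs."""
    reject_dtd(data)
    return ET.fromstring(data)


def classify(data):
    """Three-way verdict for logging and metrics: 'ok', 'unsafe' or
    'malformed'.  An 'unsafe' verdict means the client deliberately sent a
    DTD or an oversized body, which is worth alerting on."""
    try:
        parse_request(data)
    except UnsafeXMLError:
        return "unsafe"
    except (xml.parsers.expat.ExpatError, ET.ParseError):
        return "malformed"
    return "ok"


# Constructed sample bodies, loosely modelled on a compute API "create
# server" call; they are not real OpenStack requests.
PLAIN_REQUEST = b'<server name="web01" imageRef="img-1" flavorRef="1"/>'
DTD_REQUEST = (b'<!DOCTYPE server [<!ENTITY x "x">]>'
               b'<server name="&x;" imageRef="img-1" flavorRef="1"/>')
DOCTYPE_ONLY_REQUEST = b'<!DOCTYPE server><server name="web01"/>'
MALFORMED_REQUEST = b'<server name="web01">'

if __name__ == "__main__":
    for label, body in [("plain", PLAIN_REQUEST), ("dtd", DTD_REQUEST),
                        ("doctype-only", DOCTYPE_ONLY_REQUEST),
                        ("malformed", MALFORMED_REQUEST)]:
        print("%-13s -> %s" % (label, classify(body)))
```

The pre-scan runs a second expat pass over the body, which is cheap compared with the cost of letting one expanding entity through; refusing the DOCTYPE as a whole also removes the need to reason about which individual declarations are harmless.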