From sle-security-updates at lists.suse.com Thu Aug 1 07:04:11 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 1 Aug 2013 15:04:11 +0200 (CEST)
Subject: SUSE-SU-2013:1287-1: moderate: Security update for glibc
Message-ID: <20130801130411.9762B32278@maintenance.suse.de>

SUSE Security Update: Security update for glibc
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:1287-1
Rating:             moderate
References:         #661460 #676178 #691365 #732110 #735850 #743689 #747768
                    #753756 #760216 #770891 #774467 #775690 #783196 #796982
                    #805899 #813121 #818630 #828637
Cross-References:   CVE-2009-5029 CVE-2010-4756 CVE-2011-1089 CVE-2012-0864
                    CVE-2012-3480 CVE-2013-1914
Affected Products:
                    SUSE Linux Enterprise Server 10 SP3 LTSS
______________________________________________________________________________

   An update that solves 6 vulnerabilities and has 12 fixes is now available.

Description:

   This collective update for the GNU C library (glibc) provides the
   following fixes and enhancements:

   Security issues fixed:

   - Fix stack overflow in getaddrinfo with many results. (bnc#813121,
     CVE-2013-1914)
   - Fixed another stack overflow in getaddrinfo with many results.
     (bnc#828637)
   - Fix buffer overflow in glob. (bnc#691365, CVE-2010-4756)
   - Fix array overflow in floating point parser. (bnc#775690,
     CVE-2012-3480)
   - Fix strtod integer/buffer overflows. (bnc#775690, CVE-2012-3480)
   - Make addmntent return errors also for cached streams. (bnc#676178,
     CVE-2011-1089)
   - Fix overflows in vfprintf. (bnc#770891, CVE-2012-3406)
   - Add vfprintf-nargs.diff for possible format string overflow.
     (bnc#747768, CVE-2012-0864)
   - Check values from file header in __tzfile_read. (bnc#735850,
     CVE-2009-5029)

   Also several bugs were fixed:

   - Fix locking in _IO_cleanup. (bnc#796982)
   - Fix memory leak in execve. (bnc#805899)
   - Fix nscd timestamps in logging. (bnc#783196)
   - Fix perl script error message. (bnc#774467)
   - Fall back to localhost if no nameserver is defined. (bnc#818630)
   - Fix incomplete results from nscd. (bnc#753756)
   - Fix a deadlock in dlsym in case the symbol isn't found, for
     multithreaded programs. (bnc#760216)
   - Fix problem with TLS and dlopen. (bnc#732110)
   - Backported regex fix for skipping of valid EUC-JP matches. (bnc#743689)
   - Fixed false regex match on incomplete chars in EUC-JP. (bnc#743689)
   - Add glibc-pmap-timeout.diff in order to fix useless connection
     attempts to NFS servers. (bnc#661460)

Security Issues:

   * CVE-2009-5029
   * CVE-2010-4756
   * CVE-2011-1089
   * CVE-2012-0864
   * CVE-2012-3480
   * CVE-2013-1914

Package List:

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 i686 s390x x86_64):

      glibc-2.4-31.77.102.1
      glibc-devel-2.4-31.77.102.1

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):

      glibc-html-2.4-31.77.102.1
      glibc-i18ndata-2.4-31.77.102.1
      glibc-info-2.4-31.77.102.1
      glibc-locale-2.4-31.77.102.1
      glibc-profile-2.4-31.77.102.1
      nscd-2.4-31.77.102.1

   - SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64):

      glibc-32bit-2.4-31.77.102.1
      glibc-devel-32bit-2.4-31.77.102.1
      glibc-locale-32bit-2.4-31.77.102.1
      glibc-profile-32bit-2.4-31.77.102.1

References:

   http://support.novell.com/security/cve/CVE-2009-5029.html
   http://support.novell.com/security/cve/CVE-2010-4756.html
   http://support.novell.com/security/cve/CVE-2011-1089.html
   http://support.novell.com/security/cve/CVE-2012-0864.html
   http://support.novell.com/security/cve/CVE-2012-3480.html
   http://support.novell.com/security/cve/CVE-2013-1914.html
   https://bugzilla.novell.com/661460
   https://bugzilla.novell.com/676178
   https://bugzilla.novell.com/691365
   https://bugzilla.novell.com/732110
   https://bugzilla.novell.com/735850
   https://bugzilla.novell.com/743689
   https://bugzilla.novell.com/747768
   https://bugzilla.novell.com/753756
   https://bugzilla.novell.com/760216
   https://bugzilla.novell.com/770891
   https://bugzilla.novell.com/774467
   https://bugzilla.novell.com/775690
   https://bugzilla.novell.com/783196
   https://bugzilla.novell.com/796982
   https://bugzilla.novell.com/805899
   https://bugzilla.novell.com/813121
   https://bugzilla.novell.com/818630
   https://bugzilla.novell.com/828637
   http://download.novell.com/patch/finder/?keywords=17c15337eaf4f28f28cdc9f9d3d731ec

From sle-security-updates at lists.suse.com Thu Aug 1 12:04:13 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 1 Aug 2013 20:04:13 +0200 (CEST)
Subject: SUSE-SU-2013:1237-3: moderate: Security update for strongswan
Message-ID: <20130801180413.9E1FD3227A@maintenance.suse.de>

SUSE Security Update: Security update for strongswan
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:1237-3
Rating:             moderate
References:         #815236
Cross-References:   CVE-2013-2944
Affected Products:
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update fixes the ECDSA signature vulnerability in strongswan.
   CVE-2013-2944 was assigned to this issue.

Security Issue references:

   * CVE-2013-2944

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-strongswan-8021

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-strongswan-8021

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-strongswan-8021

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):

      strongswan-4.4.0-6.17.5
      strongswan-doc-4.4.0-6.17.5

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      strongswan-4.4.0-6.17.5
      strongswan-doc-4.4.0-6.17.5

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

      strongswan-4.4.0-6.17.5
      strongswan-doc-4.4.0-6.17.5

References:

   http://support.novell.com/security/cve/CVE-2013-2944.html
   https://bugzilla.novell.com/815236
   http://download.novell.com/patch/finder/?keywords=3a772836080f180531c4b38e258c1b04

From sle-security-updates at lists.suse.com Fri Aug 2 12:04:09 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 2 Aug 2013 20:04:09 +0200 (CEST)
Subject: SUSE-SU-2013:1292-1: moderate: Security update for openstack-nova
Message-ID: <20130802180409.7F7503227B@maintenance.suse.de>

SUSE Security Update: Security update for openstack-nova
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:1292-1
Rating:             moderate
References:         #817181 #821879 #829068
Cross-References:   CVE-2013-2096
Affected Products:
                    SUSE Cloud 1.0
______________________________________________________________________________

   An update that solves one vulnerability and has two fixes is now available.

Description:

   A local DoS condition in openstack-nova's qcow2 virtual image size
   handling has been fixed. CVE-2013-2096 was assigned to this issue.

Security Issue reference:

   * CVE-2013-2096

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Cloud 1.0:

      zypper in -t patch sleclo10sp2-openstack-nova-8097

   To bring your system up-to-date, use "zypper patch".
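As an added illustration of the class of problem behind the nova fix above (example code written for this page, not openstack-nova's own code): the size of a qcow2 file on disk says nothing about the virtual disk size its header declares, so a file of a few bytes can claim petabytes, and a compute node that converts or resizes such an image before looking at that number can be driven out of disk space. The block parses the first 32 bytes of the header as laid out in the qcow2 format specification and refuses an image whose declared size exceeds the flavor's root disk. The header layout is from the spec; the `root_gb` limit, the `check_image` name, the cluster_bits plausibility range and the constructed sample headers are this example's assumptions.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"

# First 32 bytes of a qcow2 header, all big-endian (qcow2 format specification):
#   off 0  u32 magic                 off 4  u32 version (2 or 3)
#   off 8  u64 backing_file_offset   off 16 u32 backing_file_size
#   off 20 u32 cluster_bits          off 24 u64 size = virtual disk size in bytes
_HDR = struct.Struct(">4sIQIIQ")


def parse_qcow2_header(blob):
    """Return the fields above as a dict, or raise ValueError if this is not a
    plausible qcow2 header."""
    if len(blob) < _HDR.size:
        raise ValueError("file too short for a qcow2 header")
    magic, version, bf_off, bf_size, cluster_bits, size = _HDR.unpack_from(blob)
    if magic != QCOW2_MAGIC:
        raise ValueError("bad magic, not a qcow2 image")
    if version not in (2, 3):
        raise ValueError(f"unsupported qcow2 version {version}")
    # 512 bytes .. 2 MiB clusters is the range qemu accepts (assumption used as a sanity bound)
    if not 9 <= cluster_bits <= 21:
        raise ValueError(f"implausible cluster_bits {cluster_bits}")
    return {
        "version": version,
        "backing_file_offset": bf_off,
        "backing_file_size": bf_size,
        "cluster_bits": cluster_bits,
        "virtual_size": size,
    }


def check_image(blob, root_gb):
    """Pre-flight check, to run before any conversion or resize: the declared
    virtual size must fit the flavor's root disk.  Returns (ok, reason)."""
    try:
        hdr = parse_qcow2_header(blob)
    except ValueError as exc:
        return False, str(exc)
    limit = root_gb * 1024 ** 3
    if hdr["virtual_size"] > limit:
        return False, (f"image declares {hdr['virtual_size']} bytes of virtual disk, "
                       f"flavor root disk is {limit} bytes")
    return True, "ok"


def make_qcow2_header(virtual_size, version=2, cluster_bits=16):
    """Constructed header only (no L1/L2 tables, refcount blocks, ...): enough to
    show that 32 bytes on disk can declare any virtual size at all."""
    return _HDR.pack(QCOW2_MAGIC, version, 0, 0, cluster_bits, virtual_size)


if __name__ == "__main__":
    honest = make_qcow2_header(20 * 1024 ** 3)   # claims 20 GiB
    bloated = make_qcow2_header(1 << 50)         # claims 1 PiB, still 32 bytes on disk
    for name, blob in (("honest", honest), ("bloated", bloated)):
        ok, reason = check_image(blob, root_gb=20)
        print(f"{name}: {len(blob)} bytes on disk -> {'accept' if ok else 'reject'} ({reason})")
```

On a real host the number would come from `qemu-img info --output=json` (its `virtual-size` field) rather than from parsing the header by hand; what matters is that the comparison against the flavor's disk happens before any conversion starts, not after the node has already filled up.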
Package List:

   - SUSE Cloud 1.0 (x86_64):

      openstack-nova-2012.1+git.1364234478.e52e691-0.7.1
      openstack-nova-api-2012.1+git.1364234478.e52e691-0.7.1
      openstack-nova-cert-2012.1+git.1364234478.e52e691-0.7.1
      openstack-nova-compute-2012.1+git.1364234478.e52e691-0.7.1
      openstack-nova-network-2012.1+git.1364234478.e52e691-0.7.1
      openstack-nova-objectstore-2012.1+git.1364234478.e52e691-0.7.1
      openstack-nova-scheduler-2012.1+git.1364234478.e52e691-0.7.1
      openstack-nova-vncproxy-2012.1+git.1364234478.e52e691-0.7.1
      openstack-nova-volume-2012.1+git.1364234478.e52e691-0.7.1
      python-nova-2012.1+git.1364234478.e52e691-0.7.1

References:

   http://support.novell.com/security/cve/CVE-2013-2096.html
   https://bugzilla.novell.com/817181
   https://bugzilla.novell.com/821879
   https://bugzilla.novell.com/829068
   http://download.novell.com/patch/finder/?keywords=e57190d51898cdc8d8e87a413912b595

From sle-security-updates at lists.suse.com Fri Aug 2 15:04:10 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 2 Aug 2013 23:04:10 +0200 (CEST)
Subject: SUSE-SU-2013:1293-1: important: Security update for IBMJava5 JRE and IBMJava5 SDK
Message-ID: <20130802210410.688F93227B@maintenance.suse.de>

SUSE Security Update: Security update for IBMJava5 JRE and IBMJava5 SDK
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:1293-1
Rating:             important
References:         #823034 #829212
Affected Products:
                    SUSE CORE 9
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   IBM Java 1.5.0 was updated to SR16-FP3 to fix bugs and security issues:

   CVE-2013-3009, CVE-2013-3011, CVE-2013-3012, CVE-2013-4002,
   CVE-2013-2469, CVE-2013-2465, CVE-2013-2464, CVE-2013-2463,
   CVE-2013-2473, CVE-2013-2472, CVE-2013-2471, CVE-2013-2470,
   CVE-2013-2459, CVE-2013-3743, CVE-2013-2448, CVE-2013-2454,
   CVE-2013-2456, CVE-2013-2457, CVE-2013-2455, CVE-2013-2443,
   CVE-2013-2447, CVE-2013-2444, CVE-2013-2452, CVE-2013-2446,
   CVE-2013-2450, CVE-2013-1571, CVE-2013-1500

   Please see also http://www.ibm.com/developerworks/java/jdk/alerts/

   Also the following bugs have been fixed:

   * add Europe/Busingen to tzmappings (bnc#817062)
   * mark files in jre/bin and bin/ as executable (bnc#823034)

Package List:

   - SUSE CORE 9 (i586 s390 s390x x86_64):

      IBMJava2-JRE-1.4.2_sr13.18-0.4
      IBMJava2-SDK-1.4.2_sr13.18-0.4
      IBMJava5-JRE-1.5.0_sr16.3-0.4
      IBMJava5-SDK-1.5.0_sr16.3-0.4

References:

   https://bugzilla.novell.com/823034
   https://bugzilla.novell.com/829212
   http://download.novell.com/patch/finder/?keywords=7680f8140c62f26ce3174024373514a1
   http://download.novell.com/patch/finder/?keywords=bf6c59989a94daa5af11dc7d56857d21

From sle-security-updates at lists.suse.com Mon Aug 5 12:04:09 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 5 Aug 2013 20:04:09 +0200 (CEST)
Subject: SUSE-SU-2013:1293-2: important: Security update for IBM Java 1.4.2
Message-ID: <20130805180409.78FC43227D@maintenance.suse.de>

SUSE Security Update: Security update for IBM Java 1.4.2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:1293-2
Rating:             important
References:         #823034 #829212
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 for VMware LTSS
                    SUSE Linux Enterprise Server 11 SP1 LTSS
                    SUSE Linux Enterprise Server 10 SP3 LTSS
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   IBM Java 1.4.2 has been updated to SR13-FP18 to fix bugs and security
   issues:

   CVE-2013-3009, CVE-2013-3011, CVE-2013-3012, CVE-2013-2469,
   CVE-2013-2465, CVE-2013-2464, CVE-2013-2463, CVE-2013-2473,
   CVE-2013-2472, CVE-2013-2471, CVE-2013-2470, CVE-2013-2459,
   CVE-2013-2456, CVE-2013-2447, CVE-2013-2452, CVE-2013-2446,
   CVE-2013-2450, CVE-2013-1500

   Please see also http://www.ibm.com/developerworks/java/jdk/alerts/

   Also the following bug has been fixed:

   * mark files in jre/bin and bin/ as executable (bnc#823034)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS:

      zypper in -t patch slessp1-java-1_4_2-ibm-8113

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-java-1_4_2-ibm-8113

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS (i586 x86_64):

      java-1_4_2-ibm-1.4.2_sr13.18-0.4.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS (i586):

      java-1_4_2-ibm-jdbc-1.4.2_sr13.18-0.4.1
      java-1_4_2-ibm-plugin-1.4.2_sr13.18-0.4.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):

      java-1_4_2-ibm-1.4.2_sr13.18-0.4.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586):

      java-1_4_2-ibm-jdbc-1.4.2_sr13.18-0.4.1
      java-1_4_2-ibm-plugin-1.4.2_sr13.18-0.4.1

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):

      java-1_4_2-ibm-1.4.2_sr13.18-0.7.1
      java-1_4_2-ibm-devel-1.4.2_sr13.18-0.7.1

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586):

      java-1_4_2-ibm-jdbc-1.4.2_sr13.18-0.7.1
      java-1_4_2-ibm-plugin-1.4.2_sr13.18-0.7.1

References:

   https://bugzilla.novell.com/823034
   https://bugzilla.novell.com/829212
   http://download.novell.com/patch/finder/?keywords=218af645ef5f0082097200b5e9788a5a
   http://download.novell.com/patch/finder/?keywords=76ae3ed7fc780d986eebf8b71a352ade

From sle-security-updates at lists.suse.com Tue Aug 6 12:04:09 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 6 Aug 2013 20:04:09 +0200 (CEST)
Subject: SUSE-SU-2013:1304-1: critical: Security update for puppet
Message-ID: <20130806180409.6B9073227D@maintenance.suse.de>

SUSE Security Update: Security update for puppet
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:1304-1
Rating:             critical
References:         #825878
Cross-References:   CVE-2013-3567
Affected Products:
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available. It includes one
   version update.

Description:

   This puppet update fixes a remote code execution issue:

   * Unauthenticated Remote Code Execution Vulnerability with YAML and REST
     API calls (bug#825878, CVE-2013-3567)

Security Issue reference:

   * CVE-2013-3567

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-puppet-8132

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-puppet-8132

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-puppet-8131

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-puppet-8131

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-puppet-8132

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp2-puppet-8131

   To bring your system up-to-date, use "zypper patch".
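Running the zypper command above installs the patch; confirming that the fixed build is actually what ends up installed is a separate step, and the same check applies to every package list in these advisories. The following is an added example script (not SUSE tooling) that compares the output of `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'` with the fixed puppet builds from this advisory (2.6.18-0.6.1). It reimplements rpm's version comparison in simplified form so that a release such as 0.10.1 ranks above 0.6.1, which a plain string compare gets wrong; the `~` and `^` ordering rules of newer rpm are left out on the assumption that they do not occur in these version strings, and the embedded `rpm -qa` sample is constructed, not taken from a real host.

```python
import re

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Compare two RPM version (or release) strings the way rpm does, simplified:
    alphanumeric segments are compared one by one, numerically when both are
    digits (so 0.10 > 0.9), lexically when both are letters, and a numeric
    segment ranks above an alphabetic one.  When one string runs out of
    segments the longer one is newer (9.9.3P2 > 9.9.3).  Returns -1, 0 or 1.
    The '~' and '^' rules of newer rpm are deliberately not implemented."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def compare_vr(installed, fixed):
    """Compare (version, release) tuples; the release only matters when the
    versions are equal."""
    c = rpmvercmp(installed[0], fixed[0])
    return c if c else rpmvercmp(installed[1], fixed[1])


# Fixed builds from this advisory's package list: puppet-2.6.18-0.6.1 and
# puppet-server-2.6.18-0.6.1.
FIXED = {
    "puppet": ("2.6.18", "0.6.1"),
    "puppet-server": ("2.6.18", "0.6.1"),
}


def parse_rpm_qa(text):
    """Parse the output of  rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\\n'
    into {name: (version, release)}.  The --qf form is used so that hyphens
    inside package names (puppet-server) never have to be guessed around."""
    pkgs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            pkgs[parts[0]] = (parts[1], parts[2])
    return pkgs


def still_vulnerable(installed, fixed=FIXED):
    """Names of advisory packages that are installed but older than the fixed build."""
    return sorted(name for name, vr in installed.items()
                  if name in fixed and compare_vr(vr, fixed[name]) < 0)


# Constructed sample, not from a real host: puppet is still on an older release,
# puppet-server is already at the fixed build, bash is unrelated.
SAMPLE_RPM_QA = """\
puppet 2.6.18 0.5.1
puppet-server 2.6.18 0.6.1
bash 3.2 147.14.22.1
"""

if __name__ == "__main__":
    missing = still_vulnerable(parse_rpm_qa(SAMPLE_RPM_QA))
    for name in missing:
        print(f"{name}: installed build is older than the fixed one, patch not applied")
    if not missing:
        print("all advisory packages are at or above the fixed build")
```

To use it on a host, replace `SAMPLE_RPM_QA` with the real `rpm -qa --qf` output and `FIXED` with the package list of whichever advisory you are verifying; for daemons such as puppet-server, remember that a newer package on disk does not mean the running process has been restarted.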
Package List: - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): puppet-2.6.18-0.6.1 puppet-server-2.6.18-0.6.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64): puppet-2.6.18-0.6.1 puppet-server-2.6.18-0.6.1 - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 2.6.18]: puppet-2.6.18-0.6.1 puppet-server-2.6.18-0.6.1 - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 2.6.18]: puppet-2.6.18-0.6.1 puppet-server-2.6.18-0.6.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64): puppet-2.6.18-0.6.1 - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 2.6.18]: puppet-2.6.18-0.6.1 References: http://support.novell.com/security/cve/CVE-2013-3567.html https://bugzilla.novell.com/825878 http://download.novell.com/patch/finder/?keywords=257dd8125d8a1d0ff79cfbc990fb2583 http://download.novell.com/patch/finder/?keywords=3cee502500023425010c6abfb51fa21e From sle-security-updates at lists.suse.com Tue Aug 6 15:04:10 2013 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 6 Aug 2013 23:04:10 +0200 (CEST) Subject: SUSE-SU-2013:1305-1: important: Security update for IBM Java 1.6.0 Message-ID: <20130806210410.44F7F3227D@maintenance.suse.de> SUSE Security Update: Security update for IBM Java 1.6.0 ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:1305-1 Rating: important References: #817062 #823034 #829212 #831936 Cross-References: CVE-2013-1500 CVE-2013-1571 CVE-2013-2407 CVE-2013-2412 CVE-2013-2437 CVE-2013-2442 CVE-2013-2443 CVE-2013-2444 CVE-2013-2446 CVE-2013-2447 CVE-2013-2448 CVE-2013-2450 CVE-2013-2451 CVE-2013-2452 CVE-2013-2453 CVE-2013-2454 CVE-2013-2455 CVE-2013-2456 CVE-2013-2457 CVE-2013-2459 CVE-2013-2463 CVE-2013-2464 CVE-2013-2465 CVE-2013-2466 CVE-2013-2468 CVE-2013-2469 CVE-2013-2470 CVE-2013-2471 CVE-2013-2472 CVE-2013-2473 CVE-2013-3009 CVE-2013-3011 
CVE-2013-3012 CVE-2013-3743 CVE-2013-4002 Affected Products: SUSE Linux Enterprise Server 10 SP3 LTSS ______________________________________________________________________________ An update that fixes 35 vulnerabilities is now available. Description: IBM Java 1.6.0 has been updated to SR14 to fix bugs and security issues. Please see also http://www.ibm.com/developerworks/java/jdk/alerts/ Also the following bugs have been fixed: * add Europe/Busingen to tzmappings (bnc#817062) * mark files in jre/bin and bin/ as executable (bnc#823034) * check if installed qa_filelist is not empty (bnc#831936) Security Issue references: * CVE-2013-3009 * CVE-2013-3011 * CVE-2013-3012 * CVE-2013-4002 * CVE-2013-2468 * CVE-2013-2469 * CVE-2013-2465 * CVE-2013-2464 * CVE-2013-2463 * CVE-2013-2473 * CVE-2013-2472 * CVE-2013-2471 * CVE-2013-2470 * CVE-2013-2459 * CVE-2013-2466 * CVE-2013-3743 * CVE-2013-2448 * CVE-2013-2442 * CVE-2013-2407 * CVE-2013-2454 * CVE-2013-2456 * CVE-2013-2453 * CVE-2013-2457 * CVE-2013-2455 * CVE-2013-2412 * CVE-2013-2443 * CVE-2013-2447 * CVE-2013-2437 * CVE-2013-2444 * CVE-2013-2452 * CVE-2013-2446 * CVE-2013-2450 * CVE-2013-1571 * CVE-2013-2451 * CVE-2013-1500 Package List: - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64): java-1_6_0-ibm-1.6.0_sr14.0-0.6.6.1 java-1_6_0-ibm-devel-1.6.0_sr14.0-0.6.6.1 java-1_6_0-ibm-fonts-1.6.0_sr14.0-0.6.6.1 java-1_6_0-ibm-jdbc-1.6.0_sr14.0-0.6.6.1 - SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64): java-1_6_0-ibm-32bit-1.6.0_sr14.0-0.6.6.1 java-1_6_0-ibm-devel-32bit-1.6.0_sr14.0-0.6.6.1 - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 x86_64): java-1_6_0-ibm-plugin-1.6.0_sr14.0-0.6.6.1 - SUSE Linux Enterprise Server 10 SP3 LTSS (x86_64): java-1_6_0-ibm-alsa-32bit-1.6.0_sr14.0-0.6.6.1 java-1_6_0-ibm-plugin-32bit-1.6.0_sr14.0-0.6.6.1 - SUSE Linux Enterprise Server 10 SP3 LTSS (i586): java-1_6_0-ibm-alsa-1.6.0_sr14.0-0.6.6.1 References: http://support.novell.com/security/cve/CVE-2013-1500.html 
http://support.novell.com/security/cve/CVE-2013-1571.html http://support.novell.com/security/cve/CVE-2013-2407.html http://support.novell.com/security/cve/CVE-2013-2412.html http://support.novell.com/security/cve/CVE-2013-2437.html http://support.novell.com/security/cve/CVE-2013-2442.html http://support.novell.com/security/cve/CVE-2013-2443.html http://support.novell.com/security/cve/CVE-2013-2444.html http://support.novell.com/security/cve/CVE-2013-2446.html http://support.novell.com/security/cve/CVE-2013-2447.html http://support.novell.com/security/cve/CVE-2013-2448.html http://support.novell.com/security/cve/CVE-2013-2450.html http://support.novell.com/security/cve/CVE-2013-2451.html http://support.novell.com/security/cve/CVE-2013-2452.html http://support.novell.com/security/cve/CVE-2013-2453.html http://support.novell.com/security/cve/CVE-2013-2454.html http://support.novell.com/security/cve/CVE-2013-2455.html http://support.novell.com/security/cve/CVE-2013-2456.html http://support.novell.com/security/cve/CVE-2013-2457.html http://support.novell.com/security/cve/CVE-2013-2459.html http://support.novell.com/security/cve/CVE-2013-2463.html http://support.novell.com/security/cve/CVE-2013-2464.html http://support.novell.com/security/cve/CVE-2013-2465.html http://support.novell.com/security/cve/CVE-2013-2466.html http://support.novell.com/security/cve/CVE-2013-2468.html http://support.novell.com/security/cve/CVE-2013-2469.html http://support.novell.com/security/cve/CVE-2013-2470.html http://support.novell.com/security/cve/CVE-2013-2471.html http://support.novell.com/security/cve/CVE-2013-2472.html http://support.novell.com/security/cve/CVE-2013-2473.html http://support.novell.com/security/cve/CVE-2013-3009.html http://support.novell.com/security/cve/CVE-2013-3011.html http://support.novell.com/security/cve/CVE-2013-3012.html http://support.novell.com/security/cve/CVE-2013-3743.html http://support.novell.com/security/cve/CVE-2013-4002.html 
https://bugzilla.novell.com/817062 https://bugzilla.novell.com/823034 https://bugzilla.novell.com/829212 https://bugzilla.novell.com/831936 http://download.novell.com/patch/finder/?keywords=83286d2f8367035fc1294114aff55891 From sle-security-updates at lists.suse.com Wed Aug 7 13:04:09 2013 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 7 Aug 2013 21:04:09 +0200 (CEST) Subject: SUSE-SU-2013:1310-1: important: Security update for bind Message-ID: <20130807190409.6936A32283@maintenance.suse.de> SUSE Security Update: Security update for bind ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:1310-1 Rating: important References: #831899 Cross-References: CVE-2013-4854 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Software Development Kit 11 SP2 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP2 for VMware SUSE Linux Enterprise Server 11 SP2 SUSE Linux Enterprise Desktop 11 SP3 SUSE Linux Enterprise Desktop 11 SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. It includes one version update. Description: A specially crafted query with malicious rdata could have caused a crash (DoS) in named. Security Issue reference: * CVE-2013-4854 Patch Instructions: To install this SUSE Security Update use YaST online_update. 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-bind-8161 - SUSE Linux Enterprise Software Development Kit 11 SP2: zypper in -t patch sdksp2-bind-8160 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-bind-8161 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-bind-8161 - SUSE Linux Enterprise Server 11 SP2 for VMware: zypper in -t patch slessp2-bind-8160 - SUSE Linux Enterprise Server 11 SP2: zypper in -t patch slessp2-bind-8160 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-bind-8161 - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp2-bind-8160 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 9.9.3P2]: bind-devel-9.9.3P2-0.5.1 - SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64) [New Version: 9.9.3P2]: bind-devel-32bit-9.9.3P2-0.5.1 - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 9.9.3P2]: bind-devel-9.9.3P2-0.5.1 - SUSE Linux Enterprise Software Development Kit 11 SP2 (ppc64) [New Version: 9.9.3P2]: bind-devel-32bit-9.9.3P2-0.5.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 9.9.3P2]: bind-9.9.3P2-0.5.1 bind-chrootenv-9.9.3P2-0.5.1 bind-doc-9.9.3P2-0.5.1 bind-libs-9.9.3P2-0.5.1 bind-utils-9.9.3P2-0.5.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64) [New Version: 9.9.3P2]: bind-libs-32bit-9.9.3P2-0.5.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 9.9.3P2]: bind-9.9.3P2-0.5.1 bind-chrootenv-9.9.3P2-0.5.1 bind-doc-9.9.3P2-0.5.1 bind-libs-9.9.3P2-0.5.1 bind-utils-9.9.3P2-0.5.1 - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64) [New Version: 9.9.3P2]: bind-libs-32bit-9.9.3P2-0.5.1 - SUSE Linux Enterprise Server 11 SP3 (ia64) 
[New Version: 9.9.3P2]: bind-libs-x86-9.9.3P2-0.5.1 - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 9.9.3P2]: bind-9.9.3P2-0.5.1 bind-chrootenv-9.9.3P2-0.5.1 bind-doc-9.9.3P2-0.5.1 bind-libs-9.9.3P2-0.5.1 bind-utils-9.9.3P2-0.5.1 - SUSE Linux Enterprise Server 11 SP2 for VMware (x86_64) [New Version: 9.9.3P2]: bind-libs-32bit-9.9.3P2-0.5.1 - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 9.9.3P2]: bind-9.9.3P2-0.5.1 bind-chrootenv-9.9.3P2-0.5.1 bind-doc-9.9.3P2-0.5.1 bind-libs-9.9.3P2-0.5.1 bind-utils-9.9.3P2-0.5.1 - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64) [New Version: 9.9.3P2]: bind-libs-32bit-9.9.3P2-0.5.1 - SUSE Linux Enterprise Server 11 SP2 (ia64) [New Version: 9.9.3P2]: bind-libs-x86-9.9.3P2-0.5.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 9.9.3P2]: bind-libs-9.9.3P2-0.5.1 bind-utils-9.9.3P2-0.5.1 - SUSE Linux Enterprise Desktop 11 SP3 (x86_64) [New Version: 9.9.3P2]: bind-libs-32bit-9.9.3P2-0.5.1 - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 9.9.3P2]: bind-libs-9.9.3P2-0.5.1 bind-utils-9.9.3P2-0.5.1 - SUSE Linux Enterprise Desktop 11 SP2 (x86_64) [New Version: 9.9.3P2]: bind-libs-32bit-9.9.3P2-0.5.1 References: http://support.novell.com/security/cve/CVE-2013-4854.html https://bugzilla.novell.com/831899 http://download.novell.com/patch/finder/?keywords=6b7570508ab209647dc76ea23518d5e9 http://download.novell.com/patch/finder/?keywords=b60df9afc37de4b5115de94bdcd07cce From sle-security-updates at lists.suse.com Fri Aug 9 08:04:11 2013 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 9 Aug 2013 16:04:11 +0200 (CEST) Subject: SUSE-SU-2013:1314-1: important: Security update for Xen Message-ID: <20130809140411.307FF32370@maintenance.suse.de> SUSE Security Update: Security update for Xen ______________________________________________________________________________ Announcement ID: 
SUSE-SU-2013:1314-1 Rating: important References: #801663 #808085 #808269 #817210 #820917 #820919 #820920 #823011 #823608 Cross-References: CVE-2013-2194 CVE-2013-2195 CVE-2013-2196 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that solves three vulnerabilities and has 6 fixes is now available. Description: The Xen hypervisor and toolset has been updated to 4.2.2_06 to fix various bugs and security issues: The following security issues have been addressed: * CVE-2013-2194: Various integer overflows in the ELF loader were fixed. (XSA-55) * CVE-2013-2195: Various pointer dereferences issues in the ELF loader were fixed. (XSA-55) * CVE-2013-2196: Various other problems in the ELF loader were fixed. (XSA-55) * CVE-2013-2078: A Hypervisor crash due to missing exception recovery on XSETBV was fixed. (XSA-54) * CVE-2013-2077: A Hypervisor crash due to missing exception recovery on XRSTOR was fixed. (XSA-53) * CVE-2013-2211: libxl allowed guest write access to sensitive console related xenstore keys. (XSA-57) * CVE-2013-2076: An information leak on XSAVE/XRSTOR capable AMD CPUs (XSA-52) was fixed, where parts of this state could leak to other VMs. Also the following bugs have been fixed: * performance issues in mirror lvm (bnc#801663) * aacraid driver panics mapping INT A when booting kernel-xen (bnc#808085) * Fully Virtualized Windows VM install failed on Ivy Bridge platforms with Xen kernel (bnc#808269) * Did not boot with i915 graphics controller with VT-d enabled (bnc#817210) Security Issue references: * CVE-2013-2194 * CVE-2013-2195 * CVE-2013-2196 Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use YaST online_update. 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-xen-201307-8063 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-xen-201307-8063 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-xen-201307-8063 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64): xen-devel-4.2.2_06-0.7.1 - SUSE Linux Enterprise Server 11 SP3 (i586 x86_64): xen-kmp-default-4.2.2_06_3.0.82_0.7-0.7.1 xen-libs-4.2.2_06-0.7.1 xen-tools-domU-4.2.2_06-0.7.1 - SUSE Linux Enterprise Server 11 SP3 (x86_64): xen-4.2.2_06-0.7.1 xen-doc-html-4.2.2_06-0.7.1 xen-doc-pdf-4.2.2_06-0.7.1 xen-libs-32bit-4.2.2_06-0.7.1 xen-tools-4.2.2_06-0.7.1 - SUSE Linux Enterprise Server 11 SP3 (i586): xen-kmp-pae-4.2.2_06_3.0.82_0.7-0.7.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64): xen-kmp-default-4.2.2_06_3.0.82_0.7-0.7.1 xen-libs-4.2.2_06-0.7.1 xen-tools-domU-4.2.2_06-0.7.1 - SUSE Linux Enterprise Desktop 11 SP3 (x86_64): xen-4.2.2_06-0.7.1 xen-doc-html-4.2.2_06-0.7.1 xen-doc-pdf-4.2.2_06-0.7.1 xen-libs-32bit-4.2.2_06-0.7.1 xen-tools-4.2.2_06-0.7.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586): xen-kmp-pae-4.2.2_06_3.0.82_0.7-0.7.1 References: http://support.novell.com/security/cve/CVE-2013-2194.html http://support.novell.com/security/cve/CVE-2013-2195.html http://support.novell.com/security/cve/CVE-2013-2196.html https://bugzilla.novell.com/801663 https://bugzilla.novell.com/808085 https://bugzilla.novell.com/808269 https://bugzilla.novell.com/817210 https://bugzilla.novell.com/820917 https://bugzilla.novell.com/820919 https://bugzilla.novell.com/820920 https://bugzilla.novell.com/823011 https://bugzilla.novell.com/823608 http://download.novell.com/patch/finder/?keywords=6f245c857571421a6701c20d04b046cb From sle-security-updates at lists.suse.com Fri Aug 9 14:04:11 2013 From: sle-security-updates at 
lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 9 Aug 2013 22:04:11 +0200 (CEST) Subject: SUSE-SU-2013:1315-1: important: Security update for PHP5 Message-ID: <20130809200411.8AFFD3236F@maintenance.suse.de> SUSE Security Update: Security update for PHP5 ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:1315-1 Rating: important References: #775852 #778003 #783239 #807707 #828020 #829207 Cross-References: CVE-2013-4113 Affected Products: SUSE Linux Enterprise Server 11 SP1 for VMware LTSS SUSE Linux Enterprise Server 11 SP1 LTSS ______________________________________________________________________________ An update that solves one vulnerability and has 5 fixes is now available. It includes one version update. Description: The following security issues have been fixed in PHP5: * CVE-2013-4635: Integer overflow in the SdnToJewish function in jewish.c in the Calendar component in PHP allowed context-dependent attackers to cause a denial of service (application hang) via a large argument to the jdtojewish function. * CVE-2013-1635: ext/soap/soap.c in PHP did not validate the relationship between the soap.wsdl_cache_dir directive and the open_basedir directive, which allowed remote attackers to bypass intended access restrictions by triggering the creation of cached SOAP WSDL files in an arbitrary directory. * CVE-2013-1643: The SOAP parser in PHP allowed remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions. 
* CVE-2013-4113: ext/xml/xml.c in PHP before 5.3.27 does not properly consider parsing depth, which allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted document that is processed by the xml_parse_into_struct function.
* CVE-2011-1398 / CVE-2012-4388: The sapi_header_op function in main/SAPI.c in PHP did not check for %0D sequences (aka carriage return characters), which allowed remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome.

A hardening measure has been implemented without CVE:

* use FilesMatch with 'SetHandler' rather than 'AddHandler' [bnc#775852]
* fixed php bug #43200 (Interface implementation / inheritance not possible in abstract classes) [bnc#783239]

Security Issue reference:

* CVE-2013-4113

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP1 for VMware LTSS:
    zypper in -t patch slessp1-apache2-mod_php5-8112
- SUSE Linux Enterprise Server 11 SP1 LTSS:
    zypper in -t patch slessp1-apache2-mod_php5-8112

To bring your system up-to-date, use "zypper patch".
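The CVE-2011-1398 entry above describes a header check that refused the CRLF pair but let a bare carriage return through. As an added illustration, not PHP's own code, the following Python models that gap: a legacy check that only looks for "\r\n", a strict check that refuses any CR, LF or NUL in any order, and a helper that reports which constructed request parameters each check lets into a Location header. The parameter values, header name and function names are all constructed for the demonstration.

```python
"""Header-value check modelled on the CVE-2011-1398 gap (added example, not PHP code).

A check that only refuses the two-byte CRLF sequence lets a lone carriage
return through; because some browsers accept a bare CR as a line terminator,
that single byte is enough to start a new header line.  The strict check
refuses any CR, LF or NUL regardless of order.
"""
from urllib.parse import unquote


class HeaderInjection(ValueError):
    """Raised when a header value would terminate the header line early."""


def legacy_check(value):
    """The incomplete check: only a full "\\r\\n" pair is refused."""
    if "\r\n" in value:
        raise HeaderInjection("CRLF in header value")
    return value


def strict_check(value):
    """Refuse every line-terminating or NUL byte, in any position or order."""
    if any(c in value for c in "\r\n\x00"):
        raise HeaderInjection("control character in header value")
    return value


def redirect_head(location, check):
    """Build the raw head of a redirect whose Location comes from a request
    parameter.  The parameter is percent-decoded first, which is where an
    encoded %0D becomes an actual carriage return before the check runs."""
    target = check(unquote(location))
    return "HTTP/1.1 302 Found\r\nLocation: " + target + "\r\n\r\n"


def accepted(check, raw_param):
    """True if `check` lets the percent-decoded parameter into a header."""
    try:
        redirect_head(raw_param, check)
        return True
    except HeaderInjection:
        return False


# Constructed request parameters: a normal target, and two that carry encoded
# line terminators (CRLF, and a bare CR that the legacy check misses).
SAMPLES = {
    "normal": "/account%3Ftab%3Dprofile",
    "crlf": "/account%0D%0AX-Injected:%201",
    "bare_cr": "/account%0DX-Injected:%201",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print("%-8s legacy=%-5s strict=%s" % (label, accepted(legacy_check, raw),
                                              accepted(strict_check, raw)))
```

The point to carry over to any framework: validate header values after decoding, and reject each terminator byte individually rather than a fixed two-byte sequence, so that the check does not depend on which line endings a particular client tolerates.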
Package List:

- SUSE Linux Enterprise Server 11 SP1 for VMware LTSS (i586 x86_64) [New Version: 5.2.14]:
    apache2-mod_php5-5.2.14-0.7.30.48.1
    php5-5.2.14-0.7.30.48.1
    php5-bcmath-5.2.14-0.7.30.48.1
    php5-bz2-5.2.14-0.7.30.48.1
    php5-calendar-5.2.14-0.7.30.48.1
    php5-ctype-5.2.14-0.7.30.48.1
    php5-curl-5.2.14-0.7.30.48.1
    php5-dba-5.2.14-0.7.30.48.1
    php5-dbase-5.2.14-0.7.30.48.1
    php5-dom-5.2.14-0.7.30.48.1
    php5-exif-5.2.14-0.7.30.48.1
    php5-fastcgi-5.2.14-0.7.30.48.1
    php5-ftp-5.2.14-0.7.30.48.1
    php5-gd-5.2.14-0.7.30.48.1
    php5-gettext-5.2.14-0.7.30.48.1
    php5-gmp-5.2.14-0.7.30.48.1
    php5-hash-5.2.14-0.7.30.48.1
    php5-iconv-5.2.14-0.7.30.48.1
    php5-json-5.2.14-0.7.30.48.1
    php5-ldap-5.2.14-0.7.30.48.1
    php5-mbstring-5.2.14-0.7.30.48.1
    php5-mcrypt-5.2.14-0.7.30.48.1
    php5-mysql-5.2.14-0.7.30.48.1
    php5-odbc-5.2.14-0.7.30.48.1
    php5-openssl-5.2.14-0.7.30.48.1
    php5-pcntl-5.2.14-0.7.30.48.1
    php5-pdo-5.2.14-0.7.30.48.1
    php5-pear-5.2.14-0.7.30.48.1
    php5-pgsql-5.2.14-0.7.30.48.1
    php5-pspell-5.2.14-0.7.30.48.1
    php5-shmop-5.2.14-0.7.30.48.1
    php5-snmp-5.2.14-0.7.30.48.1
    php5-soap-5.2.14-0.7.30.48.1
    php5-suhosin-5.2.14-0.7.30.48.1
    php5-sysvmsg-5.2.14-0.7.30.48.1
    php5-sysvsem-5.2.14-0.7.30.48.1
    php5-sysvshm-5.2.14-0.7.30.48.1
    php5-tokenizer-5.2.14-0.7.30.48.1
    php5-wddx-5.2.14-0.7.30.48.1
    php5-xmlreader-5.2.14-0.7.30.48.1
    php5-xmlrpc-5.2.14-0.7.30.48.1
    php5-xmlwriter-5.2.14-0.7.30.48.1
    php5-xsl-5.2.14-0.7.30.48.1
    php5-zip-5.2.14-0.7.30.48.1
    php5-zlib-5.2.14-0.7.30.48.1
- SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 5.2.14]:
    apache2-mod_php5-5.2.14-0.7.30.48.1
    php5-5.2.14-0.7.30.48.1
    php5-bcmath-5.2.14-0.7.30.48.1
    php5-bz2-5.2.14-0.7.30.48.1
    php5-calendar-5.2.14-0.7.30.48.1
    php5-ctype-5.2.14-0.7.30.48.1
    php5-curl-5.2.14-0.7.30.48.1
    php5-dba-5.2.14-0.7.30.48.1
    php5-dbase-5.2.14-0.7.30.48.1
    php5-dom-5.2.14-0.7.30.48.1
    php5-exif-5.2.14-0.7.30.48.1
    php5-fastcgi-5.2.14-0.7.30.48.1
    php5-ftp-5.2.14-0.7.30.48.1
    php5-gd-5.2.14-0.7.30.48.1
    php5-gettext-5.2.14-0.7.30.48.1
    php5-gmp-5.2.14-0.7.30.48.1
    php5-hash-5.2.14-0.7.30.48.1
    php5-iconv-5.2.14-0.7.30.48.1
    php5-json-5.2.14-0.7.30.48.1
    php5-ldap-5.2.14-0.7.30.48.1
    php5-mbstring-5.2.14-0.7.30.48.1
    php5-mcrypt-5.2.14-0.7.30.48.1
    php5-mysql-5.2.14-0.7.30.48.1
    php5-odbc-5.2.14-0.7.30.48.1
    php5-openssl-5.2.14-0.7.30.48.1
    php5-pcntl-5.2.14-0.7.30.48.1
    php5-pdo-5.2.14-0.7.30.48.1
    php5-pear-5.2.14-0.7.30.48.1
    php5-pgsql-5.2.14-0.7.30.48.1
    php5-pspell-5.2.14-0.7.30.48.1
    php5-shmop-5.2.14-0.7.30.48.1
    php5-snmp-5.2.14-0.7.30.48.1
    php5-soap-5.2.14-0.7.30.48.1
    php5-suhosin-5.2.14-0.7.30.48.1
    php5-sysvmsg-5.2.14-0.7.30.48.1
    php5-sysvsem-5.2.14-0.7.30.48.1
    php5-sysvshm-5.2.14-0.7.30.48.1
    php5-tokenizer-5.2.14-0.7.30.48.1
    php5-wddx-5.2.14-0.7.30.48.1
    php5-xmlreader-5.2.14-0.7.30.48.1
    php5-xmlrpc-5.2.14-0.7.30.48.1
    php5-xmlwriter-5.2.14-0.7.30.48.1
    php5-xsl-5.2.14-0.7.30.48.1
    php5-zip-5.2.14-0.7.30.48.1
    php5-zlib-5.2.14-0.7.30.48.1

References:

http://support.novell.com/security/cve/CVE-2013-4113.html
https://bugzilla.novell.com/775852
https://bugzilla.novell.com/778003
https://bugzilla.novell.com/783239
https://bugzilla.novell.com/807707
https://bugzilla.novell.com/828020
https://bugzilla.novell.com/829207
http://download.novell.com/patch/finder/?keywords=2ab3ed25399f2e9a36f4f4b0da18d493

From sle-security-updates at lists.suse.com Fri Aug 9 15:04:10 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 9 Aug 2013 23:04:10 +0200 (CEST)
Subject: SUSE-SU-2013:1316-1: important: Security update for PHP5
Message-ID: <20130809210410.D829A3236F@maintenance.suse.de>

SUSE Security Update: Security update for PHP5
______________________________________________________________________________

Announcement ID: SUSE-SU-2013:1316-1
Rating: important
References: #828020 #829207
Cross-References: CVE-2013-4113 CVE-2013-4635
Affected Products:
    SUSE Linux Enterprise Software Development Kit 11 SP3
    SUSE Linux Enterprise Server 11 SP3 for VMware
    SUSE Linux Enterprise Server 11 SP3
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

The following security issues have been fixed:

* CVE-2013-4635 (bnc#828020):
    o Integer overflow in SdnToJewish()
* CVE-2013-4113 (bnc#829207):
    o heap corruption due to badly formed xml

Security Issues:

* CVE-2013-4113
* CVE-2013-4635

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:
    zypper in -t patch sdksp3-apache2-mod_php53-8088
- SUSE Linux Enterprise Server 11 SP3 for VMware:
    zypper in -t patch slessp3-apache2-mod_php53-8088
- SUSE Linux Enterprise Server 11 SP3:
    zypper in -t patch slessp3-apache2-mod_php53-8088

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
    php53-devel-5.3.17-0.15.1
    php53-imap-5.3.17-0.15.1
    php53-posix-5.3.17-0.15.1
    php53-readline-5.3.17-0.15.1
    php53-sockets-5.3.17-0.15.1
    php53-sqlite-5.3.17-0.15.1
    php53-tidy-5.3.17-0.15.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
    apache2-mod_php53-5.3.17-0.15.1
    php53-5.3.17-0.15.1
    php53-bcmath-5.3.17-0.15.1
    php53-bz2-5.3.17-0.15.1
    php53-calendar-5.3.17-0.15.1
    php53-ctype-5.3.17-0.15.1
    php53-curl-5.3.17-0.15.1
    php53-dba-5.3.17-0.15.1
    php53-dom-5.3.17-0.15.1
    php53-exif-5.3.17-0.15.1
    php53-fastcgi-5.3.17-0.15.1
    php53-fileinfo-5.3.17-0.15.1
    php53-ftp-5.3.17-0.15.1
    php53-gd-5.3.17-0.15.1
    php53-gettext-5.3.17-0.15.1
    php53-gmp-5.3.17-0.15.1
    php53-iconv-5.3.17-0.15.1
    php53-intl-5.3.17-0.15.1
    php53-json-5.3.17-0.15.1
    php53-ldap-5.3.17-0.15.1
    php53-mbstring-5.3.17-0.15.1
    php53-mcrypt-5.3.17-0.15.1
    php53-mysql-5.3.17-0.15.1
    php53-odbc-5.3.17-0.15.1
    php53-openssl-5.3.17-0.15.1
    php53-pcntl-5.3.17-0.15.1
    php53-pdo-5.3.17-0.15.1
    php53-pear-5.3.17-0.15.1
    php53-pgsql-5.3.17-0.15.1
    php53-pspell-5.3.17-0.15.1
    php53-shmop-5.3.17-0.15.1
    php53-snmp-5.3.17-0.15.1
    php53-soap-5.3.17-0.15.1
    php53-suhosin-5.3.17-0.15.1
    php53-sysvmsg-5.3.17-0.15.1
    php53-sysvsem-5.3.17-0.15.1
    php53-sysvshm-5.3.17-0.15.1
    php53-tokenizer-5.3.17-0.15.1
    php53-wddx-5.3.17-0.15.1
    php53-xmlreader-5.3.17-0.15.1
    php53-xmlrpc-5.3.17-0.15.1
    php53-xmlwriter-5.3.17-0.15.1
    php53-xsl-5.3.17-0.15.1
    php53-zip-5.3.17-0.15.1
    php53-zlib-5.3.17-0.15.1
- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
    apache2-mod_php53-5.3.17-0.15.1
    php53-5.3.17-0.15.1
    php53-bcmath-5.3.17-0.15.1
    php53-bz2-5.3.17-0.15.1
    php53-calendar-5.3.17-0.15.1
    php53-ctype-5.3.17-0.15.1
    php53-curl-5.3.17-0.15.1
    php53-dba-5.3.17-0.15.1
    php53-dom-5.3.17-0.15.1
    php53-exif-5.3.17-0.15.1
    php53-fastcgi-5.3.17-0.15.1
    php53-fileinfo-5.3.17-0.15.1
    php53-ftp-5.3.17-0.15.1
    php53-gd-5.3.17-0.15.1
    php53-gettext-5.3.17-0.15.1
    php53-gmp-5.3.17-0.15.1
    php53-iconv-5.3.17-0.15.1
    php53-intl-5.3.17-0.15.1
    php53-json-5.3.17-0.15.1
    php53-ldap-5.3.17-0.15.1
    php53-mbstring-5.3.17-0.15.1
    php53-mcrypt-5.3.17-0.15.1
    php53-mysql-5.3.17-0.15.1
    php53-odbc-5.3.17-0.15.1
    php53-openssl-5.3.17-0.15.1
    php53-pcntl-5.3.17-0.15.1
    php53-pdo-5.3.17-0.15.1
    php53-pear-5.3.17-0.15.1
    php53-pgsql-5.3.17-0.15.1
    php53-pspell-5.3.17-0.15.1
    php53-shmop-5.3.17-0.15.1
    php53-snmp-5.3.17-0.15.1
    php53-soap-5.3.17-0.15.1
    php53-suhosin-5.3.17-0.15.1
    php53-sysvmsg-5.3.17-0.15.1
    php53-sysvsem-5.3.17-0.15.1
    php53-sysvshm-5.3.17-0.15.1
    php53-tokenizer-5.3.17-0.15.1
    php53-wddx-5.3.17-0.15.1
    php53-xmlreader-5.3.17-0.15.1
    php53-xmlrpc-5.3.17-0.15.1
    php53-xmlwriter-5.3.17-0.15.1
    php53-xsl-5.3.17-0.15.1
    php53-zip-5.3.17-0.15.1
    php53-zlib-5.3.17-0.15.1

References:

http://support.novell.com/security/cve/CVE-2013-4113.html
http://support.novell.com/security/cve/CVE-2013-4635.html
https://bugzilla.novell.com/828020
https://bugzilla.novell.com/829207
http://download.novell.com/patch/finder/?keywords=b35f4744a67f955b03d2752b14164d9a

From sle-security-updates at lists.suse.com Fri Aug 9 15:04:14 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 9 Aug 2013 23:04:14 +0200 (CEST)
Subject: SUSE-SU-2013:1285-2: important: Security update for PHP5
Message-ID: <20130809210414.928233236F@maintenance.suse.de>

SUSE Security Update: Security update for PHP5
______________________________________________________________________________

Announcement ID: SUSE-SU-2013:1285-2
Rating: important
References: #807707 #828020 #829207
Cross-References: CVE-2013-1635 CVE-2013-1643 CVE-2013-4113 CVE-2013-4635
Affected Products:
    SUSE Linux Enterprise Software Development Kit 11 SP2
    SUSE Linux Enterprise Server 11 SP2 for VMware
    SUSE Linux Enterprise Server 11 SP2
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

The following security issues have been fixed:

* CVE-2013-4635 (bnc#828020):
    o Integer overflow in SdnToJewish()
* CVE-2013-1635 and CVE-2013-1643 (bnc#807707):
    o reading system files via untrusted SOAP input
    o soap.wsdl_cache_dir function did not honour PHP open_basedir
* CVE-2013-4113 (bnc#829207):
    o heap corruption due to badly formed xml

Security Issue references:

* CVE-2013-4113
* CVE-2013-4635
* CVE-2013-1635
* CVE-2013-1643

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP2:
    zypper in -t patch sdksp2-apache2-mod_php53-8087
- SUSE Linux Enterprise Server 11 SP2 for VMware:
    zypper in -t patch slessp2-apache2-mod_php53-8087
- SUSE Linux Enterprise Server 11 SP2:
    zypper in -t patch slessp2-apache2-mod_php53-8087

To bring your system up-to-date, use "zypper patch".
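Every advisory in this digest ends with a "Package List" that names the fixed build of each package per product. As an added example (not a SUSE tool and not part of any advisory), the following Python script parses that section and compares it with an inventory of installed packages, reporting the ones still below the fixed build. The advisory excerpt and the `rpm -qa` output embedded in the script are constructed for the demonstration, and `rpmvercmp` is a simplified re-implementation of RPM's version comparison (tilde and caret handling omitted).

```python
"""Cross-check installed RPMs against an advisory "Package List" (added example).

Not a SUSE tool.  The advisory excerpt and the `rpm -qa` output below are
constructed for the demonstration; rpmvercmp() is a simplified re-implementation
of RPM's version comparison (no tilde/caret handling).
"""
import re

# Constructed excerpt in the layout of a SUSE advisory "Package List" section.
ADVISORY_PACKAGE_LIST = """\
Package List:
- SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):
    apache2-mod_php53-5.3.8-0.41.1
    php53-5.3.8-0.41.1
    php53-soap-5.3.8-0.41.1
"""

# Constructed output of: rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
INSTALLED_RPMS = """\
php53-5.3.8-0.39.2
php53-soap-5.3.8-0.41.1
apache2-mod_php53-5.3.8-0.41.1
bash-3.2-147.9.13
"""

_NVR = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)$")


def split_nvr(pkg):
    """Split 'name-version-release' into its parts (epoch and arch not used)."""
    m = _NVR.match(pkg)
    if not m:
        raise ValueError("not a name-version-release string: %r" % pkg)
    return m.group("name"), m.group("ver"), m.group("rel")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 comparing two version (or release) strings the RPM way:
    split into digit and alpha runs, compare digit runs numerically, alpha runs
    lexically, a numeric run beats an alphabetic one, and on a tie the string
    with segments left over is the newer one."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def vr_cmp(v1, r1, v2, r2):
    """Compare version-release pairs; the release only matters when versions tie."""
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def parse_package_list(text):
    """Map each '- <product> (<archs>):' heading to the NVRs listed under it."""
    products, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("- ") and s.endswith(":"):
            current = s[2:-1]
            products[current] = []
        elif current is not None and s:
            products[current].append(s)
    return products


def find_outdated(advisory_text, installed_text):
    """Return [(name, installed_vr, fixed_vr)] for installed packages that are
    older than the advisory's build.  Packages that are not installed are not
    reported: the advisory only becomes relevant once they are."""
    installed = {}
    for line in installed_text.splitlines():
        if line.strip():
            n, v, r = split_nvr(line.strip())
            installed[n] = (v, r)
    outdated = []
    for nvrs in parse_package_list(advisory_text).values():
        for nvr in nvrs:
            n, fv, fr = split_nvr(nvr)
            if n in installed and vr_cmp(*installed[n], fv, fr) < 0:
                iv, ir = installed[n]
                outdated.append((n, iv + "-" + ir, fv + "-" + fr))
    return outdated


if __name__ == "__main__":
    for name, have, want in find_outdated(ADVISORY_PACKAGE_LIST, INSTALLED_RPMS):
        print("%s: installed %s, advisory ships %s" % (name, have, want))
```

On a live system `zypper patch` performs this comparison itself; the script is for the offline case where an exported package inventory has to be checked against advisory text, for instance across a fleet of hosts that cannot reach the update server.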
Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):
    php53-devel-5.3.8-0.41.1
    php53-imap-5.3.8-0.41.1
    php53-posix-5.3.8-0.41.1
    php53-readline-5.3.8-0.41.1
    php53-sockets-5.3.8-0.41.1
    php53-sqlite-5.3.8-0.41.1
    php53-tidy-5.3.8-0.41.1
- SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):
    apache2-mod_php53-5.3.8-0.41.1
    php53-5.3.8-0.41.1
    php53-bcmath-5.3.8-0.41.1
    php53-bz2-5.3.8-0.41.1
    php53-calendar-5.3.8-0.41.1
    php53-ctype-5.3.8-0.41.1
    php53-curl-5.3.8-0.41.1
    php53-dba-5.3.8-0.41.1
    php53-dom-5.3.8-0.41.1
    php53-exif-5.3.8-0.41.1
    php53-fastcgi-5.3.8-0.41.1
    php53-fileinfo-5.3.8-0.41.1
    php53-ftp-5.3.8-0.41.1
    php53-gd-5.3.8-0.41.1
    php53-gettext-5.3.8-0.41.1
    php53-gmp-5.3.8-0.41.1
    php53-iconv-5.3.8-0.41.1
    php53-intl-5.3.8-0.41.1
    php53-json-5.3.8-0.41.1
    php53-ldap-5.3.8-0.41.1
    php53-mbstring-5.3.8-0.41.1
    php53-mcrypt-5.3.8-0.41.1
    php53-mysql-5.3.8-0.41.1
    php53-odbc-5.3.8-0.41.1
    php53-openssl-5.3.8-0.41.1
    php53-pcntl-5.3.8-0.41.1
    php53-pdo-5.3.8-0.41.1
    php53-pear-5.3.8-0.41.1
    php53-pgsql-5.3.8-0.41.1
    php53-pspell-5.3.8-0.41.1
    php53-shmop-5.3.8-0.41.1
    php53-snmp-5.3.8-0.41.1
    php53-soap-5.3.8-0.41.1
    php53-suhosin-5.3.8-0.41.1
    php53-sysvmsg-5.3.8-0.41.1
    php53-sysvsem-5.3.8-0.41.1
    php53-sysvshm-5.3.8-0.41.1
    php53-tokenizer-5.3.8-0.41.1
    php53-wddx-5.3.8-0.41.1
    php53-xmlreader-5.3.8-0.41.1
    php53-xmlrpc-5.3.8-0.41.1
    php53-xmlwriter-5.3.8-0.41.1
    php53-xsl-5.3.8-0.41.1
    php53-zip-5.3.8-0.41.1
    php53-zlib-5.3.8-0.41.1
- SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):
    apache2-mod_php53-5.3.8-0.41.1
    php53-5.3.8-0.41.1
    php53-bcmath-5.3.8-0.41.1
    php53-bz2-5.3.8-0.41.1
    php53-calendar-5.3.8-0.41.1
    php53-ctype-5.3.8-0.41.1
    php53-curl-5.3.8-0.41.1
    php53-dba-5.3.8-0.41.1
    php53-dom-5.3.8-0.41.1
    php53-exif-5.3.8-0.41.1
    php53-fastcgi-5.3.8-0.41.1
    php53-fileinfo-5.3.8-0.41.1
    php53-ftp-5.3.8-0.41.1
    php53-gd-5.3.8-0.41.1
    php53-gettext-5.3.8-0.41.1
    php53-gmp-5.3.8-0.41.1
    php53-iconv-5.3.8-0.41.1
    php53-intl-5.3.8-0.41.1
    php53-json-5.3.8-0.41.1
    php53-ldap-5.3.8-0.41.1
    php53-mbstring-5.3.8-0.41.1
    php53-mcrypt-5.3.8-0.41.1
    php53-mysql-5.3.8-0.41.1
    php53-odbc-5.3.8-0.41.1
    php53-openssl-5.3.8-0.41.1
    php53-pcntl-5.3.8-0.41.1
    php53-pdo-5.3.8-0.41.1
    php53-pear-5.3.8-0.41.1
    php53-pgsql-5.3.8-0.41.1
    php53-pspell-5.3.8-0.41.1
    php53-shmop-5.3.8-0.41.1
    php53-snmp-5.3.8-0.41.1
    php53-soap-5.3.8-0.41.1
    php53-suhosin-5.3.8-0.41.1
    php53-sysvmsg-5.3.8-0.41.1
    php53-sysvsem-5.3.8-0.41.1
    php53-sysvshm-5.3.8-0.41.1
    php53-tokenizer-5.3.8-0.41.1
    php53-wddx-5.3.8-0.41.1
    php53-xmlreader-5.3.8-0.41.1
    php53-xmlrpc-5.3.8-0.41.1
    php53-xmlwriter-5.3.8-0.41.1
    php53-xsl-5.3.8-0.41.1
    php53-zip-5.3.8-0.41.1
    php53-zlib-5.3.8-0.41.1

References:

http://support.novell.com/security/cve/CVE-2013-1635.html
http://support.novell.com/security/cve/CVE-2013-1643.html
http://support.novell.com/security/cve/CVE-2013-4113.html
http://support.novell.com/security/cve/CVE-2013-4635.html
https://bugzilla.novell.com/807707
https://bugzilla.novell.com/828020
https://bugzilla.novell.com/829207
http://download.novell.com/patch/finder/?keywords=ad593aac1cfc93b29edc0ea5b036ed90

From sle-security-updates at lists.suse.com Fri Aug 9 15:04:18 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 9 Aug 2013 23:04:18 +0200 (CEST)
Subject: SUSE-SU-2013:1317-1: important: Security update for PHP5
Message-ID: <20130809210418.4A3E73236F@maintenance.suse.de>

SUSE Security Update: Security update for PHP5
______________________________________________________________________________

Announcement ID: SUSE-SU-2013:1317-1
Rating: important
References: #783239 #807707 #828020 #829207
Cross-References: CVE-2013-1635 CVE-2013-1643 CVE-2013-4113 CVE-2013-4635
Affected Products:
    SUSE Linux Enterprise Software Development Kit 11 SP2
    SUSE Linux Enterprise Server 11 SP2 for VMware
    SUSE Linux Enterprise Server 11 SP2
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

The following security issues have been fixed:

* CVE-2013-4635 (bnc#828020):
    o Integer overflow in SdnToJewish()
* CVE-2013-1635 and CVE-2013-1643 (bnc#807707):
    o reading system files via untrusted SOAP input
    o soap.wsdl_cache_dir function did not honour PHP open_basedir
* CVE-2013-4113 (bnc#829207):
    o heap corruption due to badly formed xml

Security Issues:

* CVE-2013-4635
* CVE-2013-4113
* CVE-2013-1635
* CVE-2013-1643

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP2:
    zypper in -t patch sdksp2-apache2-mod_php5-8086
- SUSE Linux Enterprise Server 11 SP2 for VMware:
    zypper in -t patch slessp2-apache2-mod_php5-8086
- SUSE Linux Enterprise Server 11 SP2:
    zypper in -t patch slessp2-apache2-mod_php5-8086

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):
    php5-devel-5.2.14-0.7.30.48.1
    php5-imap-5.2.14-0.7.30.48.1
    php5-ncurses-5.2.14-0.7.30.48.1
    php5-posix-5.2.14-0.7.30.48.1
    php5-readline-5.2.14-0.7.30.48.1
    php5-sockets-5.2.14-0.7.30.48.1
    php5-sqlite-5.2.14-0.7.30.48.1
    php5-tidy-5.2.14-0.7.30.48.1
- SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 x86_64):
    apache2-mod_php5-5.2.14-0.7.30.48.1
    php5-5.2.14-0.7.30.48.1
    php5-bcmath-5.2.14-0.7.30.48.1
    php5-bz2-5.2.14-0.7.30.48.1
    php5-calendar-5.2.14-0.7.30.48.1
    php5-ctype-5.2.14-0.7.30.48.1
    php5-curl-5.2.14-0.7.30.48.1
    php5-dba-5.2.14-0.7.30.48.1
    php5-dbase-5.2.14-0.7.30.48.1
    php5-dom-5.2.14-0.7.30.48.1
    php5-exif-5.2.14-0.7.30.48.1
    php5-fastcgi-5.2.14-0.7.30.48.1
    php5-ftp-5.2.14-0.7.30.48.1
    php5-gd-5.2.14-0.7.30.48.1
    php5-gettext-5.2.14-0.7.30.48.1
    php5-gmp-5.2.14-0.7.30.48.1
    php5-hash-5.2.14-0.7.30.48.1
    php5-iconv-5.2.14-0.7.30.48.1
    php5-json-5.2.14-0.7.30.48.1
    php5-ldap-5.2.14-0.7.30.48.1
    php5-mbstring-5.2.14-0.7.30.48.1
    php5-mcrypt-5.2.14-0.7.30.48.1
    php5-mysql-5.2.14-0.7.30.48.1
    php5-odbc-5.2.14-0.7.30.48.1
    php5-openssl-5.2.14-0.7.30.48.1
    php5-pcntl-5.2.14-0.7.30.48.1
    php5-pdo-5.2.14-0.7.30.48.1
    php5-pear-5.2.14-0.7.30.48.1
    php5-pgsql-5.2.14-0.7.30.48.1
    php5-pspell-5.2.14-0.7.30.48.1
    php5-shmop-5.2.14-0.7.30.48.1
    php5-snmp-5.2.14-0.7.30.48.1
    php5-soap-5.2.14-0.7.30.48.1
    php5-suhosin-5.2.14-0.7.30.48.1
    php5-sysvmsg-5.2.14-0.7.30.48.1
    php5-sysvsem-5.2.14-0.7.30.48.1
    php5-sysvshm-5.2.14-0.7.30.48.1
    php5-tokenizer-5.2.14-0.7.30.48.1
    php5-wddx-5.2.14-0.7.30.48.1
    php5-xmlreader-5.2.14-0.7.30.48.1
    php5-xmlrpc-5.2.14-0.7.30.48.1
    php5-xmlwriter-5.2.14-0.7.30.48.1
    php5-xsl-5.2.14-0.7.30.48.1
    php5-zip-5.2.14-0.7.30.48.1
    php5-zlib-5.2.14-0.7.30.48.1
- SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):
    apache2-mod_php5-5.2.14-0.7.30.48.1
    php5-5.2.14-0.7.30.48.1
    php5-bcmath-5.2.14-0.7.30.48.1
    php5-bz2-5.2.14-0.7.30.48.1
    php5-calendar-5.2.14-0.7.30.48.1
    php5-ctype-5.2.14-0.7.30.48.1
    php5-curl-5.2.14-0.7.30.48.1
    php5-dba-5.2.14-0.7.30.48.1
    php5-dbase-5.2.14-0.7.30.48.1
    php5-dom-5.2.14-0.7.30.48.1
    php5-exif-5.2.14-0.7.30.48.1
    php5-fastcgi-5.2.14-0.7.30.48.1
    php5-ftp-5.2.14-0.7.30.48.1
    php5-gd-5.2.14-0.7.30.48.1
    php5-gettext-5.2.14-0.7.30.48.1
    php5-gmp-5.2.14-0.7.30.48.1
    php5-hash-5.2.14-0.7.30.48.1
    php5-iconv-5.2.14-0.7.30.48.1
    php5-json-5.2.14-0.7.30.48.1
    php5-ldap-5.2.14-0.7.30.48.1
    php5-mbstring-5.2.14-0.7.30.48.1
    php5-mcrypt-5.2.14-0.7.30.48.1
    php5-mysql-5.2.14-0.7.30.48.1
    php5-odbc-5.2.14-0.7.30.48.1
    php5-openssl-5.2.14-0.7.30.48.1
    php5-pcntl-5.2.14-0.7.30.48.1
    php5-pdo-5.2.14-0.7.30.48.1
    php5-pear-5.2.14-0.7.30.48.1
    php5-pgsql-5.2.14-0.7.30.48.1
    php5-pspell-5.2.14-0.7.30.48.1
    php5-shmop-5.2.14-0.7.30.48.1
    php5-snmp-5.2.14-0.7.30.48.1
    php5-soap-5.2.14-0.7.30.48.1
    php5-suhosin-5.2.14-0.7.30.48.1
    php5-sysvmsg-5.2.14-0.7.30.48.1
    php5-sysvsem-5.2.14-0.7.30.48.1
    php5-sysvshm-5.2.14-0.7.30.48.1
    php5-tokenizer-5.2.14-0.7.30.48.1
    php5-wddx-5.2.14-0.7.30.48.1
    php5-xmlreader-5.2.14-0.7.30.48.1
    php5-xmlrpc-5.2.14-0.7.30.48.1
    php5-xmlwriter-5.2.14-0.7.30.48.1
    php5-xsl-5.2.14-0.7.30.48.1
    php5-zip-5.2.14-0.7.30.48.1
    php5-zlib-5.2.14-0.7.30.48.1
- SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):
    apache2-mod_php5-5.2.14-0.7.30.48.1
    php5-5.2.14-0.7.30.48.1
    php5-bcmath-5.2.14-0.7.30.48.1
    php5-bz2-5.2.14-0.7.30.48.1
    php5-calendar-5.2.14-0.7.30.48.1
    php5-ctype-5.2.14-0.7.30.48.1
    php5-curl-5.2.14-0.7.30.48.1
    php5-dba-5.2.14-0.7.30.48.1
    php5-dbase-5.2.14-0.7.30.48.1
    php5-dom-5.2.14-0.7.30.48.1
    php5-exif-5.2.14-0.7.30.48.1
    php5-fastcgi-5.2.14-0.7.30.48.1
    php5-ftp-5.2.14-0.7.30.48.1
    php5-gd-5.2.14-0.7.30.48.1
    php5-gettext-5.2.14-0.7.30.48.1
    php5-gmp-5.2.14-0.7.30.48.1
    php5-hash-5.2.14-0.7.30.48.1
    php5-iconv-5.2.14-0.7.30.48.1
    php5-json-5.2.14-0.7.30.48.1
    php5-ldap-5.2.14-0.7.30.48.1
    php5-mbstring-5.2.14-0.7.30.48.1
    php5-mcrypt-5.2.14-0.7.30.48.1
    php5-mysql-5.2.14-0.7.30.48.1
    php5-odbc-5.2.14-0.7.30.48.1
    php5-openssl-5.2.14-0.7.30.48.1
    php5-pcntl-5.2.14-0.7.30.48.1
    php5-pdo-5.2.14-0.7.30.48.1
    php5-pear-5.2.14-0.7.30.48.1
    php5-pgsql-5.2.14-0.7.30.48.1
    php5-pspell-5.2.14-0.7.30.48.1
    php5-shmop-5.2.14-0.7.30.48.1
    php5-snmp-5.2.14-0.7.30.48.1
    php5-soap-5.2.14-0.7.30.48.1
    php5-suhosin-5.2.14-0.7.30.48.1
    php5-sysvmsg-5.2.14-0.7.30.48.1
    php5-sysvsem-5.2.14-0.7.30.48.1
    php5-sysvshm-5.2.14-0.7.30.48.1
    php5-tokenizer-5.2.14-0.7.30.48.1
    php5-wddx-5.2.14-0.7.30.48.1
    php5-xmlreader-5.2.14-0.7.30.48.1
    php5-xmlrpc-5.2.14-0.7.30.48.1
    php5-xmlwriter-5.2.14-0.7.30.48.1
    php5-xsl-5.2.14-0.7.30.48.1
    php5-zip-5.2.14-0.7.30.48.1
    php5-zlib-5.2.14-0.7.30.48.1

References:

http://support.novell.com/security/cve/CVE-2013-1635.html
http://support.novell.com/security/cve/CVE-2013-1643.html
http://support.novell.com/security/cve/CVE-2013-4113.html
http://support.novell.com/security/cve/CVE-2013-4635.html
https://bugzilla.novell.com/783239
https://bugzilla.novell.com/807707
https://bugzilla.novell.com/828020
https://bugzilla.novell.com/829207
http://download.novell.com/patch/finder/?keywords=983afe97da999c3ed9c81daa3863571b

From sle-security-updates at lists.suse.com Tue Aug 13 16:04:12 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 14 Aug 2013 00:04:12 +0200 (CEST)
Subject: SUSE-SU-2013:1325-1: important: Security update for Mozilla Firefox
Message-ID: <20130813220412.D62BB32374@maintenance.suse.de>

SUSE Security Update: Security update for Mozilla Firefox
______________________________________________________________________________

Announcement ID: SUSE-SU-2013:1325-1
Rating: important
References: #833389
Affected Products:
    SUSE Linux Enterprise Software Development Kit 11 SP3
    SUSE Linux Enterprise Server 11 SP3 for VMware
    SUSE Linux Enterprise Server 11 SP3
    SUSE Linux Enterprise Server 11 SP2 for VMware
    SUSE Linux Enterprise Server 11 SP2
    SUSE Linux Enterprise Desktop 11 SP3
    SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________

An update that contains security fixes can now be installed. It includes one version update.
Description:

This update to Firefox 17.0.8esr (bnc#833389) addresses:

* MFSA 2013-63/CVE-2013-1701/CVE-2013-1702 (bmo#855331, bmo#844088, bmo#858060, bmo#870200, bmo#874974, bmo#861530, bmo#854157, bmo#893684, bmo#878703, bmo#862185, bmo#879139, bmo#888107, bmo#880734)
  Miscellaneous memory safety hazards have been fixed (rv:23.0 / rv:17.0.8).
* MFSA 2013-66/CVE-2013-1706/CVE-2013-1707 (bmo#888314, bmo#888361)
  Buffer overflow in Mozilla Maintenance Service and Mozilla Updater
* MFSA 2013-68/CVE-2013-1709 (bmo#848253)
  Document URI misrepresentation and masquerading
* MFSA 2013-69/CVE-2013-1710 (bmo#871368)
  CRMF requests allow for code execution and XSS attacks
* MFSA 2013-71/CVE-2013-1712 (bmo#859072)
  Further privilege escalation through Mozilla Updater
* MFSA 2013-72/CVE-2013-1713 (bmo#887098)
  Wrong principal used for validating URI for some Javascript components
* MFSA 2013-73/CVE-2013-1714 (bmo#879787)
  Same-origin bypass with web workers and XMLHttpRequest
* MFSA 2013-75/CVE-2013-1717 (bmo#406541)
  Local Java applets may read contents of local file system

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:
    zypper in -t patch sdksp3-MozillaFirefox-8191
- SUSE Linux Enterprise Server 11 SP3 for VMware:
    zypper in -t patch slessp3-MozillaFirefox-8191
- SUSE Linux Enterprise Server 11 SP3:
    zypper in -t patch slessp3-MozillaFirefox-8191
- SUSE Linux Enterprise Server 11 SP2 for VMware:
    zypper in -t patch slessp2-MozillaFirefox-8187
- SUSE Linux Enterprise Server 11 SP2:
    zypper in -t patch slessp2-MozillaFirefox-8187
- SUSE Linux Enterprise Desktop 11 SP3:
    zypper in -t patch sledsp3-MozillaFirefox-8191
- SUSE Linux Enterprise Desktop 11 SP2:
    zypper in -t patch sledsp2-MozillaFirefox-8187

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
    MozillaFirefox-devel-17.0.8esr-0.7.2
- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 17.0.8esr]:
    MozillaFirefox-17.0.8esr-0.7.2
    MozillaFirefox-translations-17.0.8esr-0.7.2
- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 17.0.8esr]:
    MozillaFirefox-17.0.8esr-0.7.2
    MozillaFirefox-translations-17.0.8esr-0.7.2
- SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 17.0.8esr]:
    MozillaFirefox-17.0.8esr-0.4.2.1
    MozillaFirefox-translations-17.0.8esr-0.4.2.1
- SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 17.0.8esr]:
    MozillaFirefox-17.0.8esr-0.4.2.1
    MozillaFirefox-translations-17.0.8esr-0.4.2.1
- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 17.0.8esr]:
    MozillaFirefox-17.0.8esr-0.7.2
    MozillaFirefox-translations-17.0.8esr-0.7.2
- SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 17.0.8esr]:
    MozillaFirefox-17.0.8esr-0.4.2.1
    MozillaFirefox-translations-17.0.8esr-0.4.2.1

References:

https://bugzilla.novell.com/833389
http://download.novell.com/patch/finder/?keywords=0cfcf5031e62c63bd502567283c781f9
http://download.novell.com/patch/finder/?keywords=5d16f58a1649e09775bbc460079ceeda

From sle-security-updates at lists.suse.com Tue Aug 13 17:04:13 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 14 Aug 2013 01:04:13 +0200 (CEST)
Subject: SUSE-SU-2013:1328-1: moderate: Security update for python-httplib2
Message-ID: <20130813230413.25FB532371@maintenance.suse.de>

SUSE Security Update: Security update for python-httplib2
______________________________________________________________________________

Announcement ID: SUSE-SU-2013:1328-1
Rating: moderate
References: #818100
Cross-References: CVE-2013-2037
Affected Products:
    SUSE Linux Enterprise Software Development Kit 11 SP3
    SUSE Linux Enterprise Software Development Kit 11 SP2
    SUSE Cloud 1.0
______________________________________________________________________________

An update that fixes one vulnerability is now available. It includes one version update.

Description:

This patch fixes an SSL certificate verification issue in python-httplib2, where remote server certificates were not validated against the known good root certificates.

Security Issue reference:

* CVE-2013-2037

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:
    zypper in -t patch sdksp3-python-httplib2-8126
- SUSE Linux Enterprise Software Development Kit 11 SP2:
    zypper in -t patch sdksp2-python-httplib2-8125
- SUSE Cloud 1.0:
    zypper in -t patch sleclo10sp2-python-httplib2-8125

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
    python-httplib2-0.7.4-0.7.8.1
- SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 0.7.4]:
    python-httplib2-0.7.4-0.7.8.1
- SUSE Cloud 1.0 (x86_64):
    python-httplib2-0.7.4-0.7.8.1

References:

http://support.novell.com/security/cve/CVE-2013-2037.html
https://bugzilla.novell.com/818100
http://download.novell.com/patch/finder/?keywords=b51ccf9876436044e5fd3d5ea26dd208
http://download.novell.com/patch/finder/?keywords=fb368653920b3983833fccebdcd862e1

From sle-security-updates at lists.suse.com Tue Aug 13 17:04:17 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 14 Aug 2013 01:04:17 +0200 (CEST)
Subject: SUSE-SU-2013:1329-1: Security update for automake
Message-ID: <20130813230417.765E632371@maintenance.suse.de>

SUSE Security Update: Security update for automake
______________________________________________________________________________

Announcement ID: SUSE-SU-2013:1329-1
Rating: low
References: #559815 #770618
Cross-References: CVE-2012-3386
Affected Products:
    SUSE Linux Enterprise Software Development Kit 11 SP3
    SUSE Linux Enterprise Software Development Kit 11 SP2
    SUSE Linux Enterprise Server 11 SP3 for VMware
    SUSE Linux Enterprise Server 11 SP3
    SUSE Linux Enterprise Server 11 SP2 for VMware
    SUSE Linux Enterprise Server 11 SP2
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update of automake fixes a race condition in "distcheck" (CVE-2012-3386). It also fixes a bug where world-writable tarballs were generated during "make dist" (CVE-2009-4029).

Security Issue references:

* CVE-2012-3386
* CVE-2009-4029

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:
    zypper in -t patch sdksp3-automake-8197
- SUSE Linux Enterprise Software Development Kit 11 SP2:
    zypper in -t patch sdksp2-automake-8196
- SUSE Linux Enterprise Server 11 SP3 for VMware:
    zypper in -t patch slessp3-automake-8197
- SUSE Linux Enterprise Server 11 SP3:
    zypper in -t patch slessp3-automake-8197
- SUSE Linux Enterprise Server 11 SP2 for VMware:
    zypper in -t patch slessp2-automake-8196
- SUSE Linux Enterprise Server 11 SP2:
    zypper in -t patch slessp2-automake-8196

To bring your system up-to-date, use "zypper patch".
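The automake entry above (CVE-2009-4029) concerns world-writable files inside a release tarball, which is the kind of defect a release pipeline can catch before the artifact is published. As an added example, not automake's own code, the following Python builds a small constructed tarball in memory and lists every member whose mode grants write access to "other"; the same function applies unchanged to a real `make dist` archive read from disk. The member names and modes are constructed for the demonstration.

```python
"""Find world-writable members in a release tarball (added example, not automake code).

The tarball is constructed in memory so the script runs offline; the check
itself applies unchanged to a real `make dist` artifact read from disk.
"""
import io
import stat
import tarfile


def _add_member(tar, name, mode, data=None):
    """Add a file (data given) or a directory (data None) with an explicit mode."""
    info = tarfile.TarInfo(name)
    info.mode = mode
    if data is None:
        info.type = tarfile.DIRTYPE
        tar.addfile(info)
    else:
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))


def build_sample_tarball():
    """Constructed dist tarball: two sane entries and two world-writable ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        _add_member(tar, "pkg-1.0", 0o755)
        _add_member(tar, "pkg-1.0/configure", 0o755, b"#!/bin/sh\nexit 0\n")
        _add_member(tar, "pkg-1.0/Makefile.in", 0o666, b"all:\n")
        _add_member(tar, "pkg-1.0/src", 0o777)
    return buf.getvalue()


def world_writable_members(tar_bytes):
    """Return the names of members whose mode grants write access to 'other'."""
    found = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.mode & stat.S_IWOTH:
                found.append(member.name)
    return found


def tarball_is_clean(tar_bytes):
    """Release gate: True only if no member is world-writable."""
    return not world_writable_members(tar_bytes)


if __name__ == "__main__":
    data = build_sample_tarball()
    for name in world_writable_members(data):
        print("world-writable:", name)
    print("clean" if tarball_is_clean(data) else "reject")
```

Running the gate on the archive rather than on the working tree is deliberate: the modes stored in the tarball are what every downstream user will get on extraction, regardless of the umask on the build host.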
Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64): automake-1.10.1-4.131.9.1 - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 x86_64): automake-1.10.1-4.131.9.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): automake-1.10.1-4.131.9.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64): automake-1.10.1-4.131.9.1 - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64): automake-1.10.1-4.131.9.1 - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64): automake-1.10.1-4.131.9.1 References: http://support.novell.com/security/cve/CVE-2012-3386.html https://bugzilla.novell.com/559815 https://bugzilla.novell.com/770618 http://download.novell.com/patch/finder/?keywords=0d23c7bc183c768d0e0f9b34d192b755 http://download.novell.com/patch/finder/?keywords=c330be8dc6ec3936c86b84317dc3203d From sle-security-updates at lists.suse.com Wed Aug 14 12:04:09 2013 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 14 Aug 2013 20:04:09 +0200 (CEST) Subject: SUSE-SU-2013:1345-1: Security update for OpenSSH Message-ID: <20130814180409.E247232378@maintenance.suse.de> SUSE Security Update: Security update for OpenSSH ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:1345-1 Rating: low References: #755505 #802639 #821039 #826906 Cross-References: CVE-2010-5107 Affected Products: SUSE Linux Enterprise Server 11 SP2 for VMware SUSE Linux Enterprise Server 11 SP2 SUSE Linux Enterprise Desktop 11 SP2 ______________________________________________________________________________ An update that solves one vulnerability and has three fixes is now available. Description: This update for OpenSSH provides the following fixes: * Implement remote denial of service hardening. (bnc#802639, CVE-2010-5107) * Use only FIPS 140-2 approved algorithms when FIPS mode is detected. 
(bnc#755505, bnc#821039) * Do not link OpenSSH binaries with LDAP libraries. (bnc#826906) Security Issue reference: * CVE-2010-5107 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP2 for VMware: zypper in -t patch slessp2-openssh-8078 - SUSE Linux Enterprise Server 11 SP2: zypper in -t patch slessp2-openssh-8078 - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp2-openssh-8078 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64): openssh-5.1p1-41.57.1 openssh-askpass-5.1p1-41.57.1 - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64): openssh-5.1p1-41.57.1 openssh-askpass-5.1p1-41.57.1 - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64): openssh-5.1p1-41.57.1 openssh-askpass-5.1p1-41.57.1 References: http://support.novell.com/security/cve/CVE-2010-5107.html https://bugzilla.novell.com/755505 https://bugzilla.novell.com/802639 https://bugzilla.novell.com/821039 https://bugzilla.novell.com/826906 http://download.novell.com/patch/finder/?keywords=dd7be5574ffe3cd03de79a99d3b6b9f0 From sle-security-updates at lists.suse.com Fri Aug 16 13:04:10 2013 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 16 Aug 2013 21:04:10 +0200 (CEST) Subject: SUSE-SU-2013:1351-1: important: Security update for PHP5 Message-ID: <20130816190410.5CD5E3237A@maintenance.suse.de> SUSE Security Update: Security update for PHP5 ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:1351-1 Rating: important References: #699711 #709549 #713652 #728671 #733590 #735613 #736169 #738221 #741520 #741859 #742273 #742806 #743308 #744966 #746661 #749111 #752030 #753778 #760536 #761631 #772580 #772582 #775852 #778003 #783239 #807707 #828020 #829207 Cross-References: 
                    CVE-2011-1072 CVE-2011-1398 CVE-2011-1466 CVE-2011-2202
                    CVE-2011-3182 CVE-2011-4153 CVE-2011-4388 CVE-2011-4566
                    CVE-2011-4885 CVE-2012-0057 CVE-2012-0781 CVE-2012-0788
                    CVE-2012-0789 CVE-2012-0807 CVE-2012-0830 CVE-2012-0831
                    CVE-2012-1172 CVE-2012-1823 CVE-2012-2311 CVE-2012-2335
                    CVE-2012-2336 CVE-2012-2688 CVE-2012-3365 CVE-2013-1635
                    CVE-2013-1643 CVE-2013-4113 CVE-2013-4635
Affected Products:
                    SUSE Linux Enterprise Server 10 SP3 LTSS
______________________________________________________________________________

   An update that solves 27 vulnerabilities and has one errata is now
   available. It includes one version update.

Description:

   php5 has been updated to roll up all pending security fixes for Long
   Term Service Pack Support.

   The following security issues have been fixed:

   * CVE-2013-4635: Integer overflow in the SdnToJewish function in
     jewish.c in the Calendar component in PHP allowed context-dependent
     attackers to cause a denial of service (application hang) via a
     large argument to the jdtojewish function.

   * CVE-2013-1635: ext/soap/soap.c in PHP did not validate the
     relationship between the soap.wsdl_cache_dir directive and the
     open_basedir directive, which allowed remote attackers to bypass
     intended access restrictions by triggering the creation of cached
     SOAP WSDL files in an arbitrary directory.

   * CVE-2013-1643: The SOAP parser in PHP allowed remote attackers to
     read arbitrary files via a SOAP WSDL file containing an XML external
     entity declaration in conjunction with an entity reference, related
     to an XML External Entity (XXE) issue in the soap_xmlParseFile and
     soap_xmlParseMemory functions.

   * CVE-2013-4113: ext/xml/xml.c in PHP before 5.3.27 does not properly
     consider parsing depth, which allowed remote attackers to cause a
     denial of service (heap memory corruption) or possibly have
     unspecified other impact via a crafted document that is processed by
     the xml_parse_into_struct function.

   * CVE-2011-1398 / CVE-2011-4388: The sapi_header_op function in
     main/SAPI.c in PHP did not check for %0D sequences (aka carriage
     return characters), which allowed remote attackers to bypass an HTTP
     response-splitting protection mechanism via a crafted URL, related
     to improper interaction between the PHP header function and certain
     browsers, as demonstrated by Internet Explorer and Google Chrome.

   * CVE-2012-2688: An unspecified vulnerability in the
     _php_stream_scandir function in the stream implementation in PHP had
     unknown impact and remote attack vectors, related to an "overflow."

   * CVE-2012-3365: The SQLite functionality in PHP before 5.3.15 allowed
     remote attackers to bypass the open_basedir protection mechanism via
     unspecified vectors.

   * CVE-2012-1823: sapi/cgi/cgi_main.c in PHP, when configured as a CGI
     script (aka php-cgi), did not properly handle query strings that
     lack an = (equals sign) character, which allowed remote attackers to
     execute arbitrary code by placing command-line options in the query
     string, related to lack of skipping a certain php_getopt for the 'd'
     case.

   * CVE-2012-2335: php-wrapper.fcgi did not properly handle command-line
     arguments, which allowed remote attackers to bypass a protection
     mechanism in PHP and execute arbitrary code by leveraging improper
     interaction between the PHP sapi/cgi/cgi_main.c component and a
     query string beginning with a +- sequence.

   * CVE-2012-2336: sapi/cgi/cgi_main.c in PHP, when configured as a CGI
     script (aka php-cgi), did not properly handle query strings that
     lack an = (equals sign) character, which allowed remote attackers to
     cause a denial of service (resource consumption) by placing
     command-line options in the query string, related to lack of
     skipping a certain php_getopt for the 'T' case. NOTE: this
     vulnerability exists because of an incomplete fix for CVE-2012-1823.

   * CVE-2012-2311: sapi/cgi/cgi_main.c in PHP, when configured as a CGI
     script (aka php-cgi), does not properly handle query strings that
     contain a %3D sequence but no = (equals sign) character, which
     allows remote attackers to execute arbitrary code by placing
     command-line options in the query string, related to lack of
     skipping a certain php_getopt for the 'd' case. NOTE: this
     vulnerability exists because of an incomplete fix for CVE-2012-1823.

   * CVE-2012-1172: The file-upload implementation in rfc1867.c in PHP
     did not properly handle invalid [ (open square bracket) characters
     in name values, which makes it easier for remote attackers to cause
     a denial of service (malformed $_FILES indexes) or conduct directory
     traversal attacks during multi-file uploads by leveraging a script
     that lacks its own filename restrictions.

   * CVE-2012-0830: The php_register_variable_ex function in
     php_variables.c in PHP allowed remote attackers to execute arbitrary
     code via a request containing a large number of variables, related
     to improper handling of array variables. NOTE: this vulnerability
     exists because of an incorrect fix for CVE-2011-4885.

   * CVE-2012-0807: Stack-based buffer overflow in the
     suhosin_encrypt_single_cookie function in the transparent
     cookie-encryption feature in the Suhosin extension before 0.9.33 for
     PHP, when suhosin.cookie.encrypt and suhosin.multiheader are
     enabled, might have allowed remote attackers to execute arbitrary
     code via a long string that is used in a Set-Cookie HTTP header.

   * CVE-2012-0057: PHP had improper libxslt security settings, which
     allowed remote attackers to create arbitrary files via a crafted
     XSLT stylesheet that uses the libxslt output extension.

   * CVE-2012-0831: PHP did not properly perform a temporary change to
     the magic_quotes_gpc directive during the importing of environment
     variables, which made it easier for remote attackers to conduct SQL
     injection attacks via a crafted request, related to
     main/php_variables.c, sapi/cgi/cgi_main.c, and
     sapi/fpm/fpm/fpm_main.c.

   * CVE-2011-4153: PHP did not always check the return value of the
     zend_strndup function, which might have allowed remote attackers to
     cause a denial of service (NULL pointer dereference and application
     crash) via crafted input to an application that performs strndup
     operations on untrusted string data, as demonstrated by the define
     function in zend_builtin_functions.c, and unspecified functions in
     ext/soap/php_sdl.c, ext/standard/syslog.c, ext/standard/browscap.c,
     ext/oci8/oci8.c, ext/com_dotnet/com_typeinfo.c, and
     main/php_open_temporary_file.c.

   * CVE-2012-0781: The tidy_diagnose function in PHP might have allowed
     remote attackers to cause a denial of service (NULL pointer
     dereference and application crash) via crafted input to an
     application that attempts to perform Tidy::diagnose operations on
     invalid objects, a different vulnerability than CVE-2011-4153.

   * CVE-2012-0788: The PDORow implementation in PHP did not properly
     interact with the session feature, which allowed remote attackers to
     cause a denial of service (application crash) via a crafted
     application that uses a PDO driver for a fetch and then calls the
     session_start function, as demonstrated by a crash of the Apache
     HTTP Server.

   * CVE-2012-0789: Memory leak in the timezone functionality in PHP
     allowed remote attackers to cause a denial of service (memory
     consumption) by triggering many strtotime function calls, which were
     not properly handled by the php_date_parse_tzfile cache.

   * CVE-2011-4885: PHP computed hash values for form parameters without
     restricting the ability to trigger hash collisions predictably,
     which allowed remote attackers to cause a denial of service (CPU
     consumption) by sending many crafted parameters. We added a
     max_input_vars directive to prevent attacks based on hash
     collisions.

   * CVE-2011-4566: Integer overflow in the exif_process_IFD_TAG function
     in exif.c in the exif extension in PHP allowed remote attackers to
     read the contents of arbitrary memory locations or cause a denial of
     service via a crafted offset_val value in an EXIF header in a JPEG
     file, a different vulnerability than CVE-2011-0708.

   * CVE-2011-3182: PHP did not properly check the return values of the
     malloc, calloc, and realloc library functions, which allowed
     context-dependent attackers to cause a denial of service (NULL
     pointer dereference and application crash) or trigger a buffer
     overflow by leveraging the ability to provide an arbitrary value for
     a function argument, related to (1) ext/curl/interface.c, (2)
     ext/date/lib/parse_date.c, (3) ext/date/lib/parse_iso_intervals.c,
     (4) ext/date/lib/parse_tz.c, (5) ext/date/lib/timelib.c, (6)
     ext/pdo_odbc/pdo_odbc.c, (7) ext/reflection/php_reflection.c, (8)
     ext/soap/php_sdl.c, (9) ext/xmlrpc/libxmlrpc/base64.c, (10)
     TSRM/tsrm_win32.c, and (11) the strtotime function.

   * CVE-2011-1466: Integer overflow in the SdnToJulian function in the
     Calendar extension in PHP allowed context-dependent attackers to
     cause a denial of service (application crash) via a large integer in
     the first argument to the cal_from_jd function.

   * CVE-2011-1072: The installer in PEAR allowed local users to
     overwrite arbitrary files via a symlink attack on the package.xml
     file, related to the (1) download_dir, (2) cache_dir, (3) tmp_dir,
     and (4) pear-build-download directories, a different vulnerability
     than CVE-2007-2519.

   * CVE-2011-2202: The rfc1867_post_handler function in main/rfc1867.c
     in PHP did not properly restrict filenames in multipart/form-data
     POST requests, which allowed remote attackers to conduct absolute
     path traversal attacks, and possibly create or overwrite arbitrary
     files, via a crafted upload request, related to a "file path
     injection vulnerability."

   Bugfixes:

   * fixed php bug #43200 (Interface implementation / inheritance not
     possible in abstract classes) [bnc#783239]
   * use FilesMatch with 'SetHandler' rather than 'AddHandler'
     [bnc#775852]
   * fixed unpredictable unpack()/pack() behaviour [bnc#753778]
   * memory corruption in parse_ini_string() [bnc#742806]
   * amend README.SUSE to discourage using apache module with
     apache2-worker [bnc#728671]
   * allow uploading files bigger than 2GB for 64bit systems [bnc#709549]

Security Issue references:

   * CVE-2011-1072
   * CVE-2011-1398
   * CVE-2011-1466
   * CVE-2011-2202
   * CVE-2011-3182
   * CVE-2011-4153
   * CVE-2011-4388
   * CVE-2011-4566
   * CVE-2011-4885
   * CVE-2012-0057
   * CVE-2012-0781
   * CVE-2012-0788
   * CVE-2012-0789
   * CVE-2012-0807
   * CVE-2012-0830
   * CVE-2012-0831
   * CVE-2012-1172
   * CVE-2012-1823
   * CVE-2012-2311
   * CVE-2012-2335
   * CVE-2012-2336
   * CVE-2012-2688
   * CVE-2012-3365
   * CVE-2013-1635
   * CVE-2013-1643
   * CVE-2013-4113
   * CVE-2013-4635

Package List:

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64) [New Version: 5.2.14]:

      apache2-mod_php5-5.2.14-0.42.1
      php5-5.2.14-0.42.1
      php5-bcmath-5.2.14-0.42.1
      php5-bz2-5.2.14-0.42.1
      php5-calendar-5.2.14-0.42.1
      php5-ctype-5.2.14-0.42.1
      php5-curl-5.2.14-0.42.1
      php5-dba-5.2.14-0.42.1
      php5-dbase-5.2.14-0.42.1
      php5-devel-5.2.14-0.42.1
      php5-dom-5.2.14-0.42.1
      php5-exif-5.2.14-0.42.1
      php5-fastcgi-5.2.14-0.42.1
      php5-ftp-5.2.14-0.42.1
      php5-gd-5.2.14-0.42.1
      php5-gettext-5.2.14-0.42.1
      php5-gmp-5.2.14-0.42.1
      php5-hash-5.2.14-0.42.1
      php5-iconv-5.2.14-0.42.1
      php5-imap-5.2.14-0.42.1
      php5-json-5.2.14-0.42.1
      php5-ldap-5.2.14-0.42.1
      php5-mbstring-5.2.14-0.42.1
      php5-mcrypt-5.2.14-0.42.1
      php5-mhash-5.2.14-0.42.1
      php5-mysql-5.2.14-0.42.1
      php5-ncurses-5.2.14-0.42.1
      php5-odbc-5.2.14-0.42.1
      php5-openssl-5.2.14-0.42.1
      php5-pcntl-5.2.14-0.42.1
      php5-pdo-5.2.14-0.42.1
      php5-pear-5.2.14-0.42.1
      php5-pgsql-5.2.14-0.42.1
      php5-posix-5.2.14-0.42.1
      php5-pspell-5.2.14-0.42.1
      php5-shmop-5.2.14-0.42.1
      php5-snmp-5.2.14-0.42.1
      php5-soap-5.2.14-0.42.1
      php5-sockets-5.2.14-0.42.1
      php5-sqlite-5.2.14-0.42.1
      php5-suhosin-5.2.14-0.42.1
      php5-sysvmsg-5.2.14-0.42.1
      php5-sysvsem-5.2.14-0.42.1
      php5-sysvshm-5.2.14-0.42.1
      php5-tokenizer-5.2.14-0.42.1
      php5-wddx-5.2.14-0.42.1
      php5-xmlreader-5.2.14-0.42.1
      php5-xmlrpc-5.2.14-0.42.1
      php5-xsl-5.2.14-0.42.1
      php5-zlib-5.2.14-0.42.1

References:

   http://support.novell.com/security/cve/CVE-2011-1072.html
   http://support.novell.com/security/cve/CVE-2011-1398.html
   http://support.novell.com/security/cve/CVE-2011-1466.html
   http://support.novell.com/security/cve/CVE-2011-2202.html
   http://support.novell.com/security/cve/CVE-2011-3182.html
   http://support.novell.com/security/cve/CVE-2011-4153.html
   http://support.novell.com/security/cve/CVE-2011-4388.html
   http://support.novell.com/security/cve/CVE-2011-4566.html
   http://support.novell.com/security/cve/CVE-2011-4885.html
   http://support.novell.com/security/cve/CVE-2012-0057.html
   http://support.novell.com/security/cve/CVE-2012-0781.html
   http://support.novell.com/security/cve/CVE-2012-0788.html
   http://support.novell.com/security/cve/CVE-2012-0789.html
   http://support.novell.com/security/cve/CVE-2012-0807.html
   http://support.novell.com/security/cve/CVE-2012-0830.html
   http://support.novell.com/security/cve/CVE-2012-0831.html
   http://support.novell.com/security/cve/CVE-2012-1172.html
   http://support.novell.com/security/cve/CVE-2012-1823.html
   http://support.novell.com/security/cve/CVE-2012-2311.html
   http://support.novell.com/security/cve/CVE-2012-2335.html
   http://support.novell.com/security/cve/CVE-2012-2336.html
   http://support.novell.com/security/cve/CVE-2012-2688.html
   http://support.novell.com/security/cve/CVE-2012-3365.html
   http://support.novell.com/security/cve/CVE-2013-1635.html
   http://support.novell.com/security/cve/CVE-2013-1643.html
   http://support.novell.com/security/cve/CVE-2013-4113.html
   http://support.novell.com/security/cve/CVE-2013-4635.html
   https://bugzilla.novell.com/699711
   https://bugzilla.novell.com/709549
   https://bugzilla.novell.com/713652
   https://bugzilla.novell.com/728671
   https://bugzilla.novell.com/733590
   https://bugzilla.novell.com/735613
   https://bugzilla.novell.com/736169
   https://bugzilla.novell.com/738221
   https://bugzilla.novell.com/741520
   https://bugzilla.novell.com/741859
   https://bugzilla.novell.com/742273
   https://bugzilla.novell.com/742806
   https://bugzilla.novell.com/743308
   https://bugzilla.novell.com/744966
   https://bugzilla.novell.com/746661
   https://bugzilla.novell.com/749111
   https://bugzilla.novell.com/752030
   https://bugzilla.novell.com/753778
   https://bugzilla.novell.com/760536
   https://bugzilla.novell.com/761631
   https://bugzilla.novell.com/772580
   https://bugzilla.novell.com/772582
   https://bugzilla.novell.com/775852
   https://bugzilla.novell.com/778003
   https://bugzilla.novell.com/783239
   https://bugzilla.novell.com/807707
   https://bugzilla.novell.com/828020
   https://bugzilla.novell.com/829207
   http://download.novell.com/patch/finder/?keywords=052a65bd8d851aef0dd6767bb9f288d8

From sle-security-updates at lists.suse.com Fri Aug 16 13:04:13 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 16 Aug 2013 21:04:13 +0200 (CEST)
Subject: SUSE-SU-2013:1352-1: moderate: Security update for libgcrypt
Message-ID: <20130816190413.6B8B93237A@maintenance.suse.de>

   SUSE Security Update: Security update for libgcrypt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:1352-1
Rating:             moderate
References:         #831359
Cross-References:   CVE-2013-4242
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update of libgcrypt mitigates the Yarom/Falkner flush+reload
   side-channel attack on RSA secret keys (CVE-2013-4242).

Security Issue reference:

   * CVE-2013-4242

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-libgcrypt-8201

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-libgcrypt-8202

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-libgcrypt-8201

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-libgcrypt-8201

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-libgcrypt-8202

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-libgcrypt-8202

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-libgcrypt-8201

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp2-libgcrypt-8202

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      libgcrypt-devel-1.5.0-0.15.2

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64 s390x x86_64):

      libgcrypt-devel-32bit-1.5.0-0.15.2

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      libgcrypt-devel-1.5.0-0.15.2

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (ppc64 s390x x86_64):

      libgcrypt-devel-32bit-1.5.0-0.15.2

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):

      libgcrypt11-1.5.0-0.15.2

   - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):

      libgcrypt11-32bit-1.5.0-0.15.2

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      libgcrypt11-1.5.0-0.15.2

   - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):

      libgcrypt11-32bit-1.5.0-0.15.2

   - SUSE Linux Enterprise Server 11 SP3 (ia64):

      libgcrypt11-x86-1.5.0-0.15.2

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):

      libgcrypt11-1.5.0-0.15.2

   - SUSE Linux Enterprise Server 11 SP2 for VMware (x86_64):

      libgcrypt11-32bit-1.5.0-0.15.2

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      libgcrypt11-1.5.0-0.15.2

   - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64):

      libgcrypt11-32bit-1.5.0-0.15.2

   - SUSE Linux Enterprise Server 11 SP2 (ia64):

      libgcrypt11-x86-1.5.0-0.15.2

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

      libgcrypt11-1.5.0-0.15.2

   - SUSE Linux Enterprise Desktop 11 SP3 (x86_64):

      libgcrypt11-32bit-1.5.0-0.15.2

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):

      libgcrypt11-1.5.0-0.15.2

   - SUSE Linux Enterprise Desktop 11 SP2 (x86_64):

      libgcrypt11-32bit-1.5.0-0.15.2

References:

   http://support.novell.com/security/cve/CVE-2013-4242.html
   https://bugzilla.novell.com/831359
   http://download.novell.com/patch/finder/?keywords=2b7095211b1ed27d726389d7ecb5c95d
   http://download.novell.com/patch/finder/?keywords=bd2d0f6f2e8a3076df72f872b6ae9697

From sle-security-updates at lists.suse.com Tue Aug 20 14:04:10 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 20 Aug 2013 22:04:10 +0200 (CEST)
Subject: SUSE-SU-2013:1364-1: moderate: Security update for telepathy-idle
Message-ID: <20130820200410.0368532277@maintenance.suse.de>

   SUSE Security Update: Security update for telepathy-idle
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:1364-1
Rating:             moderate
References:         #817120
Cross-References:   CVE-2007-6746
Affected Products:
                    SUSE Linux Enterprise Desktop 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   Telepathy-idle did not check SSL certificates. CVE-2007-6746 was
   assigned to this issue.

Security Issue reference:

   * CVE-2007-6746

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-telepathy-idle-8216

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp2-telepathy-idle-8215

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

      telepathy-idle-0.1.5-1.5.1

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):

      telepathy-idle-0.1.5-1.5.1

References:

   http://support.novell.com/security/cve/CVE-2007-6746.html
   https://bugzilla.novell.com/817120
   http://download.novell.com/patch/finder/?keywords=56f3ca0e41170514d59d122cc53ecddd
   http://download.novell.com/patch/finder/?keywords=5d515619372a90a2b07cccc067e6ec87

From sle-security-updates at lists.suse.com Thu Aug 22 20:04:09 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 23 Aug 2013 04:04:09 +0200 (CEST)
Subject: SUSE-SU-2013:1373-1: moderate: Security update for libpixman
Message-ID: <20130823020409.360CF321A1@maintenance.suse.de>

   SUSE Security Update: Security update for libpixman
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:1373-1
Rating:             moderate
References:         #815064
Cross-References:   CVE-2013-1591
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   A stack based buffer overflow in the pixman library has been fixed.
   (CVE-2013-1591)

Security Issue reference:

   * CVE-2013-1591

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-libpixman-1-0-8119

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-libpixman-1-0-8119

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-libpixman-1-0-8119

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-libpixman-1-0-8119

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      libpixman-1-0-devel-0.24.4-0.13.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):

      libpixman-1-0-0.24.4-0.13.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):

      libpixman-1-0-32bit-0.24.4-0.13.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      libpixman-1-0-0.24.4-0.13.1

   - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):

      libpixman-1-0-32bit-0.24.4-0.13.1

   - SUSE Linux Enterprise Server 11 SP3 (ia64):

      libpixman-1-0-x86-0.24.4-0.13.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

      libpixman-1-0-0.24.4-0.13.1

   - SUSE Linux Enterprise Desktop 11 SP3 (x86_64):

      libpixman-1-0-32bit-0.24.4-0.13.1

References:

   http://support.novell.com/security/cve/CVE-2013-1591.html
   https://bugzilla.novell.com/815064
   http://download.novell.com/patch/finder/?keywords=78320be449e78c2de4f0552d848c2c92

From sle-security-updates at lists.suse.com Thu Aug 22 20:04:13 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 23 Aug 2013 04:04:13 +0200 (CEST)
Subject: SUSE-SU-2013:1374-1: moderate: Security update for tomcat6
Message-ID: <20130823020413.1814A321A1@maintenance.suse.de>

   SUSE Security Update: Security update for tomcat6
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:1374-1
Rating:             moderate
References:         #768772 #804992 #818948 #822177 #831119
Cross-References:   CVE-2012-0022 CVE-2012-3544 CVE-2013-1976
Affected Products:
                    SUSE Manager 1.2 for SLE 11 SP1
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
______________________________________________________________________________

   An update that solves three vulnerabilities and has two fixes is now
   available.

Description:

   This update of tomcat6 fixes:

   * apache-tomcat-CVE-2012-3544.patch (bnc#831119)
   * use chown --no-dereference to prevent symlink attacks on log
     (bnc#822177#c7/prevents CVE-2013-1976)
   * Fix tomcat init scripts generating malformed classpath
     ( http://youtrack.jetbrains.com/issue/JT-18545 ) bnc#804992
     (patch from m407)
   * fix a typo in initscript (bnc#768772 )
   * copy all shell scripts (bnc#818948)

Security Issue references:

   * CVE-2012-3544
   * CVE-2013-1976
   * CVE-2012-0022

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager 1.2 for SLE 11 SP1:

      zypper in -t patch sleman12sp1-tomcat6-8154

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-tomcat6-8156

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-tomcat6-8156

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-tomcat6-8155

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-tomcat6-8155

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Manager 1.2 for SLE 11 SP1 (noarch):

      tomcat6-6.0.18-20.35.42.1
      tomcat6-jsp-2_1-api-6.0.18-20.35.42.1
      tomcat6-lib-6.0.18-20.35.42.1
      tomcat6-servlet-2_5-api-6.0.18-20.35.42.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (noarch):

      tomcat6-6.0.18-20.35.42.1
      tomcat6-admin-webapps-6.0.18-20.35.42.1
      tomcat6-docs-webapp-6.0.18-20.35.42.1
      tomcat6-javadoc-6.0.18-20.35.42.1
      tomcat6-jsp-2_1-api-6.0.18-20.35.42.1
      tomcat6-lib-6.0.18-20.35.42.1
      tomcat6-servlet-2_5-api-6.0.18-20.35.42.1
      tomcat6-webapps-6.0.18-20.35.42.1

   - SUSE Linux Enterprise Server 11 SP3 (noarch):

      tomcat6-6.0.18-20.35.42.1
      tomcat6-admin-webapps-6.0.18-20.35.42.1
      tomcat6-docs-webapp-6.0.18-20.35.42.1
      tomcat6-javadoc-6.0.18-20.35.42.1
      tomcat6-jsp-2_1-api-6.0.18-20.35.42.1
      tomcat6-lib-6.0.18-20.35.42.1
      tomcat6-servlet-2_5-api-6.0.18-20.35.42.1
      tomcat6-webapps-6.0.18-20.35.42.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (noarch):

      tomcat6-6.0.18-20.35.42.1
      tomcat6-admin-webapps-6.0.18-20.35.42.1
      tomcat6-docs-webapp-6.0.18-20.35.42.1
      tomcat6-javadoc-6.0.18-20.35.42.1
      tomcat6-jsp-2_1-api-6.0.18-20.35.42.1
      tomcat6-lib-6.0.18-20.35.42.1
      tomcat6-servlet-2_5-api-6.0.18-20.35.42.1
      tomcat6-webapps-6.0.18-20.35.42.1

   - SUSE Linux Enterprise Server 11 SP2 (noarch):

      tomcat6-6.0.18-20.35.42.1
      tomcat6-admin-webapps-6.0.18-20.35.42.1
      tomcat6-docs-webapp-6.0.18-20.35.42.1
      tomcat6-javadoc-6.0.18-20.35.42.1
      tomcat6-jsp-2_1-api-6.0.18-20.35.42.1
      tomcat6-lib-6.0.18-20.35.42.1
      tomcat6-servlet-2_5-api-6.0.18-20.35.42.1
      tomcat6-webapps-6.0.18-20.35.42.1

References:

   http://support.novell.com/security/cve/CVE-2012-0022.html
   http://support.novell.com/security/cve/CVE-2012-3544.html
   http://support.novell.com/security/cve/CVE-2013-1976.html
   https://bugzilla.novell.com/768772
   https://bugzilla.novell.com/804992
   https://bugzilla.novell.com/818948
   https://bugzilla.novell.com/822177
   https://bugzilla.novell.com/831119
   http://download.novell.com/patch/finder/?keywords=12b24e7d9af803f495821f7913c74791
   http://download.novell.com/patch/finder/?keywords=a5246128c8e50844e60161cb307cf899
   http://download.novell.com/patch/finder/?keywords=ba897d3a71e20b3c4589c544b8b8a1f2

From sle-security-updates at lists.suse.com Thu Aug 22 21:04:09 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 23 Aug 2013 05:04:09 +0200 (CEST)
Subject: SUSE-SU-2013:1325-2: important: Security update for Mozilla Firefox
Message-ID: <20130823030409.04AD3321A1@maintenance.suse.de>

   SUSE Security Update: Security update for Mozilla Firefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:1325-2
Rating:             important
References:         #833389
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 for VMware LTSS
                    SUSE Linux Enterprise Server 11 SP1 LTSS
                    SUSE Linux Enterprise Server 10 SP3 LTSS
______________________________________________________________________________

   An update that contains security fixes can now be installed. It
   includes four new package versions.

Description:

   This update to Firefox 17.0.8esr (bnc#833389) addresses the following
   issues:

   * MFSA 2013-63/CVE-2013-1701/CVE-2013-1702 (bmo#855331, bmo#844088,
     bmo#858060, bmo#870200, bmo#874974, bmo#861530, bmo#854157,
     bmo#893684, bmo#878703, bmo#862185, bmo#879139, bmo#888107,
     bmo#880734) Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8)
   * MFSA 2013-66/CVE-2013-1706/CVE-2013-1707 (bmo#888314, bmo#888361)
     Buffer overflow in Mozilla Maintenance Service and Mozilla Updater
   * MFSA 2013-68/CVE-2013-1709 (bmo#848253) Document URI
     misrepresentation and masquerading
   * MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests allow for code
     execution and XSS attacks
   * MFSA 2013-71/CVE-2013-1712 (bmo#859072) Further Privilege escalation
     through Mozilla Updater
   * MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal used for
     validating URI for some Javascript components
   * MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin bypass with web
     workers and XMLHttpRequest
   * MFSA 2013-75/CVE-2013-1717 (bmo#406541) Local Java applets may read
     contents of local file system

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS:

      zypper in -t patch slessp1-MozillaFirefox-8188

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-MozillaFirefox-8188

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS (i586 x86_64) [New Version: 17.0.8esr]:

      MozillaFirefox-17.0.8esr-0.4.2.1
      MozillaFirefox-translations-17.0.8esr-0.4.2.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 17.0.8esr]:

      MozillaFirefox-17.0.8esr-0.4.2.1
      MozillaFirefox-translations-17.0.8esr-0.4.2.1

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64) [New Version: 3.14.3 and 4.9.6]:

      mozilla-nspr-4.9.6-0.5.7
      mozilla-nspr-devel-4.9.6-0.5.7
      mozilla-nss-3.14.3-0.5.7
      mozilla-nss-devel-3.14.3-0.5.7
      mozilla-nss-tools-3.14.3-0.5.7

   - SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64) [New Version: 3.14.3 and 4.9.6]:

      mozilla-nspr-32bit-4.9.6-0.5.7
      mozilla-nss-32bit-3.14.3-0.5.7

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x) [New Version: 17.0.8esr and 7]:

      MozillaFirefox-17.0.8esr-0.5.3
      MozillaFirefox-branding-SLED-7-0.10.34
      MozillaFirefox-translations-17.0.8esr-0.5.3

References:

   https://bugzilla.novell.com/833389
   http://download.novell.com/patch/finder/?keywords=27187876975cda4d472350efca85775a
   http://download.novell.com/patch/finder/?keywords=6795b3750d821e23eeba3d00c98c91e6

From sle-security-updates at lists.suse.com Mon Aug 26 09:04:10 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 26 Aug 2013 17:04:10 +0200 (CEST)
Subject: SUSE-SU-2013:1381-1: moderate: Security update for Apache2
Message-ID: <20130826150410.99BB932372@maintenance.suse.de>

   SUSE Security Update: Security update for Apache2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:1381-1
Rating:             moderate
References:         #791794 #815621 #829056 #829057
Cross-References:   CVE-2013-1862 CVE-2013-1896
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
______________________________________________________________________________

   An update that solves two vulnerabilities and has two fixes is now
   available.

Description:

   This collective update for Apache provides the following fixes:

   * Make sure that input that has already arrived on the socket is not
     discarded during a non-blocking read (read(2) returns 0 and errno is
     set to -EAGAIN). (bnc#815621)
   * Close the connection just before an attempted re-negotiation if data
     has been read with pipelining. This is done by resetting the
     keepalive status. (bnc#815621)
   * Reset the renegotiation status of a client<->server connection to
     RENEG_INIT to prevent falsely assumed status. (bnc#791794)
   * "OPTIONS *" internal requests are intercepted by a dummy filter that
     kicks in for the OPTIONS method. Apple iPrint uses "OPTIONS *" to
     upgrade the connection to TLS/1.0 following RFC 2817. For
     compatibility, check if an Upgrade request header is present and
     skip the filter if yes. (bnc#791794)
   * Sending a MERGE request against a URI handled by mod_dav_svn with
     the source href (sent as part of the request body as XML) pointing
     to a URI that is not configured for DAV will trigger a segfault.
     (bnc#829056, CVE-2013-1896)
   * Client data written to the RewriteLog must have terminal escape
     sequences escaped. (bnc#829057, CVE-2013-1862)

Security Issue references:

   * CVE-2013-1896
   * CVE-2013-1862

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-apache2-8138 - SUSE Linux Enterprise Software Development Kit 11 SP2: zypper in -t patch sdksp2-apache2-8137 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-apache2-8138 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-apache2-8138 - SUSE Linux Enterprise Server 11 SP2 for VMware: zypper in -t patch slessp2-apache2-8137 - SUSE Linux Enterprise Server 11 SP2: zypper in -t patch slessp2-apache2-8137 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64): apache2-devel-2.2.12-1.40.1 - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64): apache2-2.2.12-1.40.1 apache2-doc-2.2.12-1.40.1 apache2-example-pages-2.2.12-1.40.1 apache2-prefork-2.2.12-1.40.1 apache2-utils-2.2.12-1.40.1 apache2-worker-2.2.12-1.40.1 - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64): apache2-devel-2.2.12-1.40.1 - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 x86_64): apache2-2.2.12-1.40.1 apache2-doc-2.2.12-1.40.1 apache2-example-pages-2.2.12-1.40.1 apache2-prefork-2.2.12-1.40.1 apache2-utils-2.2.12-1.40.1 apache2-worker-2.2.12-1.40.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): apache2-2.2.12-1.40.1 apache2-doc-2.2.12-1.40.1 apache2-example-pages-2.2.12-1.40.1 apache2-prefork-2.2.12-1.40.1 apache2-utils-2.2.12-1.40.1 apache2-worker-2.2.12-1.40.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64): apache2-2.2.12-1.40.1 apache2-doc-2.2.12-1.40.1 apache2-example-pages-2.2.12-1.40.1 apache2-prefork-2.2.12-1.40.1 apache2-utils-2.2.12-1.40.1 apache2-worker-2.2.12-1.40.1 - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64): apache2-2.2.12-1.40.1 apache2-doc-2.2.12-1.40.1 apache2-example-pages-2.2.12-1.40.1 
apache2-prefork-2.2.12-1.40.1 apache2-utils-2.2.12-1.40.1 apache2-worker-2.2.12-1.40.1 - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64): apache2-2.2.12-1.40.1 apache2-doc-2.2.12-1.40.1 apache2-example-pages-2.2.12-1.40.1 apache2-prefork-2.2.12-1.40.1 apache2-utils-2.2.12-1.40.1 apache2-worker-2.2.12-1.40.1 References: http://support.novell.com/security/cve/CVE-2013-1862.html http://support.novell.com/security/cve/CVE-2013-1896.html https://bugzilla.novell.com/791794 https://bugzilla.novell.com/815621 https://bugzilla.novell.com/829056 https://bugzilla.novell.com/829057 http://download.novell.com/patch/finder/?keywords=106ec7308fc7232703cf87a5a41c5c46 http://download.novell.com/patch/finder/?keywords=a26f350e03bfdb5e4f778c3a5f45a1ad From sle-security-updates at lists.suse.com Tue Aug 27 00:04:08 2013 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 27 Aug 2013 08:04:08 +0200 (CEST) Subject: SUSE-SU-2013:1382-1: important: Security update for Mozilla Firefox Message-ID: <20130827060408.881EB32372@maintenance.suse.de> SUSE Security Update: Security update for Mozilla Firefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:1382-1 Rating: important References: #833389 Cross-References: CVE-2013-1701 CVE-2013-1702 CVE-2013-1706 CVE-2013-1707 CVE-2013-1709 CVE-2013-1710 CVE-2013-1712 CVE-2013-1713 CVE-2013-1714 CVE-2013-1717 Affected Products: SUSE Linux Enterprise Server 10 SP4 LTSS ______________________________________________________________________________ An update that fixes 10 vulnerabilities is now available. It includes one version update. 
Description: Update to Firefox 17.0.8esr (bnc#833389) to address: * MFSA 2013-63/CVE-2013-1701/CVE-2013-1702 (bmo#855331, bmo#844088, bmo#858060, bmo#870200, bmo#874974, bmo#861530, bmo#854157, bmo#893684, bmo#878703, bmo#862185, bmo#879139, bmo#888107, bmo#880734) Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8) * MFSA 2013-66/CVE-2013-1706/CVE-2013-1707 (bmo#888314, bmo#888361) Buffer overflow in Mozilla Maintenance Service and Mozilla Updater * MFSA 2013-68/CVE-2013-1709 (bmo#848253) Document URI misrepresentation and masquerading * MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests allow for code execution and XSS attacks * MFSA 2013-71/CVE-2013-1712 (bmo#859072) Further Privilege escalation through Mozilla Updater * MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal used for validating URI for some Javascript components * MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin bypass with web workers and XMLHttpRequest * MFSA 2013-75/CVE-2013-1717 (bmo#406541) Local Java applets may read contents of local file system Security Issue references: * CVE-2013-1701 * CVE-2013-1702 * CVE-2013-1706 * CVE-2013-1707 * CVE-2013-1709 * CVE-2013-1710 * CVE-2013-1712 * CVE-2013-1713 * CVE-2013-1714 * CVE-2013-1717 Package List: - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x) [New Version: 17.0.8esr]: MozillaFirefox-17.0.8esr-0.5.1 MozillaFirefox-translations-17.0.8esr-0.5.1 References: http://support.novell.com/security/cve/CVE-2013-1701.html http://support.novell.com/security/cve/CVE-2013-1702.html http://support.novell.com/security/cve/CVE-2013-1706.html http://support.novell.com/security/cve/CVE-2013-1707.html http://support.novell.com/security/cve/CVE-2013-1709.html http://support.novell.com/security/cve/CVE-2013-1710.html http://support.novell.com/security/cve/CVE-2013-1712.html http://support.novell.com/security/cve/CVE-2013-1713.html http://support.novell.com/security/cve/CVE-2013-1714.html 
http://support.novell.com/security/cve/CVE-2013-1717.html https://bugzilla.novell.com/833389 http://download.novell.com/patch/finder/?keywords=4ec72487a7980101b353c16bf1aff155 From sle-security-updates at lists.suse.com Wed Aug 28 06:04:10 2013 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 28 Aug 2013 14:04:10 +0200 (CEST) Subject: SUSE-SU-2013:1386-1: moderate: Security update for OpenSSL Message-ID: <20130828120410.1887F320B8@maintenance.suse.de> SUSE Security Update: Security update for OpenSSL ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:1386-1 Rating: moderate References: #739719 #758060 #802648 #802746 Affected Products: SUSE CORE 9 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: OpenSSL on SUSE Linux Enterprise Server 9 LTSS has been updated to receive a roll up of security fixes from the last year. The following issues have been fixed: * CVE-2013-0169: The TLS protocol and the DTLS protocol, as used in OpenSSL and other products, did not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allowed remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue. * CVE-2013-0166: OpenSSL did not properly perform signature verification for OCSP responses, which allowed remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key. 
* CVE-2012-2110 CVE-2012-2131: The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL did not properly interpret integer data, which allowed remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. * CVE-2011-4576: The SSL 3.0 implementation in OpenSSL did not properly initialize data structures for block cipher padding, which might have allowed remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer. * CVE-2011-4619: The Server Gated Cryptography (SGC) implementation in OpenSSL did not properly handle handshake restarts, which allowed remote attackers to cause a denial of service (CPU consumption) via unspecified vectors. Package List: - SUSE CORE 9 (i586 s390 s390x x86_64): openssl-0.9.7d-15.48 openssl-devel-0.9.7d-15.48 openssl-doc-0.9.7d-15.48 - SUSE CORE 9 (x86_64): openssl-32bit-9-201308121627 openssl-devel-32bit-9-201308121627 - SUSE CORE 9 (s390x): openssl-32bit-9-201308121642 openssl-devel-32bit-9-201308121642 References: https://bugzilla.novell.com/739719 https://bugzilla.novell.com/758060 https://bugzilla.novell.com/802648 https://bugzilla.novell.com/802746 http://download.novell.com/patch/finder/?keywords=bea1b3ef15108e5f9d7fc35575cbb857 From sle-security-updates at lists.suse.com Thu Aug 29 16:04:10 2013 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 30 Aug 2013 00:04:10 +0200 (CEST) Subject: SUSE-SU-2013:1390-1: important: Security update for MySQL Message-ID: <20130829220410.9DA7B32232@maintenance.suse.de> SUSE Security Update: Security update for MySQL ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:1390-1 Rating: important References: #734436 #768832 #780019 #789263 #791863 #803040 #830086 #834028 #834967 
Cross-References: CVE-2013-1861 CVE-2013-3783 CVE-2013-3793 CVE-2013-3794 CVE-2013-3795 CVE-2013-3796 CVE-2013-3798 CVE-2013-3801 CVE-2013-3802 CVE-2013-3804 CVE-2013-3805 CVE-2013-3806 CVE-2013-3807 CVE-2013-3808 CVE-2013-3809 CVE-2013-3810 CVE-2013-3811 CVE-2013-3812 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that fixes 18 vulnerabilities is now available. It includes one version update. Description: This version upgrade of mysql to 5.5.32 fixes multiple security issues: CVE-2013-1861, CVE-2013-3783, CVE-2013-3793, CVE-2013-3794, CVE-2013-3795, CVE-2013-3796, CVE-2013-3798, CVE-2013-3801, CVE-2013-3802, CVE-2013-3804, CVE-2013-3805, CVE-2013-3806, CVE-2013-3807, CVE-2013-3808, CVE-2013-3809, CVE-2013-3810, CVE-2013-3811, CVE-2013-3812 Additionally, it contains numerous bug fixes and improvements.: * making mysqldump work with MySQL 5.0 (bnc#768832) * fixed log rights (bnc#789263 and bnc#803040) * binlog disabled in default configuration (bnc#791863) * fixed dependencies for client package (bnc#780019) * minor polishing of spec/installation * avoiding file conflicts with mytop * better fix for hardcoded libdir issue * fix hardcoded plugin paths (bnc#834028) * Use chown --no-dereference instead of chown to improve security (bnc#834967) * Adjust to spell !includedir correctly in /etc/my.cnf (bnc#734436) Security Issue references: * CVE-2013-1861 * CVE-2013-3783 * CVE-2013-3793 * CVE-2013-3794 * CVE-2013-3795 * CVE-2013-3796 * CVE-2013-3798 * CVE-2013-3801 * CVE-2013-3802 * CVE-2013-3804 * CVE-2013-3805 * CVE-2013-3806 * CVE-2013-3807 * CVE-2013-3808 * CVE-2013-3809 * CVE-2013-3810 * CVE-2013-3811 * CVE-2013-3812 Patch Instructions: To install this SUSE Security Update use YaST online_update. 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-libmysql55client18-8217 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-libmysql55client18-8217 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-libmysql55client18-8217 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-libmysql55client18-8217 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64 s390x x86_64): libmysql55client_r18-32bit-5.5.32-0.9.1 libmysqlclient_r15-32bit-5.0.96-0.6.9 - SUSE Linux Enterprise Software Development Kit 11 SP3 (ia64): libmysql55client_r18-x86-5.5.32-0.9.1 libmysqlclient_r15-x86-5.0.96-0.6.9 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 5.5.32]: libmysql55client18-5.5.32-0.9.1 libmysql55client_r18-5.5.32-0.9.1 libmysqlclient15-5.0.96-0.6.9 libmysqlclient_r15-5.0.96-0.6.9 mysql-5.5.32-0.9.1 mysql-client-5.5.32-0.9.1 mysql-tools-5.5.32-0.9.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64) [New Version: 5.5.32]: libmysql55client18-32bit-5.5.32-0.9.1 libmysqlclient15-32bit-5.0.96-0.6.9 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 5.5.32]: libmysql55client18-5.5.32-0.9.1 libmysql55client_r18-5.5.32-0.9.1 libmysqlclient15-5.0.96-0.6.9 libmysqlclient_r15-5.0.96-0.6.9 mysql-5.5.32-0.9.1 mysql-client-5.5.32-0.9.1 mysql-tools-5.5.32-0.9.1 - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64) [New Version: 5.5.32]: libmysql55client18-32bit-5.5.32-0.9.1 libmysqlclient15-32bit-5.0.96-0.6.9 - SUSE Linux Enterprise Server 11 SP3 (ia64) [New Version: 5.5.32]: libmysql55client18-x86-5.5.32-0.9.1 libmysqlclient15-x86-5.0.96-0.6.9 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 5.5.32]: libmysql55client18-5.5.32-0.9.1 libmysql55client_r18-5.5.32-0.9.1 
libmysqlclient15-5.0.96-0.6.9 libmysqlclient_r15-5.0.96-0.6.9 mysql-5.5.32-0.9.1 mysql-client-5.5.32-0.9.1 - SUSE Linux Enterprise Desktop 11 SP3 (x86_64) [New Version: 5.5.32]: libmysql55client18-32bit-5.5.32-0.9.1 libmysql55client_r18-32bit-5.5.32-0.9.1 libmysqlclient15-32bit-5.0.96-0.6.9 libmysqlclient_r15-32bit-5.0.96-0.6.9 References: http://support.novell.com/security/cve/CVE-2013-1861.html http://support.novell.com/security/cve/CVE-2013-3783.html http://support.novell.com/security/cve/CVE-2013-3793.html http://support.novell.com/security/cve/CVE-2013-3794.html http://support.novell.com/security/cve/CVE-2013-3795.html http://support.novell.com/security/cve/CVE-2013-3796.html http://support.novell.com/security/cve/CVE-2013-3798.html http://support.novell.com/security/cve/CVE-2013-3801.html http://support.novell.com/security/cve/CVE-2013-3802.html http://support.novell.com/security/cve/CVE-2013-3804.html http://support.novell.com/security/cve/CVE-2013-3805.html http://support.novell.com/security/cve/CVE-2013-3806.html http://support.novell.com/security/cve/CVE-2013-3807.html http://support.novell.com/security/cve/CVE-2013-3808.html http://support.novell.com/security/cve/CVE-2013-3809.html http://support.novell.com/security/cve/CVE-2013-3810.html http://support.novell.com/security/cve/CVE-2013-3811.html http://support.novell.com/security/cve/CVE-2013-3812.html https://bugzilla.novell.com/734436 https://bugzilla.novell.com/768832 https://bugzilla.novell.com/780019 https://bugzilla.novell.com/789263 https://bugzilla.novell.com/791863 https://bugzilla.novell.com/803040 https://bugzilla.novell.com/830086 https://bugzilla.novell.com/834028 https://bugzilla.novell.com/834967 http://download.novell.com/patch/finder/?keywords=ee1853a305dde831618306e6f92a3e78
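The Patch Instructions in the advisories above say how to install each update; a practitioner also wants to confirm afterwards that the installed builds are at or above the fixed ones in the Package Lists. The following POSIX shell check is an added example, not part of the SUSE advisories: it splits RPM name-version-release strings and compares them with a simplified form of rpmvercmp's rules. The fixed builds are taken from the advisories; the "installed" builds are constructed, and on a real host would come from `rpm -q <package>`.

```shell
#!/bin/sh
# Added example, not from the advisories: is an installed RPM name-version-release
# at or above the fixed build listed in a Package List? Installed strings below are
# constructed; on a real host they would come from `rpm -q <package>`.

# Version and release never contain '-', so the last two dashes delimit them.
nvr_name()    { _r="${1%-*}"; printf '%s\n' "${_r%-*}"; }
nvr_version() { _r="${1%-*}"; printf '%s\n' "${_r##*-}"; }
nvr_release() { printf '%s\n' "${1##*-}"; }

# Simplified rpmvercmp: split into runs of digits or letters, compare run by run
# (digit runs numerically, letter runs lexically, digits rank above letters);
# with all shared runs equal the string with more runs is newer. Prints -1/0/1.
vercmp() {
  awk -v a="$1" -v b="$2" '
  function runs(s, arr,   n) {
    n = 0
    while (match(s, /[0-9]+|[A-Za-z]+/)) {
      arr[++n] = substr(s, RSTART, RLENGTH); s = substr(s, RSTART + RLENGTH)
    }
    return n
  }
  BEGIN {
    split("", ra); split("", rb); na = runs(a, ra); nb = runs(b, rb)
    n = (na < nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = ra[i]; y = rb[i]; xd = (x ~ /^[0-9]+$/); yd = (y ~ /^[0-9]+$/)
      if (xd != yd) { r = xd ? 1 : -1; print r; exit }  # digits beat letters
      if (xd) { x += 0; y += 0 }                        # numeric: 32 > 4
      if (x < y) { print -1; exit }
      if (x > y) { print 1; exit }
    }
    r = (na < nb) ? -1 : ((na > nb) ? 1 : 0); print r
  }'
}

# Exit 0 when installed >= fixed, 1 when older, 2 when the package names differ.
is_patched() {
  [ "$(nvr_name "$1")" = "$(nvr_name "$2")" ] || return 2
  c=$(vercmp "$(nvr_version "$1")" "$(nvr_version "$2")")
  [ "$c" -eq 0 ] && c=$(vercmp "$(nvr_release "$1")" "$(nvr_release "$2")")
  [ "$c" -ge 0 ]
}
# Constructed installed builds checked against fixed builds from the advisories.
check_samples() {
  printf '%s\n' 'apache2-2.2.12-1.37.1 apache2-2.2.12-1.40.1' \
                'mysql-5.5.32-0.9.1 mysql-5.5.32-0.9.1' \
                'MozillaFirefox-17.0.7esr-0.4.2.1 MozillaFirefox-17.0.8esr-0.4.2.1' |
  while read -r inst fixed; do
    if is_patched "$inst" "$fixed"; then printf 'OK       %s\n' "$inst"
    else printf 'OUTDATED %s (fixed in %s)\n' "$inst" "$fixed"; fi
  done
}
check_samples
```

Full rpmvercmp also handles tilde and caret markers and epochs, which none of the builds listed above use.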