From sle-security-updates at lists.suse.com Mon Sep 1 17:04:18 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 2 Sep 2014 01:04:18 +0200 (CEST) Subject: SUSE-SU-2014:1077-1: moderate: Security update for libgcrypt Message-ID: <20140901230418.3B14F3218E@maintenance.suse.de> SUSE Security Update: Security update for libgcrypt ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1077-1 Rating: moderate References: #892464 Cross-References: CVE-2014-5270 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This libgcrypt update fixes the following security issue: * bnc#892464: Side-channel attack on Elgamal encryption subkeys. (CVE-2014-5270) Security Issues: * CVE-2014-5270 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-libgcrypt-devel-9646 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-libgcrypt-devel-9646 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-libgcrypt-devel-9646 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-libgcrypt-devel-9646 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64): libgcrypt-devel-1.5.0-0.17.1 - SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64 s390x x86_64): libgcrypt-devel-32bit-1.5.0-0.17.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): libgcrypt11-1.5.0-0.17.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64): libgcrypt11-32bit-1.5.0-0.17.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64): libgcrypt11-1.5.0-0.17.1 - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64): libgcrypt11-32bit-1.5.0-0.17.1 - SUSE Linux Enterprise Server 11 SP3 (ia64): libgcrypt11-x86-1.5.0-0.17.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64): libgcrypt11-1.5.0-0.17.1 - SUSE Linux Enterprise Desktop 11 SP3 (x86_64): libgcrypt11-32bit-1.5.0-0.17.1 References: http://support.novell.com/security/cve/CVE-2014-5270.html https://bugzilla.novell.com/892464 http://download.suse.com/patch/finder/?keywords=119a6a0acfc8bd9d2623992ba4005b5e From sle-security-updates at lists.suse.com Tue Sep 2 11:04:17 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 2 Sep 2014 19:04:17 +0200 (CEST) Subject: SUSE-SU-2014:1080-1: important: Security update for apache2 Message-ID: <20140902170417.13EB8321C7@maintenance.suse.de> SUSE Security Update: Security update for apache2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1080-1 Rating: important References: #859916 #869105 #869106 #887765 #887768 Cross-References: CVE-2013-6438 CVE-2014-0098 CVE-2014-0226 CVE-2014-0231 Affected Products: SUSE Linux Enterprise Server 11 SP2 LTSS ______________________________________________________________________________ An update that solves four vulnerabilities and has one errata is now available. 
Description: This apache2 update fixes the following security and non security issues: * mod_cgid denial of service (CVE-2014-0231, bnc#887768) * mod_status heap-based buffer overflow (CVE-2014-0226, bnc#887765) * mod_dav denial of service (CVE-2013-6438, bnc#869105) * log_cookie mod_log_config.c remote denial of service (CVE-2014-0098, bnc#869106) * Support ECDH in Apache2 (bnc#859916) Security Issues: * CVE-2014-0098 * CVE-2013-6438 * CVE-2014-0226 * CVE-2014-0231 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP2 LTSS: zypper in -t patch slessp2-apache2-9620 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64): apache2-2.2.12-1.48.1 apache2-doc-2.2.12-1.48.1 apache2-example-pages-2.2.12-1.48.1 apache2-prefork-2.2.12-1.48.1 apache2-utils-2.2.12-1.48.1 apache2-worker-2.2.12-1.48.1 References: http://support.novell.com/security/cve/CVE-2013-6438.html http://support.novell.com/security/cve/CVE-2014-0098.html http://support.novell.com/security/cve/CVE-2014-0226.html http://support.novell.com/security/cve/CVE-2014-0231.html https://bugzilla.novell.com/859916 https://bugzilla.novell.com/869105 https://bugzilla.novell.com/869106 https://bugzilla.novell.com/887765 https://bugzilla.novell.com/887768 http://download.suse.com/patch/finder/?keywords=9a43c85d7b1016ad740a0769515661cb From sle-security-updates at lists.suse.com Tue Sep 2 12:04:20 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 2 Sep 2014 20:04:20 +0200 (CEST) Subject: SUSE-SU-2014:1081-1: important: Security update for apache2 Message-ID: <20140902180420.64CC4321C9@maintenance.suse.de> SUSE Security Update: Security update for apache2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1081-1 
Rating: important References: #852401 #859916 #869105 #869106 #887765 #887768 Cross-References: CVE-2013-6438 CVE-2014-0098 CVE-2014-0226 CVE-2014-0231 Affected Products: SUSE Linux Enterprise Server 11 SP1 LTSS ______________________________________________________________________________ An update that solves four vulnerabilities and has two fixes is now available. It includes one version update. Description: This apache2 update fixes the following security and non-security issues: * mod_cgid denial of service (CVE-2014-0231, bnc#887768) * mod_status heap-based buffer overflow (CVE-2014-0226, bnc#887765) * mod_dav denial of service (CVE-2013-6438, bnc#869105) * log_cookie mod_log_config.c remote denial of service (CVE-2014-0098, bnc#869106) * Support ECDH in Apache2 (bnc#859916) * apache fails to start with SSL on Xen kernel at boot time (bnc#852401) Security Issues: * CVE-2014-0098 * CVE-2013-6438 * CVE-2014-0226 * CVE-2014-0231 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP1 LTSS: zypper in -t patch slessp1-apache2-9619 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 2.2.12]: apache2-2.2.12-1.48.1 apache2-doc-2.2.12-1.48.1 apache2-example-pages-2.2.12-1.48.1 apache2-prefork-2.2.12-1.48.1 apache2-utils-2.2.12-1.48.1 apache2-worker-2.2.12-1.48.1 References: http://support.novell.com/security/cve/CVE-2013-6438.html http://support.novell.com/security/cve/CVE-2014-0098.html http://support.novell.com/security/cve/CVE-2014-0226.html http://support.novell.com/security/cve/CVE-2014-0231.html https://bugzilla.novell.com/852401 https://bugzilla.novell.com/859916 https://bugzilla.novell.com/869105 https://bugzilla.novell.com/869106 https://bugzilla.novell.com/887765 https://bugzilla.novell.com/887768 http://download.suse.com/patch/finder/?keywords=9c5ea88101bc5060dd62e74ff4f50214 From sle-security-updates at lists.suse.com Tue Sep 2 13:04:14 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 2 Sep 2014 21:04:14 +0200 (CEST) Subject: SUSE-SU-2014:1082-1: important: Security update for apache2 Message-ID: <20140902190414.75D1D321CC@maintenance.suse.de> SUSE Security Update: Security update for apache2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1082-1 Rating: important References: #829056 #829057 #869105 #869106 #887765 #887768 Cross-References: CVE-2013-1862 CVE-2013-1896 CVE-2013-6438 CVE-2014-0098 CVE-2014-0226 CVE-2014-0231 Affected Products: SUSE Linux Enterprise Server 10 SP4 LTSS SUSE Linux Enterprise Server 10 SP3 LTSS ______________________________________________________________________________ An update that fixes 6 vulnerabilities is now available. 
Description: This apache2 update fixes the following security issues: * log_cookie mod_log_config.c remote denial of service (CVE-2014-0098, bnc#869106) * mod_dav denial of service (CVE-2013-6438, bnc#869105) * mod_cgid denial of service (CVE-2014-0231, bnc#887768) * mod_status heap-based buffer overflow (CVE-2014-0226, bnc#887765) * mod_rewrite: escape logdata to avoid terminal escapes (CVE-2013-1862, bnc#829057) * mod_dav: segfault in merge request (CVE-2013-1896, bnc#829056) Security Issues: * CVE-2014-0098 * CVE-2013-6438 * CVE-2014-0226 * CVE-2014-0231 * CVE-2013-1862 * CVE-2013-1896 Package List: - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64): apache2-2.2.3-16.50.1 apache2-devel-2.2.3-16.50.1 apache2-doc-2.2.3-16.50.1 apache2-example-pages-2.2.3-16.50.1 apache2-prefork-2.2.3-16.50.1 apache2-worker-2.2.3-16.50.1 - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64): apache2-2.2.3-16.32.51.2 apache2-devel-2.2.3-16.32.51.2 apache2-doc-2.2.3-16.32.51.2 apache2-example-pages-2.2.3-16.32.51.2 apache2-prefork-2.2.3-16.32.51.2 apache2-worker-2.2.3-16.32.51.2 References: http://support.novell.com/security/cve/CVE-2013-1862.html http://support.novell.com/security/cve/CVE-2013-1896.html http://support.novell.com/security/cve/CVE-2013-6438.html http://support.novell.com/security/cve/CVE-2014-0098.html http://support.novell.com/security/cve/CVE-2014-0226.html http://support.novell.com/security/cve/CVE-2014-0231.html https://bugzilla.novell.com/829056 https://bugzilla.novell.com/829057 https://bugzilla.novell.com/869105 https://bugzilla.novell.com/869106 https://bugzilla.novell.com/887765 https://bugzilla.novell.com/887768 http://download.suse.com/patch/finder/?keywords=0593c1f59d8a810c00150b05cea3af2f http://download.suse.com/patch/finder/?keywords=0ddc907bde6fcbad1e94944d867f60dd From sle-security-updates at lists.suse.com Wed Sep 3 15:04:13 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 3 
Sep 2014 23:04:13 +0200 (CEST) Subject: SUSE-SU-2014:1088-1: moderate: Security update for ppp Message-ID: <20140903210413.AF005321B7@maintenance.suse.de> SUSE Security Update: Security update for ppp ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1088-1 Rating: moderate References: #891489 Cross-References: CVE-2014-3158 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This ppp update fixes a potential security issue that an unprivileged attacker could access privileged options: * integer overflow in option parsing (CVE-2014-3158, bnc#891489) Security Issues: * CVE-2014-3158 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-ppp-9648 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-ppp-9648 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-ppp-9648 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-ppp-9648 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64): ppp-devel-2.4.5.git-2.29.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): ppp-2.4.5.git-2.29.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64): ppp-2.4.5.git-2.29.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64): ppp-2.4.5.git-2.29.1 References: http://support.novell.com/security/cve/CVE-2014-3158.html https://bugzilla.novell.com/891489 http://download.suse.com/patch/finder/?keywords=41cfc05536de649d32c42d05143bcdca From sle-security-updates at lists.suse.com Tue Sep 9 11:04:14 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 9 Sep 2014 19:04:14 +0200 (CEST) Subject: SUSE-SU-2014:0994-3: moderate: Security update for rubygem-activerecord-3_2 Message-ID: <20140909170414.3563A321E6@maintenance.suse.de> SUSE Security Update: Security update for rubygem-activerecord-3_2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:0994-3 Rating: moderate References: #885636 Cross-References: CVE-2014-3482 Affected Products: WebYaST 1.3 SUSE Studio Onsite 1.3 SUSE Lifecycle Management Server 1.3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. It includes one version update. Description: This update for rubygem-activerecord-3_2 fixes the following security issue: * The PostgreSQL adapter for Active Record in Ruby on Rails 3.x allowed remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting. (CVE-2014-3482) Security Issues: * CVE-2014-3482 Patch Instructions: To install this SUSE Security Update use YaST online_update. 
Alternatively you can run the command listed for your product: - WebYaST 1.3: zypper in -t patch slewyst13-rubygem-activerecord-3_2-9530 - SUSE Studio Onsite 1.3: zypper in -t patch slestso13-rubygem-activerecord-3_2-9530 - SUSE Lifecycle Management Server 1.3: zypper in -t patch sleslms13-rubygem-activerecord-3_2-9530 To bring your system up-to-date, use "zypper patch". Package List: - WebYaST 1.3 (i586 ia64 ppc64 s390x x86_64) [New Version: 3.2.12]: rubygem-activerecord-3_2-3.2.12-0.11.1 - SUSE Studio Onsite 1.3 (x86_64) [New Version: 3.2.12]: rubygem-activerecord-3_2-3.2.12-0.11.1 - SUSE Lifecycle Management Server 1.3 (x86_64) [New Version: 3.2.12]: rubygem-activerecord-3_2-3.2.12-0.11.1 References: http://support.novell.com/security/cve/CVE-2014-3482.html https://bugzilla.novell.com/885636 http://download.suse.com/patch/finder/?keywords=256ebe9fc155d7b36f29288418784eff From sle-security-updates at lists.suse.com Tue Sep 9 17:05:20 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 10 Sep 2014 01:05:20 +0200 (CEST) Subject: SUSE-SU-2014:1103-1: Security update for openstack-heat Message-ID: <20140909230520.DB283321DA@maintenance.suse.de> SUSE Security Update: Security update for openstack-heat ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1103-1 Rating: low References: #871199 #879062 Cross-References: CVE-2014-3801 Affected Products: SUSE Cloud 3 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. It includes one version update. Description: This update for openstack-heat fixes the following security issue: * When creating the stack for a template using a provider template, OpenStack Heat could allow remote authenticated users to obtain the provider template URL via the resource-type-list. 
(CVE-2014-3801) Additionally, the following non-security issues have been fixed: * Ensure routing key is specified in the address for a direct producer. * Fix loguserdata.py's lost header in the package. (bnc#871199) * Add check to prevent introducing regression. (bnc#871199) * Raise the default max header to accommodate large tokens. * Don't raise MySQL 2013 'Lost connection' errors. Security Issues: * CVE-2014-3801 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Cloud 3: zypper in -t patch sleclo30sp3-openstack-heat-9566 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Cloud 3 (x86_64) [New Version: 2013.2.4.dev3.g6f91215]: openstack-heat-2013.2.4.dev3.g6f91215-0.11.2 openstack-heat-api-2013.2.4.dev3.g6f91215-0.11.2 openstack-heat-api-cfn-2013.2.4.dev3.g6f91215-0.11.2 openstack-heat-api-cloudwatch-2013.2.4.dev3.g6f91215-0.11.2 openstack-heat-engine-2013.2.4.dev3.g6f91215-0.11.2 python-heat-2013.2.4.dev3.g6f91215-0.11.2 - SUSE Cloud 3 (noarch) [New Version: 2013.2.4.dev3.g6f91215]: openstack-heat-doc-2013.2.4.dev3.g6f91215-0.11.1 References: http://support.novell.com/security/cve/CVE-2014-3801.html https://bugzilla.novell.com/871199 https://bugzilla.novell.com/879062 http://download.suse.com/patch/finder/?keywords=bc14e31a2176fa537468974bc2a1a4ee From sle-security-updates at lists.suse.com Tue Sep 9 17:05:52 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 10 Sep 2014 01:05:52 +0200 (CEST) Subject: SUSE-SU-2014:1104-1: moderate: Security update for OpenSSL Message-ID: <20140909230552.41A9C321DA@maintenance.suse.de> SUSE Security Update: Security update for OpenSSL ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1104-1 Rating: moderate References: #890764 #890767 #890768 #890769 #890770 Cross-References: CVE-2014-3505 
CVE-2014-3506 CVE-2014-3507 CVE-2014-3508 CVE-2014-3510 Affected Products: SUSE Linux Enterprise Server 11 SP2 LTSS SUSE Linux Enterprise Server 11 SP1 LTSS SUSE Linux Enterprise Server 10 SP4 LTSS SUSE Linux Enterprise Server 10 SP3 LTSS ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. It includes one version update. Description: This OpenSSL update fixes the following security issues: * bnc#890764: Information leak in pretty printing functions. (CVE-2014-3508) * bnc#890767: Double Free when processing DTLS packets. (CVE-2014-3505) * bnc#890768: DTLS memory exhaustion. (CVE-2014-3506) * bnc#890769: DTLS memory leak from zero-length fragments. (CVE-2014-3507) * bnc#890770: DTLS anonymous EC(DH) denial of service. (CVE-2014-3510) Security Issues: * CVE-2014-3508 * CVE-2014-3505 * CVE-2014-3506 * CVE-2014-3507 * CVE-2014-3510 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP2 LTSS: zypper in -t patch slessp2-libopenssl-devel-9662 - SUSE Linux Enterprise Server 11 SP1 LTSS: zypper in -t patch slessp1-libopenssl-devel-9663 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64): libopenssl0_9_8-0.9.8j-0.62.3 libopenssl0_9_8-hmac-0.9.8j-0.62.3 openssl-0.9.8j-0.62.3 openssl-doc-0.9.8j-0.62.3 - SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64): libopenssl0_9_8-32bit-0.9.8j-0.62.3 libopenssl0_9_8-hmac-32bit-0.9.8j-0.62.3 - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 0.9.8j]: libopenssl0_9_8-0.9.8j-0.62.3 libopenssl0_9_8-hmac-0.9.8j-0.62.3 openssl-0.9.8j-0.62.3 openssl-doc-0.9.8j-0.62.3 - SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64) [New Version: 0.9.8j]: libopenssl0_9_8-32bit-0.9.8j-0.62.3 libopenssl0_9_8-hmac-32bit-0.9.8j-0.62.3 - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64): openssl-0.9.8a-18.84.5 openssl-devel-0.9.8a-18.84.5 openssl-doc-0.9.8a-18.84.5 - SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64): openssl-32bit-0.9.8a-18.84.5 openssl-devel-32bit-0.9.8a-18.84.5 - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64): openssl-0.9.8a-18.45.79.3 openssl-devel-0.9.8a-18.45.79.3 openssl-doc-0.9.8a-18.45.79.3 - SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64): openssl-32bit-0.9.8a-18.45.79.3 openssl-devel-32bit-0.9.8a-18.45.79.3 References: http://support.novell.com/security/cve/CVE-2014-3505.html http://support.novell.com/security/cve/CVE-2014-3506.html http://support.novell.com/security/cve/CVE-2014-3507.html http://support.novell.com/security/cve/CVE-2014-3508.html http://support.novell.com/security/cve/CVE-2014-3510.html https://bugzilla.novell.com/890764 https://bugzilla.novell.com/890767 https://bugzilla.novell.com/890768 https://bugzilla.novell.com/890769 https://bugzilla.novell.com/890770 http://download.suse.com/patch/finder/?keywords=99670be4c48bf7d4b638d26f459ded32 http://download.suse.com/patch/finder/?keywords=9b67b5e9df54ba01bdf516a4768dfc90 http://download.suse.com/patch/finder/?keywords=a13af464a610cda0eae18606907ad3af 
http://download.suse.com/patch/finder/?keywords=d131eebfce5c601b41e006539b73bcb9 From sle-security-updates at lists.suse.com Tue Sep 9 17:06:56 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 10 Sep 2014 01:06:56 +0200 (CEST) Subject: SUSE-SU-2014:1105-1: moderate: Security update for the Linux Kernel Message-ID: <20140909230656.756EC321DA@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1105-1 Rating: moderate References: #846404 #864464 #866911 #870173 #870576 #871676 #871797 #871854 #872634 #873374 #876590 #877257 #877775 #878115 #878509 #879921 #880484 #881051 #882804 #883724 #883795 #885422 #885725 #886474 #889173 #889324 Cross-References: CVE-2013-4299 CVE-2014-0055 CVE-2014-0077 CVE-2014-1739 CVE-2014-2706 CVE-2014-2851 CVE-2014-3144 CVE-2014-3145 CVE-2014-3917 CVE-2014-4508 CVE-2014-4652 CVE-2014-4653 CVE-2014-4654 CVE-2014-4655 CVE-2014-4656 CVE-2014-4667 CVE-2014-4699 CVE-2014-5077 Affected Products: SUSE Linux Enterprise Server 11 SP2 LTSS SLE 11 SERVER Unsupported Extras ______________________________________________________________________________ An update that solves 18 vulnerabilities and has 8 fixes is now available. It includes one version update. Description: The SUSE Linux Enterprise Server 11 SP2 LTSS received a roll up update to fix several security and non-security issues. The following security issues have been fixed: * CVE-2014-0055: The get_rx_bufs function in drivers/vhost/net.c in the vhost-net subsystem in the Linux kernel package before 2.6.32-431.11.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly handle vhost_get_vq_desc errors, which allows guest OS users to cause a denial of service (host OS crash) via unspecified vectors. 
(bnc#870173) * CVE-2014-0077: drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable buffers are disabled, does not properly validate packet lengths, which allows guest OS users to cause a denial of service (memory corruption and host OS crash) or possibly gain privileges on the host OS via crafted packets, related to the handle_rx and get_rx_bufs functions. (bnc#870576) * CVE-2014-1739: The media_device_enum_entities function in drivers/media/media-device.c in the Linux kernel before 3.14.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging /dev/media0 read access for a MEDIA_IOC_ENUM_ENTITIES ioctl call. (bnc#882804) * CVE-2014-2706: Race condition in the mac80211 subsystem in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via network traffic that improperly interacts with the WLAN_STA_PS_STA state (aka power-save mode), related to sta_info.c and tx.c. (bnc#871797) * CVE-2014-2851: Integer overflow in the ping_init_sock function in net/ipv4/ping.c in the Linux kernel through 3.14.1 allows local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that leverages an improperly managed reference counter. (bnc#873374) * CVE-2014-3144: The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST extension implementations in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 do not check whether a certain length value is sufficiently large, which allows local users to cause a denial of service (integer underflow and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr and __skb_get_nlattr_nest functions before the vulnerability was announced. 
(bnc#877257) * CVE-2014-3145: The BPF_S_ANC_NLATTR_NEST extension implementation in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 uses the reverse order in a certain subtraction, which allows local users to cause a denial of service (over-read and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr_nest function before the vulnerability was announced. (bnc#877257) * CVE-2014-3917: kernel/auditsc.c in the Linux kernel through 3.14.5, when CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allows local users to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS) via a large value of a syscall number. (bnc#880484) * CVE-2014-4508: arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allows local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000. (bnc#883724) * CVE-2014-4652: Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allows local users to obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. (bnc#883795) * CVE-2014-4653: sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not ensure possession of a read/write lock, which allows local users to cause a denial of service (use-after-free) and obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. 
(bnc#883795) * CVE-2014-4654: The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not check authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allows local users to remove kernel controls and cause a denial of service (use-after-free and system crash) by leveraging /dev/snd/controlCX access for an ioctl call. (bnc#883795) * CVE-2014-4655: The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not properly maintain the user_ctl_count value, which allows local users to cause a denial of service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX access for a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls. (bnc#883795) * CVE-2014-4656: Multiple integer overflows in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allow local users to cause a denial of service by leveraging /dev/snd/controlCX access, related to (1) index values in the snd_ctl_add function and (2) numid values in the snd_ctl_remove_numid_conflict function. (bnc#883795) * CVE-2014-4667: The sctp_association_free function in net/sctp/associola.c in the Linux kernel before 3.15.2 does not properly manage a certain backlog value, which allows remote attackers to cause a denial of service (socket outage) via a crafted SCTP packet. (bnc#885422) * CVE-2014-4699: The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls. 
(bnc#885725) * CVE-2014-5077: The sctp_assoc_update function in net/sctp/associola.c in the Linux kernel through 3.15.8, when SCTP authentication is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by starting to establish an association between two endpoints immediately after an exchange of INIT and INIT ACK chunks to establish an earlier association between these endpoints in the opposite direction. (bnc#889173) * CVE-2013-4299: Interpretation conflict in drivers/md/dm-snap-persistent.c in the Linux kernel through 3.11.6 allows remote authenticated users to obtain sensitive information or modify data via a crafted mapping to a snapshot block device. (bnc#846404) The following bugs have been fixed: * pagecachelimit: reduce lru_lock contention for heavy parallel reclaim (bnc#878509, bnc#864464). * pagecachelimit: reduce lru_lock contention for heavy parallel reclaim kabi fixup (bnc#878509, bnc#864464). * ACPI / PAD: call schedule() when need_resched() is true (bnc#866911). * kabi: Fix breakage due to addition of user_ctl_lock (bnc#883795). * cpuset: Fix memory allocator deadlock (bnc#876590). * tcp: allow to disable cwnd moderation in TCP_CA_Loss state (bnc#879921). * tcp: adapt selected parts of RFC 5682 and PRR logic (bnc#879921). * vlan: more careful checksum features handling (bnc#872634). * bonding: fix vlan_features computing (bnc#872634). * NFSv4: Minor cleanups for nfs4_handle_exception and nfs4_async_handle_error (bnc#889324). * NFS: Do not lose sockets when nfsd shutdown races with connection timeout (bnc#871854). * reiserfs: call truncate_setsize under tailpack mutex (bnc#878115). * reiserfs: drop vmtruncate (bnc#878115). * megaraid_sas: mask off flags in ioctl path (bnc#886474). * block: fix race between request completion and timeout handling (bnc#881051). * drivers/rtc/interface.c: fix infinite loop in initializing the alarm (bnc#871676). 
* xfrm: check peer pointer for null before calling inet_putpeer() (bnc#877775). * supported.conf: Add firewire/nosy as supported. This driver is the replacement for the ieee1394/pcilynx driver, which was supported. Security Issues: * CVE-2013-4299 * CVE-2014-0055 * CVE-2014-0077 * CVE-2014-1739 * CVE-2014-2706 * CVE-2014-2851 * CVE-2014-3144 * CVE-2014-3145 * CVE-2014-3917 * CVE-2014-4508 * CVE-2014-4652 * CVE-2014-4653 * CVE-2014-4654 * CVE-2014-4655 * CVE-2014-4656 * CVE-2014-4667 * CVE-2014-4699 * CVE-2014-5077 Indications: Everyone using the Linux Kernel on x86_64 architecture should update. Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP2 LTSS: zypper in -t patch slessp2-kernel-9630 slessp2-kernel-9631 slessp2-kernel-9632 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64) [New Version: 3.0.101]: kernel-default-3.0.101-0.7.23.1 kernel-default-base-3.0.101-0.7.23.1 kernel-default-devel-3.0.101-0.7.23.1 kernel-source-3.0.101-0.7.23.1 kernel-syms-3.0.101-0.7.23.1 kernel-trace-3.0.101-0.7.23.1 kernel-trace-base-3.0.101-0.7.23.1 kernel-trace-devel-3.0.101-0.7.23.1 - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 x86_64) [New Version: 3.0.101]: kernel-ec2-3.0.101-0.7.23.1 kernel-ec2-base-3.0.101-0.7.23.1 kernel-ec2-devel-3.0.101-0.7.23.1 kernel-xen-3.0.101-0.7.23.1 kernel-xen-base-3.0.101-0.7.23.1 kernel-xen-devel-3.0.101-0.7.23.1 xen-kmp-default-4.1.6_06_3.0.101_0.7.23-0.5.30 xen-kmp-trace-4.1.6_06_3.0.101_0.7.23-0.5.30 - SUSE Linux Enterprise Server 11 SP2 LTSS (s390x) [New Version: 3.0.101]: kernel-default-man-3.0.101-0.7.23.1 - SUSE Linux Enterprise Server 11 SP2 LTSS (i586) [New Version: 3.0.101]: kernel-pae-3.0.101-0.7.23.1 kernel-pae-base-3.0.101-0.7.23.1 kernel-pae-devel-3.0.101-0.7.23.1 xen-kmp-pae-4.1.6_06_3.0.101_0.7.23-0.5.30 - SLE 11 SERVER Unsupported Extras (i586 s390x x86_64): kernel-default-extra-3.0.101-0.7.23.1 - SLE 11 SERVER Unsupported Extras (i586 x86_64): kernel-xen-extra-3.0.101-0.7.23.1 - SLE 11 SERVER Unsupported Extras (i586): kernel-pae-extra-3.0.101-0.7.23.1 References: http://support.novell.com/security/cve/CVE-2013-4299.html http://support.novell.com/security/cve/CVE-2014-0055.html http://support.novell.com/security/cve/CVE-2014-0077.html http://support.novell.com/security/cve/CVE-2014-1739.html http://support.novell.com/security/cve/CVE-2014-2706.html http://support.novell.com/security/cve/CVE-2014-2851.html http://support.novell.com/security/cve/CVE-2014-3144.html http://support.novell.com/security/cve/CVE-2014-3145.html http://support.novell.com/security/cve/CVE-2014-3917.html http://support.novell.com/security/cve/CVE-2014-4508.html http://support.novell.com/security/cve/CVE-2014-4652.html 
http://support.novell.com/security/cve/CVE-2014-4653.html
http://support.novell.com/security/cve/CVE-2014-4654.html
http://support.novell.com/security/cve/CVE-2014-4655.html
http://support.novell.com/security/cve/CVE-2014-4656.html
http://support.novell.com/security/cve/CVE-2014-4667.html
http://support.novell.com/security/cve/CVE-2014-4699.html
http://support.novell.com/security/cve/CVE-2014-5077.html
https://bugzilla.novell.com/846404
https://bugzilla.novell.com/864464
https://bugzilla.novell.com/866911
https://bugzilla.novell.com/870173
https://bugzilla.novell.com/870576
https://bugzilla.novell.com/871676
https://bugzilla.novell.com/871797
https://bugzilla.novell.com/871854
https://bugzilla.novell.com/872634
https://bugzilla.novell.com/873374
https://bugzilla.novell.com/876590
https://bugzilla.novell.com/877257
https://bugzilla.novell.com/877775
https://bugzilla.novell.com/878115
https://bugzilla.novell.com/878509
https://bugzilla.novell.com/879921
https://bugzilla.novell.com/880484
https://bugzilla.novell.com/881051
https://bugzilla.novell.com/882804
https://bugzilla.novell.com/883724
https://bugzilla.novell.com/883795
https://bugzilla.novell.com/885422
https://bugzilla.novell.com/885725
https://bugzilla.novell.com/886474
https://bugzilla.novell.com/889173
https://bugzilla.novell.com/889324
http://download.suse.com/patch/finder/?keywords=1bdb6880fea42253a50653414920422e
http://download.suse.com/patch/finder/?keywords=218ba78474014b91211cb482f9ce7a3a
http://download.suse.com/patch/finder/?keywords=3fe24f0ad52cbb8be44e129fa1f0497a
http://download.suse.com/patch/finder/?keywords=41c4d735ff2c6886df2aa7dfcce0107b
http://download.suse.com/patch/finder/?keywords=4d4557738b3fb3592211aa4ebb60e887
http://download.suse.com/patch/finder/?keywords=4de705ad690dac2ee164aea48d16db9a


From sle-security-updates at lists.suse.com Tue Sep 9 19:04:20 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 10 Sep 2014 03:04:20 +0200 (CEST)
Subject: SUSE-SU-2014:1106-1: moderate: Security update for net-snmp
Message-ID: <20140910010420.49463321DA@maintenance.suse.de>

SUSE Security Update: Security update for net-snmp
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1106-1
Rating:             moderate
References:         #865222 #894361
Cross-References:   CVE-2014-3565
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for net-snmp fixes a remote denial of service problem inside snmptrapd when it is started with the "-OQ" option. (CVE-2014-3565, bnc#894361)

Additionally, a timeout issue during SNMP MIB walk on OID 1.3.6.1.2.1.4.24 when using newer (v5.5+) versions of snmpwalk has been fixed. (bnc#865222)

Security Issues:

* CVE-2014-3565

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:
  zypper in -t patch sdksp3-libsnmp15-9679

- SUSE Linux Enterprise Server 11 SP3 for VMware:
  zypper in -t patch slessp3-libsnmp15-9679

- SUSE Linux Enterprise Server 11 SP3:
  zypper in -t patch slessp3-libsnmp15-9679

- SUSE Linux Enterprise Desktop 11 SP3:
  zypper in -t patch sledsp3-libsnmp15-9679

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
  net-snmp-devel-5.4.2.1-8.12.22.1

- SUSE Linux Enterprise Software Development Kit 11 SP3 (x86_64):
  libsnmp15-32bit-5.4.2.1-8.12.22.1

- SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64):
  net-snmp-devel-32bit-5.4.2.1-8.12.22.1

- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
  libsnmp15-5.4.2.1-8.12.22.1
  net-snmp-5.4.2.1-8.12.22.1
  perl-SNMP-5.4.2.1-8.12.22.1
  snmp-mibs-5.4.2.1-8.12.22.1

- SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):
  libsnmp15-32bit-5.4.2.1-8.12.22.1

- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
  libsnmp15-5.4.2.1-8.12.22.1
  net-snmp-5.4.2.1-8.12.22.1
  perl-SNMP-5.4.2.1-8.12.22.1
  snmp-mibs-5.4.2.1-8.12.22.1

- SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):
  libsnmp15-32bit-5.4.2.1-8.12.22.1

- SUSE Linux Enterprise Server 11 SP3 (ia64):
  libsnmp15-x86-5.4.2.1-8.12.22.1

- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
  libsnmp15-5.4.2.1-8.12.22.1
  net-snmp-5.4.2.1-8.12.22.1
  perl-SNMP-5.4.2.1-8.12.22.1
  snmp-mibs-5.4.2.1-8.12.22.1

- SUSE Linux Enterprise Desktop 11 SP3 (x86_64):
  libsnmp15-32bit-5.4.2.1-8.12.22.1

References:

http://support.novell.com/security/cve/CVE-2014-3565.html
https://bugzilla.novell.com/865222
https://bugzilla.novell.com/894361
http://download.suse.com/patch/finder/?keywords=a3129963b7293565b8abdd32cd25c3f4


From sle-security-updates at lists.suse.com Tue Sep 9 21:04:18 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 10 Sep 2014 05:04:18 +0200 (CEST)
Subject: SUSE-SU-2014:1107-1: important: Security update for MozillaFirefox
Message-ID: <20140910030418.87AA2321DA@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1107-1
Rating:             important
References:         #894370
Cross-References:   CVE-2014-1562 CVE-2014-1567
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that fixes two vulnerabilities is now available. It includes three new package versions.

Description:

Mozilla Firefox was updated to the 24.8.0ESR release, fixing security issues and bugs.

Only some of the published security advisories affect the Mozilla Firefox 24ESR codestream:

* MFSA 2014-72 / CVE-2014-1567: Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free during text layout when interacting with the setting of text direction. This results in a use-after-free which can lead to arbitrary code execution.

* MFSA 2014-67: Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

* Jan de Mooij reported a memory safety problem that affects Firefox ESR 24.7, ESR 31 and Firefox 31. (CVE-2014-1562)

More information is referenced on: https://www.mozilla.org/security/announce/

Security Issues:

* CVE-2014-1562
* CVE-2014-1567

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:
  zypper in -t patch sdksp3-firefox-201409-9687

- SUSE Linux Enterprise Server 11 SP3 for VMware:
  zypper in -t patch slessp3-firefox-201409-9687

- SUSE Linux Enterprise Server 11 SP3:
  zypper in -t patch slessp3-firefox-201409-9687

- SUSE Linux Enterprise Desktop 11 SP3:
  zypper in -t patch sledsp3-firefox-201409-9687

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 3.16.4 and 4.10.7]:
  MozillaFirefox-devel-24.8.0esr-0.8.1
  mozilla-nspr-devel-4.10.7-0.3.1
  mozilla-nss-devel-3.16.4-0.8.1

- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 24.8.0esr, 3.16.4 and 4.10.7]:
  MozillaFirefox-24.8.0esr-0.8.1
  MozillaFirefox-translations-24.8.0esr-0.8.1
  libfreebl3-3.16.4-0.8.1
  libsoftokn3-3.16.4-0.8.1
  mozilla-nspr-4.10.7-0.3.1
  mozilla-nss-3.16.4-0.8.1
  mozilla-nss-tools-3.16.4-0.8.1

- SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64) [New Version: 3.16.4 and 4.10.7]:
  libfreebl3-32bit-3.16.4-0.8.1
  libsoftokn3-32bit-3.16.4-0.8.1
  mozilla-nspr-32bit-4.10.7-0.3.1
  mozilla-nss-32bit-3.16.4-0.8.1

- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 24.8.0esr, 3.16.4 and 4.10.7]:
  MozillaFirefox-24.8.0esr-0.8.1
  MozillaFirefox-translations-24.8.0esr-0.8.1
  libfreebl3-3.16.4-0.8.1
  libsoftokn3-3.16.4-0.8.1
  mozilla-nspr-4.10.7-0.3.1
  mozilla-nss-3.16.4-0.8.1
  mozilla-nss-tools-3.16.4-0.8.1

- SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64) [New Version: 3.16.4 and 4.10.7]:
  libfreebl3-32bit-3.16.4-0.8.1
  libsoftokn3-32bit-3.16.4-0.8.1
  mozilla-nspr-32bit-4.10.7-0.3.1
  mozilla-nss-32bit-3.16.4-0.8.1

- SUSE Linux Enterprise Server 11 SP3 (ia64) [New Version: 3.16.4 and 4.10.7]:
  libfreebl3-x86-3.16.4-0.8.1
  libsoftokn3-x86-3.16.4-0.8.1
  mozilla-nspr-x86-4.10.7-0.3.1
  mozilla-nss-x86-3.16.4-0.8.1

- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 24.8.0esr, 3.16.4 and 4.10.7]:
  MozillaFirefox-24.8.0esr-0.8.1
  MozillaFirefox-translations-24.8.0esr-0.8.1
  libfreebl3-3.16.4-0.8.1
  libsoftokn3-3.16.4-0.8.1
  mozilla-nspr-4.10.7-0.3.1
  mozilla-nss-3.16.4-0.8.1
  mozilla-nss-tools-3.16.4-0.8.1

- SUSE Linux Enterprise Desktop 11 SP3 (x86_64) [New Version: 3.16.4 and 4.10.7]:
  libfreebl3-32bit-3.16.4-0.8.1
  libsoftokn3-32bit-3.16.4-0.8.1
  mozilla-nspr-32bit-4.10.7-0.3.1
  mozilla-nss-32bit-3.16.4-0.8.1

References:

http://support.novell.com/security/cve/CVE-2014-1562.html
http://support.novell.com/security/cve/CVE-2014-1567.html
https://bugzilla.novell.com/894370
http://download.suse.com/patch/finder/?keywords=873315fb280696995d2133ee7817926f


From sle-security-updates at lists.suse.com Wed Sep 10 12:04:19 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 10 Sep 2014 20:04:19 +0200 (CEST)
Subject: SUSE-SU-2014:1111-1: moderate: Security update for openstack-dashboard
Message-ID: <20140910180419.CA01C321E9@maintenance.suse.de>

SUSE Security Update: Security update for openstack-dashboard
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1111-1
Rating:             moderate
References:         #891815
Cross-References:   CVE-2014-3475
Affected Products:
                    SUSE Cloud 4
______________________________________________________________________________

An update that fixes one vulnerability is now available. It includes one version update.

Description:

This update for openstack-dashboard fixes a cross-site scripting issue in the unordered_list filter. (bnc#891815, CVE-2014-3594)

Security Issues:

* CVE-2014-3475

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Cloud 4:
  zypper in -t patch sleclo40sp3-openstack-dashboard-9670

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Cloud 4 (x86_64) [New Version: 2014.1.3.dev4.ge53cc81]:
  openstack-dashboard-2014.1.3.dev4.ge53cc81-0.7.1
  python-horizon-2014.1.3.dev4.ge53cc81-0.7.1

References:

http://support.novell.com/security/cve/CVE-2014-3475.html
https://bugzilla.novell.com/891815
http://download.suse.com/patch/finder/?keywords=a466b12b7e2a4016ab19580255d5a796


From sle-security-updates at lists.suse.com Wed Sep 10 16:04:15 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 11 Sep 2014 00:04:15 +0200 (CEST)
Subject: SUSE-SU-2014:1112-1: important: Security update for MozillaFirefox
Message-ID: <20140910220415.263B4321E9@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1112-1
Rating:             important
References:         #894370
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 LTSS
______________________________________________________________________________

An update that contains security fixes can now be installed. It includes three new package versions.

Description:

Mozilla Firefox was updated to the 24.8.0ESR release, fixing security issues and bugs.

Only some of the published security advisories affect the Mozilla Firefox 24ESR codestream:

* MFSA 2014-72 / CVE-2014-1567: Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free during text layout when interacting with the setting of text direction. This results in a use-after-free which can lead to arbitrary code execution.

* MFSA 2014-67: Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
* Jan de Mooij reported a memory safety problem that affects Firefox ESR 24.7, ESR 31 and Firefox 31. (CVE-2014-1562)

More information is referenced on: https://www.mozilla.org/security/announce/

Security Issues:

* CVE-2014-1562
* CVE-2014-1567

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP2 LTSS:
  zypper in -t patch slessp2-firefox-201409-9682

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64) [New Version: 24.8.0esr, 3.16.4 and 4.10.7]:
  MozillaFirefox-24.8.0esr-0.3.1
  MozillaFirefox-translations-24.8.0esr-0.3.1
  libfreebl3-3.16.4-0.3.1
  mozilla-nspr-4.10.7-0.3.1
  mozilla-nspr-devel-4.10.7-0.3.1
  mozilla-nss-3.16.4-0.3.1
  mozilla-nss-devel-3.16.4-0.3.1
  mozilla-nss-tools-3.16.4-0.3.1

- SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64) [New Version: 3.16.4 and 4.10.7]:
  libfreebl3-32bit-3.16.4-0.3.1
  mozilla-nspr-32bit-4.10.7-0.3.1
  mozilla-nss-32bit-3.16.4-0.3.1

References:

https://bugzilla.novell.com/894370
http://download.suse.com/patch/finder/?keywords=e1c935e0f16e49f1e16fa6831a476bb8


From sle-security-updates at lists.suse.com Thu Sep 11 07:04:11 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 11 Sep 2014 15:04:11 +0200 (CEST)
Subject: SUSE-SU-2014:1116-1: important: Security update for LibreOffice
Message-ID: <20140911130411.94CD6321E9@maintenance.suse.de>

SUSE Security Update: Security update for LibreOffice
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1116-1
Rating:             important
References:         #382137 #593612 #654230 #753460 #757432 #779620 #779642
                    #780044 #783433 #802888 #816593 #817956 #819614 #819822
                    #819865 #820077 #820273 #820503 #820504 #820509 #820788
                    #820800 #820819 #820836 #821567 #821795 #822908 #823626
                    #823651 #823655 #823675 #823935 #825305 #825891 #825976
                    #828390 #828598 #829017 #830205 #831457 #831578 #834035
                    #834705 #834720 #834722 #835985 #837302 #839727 #862510
                    #863021 #864396 #870234 #878854 #893141
Cross-References:   CVE-2013-4156 CVE-2014-3575
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that solves two vulnerabilities and has 52 fixes is now available. It includes one version update.

Description:

LibreOffice was updated to version 4.0.3.3.26 (SUSE 4.0-patch26, tag suse-4.0-26, based on upstream 4.0.3.3).

Two security issues have been fixed:

* DOCM memory corruption vulnerability. (CVE-2013-4156, bnc#831578)
* Data exposure using crafted OLE objects. (CVE-2014-3575, bnc#893141)

The following non-security issues have been fixed:

* chart shown flipped (bnc#834722)
* chart missing dataset (bnc#839727)
* import new line in text (bnc#828390)
* lines running off screens (bnc#819614)
* add set-all language menu (bnc#863021)
* text rotation (bnc#783433, bnc#862510)
* page border shadow testcase (bnc#817956)
* one more clickable field fix (bnc#802888)
* multilevel labels are rotated (bnc#820273)
* incorrect nested table margins (bnc#816593)
* use BitmapURL only if it's valid (bnc#821567)
* import gradfill for text colors (bnc#870234)
* fix undo of paragraph attributes (bnc#828598)
* stop-gap solution to avoid crash (bnc#830205)
* import images with duotone filter (bnc#820077)
* missing drop downs for autofilter (bnc#834705)
* typos in first page style creation (bnc#820836)
* labels wrongly interpreted as dates (bnc#834720)
* RTF import of fFilled shape property (bnc#825305)
* placeholders text size is not correct (bnc#831457)
* cells value formatted with wrong output (bnc#821795)
* RTF import of freeform shape coordinates (bnc#823655)
* styles (rename &) copy to different decks (bnc#757432)
* XLSX Chart import with internal data table (bnc#819822)
* handle M.d.yyyy date format in DOCX import (bnc#820509)
* paragraph style in empty first page header (bnc#823651)
* copying slides having same master page name (bnc#753460)
* printing handouts using the default, 'Order' (bnc#835985)
* wrap polygon was based on dest size of picture (bnc#820800)
* added common flags support for SEQ field import (bnc#825976)
* hyperlinks of illustration index in DOCX export (bnc#834035)
* allow insertion of redlines with an empty author (bnc#837302)
* handle drawinglayer rectangle inset in VML import (bnc#779642)
* don't apply complex font size to non-complex font (bnc#820819)
* issue with negative seeks in win32 shell extension (bnc#829017)
* slide appears quite garbled when imported from PPTX (bnc#593612)
* initial MCE support in writerfilter ooxml tokenizer (bnc#820503)
* MSWord uses \xb for linebreaks in DB fields, take 2 (bnc#878854)
* try harder to convert floating tables to text frames (bnc#779620)
* itemstate in parent style incorrectly reported as set (bnc#819865)
* default color hidden by Default style in writerfilter (bnc#820504)
* DOCX document crashes when using internal OOXML filter (bnc#382137)
* ugly workaround for external leading with symbol fonts (bnc#823626)
* followup fix for exported xlsx causes errors for mso2007 (bnc#823935)
* we only support simple labels in the InternalDataProvider (bnc#864396)
* RTF import: fix import of numbering bullet associated font (bnc#823675)
* page specific footer extended to every page in DOCX export (bnc#654230)
* v:textbox mso-fit-shape-to-text style property in VML import (bnc#820788)
* w:spacing in a paragraph should also apply to as-char objects (bnc#780044)
* compatibility setting for MS Word wrapping text in less space (bnc#822908)
* fix SwWrtShell::SelAll() to work with empty table at doc start (bnc#825891)

Security Issues:

* CVE-2014-3575
* CVE-2013-4156

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:
  zypper in -t patch sdksp3-libreoffice-201409-9677

- SUSE Linux Enterprise Desktop 11 SP3:
  zypper in -t patch sledsp3-libreoffice-201409-9677

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64) [New Version: 4.0.3.3.26]:
  libreoffice-4.0.3.3.26-0.6.2
  libreoffice-base-4.0.3.3.26-0.6.2
  libreoffice-base-drivers-postgresql-4.0.3.3.26-0.6.2
  libreoffice-base-extensions-4.0.3.3.26-0.6.2
  libreoffice-calc-4.0.3.3.26-0.6.2
  libreoffice-calc-extensions-4.0.3.3.26-0.6.2
  libreoffice-draw-4.0.3.3.26-0.6.2
  libreoffice-draw-extensions-4.0.3.3.26-0.6.2
  libreoffice-filters-optional-4.0.3.3.26-0.6.2
  libreoffice-gnome-4.0.3.3.26-0.6.2
  libreoffice-impress-4.0.3.3.26-0.6.2
  libreoffice-impress-extensions-4.0.3.3.26-0.6.2
  libreoffice-kde-4.0.3.3.26-0.6.2
  libreoffice-kde4-4.0.3.3.26-0.6.2
  libreoffice-l10n-prebuilt-4.0.3.3.26-0.6.2
  libreoffice-mailmerge-4.0.3.3.26-0.6.2
  libreoffice-math-4.0.3.3.26-0.6.2
  libreoffice-mono-4.0.3.3.26-0.6.2
  libreoffice-officebean-4.0.3.3.26-0.6.2
  libreoffice-pyuno-4.0.3.3.26-0.6.2
  libreoffice-sdk-4.0.3.3.26-0.6.2
  libreoffice-writer-4.0.3.3.26-0.6.2
  libreoffice-writer-extensions-4.0.3.3.26-0.6.2

- SUSE Linux Enterprise Software Development Kit 11 SP3 (noarch) [New Version: 4.0.3.3.26]:
  libreoffice-branding-upstream-4.0.3.3.26-0.6.1
  libreoffice-help-cs-4.0.3.3.26-0.6.1
  libreoffice-help-da-4.0.3.3.26-0.6.1
  libreoffice-help-de-4.0.3.3.26-0.6.1
  libreoffice-help-en-GB-4.0.3.3.26-0.6.1
  libreoffice-help-en-US-4.0.3.3.26-0.6.1
  libreoffice-help-es-4.0.3.3.26-0.6.1
  libreoffice-help-fr-4.0.3.3.26-0.6.1
  libreoffice-help-gu-IN-4.0.3.3.26-0.6.1
  libreoffice-help-hi-IN-4.0.3.3.26-0.6.1
  libreoffice-help-hu-4.0.3.3.26-0.6.1
  libreoffice-help-it-4.0.3.3.26-0.6.1
  libreoffice-help-ja-4.0.3.3.26-0.6.1
  libreoffice-help-ko-4.0.3.3.26-0.6.1
  libreoffice-help-nl-4.0.3.3.26-0.6.1
  libreoffice-help-pl-4.0.3.3.26-0.6.1
  libreoffice-help-pt-4.0.3.3.26-0.6.1
  libreoffice-help-pt-BR-4.0.3.3.26-0.6.1
  libreoffice-help-ru-4.0.3.3.26-0.6.1
  libreoffice-help-sv-4.0.3.3.26-0.6.1
  libreoffice-help-zh-CN-4.0.3.3.26-0.6.1
  libreoffice-help-zh-TW-4.0.3.3.26-0.6.1
  libreoffice-icon-themes-4.0.3.3.26-0.6.2
  libreoffice-l10n-af-4.0.3.3.26-0.6.2
  libreoffice-l10n-ar-4.0.3.3.26-0.6.2
  libreoffice-l10n-ca-4.0.3.3.26-0.6.2
  libreoffice-l10n-cs-4.0.3.3.26-0.6.2
  libreoffice-l10n-da-4.0.3.3.26-0.6.2
  libreoffice-l10n-de-4.0.3.3.26-0.6.2
  libreoffice-l10n-el-4.0.3.3.26-0.6.2
  libreoffice-l10n-en-GB-4.0.3.3.26-0.6.2
  libreoffice-l10n-es-4.0.3.3.26-0.6.2
  libreoffice-l10n-fi-4.0.3.3.26-0.6.2
  libreoffice-l10n-fr-4.0.3.3.26-0.6.2
  libreoffice-l10n-gu-IN-4.0.3.3.26-0.6.2
  libreoffice-l10n-hi-IN-4.0.3.3.26-0.6.2
  libreoffice-l10n-hu-4.0.3.3.26-0.6.2
  libreoffice-l10n-it-4.0.3.3.26-0.6.2
  libreoffice-l10n-ja-4.0.3.3.26-0.6.2
  libreoffice-l10n-ko-4.0.3.3.26-0.6.2
  libreoffice-l10n-nb-4.0.3.3.26-0.6.2
  libreoffice-l10n-nl-4.0.3.3.26-0.6.2
  libreoffice-l10n-nn-4.0.3.3.26-0.6.2
  libreoffice-l10n-pl-4.0.3.3.26-0.6.2
  libreoffice-l10n-pt-4.0.3.3.26-0.6.2
  libreoffice-l10n-pt-BR-4.0.3.3.26-0.6.2
  libreoffice-l10n-ru-4.0.3.3.26-0.6.2
  libreoffice-l10n-sk-4.0.3.3.26-0.6.2
  libreoffice-l10n-sv-4.0.3.3.26-0.6.2
  libreoffice-l10n-xh-4.0.3.3.26-0.6.2
  libreoffice-l10n-zh-CN-4.0.3.3.26-0.6.2
  libreoffice-l10n-zh-TW-4.0.3.3.26-0.6.2
  libreoffice-l10n-zu-4.0.3.3.26-0.6.2

- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 4.0.3.3.26]:
  libreoffice-4.0.3.3.26-0.6.2
  libreoffice-base-4.0.3.3.26-0.6.2
  libreoffice-base-drivers-postgresql-4.0.3.3.26-0.6.2
  libreoffice-base-extensions-4.0.3.3.26-0.6.2
  libreoffice-calc-4.0.3.3.26-0.6.2
  libreoffice-calc-extensions-4.0.3.3.26-0.6.2
  libreoffice-draw-4.0.3.3.26-0.6.2
  libreoffice-draw-extensions-4.0.3.3.26-0.6.2
  libreoffice-filters-optional-4.0.3.3.26-0.6.2
  libreoffice-gnome-4.0.3.3.26-0.6.2
  libreoffice-impress-4.0.3.3.26-0.6.2
  libreoffice-impress-extensions-4.0.3.3.26-0.6.2
  libreoffice-kde-4.0.3.3.26-0.6.2
  libreoffice-kde4-4.0.3.3.26-0.6.2
  libreoffice-mailmerge-4.0.3.3.26-0.6.2
  libreoffice-math-4.0.3.3.26-0.6.2
  libreoffice-mono-4.0.3.3.26-0.6.2
  libreoffice-officebean-4.0.3.3.26-0.6.2
  libreoffice-pyuno-4.0.3.3.26-0.6.2
  libreoffice-writer-4.0.3.3.26-0.6.2
  libreoffice-writer-extensions-4.0.3.3.26-0.6.2

- SUSE Linux Enterprise Desktop 11 SP3 (noarch) [New Version: 4.0.3.3.26]:
  libreoffice-help-cs-4.0.3.3.26-0.6.1
  libreoffice-help-da-4.0.3.3.26-0.6.1
  libreoffice-help-de-4.0.3.3.26-0.6.1
  libreoffice-help-en-GB-4.0.3.3.26-0.6.1
  libreoffice-help-en-US-4.0.3.3.26-0.6.1
  libreoffice-help-es-4.0.3.3.26-0.6.1
  libreoffice-help-fr-4.0.3.3.26-0.6.1
  libreoffice-help-gu-IN-4.0.3.3.26-0.6.1
  libreoffice-help-hi-IN-4.0.3.3.26-0.6.1
  libreoffice-help-hu-4.0.3.3.26-0.6.1
  libreoffice-help-it-4.0.3.3.26-0.6.1
  libreoffice-help-ja-4.0.3.3.26-0.6.1
  libreoffice-help-ko-4.0.3.3.26-0.6.1
  libreoffice-help-nl-4.0.3.3.26-0.6.1
  libreoffice-help-pl-4.0.3.3.26-0.6.1
  libreoffice-help-pt-4.0.3.3.26-0.6.1
  libreoffice-help-pt-BR-4.0.3.3.26-0.6.1
  libreoffice-help-ru-4.0.3.3.26-0.6.1
  libreoffice-help-sv-4.0.3.3.26-0.6.1
  libreoffice-help-zh-CN-4.0.3.3.26-0.6.1
  libreoffice-help-zh-TW-4.0.3.3.26-0.6.1
  libreoffice-icon-themes-4.0.3.3.26-0.6.2
  libreoffice-l10n-af-4.0.3.3.26-0.6.2
  libreoffice-l10n-ar-4.0.3.3.26-0.6.2
  libreoffice-l10n-ca-4.0.3.3.26-0.6.2
  libreoffice-l10n-cs-4.0.3.3.26-0.6.2
  libreoffice-l10n-da-4.0.3.3.26-0.6.2
  libreoffice-l10n-de-4.0.3.3.26-0.6.2
  libreoffice-l10n-en-GB-4.0.3.3.26-0.6.2
  libreoffice-l10n-es-4.0.3.3.26-0.6.2
  libreoffice-l10n-fi-4.0.3.3.26-0.6.2
  libreoffice-l10n-fr-4.0.3.3.26-0.6.2
  libreoffice-l10n-gu-IN-4.0.3.3.26-0.6.2
  libreoffice-l10n-hi-IN-4.0.3.3.26-0.6.2
  libreoffice-l10n-hu-4.0.3.3.26-0.6.2
  libreoffice-l10n-it-4.0.3.3.26-0.6.2
  libreoffice-l10n-ja-4.0.3.3.26-0.6.2
  libreoffice-l10n-ko-4.0.3.3.26-0.6.2
  libreoffice-l10n-nb-4.0.3.3.26-0.6.2
  libreoffice-l10n-nl-4.0.3.3.26-0.6.2
  libreoffice-l10n-nn-4.0.3.3.26-0.6.2
  libreoffice-l10n-pl-4.0.3.3.26-0.6.2
  libreoffice-l10n-pt-4.0.3.3.26-0.6.2
  libreoffice-l10n-pt-BR-4.0.3.3.26-0.6.2
  libreoffice-l10n-ru-4.0.3.3.26-0.6.2
  libreoffice-l10n-sk-4.0.3.3.26-0.6.2
  libreoffice-l10n-sv-4.0.3.3.26-0.6.2
  libreoffice-l10n-xh-4.0.3.3.26-0.6.2
  libreoffice-l10n-zh-CN-4.0.3.3.26-0.6.2
  libreoffice-l10n-zh-TW-4.0.3.3.26-0.6.2
  libreoffice-l10n-zu-4.0.3.3.26-0.6.2

References:

http://support.novell.com/security/cve/CVE-2013-4156.html
http://support.novell.com/security/cve/CVE-2014-3575.html
https://bugzilla.novell.com/382137
https://bugzilla.novell.com/593612
https://bugzilla.novell.com/654230
https://bugzilla.novell.com/753460
https://bugzilla.novell.com/757432
https://bugzilla.novell.com/779620
https://bugzilla.novell.com/779642
https://bugzilla.novell.com/780044
https://bugzilla.novell.com/783433
https://bugzilla.novell.com/802888
https://bugzilla.novell.com/816593
https://bugzilla.novell.com/817956
https://bugzilla.novell.com/819614
https://bugzilla.novell.com/819822
https://bugzilla.novell.com/819865
https://bugzilla.novell.com/820077
https://bugzilla.novell.com/820273
https://bugzilla.novell.com/820503
https://bugzilla.novell.com/820504
https://bugzilla.novell.com/820509
https://bugzilla.novell.com/820788
https://bugzilla.novell.com/820800
https://bugzilla.novell.com/820819
https://bugzilla.novell.com/820836
https://bugzilla.novell.com/821567
https://bugzilla.novell.com/821795
https://bugzilla.novell.com/822908
https://bugzilla.novell.com/823626
https://bugzilla.novell.com/823651
https://bugzilla.novell.com/823655
https://bugzilla.novell.com/823675
https://bugzilla.novell.com/823935
https://bugzilla.novell.com/825305
https://bugzilla.novell.com/825891
https://bugzilla.novell.com/825976
https://bugzilla.novell.com/828390
https://bugzilla.novell.com/828598
https://bugzilla.novell.com/829017
https://bugzilla.novell.com/830205
https://bugzilla.novell.com/831457
https://bugzilla.novell.com/831578
https://bugzilla.novell.com/834035
https://bugzilla.novell.com/834705
https://bugzilla.novell.com/834720
https://bugzilla.novell.com/834722
https://bugzilla.novell.com/835985
https://bugzilla.novell.com/837302
https://bugzilla.novell.com/839727
https://bugzilla.novell.com/862510
https://bugzilla.novell.com/863021
https://bugzilla.novell.com/864396
https://bugzilla.novell.com/870234
https://bugzilla.novell.com/878854
https://bugzilla.novell.com/893141
http://download.suse.com/patch/finder/?keywords=d2e2531d51923f3c40bbd114b7e6c32e


From sle-security-updates at lists.suse.com Thu Sep 11 18:04:20 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 12 Sep 2014 02:04:20 +0200 (CEST)
Subject: SUSE-SU-2014:1119-1: important: Security update for glibc
Message-ID: <20140912000420.32AAE321E6@maintenance.suse.de>

SUSE Security Update: Security update for glibc
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1119-1
Rating:             important
References:         #772242 #779320 #818630 #828235 #828637 #834594 #892073
Cross-References:   CVE-2012-4412 CVE-2013-4237 CVE-2014-5119
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4 LTSS
______________________________________________________________________________

An update that solves three vulnerabilities and has four fixes is now available.

Description:

This glibc update fixes a critical privilege escalation problem and the following security and non-security issues:

* bnc#892073: An off-by-one error leading to a heap-based buffer overflow was found in __gconv_translit_find(). An exploit that targets the problem is publicly available. (CVE-2014-5119)
* bnc#772242: Replace scope handling with master state
* bnc#779320: Fix buffer overflow in strcoll (CVE-2012-4412)
* bnc#818630: Fall back to localhost if no nameserver defined
* bnc#828235: Fix missing character in IBM-943 charset
* bnc#828637: Fix use of alloca in gaih_inet
* bnc#834594: Fix readdir_r with long file names (CVE-2013-4237)

Security Issues:

* CVE-2014-5119
* CVE-2013-4237
* CVE-2012-4412

Package List:

- SUSE Linux Enterprise Server 10 SP4 LTSS (i586 i686 s390x x86_64):
  glibc-2.4-31.111.1
  glibc-devel-2.4-31.111.1

- SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64):
  glibc-html-2.4-31.111.1
  glibc-i18ndata-2.4-31.111.1
  glibc-info-2.4-31.111.1
  glibc-locale-2.4-31.111.1
  glibc-profile-2.4-31.111.1
  nscd-2.4-31.111.1

- SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64):
  glibc-32bit-2.4-31.111.1
  glibc-devel-32bit-2.4-31.111.1
  glibc-locale-32bit-2.4-31.111.1
  glibc-profile-32bit-2.4-31.111.1

References:

http://support.novell.com/security/cve/CVE-2012-4412.html
http://support.novell.com/security/cve/CVE-2013-4237.html
http://support.novell.com/security/cve/CVE-2014-5119.html
https://bugzilla.novell.com/772242
https://bugzilla.novell.com/779320
https://bugzilla.novell.com/818630
https://bugzilla.novell.com/828235
https://bugzilla.novell.com/828637
https://bugzilla.novell.com/834594
https://bugzilla.novell.com/892073
http://download.suse.com/patch/finder/?keywords=767429925ce018c15cbe14c33d6a0f11


From sle-security-updates at lists.suse.com Thu Sep 11 18:06:21 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 12 Sep 2014 02:06:21 +0200 (CEST)
Subject: SUSE-SU-2014:1120-1: important: Security update for MozillaFirefox
Message-ID: <20140912000621.82D3B321E6@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1120-1
Rating:             important
References:         #882881 #894370
Cross-References:   CVE-2014-1562 CVE-2014-1567
Affected Products:
                    SUSE Linux Enterprise Server 10 SP3 LTSS
______________________________________________________________________________

An update that fixes two vulnerabilities is now available. It includes two new package versions.

Description:

Mozilla Firefox was updated to the 24.8.0ESR release, fixing security issues and bugs.

Only some of the published security advisories affect the Mozilla Firefox 24ESR codestream:

* MFSA 2014-72 / CVE-2014-1567: Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free during text layout when interacting with the setting of text direction. This results in a use-after-free which can lead to arbitrary code execution.

* MFSA 2014-67: Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

* Jan de Mooij reported a memory safety problem that affects Firefox ESR 24.7, ESR 31 and Firefox 31. (CVE-2014-1562)

More information is referenced on: https://www.mozilla.org/security/announce/
Security Issues:

* CVE-2014-1567
* CVE-2014-1562

Package List:

- SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64) [New Version: 3.16.4 and 4.10.7]:
  firefox-gtk2-2.18.9-0.11.1
  firefox-gtk2-lang-2.18.9-0.11.1
  mozilla-nspr-4.10.7-0.5.1
  mozilla-nspr-devel-4.10.7-0.5.1
  mozilla-nss-3.16.4-0.5.2
  mozilla-nss-devel-3.16.4-0.5.2
  mozilla-nss-tools-3.16.4-0.5.2

- SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64) [New Version: 3.16.4 and 4.10.7]:
  firefox-gtk2-32bit-2.18.9-0.11.1
  mozilla-nspr-32bit-4.10.7-0.5.1
  mozilla-nss-32bit-3.16.4-0.5.2

- SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x):
  MozillaFirefox-24.8.0esr-0.5.1
  MozillaFirefox-translations-24.8.0esr-0.5.1

References:

http://support.novell.com/security/cve/CVE-2014-1562.html
http://support.novell.com/security/cve/CVE-2014-1567.html
https://bugzilla.novell.com/882881
https://bugzilla.novell.com/894370
http://download.suse.com/patch/finder/?keywords=401ac4583a90138bdc8c41d347a7be85


From sle-security-updates at lists.suse.com Thu Sep 11 21:04:14 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 12 Sep 2014 05:04:14 +0200 (CEST)
Subject: SUSE-SU-2014:1121-1: Security update for libqt4
Message-ID: <20140912030414.01FDE321E9@maintenance.suse.de>

SUSE Security Update: Security update for libqt4
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1121-1
Rating:             low
References:         #865241
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This update of the QT4 QSSL interface makes it select a set of default ciphers that is recommended for current usage.
This update is needed for Konqueror to restrict its cipher set when using https.

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:
  zypper in -t patch sdksp3-libqt4-20140902-9683
- SUSE Linux Enterprise Server 11 SP3 for VMware:
  zypper in -t patch slessp3-libqt4-20140902-9683
- SUSE Linux Enterprise Server 11 SP3:
  zypper in -t patch slessp3-libqt4-20140902-9683
- SUSE Linux Enterprise Desktop 11 SP3:
  zypper in -t patch sledsp3-libqt4-20140902-9683

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
  libQtWebKit-devel-4.6.3-5.32.1
  libqt4-devel-4.6.3-5.32.1
  libqt4-devel-doc-4.6.3-5.32.1
  libqt4-sql-postgresql-4.6.3-5.32.1
  libqt4-sql-unixODBC-4.6.3-5.32.1

- SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64 s390x x86_64):
  libQtWebKit4-32bit-4.6.3-5.32.1
  libqt4-sql-mysql-32bit-4.6.3-5.32.1
  libqt4-sql-postgresql-32bit-4.6.3-5.32.1
  libqt4-sql-sqlite-32bit-4.6.3-5.32.1
  libqt4-sql-unixODBC-32bit-4.6.3-5.32.1

- SUSE Linux Enterprise Software Development Kit 11 SP3 (noarch):
  libqt4-devel-doc-data-4.6.3-5.32.1

- SUSE Linux Enterprise Software Development Kit 11 SP3 (ia64):
  libQtWebKit4-x86-4.6.3-5.32.1
  libqt4-sql-mysql-x86-4.6.3-5.32.1
  libqt4-sql-postgresql-x86-4.6.3-5.32.1
  libqt4-sql-sqlite-x86-4.6.3-5.32.1
  libqt4-sql-unixODBC-x86-4.6.3-5.32.1

- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
  libQtWebKit4-4.6.3-5.32.1
  libqt4-4.6.3-5.32.1
  libqt4-qt3support-4.6.3-5.32.1
  libqt4-sql-4.6.3-5.32.1
  libqt4-sql-mysql-4.6.3-5.32.1
  libqt4-sql-sqlite-4.6.3-5.32.1
  libqt4-x11-4.6.3-5.32.1
  qt4-x11-tools-4.6.3-5.32.1

- SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):
  libQtWebKit4-32bit-4.6.3-5.32.1
  libqt4-32bit-4.6.3-5.32.1
  libqt4-qt3support-32bit-4.6.3-5.32.1
  libqt4-sql-32bit-4.6.3-5.32.1
  libqt4-x11-32bit-4.6.3-5.32.1

- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
  libQtWebKit4-4.6.3-5.32.1
  libqt4-4.6.3-5.32.1
  libqt4-qt3support-4.6.3-5.32.1
  libqt4-sql-4.6.3-5.32.1
  libqt4-sql-mysql-4.6.3-5.32.1
  libqt4-sql-sqlite-4.6.3-5.32.1
  libqt4-x11-4.6.3-5.32.1
  qt4-x11-tools-4.6.3-5.32.1

- SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):
  libQtWebKit4-32bit-4.6.3-5.32.1
  libqt4-32bit-4.6.3-5.32.1
  libqt4-qt3support-32bit-4.6.3-5.32.1
  libqt4-sql-32bit-4.6.3-5.32.1
  libqt4-x11-32bit-4.6.3-5.32.1

- SUSE Linux Enterprise Server 11 SP3 (ia64):
  libQtWebKit4-x86-4.6.3-5.32.1
  libqt4-qt3support-x86-4.6.3-5.32.1
  libqt4-sql-x86-4.6.3-5.32.1
  libqt4-x11-x86-4.6.3-5.32.1
  libqt4-x86-4.6.3-5.32.1

- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
  libQtWebKit4-4.6.3-5.32.1
  libqt4-4.6.3-5.32.1
  libqt4-qt3support-4.6.3-5.32.1
  libqt4-sql-4.6.3-5.32.1
  libqt4-sql-mysql-4.6.3-5.32.1
  libqt4-sql-postgresql-4.6.3-5.32.1
  libqt4-sql-sqlite-4.6.3-5.32.1
  libqt4-sql-unixODBC-4.6.3-5.32.1
  libqt4-x11-4.6.3-5.32.1

- SUSE Linux Enterprise Desktop 11 SP3 (x86_64):
  libQtWebKit4-32bit-4.6.3-5.32.1
  libqt4-32bit-4.6.3-5.32.1
  libqt4-qt3support-32bit-4.6.3-5.32.1
  libqt4-sql-32bit-4.6.3-5.32.1
  libqt4-sql-mysql-32bit-4.6.3-5.32.1
  libqt4-sql-postgresql-32bit-4.6.3-5.32.1
  libqt4-sql-sqlite-32bit-4.6.3-5.32.1
  libqt4-sql-unixODBC-32bit-4.6.3-5.32.1
  libqt4-x11-32bit-4.6.3-5.32.1

References:

https://bugzilla.novell.com/865241
http://download.suse.com/patch/finder/?keywords=5693b41f94ae5236c03286138fcee56a

From sle-security-updates at lists.suse.com Thu Sep 11 22:04:13 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 12 Sep 2014 06:04:13 +0200 (CEST)
Subject: SUSE-SU-2014:1122-1: important: Security update for glibc
Message-ID: <20140912040413.3FCDD321E7@maintenance.suse.de>

SUSE Security Update: Security update for glibc
______________________________________________________________________________

Announcement ID:   SUSE-SU-2014:1122-1
Rating:            important
References:        #750741 #779320 #801246 #830268 #834594 #836746 #839870 #843735 #864081 #882600 #883022 #886416 #892073
Cross-References:  CVE-2012-4412 CVE-2013-0242 CVE-2013-4237 CVE-2013-4332 CVE-2013-4788 CVE-2014-4043 CVE-2014-5119
Affected Products:
  SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________

An update that solves 7 vulnerabilities and has 6 fixes is now available.

Description:

This glibc update fixes a critical privilege escalation vulnerability and the following security and non-security issues:

* bnc#892073: An off-by-one error leading to a heap-based buffer overflow was found in __gconv_translit_find(). An exploit that targets the problem is publicly available. (CVE-2014-5119)
* bnc#886416: Avoid redundant shift character in iconv output at block boundary.
* bnc#883022: Initialize errcode in sysdeps/unix/opendir.c.
* bnc#882600: Copy filename argument in posix_spawn_file_actions_addopen. (CVE-2014-4043)
* bnc#864081: Take lock in pthread_cond_wait cleanup handler only when needed.
* bnc#843735: Don't crash on unresolved weak symbol reference.
* bnc#839870: Fix integer overflows in malloc. (CVE-2013-4332)
* bnc#836746: Avoid race between {,__de}allocate_stack and __reclaim_stacks during fork.
* bnc#834594: Fix readdir_r with long file names. (CVE-2013-4237)
* bnc#830268: Initialize pointer guard also in static executables. (CVE-2013-4788)
* bnc#801246: Fix buffer overrun in regexp matcher. (CVE-2013-0242)
* bnc#779320: Fix buffer overflow in strcoll. (CVE-2012-4412)
* bnc#750741: Use absolute timeout in x86 pthread_cond_timedwait.

Security Issues:

* CVE-2014-5119
* CVE-2014-4043
* CVE-2012-4412
* CVE-2013-0242
* CVE-2013-4788
* CVE-2013-4237
* CVE-2013-4332

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP1 LTSS:
  zypper in -t patch slessp1-glibc-9664

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Server 11 SP1 LTSS (i586 i686 s390x x86_64):
  glibc-2.11.1-0.58.1
  glibc-devel-2.11.1-0.58.1

- SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):
  glibc-html-2.11.1-0.58.1
  glibc-i18ndata-2.11.1-0.58.1
  glibc-info-2.11.1-0.58.1
  glibc-locale-2.11.1-0.58.1
  glibc-profile-2.11.1-0.58.1
  nscd-2.11.1-0.58.1

- SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64):
  glibc-32bit-2.11.1-0.58.1
  glibc-devel-32bit-2.11.1-0.58.1
  glibc-locale-32bit-2.11.1-0.58.1
  glibc-profile-32bit-2.11.1-0.58.1

References:

http://support.novell.com/security/cve/CVE-2012-4412.html
http://support.novell.com/security/cve/CVE-2013-0242.html
http://support.novell.com/security/cve/CVE-2013-4237.html
http://support.novell.com/security/cve/CVE-2013-4332.html
http://support.novell.com/security/cve/CVE-2013-4788.html
http://support.novell.com/security/cve/CVE-2014-4043.html
http://support.novell.com/security/cve/CVE-2014-5119.html
https://bugzilla.novell.com/750741
https://bugzilla.novell.com/779320
https://bugzilla.novell.com/801246
https://bugzilla.novell.com/830268
https://bugzilla.novell.com/834594
https://bugzilla.novell.com/836746
https://bugzilla.novell.com/839870
https://bugzilla.novell.com/843735
https://bugzilla.novell.com/864081
https://bugzilla.novell.com/882600
https://bugzilla.novell.com/883022
https://bugzilla.novell.com/886416
https://bugzilla.novell.com/892073
http://download.suse.com/patch/finder/?keywords=8ba147c0ad19c1883fe7425b33e0ea15

From sle-security-updates at lists.suse.com Thu Sep 11 22:07:12 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 12 Sep 2014 06:07:12 +0200 (CEST)
Subject: SUSE-SU-2014:1120-2: important: Security update for MozillaFirefox
Message-ID: <20140912040712.B98B8321E9@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:   SUSE-SU-2014:1120-2
Rating:            important
References:        #882881 #894370
Cross-References:  CVE-2014-1562 CVE-2014-1567
Affected Products:
  SUSE Linux Enterprise Server 10 SP4 LTSS
______________________________________________________________________________

An update that fixes two vulnerabilities is now available. It includes two new package versions.

Description:

Mozilla Firefox was updated to the 24.8.0ESR release, fixing security issues and bugs.

Only some of the published security advisories affect the Mozilla Firefox 24ESR codestream:

* MFSA 2014-72 / CVE-2014-1567: Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free during text layout when interacting with the setting of text direction. This results in a use-after-free which can lead to arbitrary code execution.
* MFSA 2014-67: Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
* Jan de Mooij reported a memory safety problem that affects Firefox ESR 24.7, ESR 31 and Firefox 31. (CVE-2014-1562)

More information is referenced on: https://www.mozilla.org/security/announce/
Security Issues:

* CVE-2014-1567
* CVE-2014-1562

Package List:

- SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64) [New Version: 3.16.4 and 4.10.7]:
  firefox-gtk2-2.18.9-0.11.1
  firefox-gtk2-lang-2.18.9-0.11.1
  mozilla-nspr-4.10.7-0.5.1
  mozilla-nspr-devel-4.10.7-0.5.1
  mozilla-nss-3.16.4-0.5.2
  mozilla-nss-devel-3.16.4-0.5.2
  mozilla-nss-tools-3.16.4-0.5.2

- SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64) [New Version: 3.16.4 and 4.10.7]:
  firefox-gtk2-32bit-2.18.9-0.11.1
  mozilla-nspr-32bit-4.10.7-0.5.1
  mozilla-nss-32bit-3.16.4-0.5.2

- SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x):
  MozillaFirefox-24.8.0esr-0.5.1
  MozillaFirefox-translations-24.8.0esr-0.5.1

References:

http://support.novell.com/security/cve/CVE-2014-1562.html
http://support.novell.com/security/cve/CVE-2014-1567.html
https://bugzilla.novell.com/882881
https://bugzilla.novell.com/894370
http://download.suse.com/patch/finder/?keywords=24d0f20857a99b68fbd08945af76c27a

From sle-security-updates at lists.suse.com Fri Sep 12 11:04:12 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 12 Sep 2014 19:04:12 +0200 (CEST)
Subject: SUSE-SU-2014:1112-2: important: Security update for MozillaFirefox
Message-ID: <20140912170412.AA0DC321EC@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:   SUSE-SU-2014:1112-2
Rating:            important
References:        #894370
Affected Products:
  SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________

An update that contains security fixes can now be installed. It includes three new package versions.

Description:

Mozilla Firefox was updated to the 24.8.0ESR release, fixing security issues and bugs.
Only some of the published security advisories affect the Mozilla Firefox 24ESR codestream:

* MFSA 2014-72 / CVE-2014-1567: Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free during text layout when interacting with the setting of text direction. This results in a use-after-free which can lead to arbitrary code execution.
* MFSA 2014-67: Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
* Jan de Mooij reported a memory safety problem that affects Firefox ESR 24.7, ESR 31 and Firefox 31. (CVE-2014-1562)

More information is referenced on: https://www.mozilla.org/security/announce/

Security Issues:

* CVE-2014-1562
* CVE-2014-1567

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP1 LTSS:
  zypper in -t patch slessp1-firefox-201409-9681

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 24.8.0esr, 3.16.4 and 4.10.7]:
  MozillaFirefox-24.8.0esr-0.3.1
  MozillaFirefox-translations-24.8.0esr-0.3.1
  libfreebl3-3.16.4-0.3.1
  mozilla-nspr-4.10.7-0.3.1
  mozilla-nss-3.16.4-0.3.1
  mozilla-nss-tools-3.16.4-0.3.1

- SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64) [New Version: 3.16.4 and 4.10.7]:
  libfreebl3-32bit-3.16.4-0.3.1
  mozilla-nspr-32bit-4.10.7-0.3.1
  mozilla-nss-32bit-3.16.4-0.3.1

References:

https://bugzilla.novell.com/894370
http://download.suse.com/patch/finder/?keywords=163464dc8eaa4994ed25dd8ac41a3b4e

From sle-security-updates at lists.suse.com Fri Sep 12 15:04:12 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 12 Sep 2014 23:04:12 +0200 (CEST)
Subject: SUSE-SU-2014:1121-2: Security update for kdelibs4
Message-ID: <20140912210412.C6180321EC@maintenance.suse.de>

SUSE Security Update: Security update for kdelibs4
______________________________________________________________________________

Announcement ID:   SUSE-SU-2014:1121-2
Rating:            low
References:        #865241
Affected Products:
  SUSE Linux Enterprise Software Development Kit 11 SP3
  SUSE Linux Enterprise Server 11 SP3 for VMware
  SUSE Linux Enterprise Server 11 SP3
  SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This update of the kdelibs4 KSSL interface makes it select a set of default ciphers that is recommended for current usage.

This update is needed for Konqueror to restrict its cipher set when using https.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:
  zypper in -t patch sdksp3-kdelibs4-9676
- SUSE Linux Enterprise Server 11 SP3 for VMware:
  zypper in -t patch slessp3-kdelibs4-9676
- SUSE Linux Enterprise Server 11 SP3:
  zypper in -t patch slessp3-kdelibs4-9676
- SUSE Linux Enterprise Desktop 11 SP3:
  zypper in -t patch sledsp3-kdelibs4-9676

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
  kdelibs4-doc-4.3.5-0.14.1
  libkde4-devel-4.3.5-0.14.1
  libkdecore4-devel-4.3.5-0.14.1

- SUSE Linux Enterprise Software Development Kit 11 SP3 (x86_64):
  libkde4-32bit-4.3.5-0.14.1
  libkdecore4-32bit-4.3.5-0.14.1

- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
  kdelibs4-4.3.5-0.14.1
  kdelibs4-core-4.3.5-0.14.1
  kdelibs4-doc-4.3.5-0.14.1
  libkde4-4.3.5-0.14.1
  libkdecore4-4.3.5-0.14.1

- SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):
  libkde4-32bit-4.3.5-0.14.1
  libkdecore4-32bit-4.3.5-0.14.1

- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
  kdelibs4-4.3.5-0.14.1
  kdelibs4-core-4.3.5-0.14.1
  kdelibs4-doc-4.3.5-0.14.1
  libkde4-4.3.5-0.14.1
  libkdecore4-4.3.5-0.14.1

- SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):
  libkde4-32bit-4.3.5-0.14.1
  libkdecore4-32bit-4.3.5-0.14.1

- SUSE Linux Enterprise Server 11 SP3 (ia64):
  libkde4-x86-4.3.5-0.14.1
  libkdecore4-x86-4.3.5-0.14.1

- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
  kdelibs4-4.3.5-0.14.1
  kdelibs4-core-4.3.5-0.14.1
  libkde4-4.3.5-0.14.1
  libkdecore4-4.3.5-0.14.1

- SUSE Linux Enterprise Desktop 11 SP3 (x86_64):
  libkde4-32bit-4.3.5-0.14.1
  libkdecore4-32bit-4.3.5-0.14.1

References:

https://bugzilla.novell.com/865241
http://download.suse.com/patch/finder/?keywords=4f8706278a1e76233f67163bb601296d

From sle-security-updates at lists.suse.com Fri Sep 12 17:04:14 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 13 Sep 2014 01:04:14 +0200 (CEST)
Subject: SUSE-SU-2014:1124-1: important: Security update for flash-player
Message-ID: <20140912230414.DB155321DE@maintenance.suse.de>

SUSE Security Update: Security update for flash-player
______________________________________________________________________________

Announcement ID:   SUSE-SU-2014:1124-1
Rating:            important
References:        #895856
Cross-References:  CVE-2014-0547 CVE-2014-0548 CVE-2014-0549 CVE-2014-0550 CVE-2014-0551 CVE-2014-0552 CVE-2014-0553 CVE-2014-0554 CVE-2014-0555 CVE-2014-0556 CVE-2014-0557 CVE-2014-0559
Affected Products:
  SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that fixes 12 vulnerabilities is now available. It includes one version update.

Description:

Adobe Flash Player has been updated to 11.2.202.406 which fixes various security issues.

These updates:

* resolve a memory leakage vulnerability that could have been used to bypass memory address randomization (CVE-2014-0557).
* resolve a security bypass vulnerability (CVE-2014-0554).
* resolve a use-after-free vulnerability that could have led to code execution (CVE-2014-0553).
* resolve memory corruption vulnerabilities that could have led to code execution (CVE-2014-0547, CVE-2014-0549, CVE-2014-0550, CVE-2014-0551, CVE-2014-0552, CVE-2014-0555).
* resolve a vulnerability that could have been used to bypass the same origin policy (CVE-2014-0548).
* resolve a heap buffer overflow vulnerability that could have led to code execution (CVE-2014-0556, CVE-2014-0559).
More information can be found on http://helpx.adobe.com/security/products/flash-player/apsb14-21.html

Security Issues:

* CVE-2014-0547
* CVE-2014-0548
* CVE-2014-0549
* CVE-2014-0550
* CVE-2014-0551
* CVE-2014-0552
* CVE-2014-0553
* CVE-2014-0554
* CVE-2014-0555
* CVE-2014-0556
* CVE-2014-0557
* CVE-2014-0559

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Desktop 11 SP3:
  zypper in -t patch sledsp3-flash-player-9704

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 11.2.202.406]:
  flash-player-11.2.202.406-0.3.1
  flash-player-gnome-11.2.202.406-0.3.1
  flash-player-kde4-11.2.202.406-0.3.1

References:

http://support.novell.com/security/cve/CVE-2014-0547.html
http://support.novell.com/security/cve/CVE-2014-0548.html
http://support.novell.com/security/cve/CVE-2014-0549.html
http://support.novell.com/security/cve/CVE-2014-0550.html
http://support.novell.com/security/cve/CVE-2014-0551.html
http://support.novell.com/security/cve/CVE-2014-0552.html
http://support.novell.com/security/cve/CVE-2014-0553.html
http://support.novell.com/security/cve/CVE-2014-0554.html
http://support.novell.com/security/cve/CVE-2014-0555.html
http://support.novell.com/security/cve/CVE-2014-0556.html
http://support.novell.com/security/cve/CVE-2014-0557.html
http://support.novell.com/security/cve/CVE-2014-0559.html
https://bugzilla.novell.com/895856
http://download.suse.com/patch/finder/?keywords=3bb66ba5895adc6dc1e2753dafc4a3e3

From sle-security-updates at lists.suse.com Fri Sep 12 19:04:13 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 13 Sep 2014 03:04:13 +0200 (CEST)
Subject: SUSE-SU-2014:1125-1: important: Security update for glibc
Message-ID: <20140913010413.380EA321E7@maintenance.suse.de>

SUSE Security Update: Security update for glibc
______________________________________________________________________________

Announcement ID:   SUSE-SU-2014:1125-1
Rating:            important
References:        #888347 #892065 #892073
Cross-References:  CVE-2014-5119
Affected Products:
  SUSE Linux Enterprise Software Development Kit 11 SP3
  SUSE Linux Enterprise Server 11 SP3 for VMware
  SUSE Linux Enterprise Server 11 SP3
  SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that solves one vulnerability and has two fixes is now available.

Description:

This glibc update fixes a critical privilege escalation problem and two non-security issues:

* bnc#892073: An off-by-one error leading to a heap-based buffer overflow was found in __gconv_translit_find(). An exploit that targets the problem is publicly available. (CVE-2014-5119)
* bnc#892065: setenv-alloca.patch: Avoid unbound alloca in setenv.
* bnc#888347: printf-multibyte-format.patch: Don't parse %s format argument as multi-byte string.

Security Issues:

* CVE-2014-5119

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:
  zypper in -t patch sdksp3-glibc-9669
- SUSE Linux Enterprise Server 11 SP3 for VMware:
  zypper in -t patch slessp3-glibc-9669
- SUSE Linux Enterprise Server 11 SP3:
  zypper in -t patch slessp3-glibc-9669
- SUSE Linux Enterprise Desktop 11 SP3:
  zypper in -t patch sledsp3-glibc-9669

To bring your system up-to-date, use "zypper patch".
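The package lists in these advisories are the data a defender checks an inventory against: a host is fixed only when every listed package is installed at the listed name-version-release or later, and "later" must be judged with rpm's segment-wise version ordering, not string comparison. The following is an added example written for this digest, not SUSE tooling and not part of any advisory. It assumes an inventory produced by `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` (so no architecture suffix and no epoch), implements the core of rpm's version comparison (digit and letter segments; tilde and caret ordering are left out), and checks constructed inventory lines against fixed versions quoted from the Package List of SUSE-SU-2014:1125-1 for SUSE Linux Enterprise Server 11 SP3.

```python
"""Check an rpm package inventory against a SUSE advisory's package list.

Added example for this digest; not SUSE tooling. Fixed versions are quoted
from the Package List of SUSE-SU-2014:1125-1; the inventory is constructed.
"""
import re

# Fixed name-version-release strings quoted from the advisory (SLES 11 SP3).
ADVISORY_PACKAGES = [
    "glibc-2.11.3-17.72.14",
    "glibc-devel-2.11.3-17.72.14",
    "glibc-locale-2.11.3-17.72.14",
    "nscd-2.11.3-17.72.14",
]

# Constructed inventory for a hypothetical host, in the format produced by
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
# (assumed: no architecture suffix, no epoch).
INVENTORY = """\
glibc-2.11.3-17.72.13
glibc-devel-2.11.3-17.72.14
glibc-locale-2.11.3-17.54.1
nscd-2.11.3-17.72.14
bash-3.2-147.22.1
"""

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm's rpmvercmp does.

    Returns -1, 0 or 1. Each string is split into runs of digits or letters;
    separators are ignored. A numeric segment is newer than an alphabetic one,
    numeric segments compare by value (leading zeros ignored), alphabetic ones
    lexically, and when one string runs out of segments the longer one wins.
    Tilde ("~") and caret ("^") pre-release ordering is not implemented here.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1
        if x_num:
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def split_nvr(nvr: str):
    """Split 'name-version-release' into its three parts.

    Package names may themselves contain hyphens (glibc-devel, flash-player-gnome),
    so split from the right: the last two hyphens delimit version and release.
    """
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def compare_nvr(installed: str, fixed: str) -> int:
    """Order two NVRs of the same package: version first, then release."""
    _, iv, ir = split_nvr(installed)
    _, fv, fr = split_nvr(fixed)
    by_version = rpmvercmp(iv, fv)
    return by_version if by_version else rpmvercmp(ir, fr)


def unpatched_packages(inventory: str, advisory: list) -> list:
    """Return the inventory lines whose package is older than the advisory's fix.

    Packages the advisory does not list are ignored; packages already at or
    beyond the fixed version are not reported.
    """
    fixed_by_name = {split_nvr(p)[0]: p for p in advisory}
    findings = []
    for line in inventory.splitlines():
        line = line.strip()
        if not line:
            continue
        name = split_nvr(line)[0]
        if name in fixed_by_name and compare_nvr(line, fixed_by_name[name]) < 0:
            findings.append(line)
    return findings


if __name__ == "__main__":
    for pkg in unpatched_packages(INVENTORY, ADVISORY_PACKAGES):
        print("still vulnerable:", pkg)
```

On the constructed inventory this reports `glibc-2.11.3-17.72.13` and `glibc-locale-2.11.3-17.54.1`; `glibc-devel` and `nscd` are already at the fixed release and `bash` is not part of the advisory. A name match alone is not enough: the 32-bit and `-x86` variants in the advisory's lists are separate package names and need their own entries.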
Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64):
  glibc-html-2.11.3-17.72.14
  glibc-info-2.11.3-17.72.14

- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
  glibc-2.11.3-17.72.14
  glibc-devel-2.11.3-17.72.14
  glibc-html-2.11.3-17.72.14
  glibc-i18ndata-2.11.3-17.72.14
  glibc-info-2.11.3-17.72.14
  glibc-locale-2.11.3-17.72.14
  glibc-profile-2.11.3-17.72.14
  nscd-2.11.3-17.72.14

- SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):
  glibc-32bit-2.11.3-17.72.14
  glibc-devel-32bit-2.11.3-17.72.14
  glibc-locale-32bit-2.11.3-17.72.14
  glibc-profile-32bit-2.11.3-17.72.14

- SUSE Linux Enterprise Server 11 SP3 (i586 i686 ia64 ppc64 s390x x86_64):
  glibc-2.11.3-17.72.14
  glibc-devel-2.11.3-17.72.14

- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
  glibc-html-2.11.3-17.72.14
  glibc-i18ndata-2.11.3-17.72.14
  glibc-info-2.11.3-17.72.14
  glibc-locale-2.11.3-17.72.14
  glibc-profile-2.11.3-17.72.14
  nscd-2.11.3-17.72.14

- SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):
  glibc-32bit-2.11.3-17.72.14
  glibc-devel-32bit-2.11.3-17.72.14
  glibc-locale-32bit-2.11.3-17.72.14
  glibc-profile-32bit-2.11.3-17.72.14

- SUSE Linux Enterprise Server 11 SP3 (ia64):
  glibc-locale-x86-2.11.3-17.72.14
  glibc-profile-x86-2.11.3-17.72.14
  glibc-x86-2.11.3-17.72.14

- SUSE Linux Enterprise Desktop 11 SP3 (i586 i686 x86_64):
  glibc-2.11.3-17.72.14
  glibc-devel-2.11.3-17.72.14

- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
  glibc-i18ndata-2.11.3-17.72.14
  glibc-locale-2.11.3-17.72.14
  nscd-2.11.3-17.72.14

- SUSE Linux Enterprise Desktop 11 SP3 (x86_64):
  glibc-32bit-2.11.3-17.72.14
  glibc-devel-32bit-2.11.3-17.72.14
  glibc-locale-32bit-2.11.3-17.72.14

References:

http://support.novell.com/security/cve/CVE-2014-5119.html
https://bugzilla.novell.com/888347
https://bugzilla.novell.com/892065
https://bugzilla.novell.com/892073
http://download.suse.com/patch/finder/?keywords=b84219db4b55e263e5f4c158906891f0

From sle-security-updates at lists.suse.com Mon Sep 15 11:04:14 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 15 Sep 2014 19:04:14 +0200 (CEST)
Subject: SUSE-SU-2014:1128-1: important: Security update for glibc
Message-ID: <20140915170414.D1F02321EC@maintenance.suse.de>

SUSE Security Update: Security update for glibc
______________________________________________________________________________

Announcement ID:   SUSE-SU-2014:1128-1
Rating:            important
References:        #779320 #801246 #824639 #834594 #839870 #842291 #860501 #882600 #892073 #894553 #894556
Cross-References:  CVE-2012-4412 CVE-2013-0242 CVE-2013-4237 CVE-2013-4332 CVE-2014-4043 CVE-2014-5119
Affected Products:
  SUSE Linux Enterprise Server 10 SP3 LTSS
______________________________________________________________________________

An update that solves 6 vulnerabilities and has 5 fixes is now available.

Description:

This glibc update fixes a critical privilege escalation problem and the following security and non-security issues:

* bnc#892073: An off-by-one error leading to a heap-based buffer overflow was found in __gconv_translit_find(). An exploit that targets the problem is publicly available. (CVE-2014-5119)
* bnc#882600: Copy filename argument in posix_spawn_file_actions_addopen. (CVE-2014-4043)
* bnc#860501: Use O_LARGEFILE for utmp file.
* bnc#842291: Fix typo in glibc-2.5-dlopen-lookup-race.diff.
* bnc#839870: Fix integer overflows in malloc. (CVE-2013-4332)
* bnc#834594: Fix readdir_r with long file names. (CVE-2013-4237)
* bnc#824639: Drop lock before calling malloc_printerr.
* bnc#801246: Fix buffer overrun in regexp matcher. (CVE-2013-0242)
* bnc#779320: Fix buffer overflow in strcoll. (CVE-2012-4412)
* bnc#894556 / bnc#894553: Fix crashes on invalid input in IBM gconv modules. (CVE-2014-6040, CVE-2012-6656, bnc#894553, bnc#894556, BZ#17325, BZ#14134)

Security Issues:

* CVE-2014-5119
* CVE-2014-4043
* CVE-2013-4332
* CVE-2013-4237
* CVE-2013-0242
* CVE-2012-4412

Package List:

- SUSE Linux Enterprise Server 10 SP3 LTSS (i586 i686 s390x x86_64):
  glibc-2.4-31.77.112.1
  glibc-devel-2.4-31.77.112.1

- SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):
  glibc-html-2.4-31.77.112.1
  glibc-i18ndata-2.4-31.77.112.1
  glibc-info-2.4-31.77.112.1
  glibc-locale-2.4-31.77.112.1
  glibc-profile-2.4-31.77.112.1
  nscd-2.4-31.77.112.1

- SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64):
  glibc-32bit-2.4-31.77.112.1
  glibc-devel-32bit-2.4-31.77.112.1
  glibc-locale-32bit-2.4-31.77.112.1
  glibc-profile-32bit-2.4-31.77.112.1

References:

http://support.novell.com/security/cve/CVE-2012-4412.html
http://support.novell.com/security/cve/CVE-2013-0242.html
http://support.novell.com/security/cve/CVE-2013-4237.html
http://support.novell.com/security/cve/CVE-2013-4332.html
http://support.novell.com/security/cve/CVE-2014-4043.html
http://support.novell.com/security/cve/CVE-2014-5119.html
https://bugzilla.novell.com/779320
https://bugzilla.novell.com/801246
https://bugzilla.novell.com/824639
https://bugzilla.novell.com/834594
https://bugzilla.novell.com/839870
https://bugzilla.novell.com/842291
https://bugzilla.novell.com/860501
https://bugzilla.novell.com/882600
https://bugzilla.novell.com/892073
https://bugzilla.novell.com/894553
https://bugzilla.novell.com/894556
http://download.suse.com/patch/finder/?keywords=190862be14e3ed91b361e0b0a66e292a

From sle-security-updates at lists.suse.com Mon Sep 15 11:06:37 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 15 Sep 2014 19:06:37 +0200 (CEST)
Subject: SUSE-SU-2014:1129-1: important: Security update for glibc
Message-ID: <20140915170637.E213F321EC@maintenance.suse.de>

SUSE Security Update: Security update for glibc
______________________________________________________________________________

Announcement ID:   SUSE-SU-2014:1129-1
Rating:            important
References:        #836746 #844309 #892073 #894553 #894556
Cross-References:  CVE-2012-6656 CVE-2013-4357 CVE-2014-5119 CVE-2014-6040
Affected Products:
  SUSE Linux Enterprise Server 11 SP2 LTSS
______________________________________________________________________________

An update that solves four vulnerabilities and has one errata is now available.

Description:

This glibc update fixes a critical privilege escalation problem and two additional issues:

* bnc#892073: An off-by-one error leading to a heap-based buffer overflow was found in __gconv_translit_find(). An exploit that targets the problem is publicly available. (CVE-2014-5119)
* bnc#836746: Avoid race between {,__de}allocate_stack and __reclaim_stacks during fork.
* bnc#844309: Fixed various overflows, reading large /etc/hosts or long names. (CVE-2013-4357)
* bnc#894553, bnc#894556: Fixed various crashes on invalid input in IBM gconv modules. (CVE-2014-6040, CVE-2012-6656)

Security Issues:

* CVE-2012-6656
* CVE-2013-4357
* CVE-2014-5119
* CVE-2014-6040

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP2 LTSS:
  zypper in -t patch slessp2-glibc-9721

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Server 11 SP2 LTSS (i586 i686 s390x x86_64):
  glibc-2.11.3-17.45.53.1
  glibc-devel-2.11.3-17.45.53.1

- SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64):
  glibc-html-2.11.3-17.45.53.1
  glibc-i18ndata-2.11.3-17.45.53.1
  glibc-info-2.11.3-17.45.53.1
  glibc-locale-2.11.3-17.45.53.1
  glibc-profile-2.11.3-17.45.53.1
  nscd-2.11.3-17.45.53.1

- SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64):
  glibc-32bit-2.11.3-17.45.53.1
  glibc-devel-32bit-2.11.3-17.45.53.1
  glibc-locale-32bit-2.11.3-17.45.53.1
  glibc-profile-32bit-2.11.3-17.45.53.1

References:

http://support.novell.com/security/cve/CVE-2012-6656.html
http://support.novell.com/security/cve/CVE-2013-4357.html
http://support.novell.com/security/cve/CVE-2014-5119.html
http://support.novell.com/security/cve/CVE-2014-6040.html
https://bugzilla.novell.com/836746
https://bugzilla.novell.com/844309
https://bugzilla.novell.com/892073
https://bugzilla.novell.com/894553
https://bugzilla.novell.com/894556
http://download.suse.com/patch/finder/?keywords=cd8403453563e9d5a949d2219d62a993

From sle-security-updates at lists.suse.com Tue Sep 16 10:04:14 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 16 Sep 2014 18:04:14 +0200 (CEST)
Subject: SUSE-SU-2014:1137-1: important: Security update for procmail
Message-ID: <20140916160414.2ED9B321EC@maintenance.suse.de>

SUSE Security Update: Security update for procmail
______________________________________________________________________________

Announcement ID:   SUSE-SU-2014:1137-1
Rating:            important
References:        #894999
Cross-References:  CVE-2014-3618
Affected Products:
  SUSE Linux Enterprise Server 11 SP3 for VMware
  SUSE Linux Enterprise Server 11 SP3
  SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that fixes one vulnerability is now available.
Description:

procmail was updated to fix a security issue in its formail helper.

* When formail processed specially crafted e-mail headers, a heap corruption could be triggered, which would lead to a crash of formail. (CVE-2014-3618)

Security Issues:

* CVE-2014-3618

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP3 for VMware:
  zypper in -t patch slessp3-procmail-9689
- SUSE Linux Enterprise Server 11 SP3:
  zypper in -t patch slessp3-procmail-9689
- SUSE Linux Enterprise Desktop 11 SP3:
  zypper in -t patch sledsp3-procmail-9689

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
  procmail-3.22-240.8.1

- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
  procmail-3.22-240.8.1

- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
  procmail-3.22-240.8.1

References:

http://support.novell.com/security/cve/CVE-2014-3618.html
https://bugzilla.novell.com/894999
http://download.suse.com/patch/finder/?keywords=04c0ff20564be8dcec09a614771f2731

From sle-security-updates at lists.suse.com Tue Sep 16 11:04:17 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 16 Sep 2014 19:04:17 +0200 (CEST)
Subject: SUSE-SU-2014:1138-1: important: Security update for the Linux Kernel
Message-ID: <20140916170417.A306D321EC@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:   SUSE-SU-2014:1138-1
Rating:            important
References:        #794824 #806431 #831058 #854722 #856756 #871797 #877257 #879921 #880484 #881051 #882809 #883526 #883724 #883795 #884530 #885422 #885725 #887082 #889173 #892490
Cross-References:  CVE-2013-1860 CVE-2013-4162 CVE-2013-7266 CVE-2013-7267 CVE-2013-7268 CVE-2013-7269 CVE-2013-7270
CVE-2013-7271 CVE-2014-0203 CVE-2014-3144 CVE-2014-3145 CVE-2014-3917 CVE-2014-4508 CVE-2014-4652 CVE-2014-4653 CVE-2014-4654 CVE-2014-4655 CVE-2014-4656 CVE-2014-4667 CVE-2014-4699 CVE-2014-4943 CVE-2014-5077 Affected Products: SUSE Linux Enterprise Server 11 SP1 LTSS SLE 11 SERVER Unsupported Extras ______________________________________________________________________________ An update that fixes 22 vulnerabilities is now available. It includes one version update. Description: The SUSE Linux Enterprise Server 11 SP1 LTSS received a roll up update to fix several security and non-security issues. The following security issues have been fixed: * CVE-2013-1860: Heap-based buffer overflow in the wdm_in_callback function in drivers/usb/class/cdc-wdm.c in the Linux kernel before 3.8.4 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted cdc-wdm USB device. (bnc#806431) * CVE-2013-4162: The udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6 implementation in the Linux kernel through 3.10.3 makes an incorrect function call for pending data, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call. (bnc#831058) * CVE-2014-0203: The __do_follow_link function in fs/namei.c in the Linux kernel before 2.6.33 does not properly handle the last pathname component during use of certain filesystems, which allows local users to cause a denial of service (incorrect free operations and system crash) via an open system call. 
(bnc#883526) * CVE-2014-3144: The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST extension implementations in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 do not check whether a certain length value is sufficiently large, which allows local users to cause a denial of service (integer underflow and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr and __skb_get_nlattr_nest functions before the vulnerability was announced. (bnc#877257) * CVE-2014-3145: The BPF_S_ANC_NLATTR_NEST extension implementation in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 uses the reverse order in a certain subtraction, which allows local users to cause a denial of service (over-read and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr_nest function before the vulnerability was announced. (bnc#877257) * CVE-2014-3917: kernel/auditsc.c in the Linux kernel through 3.14.5, when CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allows local users to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS) via a large value of a syscall number. (bnc#880484) * CVE-2014-4508: arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allows local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000. (bnc#883724) * CVE-2014-4652: Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allows local users to obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. 
(bnc#883795) * CVE-2014-4653: sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not ensure possession of a read/write lock, which allows local users to cause a denial of service (use-after-free) and obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. (bnc#883795) * CVE-2014-4654: The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not check authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allows local users to remove kernel controls and cause a denial of service (use-after-free and system crash) by leveraging /dev/snd/controlCX access for an ioctl call. (bnc#883795) * CVE-2014-4655: The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not properly maintain the user_ctl_count value, which allows local users to cause a denial of service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX access for a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls. (bnc#883795) * CVE-2014-4656: Multiple integer overflows in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allow local users to cause a denial of service by leveraging /dev/snd/controlCX access, related to (1) index values in the snd_ctl_add function and (2) numid values in the snd_ctl_remove_numid_conflict function. (bnc#883795) * CVE-2014-4667: The sctp_association_free function in net/sctp/associola.c in the Linux kernel before 3.15.2 does not properly manage a certain backlog value, which allows remote attackers to cause a denial of service (socket outage) via a crafted SCTP packet. 
(bnc#885422) * CVE-2014-4699: The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls. (bnc#885725) * CVE-2014-4943: The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket. (bnc#887082) * CVE-2014-5077: The sctp_assoc_update function in net/sctp/associola.c in the Linux kernel through 3.15.8, when SCTP authentication is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by starting to establish an association between two endpoints immediately after an exchange of INIT and INIT ACK chunks to establish an earlier association between these endpoints in the opposite direction. (bnc#889173) * CVE-2013-7266: The mISDN_sock_recvmsg function in drivers/isdn/mISDN/socket.c in the Linux kernel before 3.12.4 does not ensure that a certain length value is consistent with the size of an associated data structure, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#854722) * CVE-2013-7267: The atalk_recvmsg function in net/appletalk/ddp.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. 
(bnc#854722) * CVE-2013-7268: The ipx_recvmsg function in net/ipx/af_ipx.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#854722) * CVE-2013-7269: The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#854722) * CVE-2013-7270: The packet_recvmsg function in net/packet/af_packet.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#854722) * CVE-2013-7271: The x25_recvmsg function in net/x25/af_x25.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#854722) The following bugs have been fixed: * mac80211: Fix AP powersave TX vs. wakeup race (bnc#871797). * tcp: Allow to disable cwnd moderation in TCP_CA_Loss state (bnc#879921). * tcp: Adapt selected parts of RFC 5682 and PRR logic (bnc#879921). * flock: Fix allocation and BKL (bnc#882809). * sunrpc: Close a rare race in xs_tcp_setup_socket (bnc#794824, bnc#884530). * isofs: Fix unbounded recursion when processing relocated directories (bnc#892490). * bonding: Fix a race condition on cleanup in bond_send_unsolicited_na() (bnc#856756). 
* block: Fix race between request completion and timeout handling (bnc#881051). * Fix kABI breakage due to addition of user_ctl_lock (bnc#883795). Security Issues: * CVE-2013-1860 * CVE-2013-4162 * CVE-2013-7266 * CVE-2013-7267 * CVE-2013-7268 * CVE-2013-7269 * CVE-2013-7270 * CVE-2013-7271 * CVE-2014-0203 * CVE-2014-3144 * CVE-2014-3145 * CVE-2014-3917 * CVE-2014-4508 * CVE-2014-4652 * CVE-2014-4653 * CVE-2014-4654 * CVE-2014-4655 * CVE-2014-4656 * CVE-2014-4667 * CVE-2014-4699 * CVE-2014-4943 * CVE-2014-5077 Indications: Everyone using the Linux Kernel on x86_64 architecture should update. Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP1 LTSS: zypper in -t patch slessp1-kernel-9658 slessp1-kernel-9660 slessp1-kernel-9667 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 2.6.32.59]: kernel-default-2.6.32.59-0.15.2 kernel-default-base-2.6.32.59-0.15.2 kernel-default-devel-2.6.32.59-0.15.2 kernel-source-2.6.32.59-0.15.2 kernel-syms-2.6.32.59-0.15.2 kernel-trace-2.6.32.59-0.15.2 kernel-trace-base-2.6.32.59-0.15.2 kernel-trace-devel-2.6.32.59-0.15.2 - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 x86_64) [New Version: 2.6.32.59]: kernel-ec2-2.6.32.59-0.15.2 kernel-ec2-base-2.6.32.59-0.15.2 kernel-ec2-devel-2.6.32.59-0.15.2 kernel-xen-2.6.32.59-0.15.2 kernel-xen-base-2.6.32.59-0.15.2 kernel-xen-devel-2.6.32.59-0.15.2 xen-kmp-default-4.0.3_21548_16_2.6.32.59_0.15-0.5.26 xen-kmp-trace-4.0.3_21548_16_2.6.32.59_0.15-0.5.26 - SUSE Linux Enterprise Server 11 SP1 LTSS (s390x) [New Version: 2.6.32.59]: kernel-default-man-2.6.32.59-0.15.2 - SUSE Linux Enterprise Server 11 SP1 LTSS (i586) [New Version: 2.6.32.59]: kernel-pae-2.6.32.59-0.15.2 kernel-pae-base-2.6.32.59-0.15.2 kernel-pae-devel-2.6.32.59-0.15.2 xen-kmp-pae-4.0.3_21548_16_2.6.32.59_0.15-0.5.26 - SLE 11 SERVER Unsupported Extras (i586 s390x x86_64): kernel-default-extra-2.6.32.59-0.15.2 - SLE 11 SERVER Unsupported Extras (i586 x86_64): kernel-xen-extra-2.6.32.59-0.15.2 - SLE 11 SERVER Unsupported Extras (i586): kernel-pae-extra-2.6.32.59-0.15.2 References: http://support.novell.com/security/cve/CVE-2013-1860.html http://support.novell.com/security/cve/CVE-2013-4162.html http://support.novell.com/security/cve/CVE-2013-7266.html http://support.novell.com/security/cve/CVE-2013-7267.html http://support.novell.com/security/cve/CVE-2013-7268.html http://support.novell.com/security/cve/CVE-2013-7269.html http://support.novell.com/security/cve/CVE-2013-7270.html http://support.novell.com/security/cve/CVE-2013-7271.html http://support.novell.com/security/cve/CVE-2014-0203.html http://support.novell.com/security/cve/CVE-2014-3144.html http://support.novell.com/security/cve/CVE-2014-3145.html 
http://support.novell.com/security/cve/CVE-2014-3917.html http://support.novell.com/security/cve/CVE-2014-4508.html http://support.novell.com/security/cve/CVE-2014-4652.html http://support.novell.com/security/cve/CVE-2014-4653.html http://support.novell.com/security/cve/CVE-2014-4654.html http://support.novell.com/security/cve/CVE-2014-4655.html http://support.novell.com/security/cve/CVE-2014-4656.html http://support.novell.com/security/cve/CVE-2014-4667.html http://support.novell.com/security/cve/CVE-2014-4699.html http://support.novell.com/security/cve/CVE-2014-4943.html http://support.novell.com/security/cve/CVE-2014-5077.html https://bugzilla.novell.com/794824 https://bugzilla.novell.com/806431 https://bugzilla.novell.com/831058 https://bugzilla.novell.com/854722 https://bugzilla.novell.com/856756 https://bugzilla.novell.com/871797 https://bugzilla.novell.com/877257 https://bugzilla.novell.com/879921 https://bugzilla.novell.com/880484 https://bugzilla.novell.com/881051 https://bugzilla.novell.com/882809 https://bugzilla.novell.com/883526 https://bugzilla.novell.com/883724 https://bugzilla.novell.com/883795 https://bugzilla.novell.com/884530 https://bugzilla.novell.com/885422 https://bugzilla.novell.com/885725 https://bugzilla.novell.com/887082 https://bugzilla.novell.com/889173 https://bugzilla.novell.com/892490 http://download.suse.com/patch/finder/?keywords=33223d7de0d6fcaf9f12c0175a720ae1 http://download.suse.com/patch/finder/?keywords=753dcd87154cfcee28dc062d0421697d http://download.suse.com/patch/finder/?keywords=ad20790f90bee656575f760123b63fe2 http://download.suse.com/patch/finder/?keywords=bb89429b2b6bbf8e51a9b446b5a9f825 http://download.suse.com/patch/finder/?keywords=cc2185e1b7bb5f72a49d967c7dcf07ee http://download.suse.com/patch/finder/?keywords=f3d32743e8c31acee5f4fb836923cc28 From sle-security-updates at lists.suse.com Wed Sep 17 16:05:22 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 18 Sep 
2014 00:05:22 +0200 (CEST) Subject: SUSE-SU-2014:1140-1: important: Security update for squid3 Message-ID: <20140917220522.CE8DB321F2@maintenance.suse.de> SUSE Security Update: Security update for squid3 ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1140-1 Rating: important References: #893649 Cross-References: CVE-2014-3609 Affected Products: SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: Squid3 was updated to fix a denial of service in Range Header processing, which would have allowed proxy users to crash the squid proxy process. (CVE-2014-3609) Security Issues: * CVE-2014-3609 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-squid3-9729 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-squid3-9729 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): squid3-3.1.12-8.16.20.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64): squid3-3.1.12-8.16.20.1 References: http://support.novell.com/security/cve/CVE-2014-3609.html https://bugzilla.novell.com/893649 http://download.suse.com/patch/finder/?keywords=3bbd1bc6081bef0e6021f21703b952ea From sle-security-updates at lists.suse.com Wed Sep 17 17:04:18 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 18 Sep 2014 01:04:18 +0200 (CEST) Subject: SUSE-SU-2014:1141-1: moderate: Security update for php53 Message-ID: <20140917230418.EF809321EE@maintenance.suse.de> SUSE Security Update: Security update for php53 ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1141-1 Rating: moderate References: #893849 #893853 Cross-References: CVE-2014-4049 CVE-2014-5459 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This php53 update fixes the following security issues: * PEAR used an insecure temporary file for its cache data; the cache now lives in a separate root-only directory, /var/cache/php-pear. (CVE-2014-5459) * The earlier fix for CVE-2014-4049 (heap buffer overflow when parsing DNS records in dns_get_record()) was incomplete; the remaining cases are tracked as CVE-2014-3597. Security Issues: * CVE-2014-5459 * CVE-2014-4049 Patch Instructions: To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-apache2-mod_php53-9718 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-apache2-mod_php53-9718 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-apache2-mod_php53-9718 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64): php53-devel-5.3.17-0.29.1 php53-imap-5.3.17-0.29.1 php53-posix-5.3.17-0.29.1 php53-readline-5.3.17-0.29.1 php53-sockets-5.3.17-0.29.1 php53-sqlite-5.3.17-0.29.1 php53-tidy-5.3.17-0.29.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): apache2-mod_php53-5.3.17-0.29.1 php53-5.3.17-0.29.1 php53-bcmath-5.3.17-0.29.1 php53-bz2-5.3.17-0.29.1 php53-calendar-5.3.17-0.29.1 php53-ctype-5.3.17-0.29.1 php53-curl-5.3.17-0.29.1 php53-dba-5.3.17-0.29.1 php53-dom-5.3.17-0.29.1 php53-exif-5.3.17-0.29.1 php53-fastcgi-5.3.17-0.29.1 php53-fileinfo-5.3.17-0.29.1 php53-ftp-5.3.17-0.29.1 php53-gd-5.3.17-0.29.1 php53-gettext-5.3.17-0.29.1 php53-gmp-5.3.17-0.29.1 php53-iconv-5.3.17-0.29.1 php53-intl-5.3.17-0.29.1 php53-json-5.3.17-0.29.1 php53-ldap-5.3.17-0.29.1 php53-mbstring-5.3.17-0.29.1 php53-mcrypt-5.3.17-0.29.1 php53-mysql-5.3.17-0.29.1 php53-odbc-5.3.17-0.29.1 php53-openssl-5.3.17-0.29.1 php53-pcntl-5.3.17-0.29.1 php53-pdo-5.3.17-0.29.1 php53-pear-5.3.17-0.29.1 php53-pgsql-5.3.17-0.29.1 php53-pspell-5.3.17-0.29.1 php53-shmop-5.3.17-0.29.1 php53-snmp-5.3.17-0.29.1 php53-soap-5.3.17-0.29.1 php53-suhosin-5.3.17-0.29.1 php53-sysvmsg-5.3.17-0.29.1 php53-sysvsem-5.3.17-0.29.1 php53-sysvshm-5.3.17-0.29.1 php53-tokenizer-5.3.17-0.29.1 php53-wddx-5.3.17-0.29.1 php53-xmlreader-5.3.17-0.29.1 php53-xmlrpc-5.3.17-0.29.1 php53-xmlwriter-5.3.17-0.29.1 php53-xsl-5.3.17-0.29.1 php53-zip-5.3.17-0.29.1 php53-zlib-5.3.17-0.29.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 
s390x x86_64): apache2-mod_php53-5.3.17-0.29.1 php53-5.3.17-0.29.1 php53-bcmath-5.3.17-0.29.1 php53-bz2-5.3.17-0.29.1 php53-calendar-5.3.17-0.29.1 php53-ctype-5.3.17-0.29.1 php53-curl-5.3.17-0.29.1 php53-dba-5.3.17-0.29.1 php53-dom-5.3.17-0.29.1 php53-exif-5.3.17-0.29.1 php53-fastcgi-5.3.17-0.29.1 php53-fileinfo-5.3.17-0.29.1 php53-ftp-5.3.17-0.29.1 php53-gd-5.3.17-0.29.1 php53-gettext-5.3.17-0.29.1 php53-gmp-5.3.17-0.29.1 php53-iconv-5.3.17-0.29.1 php53-intl-5.3.17-0.29.1 php53-json-5.3.17-0.29.1 php53-ldap-5.3.17-0.29.1 php53-mbstring-5.3.17-0.29.1 php53-mcrypt-5.3.17-0.29.1 php53-mysql-5.3.17-0.29.1 php53-odbc-5.3.17-0.29.1 php53-openssl-5.3.17-0.29.1 php53-pcntl-5.3.17-0.29.1 php53-pdo-5.3.17-0.29.1 php53-pear-5.3.17-0.29.1 php53-pgsql-5.3.17-0.29.1 php53-pspell-5.3.17-0.29.1 php53-shmop-5.3.17-0.29.1 php53-snmp-5.3.17-0.29.1 php53-soap-5.3.17-0.29.1 php53-suhosin-5.3.17-0.29.1 php53-sysvmsg-5.3.17-0.29.1 php53-sysvsem-5.3.17-0.29.1 php53-sysvshm-5.3.17-0.29.1 php53-tokenizer-5.3.17-0.29.1 php53-wddx-5.3.17-0.29.1 php53-xmlreader-5.3.17-0.29.1 php53-xmlrpc-5.3.17-0.29.1 php53-xmlwriter-5.3.17-0.29.1 php53-xsl-5.3.17-0.29.1 php53-zip-5.3.17-0.29.1 php53-zlib-5.3.17-0.29.1 References: http://support.novell.com/security/cve/CVE-2014-4049.html http://support.novell.com/security/cve/CVE-2014-5459.html https://bugzilla.novell.com/893849 https://bugzilla.novell.com/893853 http://download.suse.com/patch/finder/?keywords=621d50e26255ed12216a26f9f0d6e45c From sle-security-updates at lists.suse.com Fri Sep 19 15:04:45 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 19 Sep 2014 23:04:45 +0200 (CEST) Subject: SUSE-SU-2014:1146-1: important: Security update for dbus-1 Message-ID: <20140919210445.F0AE432234@maintenance.suse.de> SUSE Security Update: Security update for dbus-1 ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1146-1 Rating: important References: 
#896453 Cross-References: CVE-2014-3638 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: Two denial of service issues were fixed in the D-Bus message daemon (dbus-daemon). * CVE-2014-3638: dbus-daemon tracks whether method call messages expect a reply, so that unsolicited replies can be dropped. As previously implemented, if there are n parallel method calls in progress, each method reply takes O(n) CPU time. A malicious user could exploit this by opening the maximum allowed number of parallel connections and sending the maximum number of parallel method calls on each one, making subsequent method calls unreasonably slow, a denial of service. * CVE-2014-3639: dbus-daemon allows a small number of "incomplete" connections (64 by default) whose identity has not yet been confirmed. When this limit has been reached, subsequent connections are dropped. Testing by Alban Crequy indicates that one malicious process that makes repeated connection attempts, but never completes the authentication handshake and instead waits for dbus-daemon to time out and disconnect it, can cause the majority of legitimate connection attempts to fail. Security Issues: * CVE-2014-3638 * CVE-2014-3639 Patch Instructions: To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-dbus-1-9733 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-dbus-1-9733 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-dbus-1-9733 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-dbus-1-9733 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64): dbus-1-devel-1.2.10-3.31.1 dbus-1-devel-doc-1.2.10-3.31.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): dbus-1-1.2.10-3.31.1 dbus-1-x11-1.2.10-3.31.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64): dbus-1-32bit-1.2.10-3.31.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64): dbus-1-1.2.10-3.31.1 dbus-1-x11-1.2.10-3.31.1 - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64): dbus-1-32bit-1.2.10-3.31.1 - SUSE Linux Enterprise Server 11 SP3 (ia64): dbus-1-x86-1.2.10-3.31.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64): dbus-1-1.2.10-3.31.1 dbus-1-x11-1.2.10-3.31.1 - SUSE Linux Enterprise Desktop 11 SP3 (x86_64): dbus-1-32bit-1.2.10-3.31.1 References: http://support.novell.com/security/cve/CVE-2014-3638.html https://bugzilla.novell.com/896453 http://download.suse.com/patch/finder/?keywords=d849773a0381e2782725dff671102c86 From sle-security-updates at lists.suse.com Mon Sep 22 12:04:24 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 22 Sep 2014 20:04:24 +0200 (CEST) Subject: SUSE-SU-2014:1153-1: moderate: Security update for python-django Message-ID: <20140922180424.1BF763223D@maintenance.suse.de> SUSE Security Update: Security update for python-django ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1153-1 Rating: moderate References: #893087 #893088 
#893089 #893090 Cross-References: CVE-2014-0480 CVE-2014-0481 CVE-2014-0482 CVE-2014-0483 Affected Products: SUSE Cloud 4 SUSE Cloud 3 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. It includes one version update. Description: python-django was updated to 1.5.10 fixing bugs and security issues: * Prevented reverse() from generating URLs pointing to other hosts, which could be used for phishing attacks. (bnc#893087, CVE-2014-0480) * Removed an O(n) algorithm used when uploading duplicate file names, which allowed a file upload denial of service. (bnc#893088, CVE-2014-0481) * Modified RemoteUserMiddleware to log the user out when the REMOTE_USER header changes or disappears, to prevent session hijacking. (bnc#893089, CVE-2014-0482) * Prevented data leakage in contrib.admin via query string manipulation. (bnc#893090, CVE-2014-0483) Security Issues: * CVE-2014-0480 * CVE-2014-0481 * CVE-2014-0482 * CVE-2014-0483 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Cloud 4: zypper in -t patch sleclo40sp3-python-django-9684 - SUSE Cloud 3: zypper in -t patch sleclo30sp3-python-django-9685 To bring your system up-to-date, use "zypper patch".
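The RemoteUserMiddleware item (CVE-2014-0482) is easiest to see in code. What follows is an added example written for this page, not Django's own middleware or any SUSE package code: a small stand-in that models the pre-1.5.10 logic beside the fixed logic. The User, AnonymousUser and Request classes, the dict used as a session, the KNOWN_USERS table and the remote_user_middleware() function are this example's own simplifications; the real implementation is django.contrib.auth.middleware.RemoteUserMiddleware together with RemoteUserBackend.

```python
# Added example (not Django's or SUSE's code): model of the RemoteUserMiddleware
# check before and after the Django 1.5.10 fix for CVE-2014-0482.
# All classes, the session dict and KNOWN_USERS are this example's assumptions.

KNOWN_USERS = {"alice", "bob"}   # constructed: the site's user table; no auto-creation


class User:
    def __init__(self, username):
        self.username = username
        self.is_authenticated = True


class AnonymousUser:
    username = ""
    is_authenticated = False


class Request:
    """One HTTP request. META carries the front-end's headers, session is the
    server-side session shared by every request that presents the same cookie,
    and user is what AuthenticationMiddleware would restore from that session."""

    def __init__(self, session, remote_user=None):
        self.META = {} if remote_user is None else {"REMOTE_USER": remote_user}
        self.session = session
        name = session.get("_auth_user")
        self.user = User(name) if name else AnonymousUser()


def login(request, user):
    # Django's login() also discards a session that belonged to another user.
    request.session.clear()
    request.session["_auth_user"] = user.username
    request.user = user


def logout(request):
    request.session.clear()
    request.user = AnonymousUser()


def authenticate(username):
    """Stand-in for RemoteUserBackend with create_unknown_user=False:
    a name that is not in the user table does not authenticate."""
    return User(username) if username in KNOWN_USERS else None


def remote_user_middleware(request, fixed=True):
    """Authenticate from the REMOTE_USER header the front-end sets.

    fixed=False reproduces the pre-1.5.10 behaviour: when the header is missing,
    or names a user that fails to authenticate, the existing session identity is
    simply kept, so whoever holds that session cookie keeps acting as the
    original user. fixed=True logs that session out first.
    """
    header = request.META.get("REMOTE_USER")
    if header is None:
        if fixed and request.user.is_authenticated:
            logout(request)          # header gone: the session must not outlive it
        return request.user
    if request.user.is_authenticated:
        if request.user.username == header:
            return request.user      # session and header agree; nothing to do
        if fixed:
            logout(request)          # identity changed: drop the old session
    user = authenticate(header)
    if user is not None:
        login(request, user)
    return request.user


def simulate(fixed, headers=("alice", "mallory", None)):
    """Send requests that all carry the same session cookie while the front-end
    reports different REMOTE_USER values; return the identity each request
    ends up acting under (None for anonymous)."""
    session = {}
    seen = []
    for remote_user in headers:
        request = Request(session, remote_user)
        user = remote_user_middleware(request, fixed=fixed)
        seen.append(user.username or None)
    return seen


if __name__ == "__main__":
    print("pre-1.5.10:", simulate(fixed=False))  # ['alice', 'alice', 'alice']
    print("1.5.10:    ", simulate(fixed=True))   # ['alice', None, None]
```

In the constructed sequence the front-end first authenticates alice, then reports an unknown name, then no name at all. The old logic keeps alice's session alive through both later requests; the fixed logic ends it as soon as the header stops matching. A header change to another known user (alice, then bob) behaves the same either way, because login() already replaces the session.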
Package List: - SUSE Cloud 4 (x86_64) [New Version: 1.5.10]: python-django-1.5.10-0.11.1 - SUSE Cloud 3 (x86_64) [New Version: 1.5.10]: python-django-1.5.10-0.8.1 References: http://support.novell.com/security/cve/CVE-2014-0480.html http://support.novell.com/security/cve/CVE-2014-0481.html http://support.novell.com/security/cve/CVE-2014-0482.html http://support.novell.com/security/cve/CVE-2014-0483.html https://bugzilla.suse.com/893087 https://bugzilla.suse.com/893088 https://bugzilla.suse.com/893089 https://bugzilla.suse.com/893090 http://download.suse.com/patch/finder/?keywords=24f89316c81f05accc59e0c3f834c0da http://download.suse.com/patch/finder/?keywords=d3ce4da1a86bd6fc9912ef1d22bc8d07 From sle-security-updates at lists.suse.com Tue Sep 23 08:52:25 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 23 Sep 2014 16:52:25 +0200 (CEST) Subject: SUSE-SU-2014:1178-1: moderate: Update for update-test-security Message-ID: <20140923145225.4385F32242@maintenance.suse.de> SUSE Security Update: Update for update-test-security ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1178-1 Rating: moderate References: Affected Products: SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This is a security update to test the software update stack. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2014-53 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2014-53 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Server 12 (noarch): update-test-security-0-11.2 - SUSE Linux Enterprise Desktop 12 (noarch): update-test-security-0-11.2 References: From meissner at suse.de Tue Sep 23 08:59:46 2014 From: meissner at suse.de (Marcus Meissner) Date: Tue, 23 Sep 2014 16:59:46 +0200 Subject: SUSE-SU-2014:1178-1: moderate: Update for update-test-security In-Reply-To: <20140923145225.4385F32242@maintenance.suse.de> References: <20140923145225.4385F32242@maintenance.suse.de> Message-ID: <20140923145945.GA28435@suse.de> Hi, This is a test of the system for SLE12, the debugging code apparently did not disable all emailing. Sorry for that, Marcus On Tue, Sep 23, 2014 at 04:52:25PM +0200, sle-security-updates at lists.suse.com wrote: > SUSE Security Update: Update for update-test-security > ______________________________________________________________________________ > > Announcement ID: SUSE-SU-2014:1178-1 > Rating: moderate > References: > Affected Products: > SUSE Linux Enterprise Server 12 > SUSE Linux Enterprise Desktop 12 > ______________________________________________________________________________ > > An update that contains security fixes can now be installed. > > Description: > > This is a security update to test the software update stack. > > > Patch Instructions: > > To install this SUSE Security Update use YaST online_update. > Alternatively you can run the command listed for your product: > > - SUSE Linux Enterprise Server 12: > > zypper in -t patch SUSE-SLE-SERVER-12-2014-53 > > - SUSE Linux Enterprise Desktop 12: > > zypper in -t patch SUSE-SLE-DESKTOP-12-2014-53 > > To bring your system up-to-date, use "zypper patch". 
> > > Package List: > > - SUSE Linux Enterprise Server 12 (noarch): > > update-test-security-0-11.2 > > - SUSE Linux Enterprise Desktop 12 (noarch): > > update-test-security-0-11.2 > > > References: > > > _______________________________________________ > sle-security-updates mailing list > sle-security-updates at lists.suse.com > http://lists.suse.com/mailman/listinfo/sle-security-updates > From sle-security-updates at lists.suse.com Tue Sep 23 17:04:17 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 24 Sep 2014 01:04:17 +0200 (CEST) Subject: SUSE-SU-2014:1208-1: moderate: Security update for OpenSSL Message-ID: <20140923230417.9B24D32241@maintenance.suse.de> SUSE Security Update: Security update for OpenSSL ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1208-1 Rating: moderate References: #859228 #859924 #860332 #862181 #870192 #890764 #890767 #890768 #890769 #890770 Cross-References: CVE-2014-0076 CVE-2014-0221 CVE-2014-0224 CVE-2014-3470 CVE-2014-3505 CVE-2014-3506 CVE-2014-3507 CVE-2014-3508 CVE-2014-3510 Affected Products: SUSE Studio Onsite 1.3 SUSE Manager 1.7 for SLE 11 SP2 ______________________________________________________________________________ An update that solves 9 vulnerabilities and has one errata is now available. Description: This OpenSSL update fixes the following security issues: * SSL/TLS man-in-the-middle vulnerability. (CVE-2014-0224) * DTLS recursion flaw. (CVE-2014-0221) * Anonymous ECDH denial of service. (CVE-2014-3470) * ECDSA nonces could be recovered using the FLUSH+RELOAD cache side-channel attack. (CVE-2014-0076) * Information leak in pretty printing functions. (CVE-2014-3508) * Double free when processing DTLS packets. (CVE-2014-3505) * DTLS memory exhaustion. (CVE-2014-3506) * DTLS memory leak from zero-length fragments. (CVE-2014-3507) * DTLS anonymous EC(DH) denial of service.
(CVE-2014-3510) Further information about these vulnerabilities can be found at http://www.openssl.org/news/secadv_20140605.txt and http://www.openssl.org/news/secadv_20140806.txt . Additionally, the following non-security fixes and enhancements have been included in this release: * Ensure that the stack is marked non-executable on x86 32bit. On other processor platforms it was already marked as non-executable before. (bnc#870192) * IPv6 support was added to the openssl s_client and s_server command line tool. (bnc#859228) * The openssl command line tool now checks certificates by default against /etc/ssl/certs (this can be changed via the -CApath option). (bnc#860332) * The Elliptic Curve Diffie-Hellman key exchange selector was enabled and can be selected by kECDHE, kECDH, ECDH tags in the SSL cipher string. (bnc#859924) * If an optional openssl1 command line tool is installed in parallel, c_rehash uses it to generate certificate hashes in both OpenSSL 0 and OpenSSL 1 style. This allows parallel usage of OpenSSL 0.9.8j and OpenSSL 1.x client libraries with a shared certificate store. (bnc#862181) Security Issues: * CVE-2014-3508 * CVE-2014-3505 * CVE-2014-3506 * CVE-2014-3507 * CVE-2014-3510 * CVE-2014-0224 * CVE-2014-0221 * CVE-2014-3470 * CVE-2014-0076 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Studio Onsite 1.3: zypper in -t patch slestso13-libopenssl-devel-9690 - SUSE Manager 1.7 for SLE 11 SP2: zypper in -t patch sleman17sp2-libopenssl-devel-9690 To bring your system up-to-date, use "zypper patch". 
Package List:

   - SUSE Studio Onsite 1.3 (x86_64):

      libopenssl-devel-0.9.8j-0.62.3

   - SUSE Manager 1.7 for SLE 11 SP2 (x86_64):

      libopenssl0_9_8-0.9.8j-0.62.3
      libopenssl0_9_8-32bit-0.9.8j-0.62.3
      libopenssl0_9_8-hmac-0.9.8j-0.62.3
      libopenssl0_9_8-hmac-32bit-0.9.8j-0.62.3
      openssl-0.9.8j-0.62.3
      openssl-doc-0.9.8j-0.62.3

References:

   http://support.novell.com/security/cve/CVE-2014-0076.html
   http://support.novell.com/security/cve/CVE-2014-0221.html
   http://support.novell.com/security/cve/CVE-2014-0224.html
   http://support.novell.com/security/cve/CVE-2014-3470.html
   http://support.novell.com/security/cve/CVE-2014-3505.html
   http://support.novell.com/security/cve/CVE-2014-3506.html
   http://support.novell.com/security/cve/CVE-2014-3507.html
   http://support.novell.com/security/cve/CVE-2014-3508.html
   http://support.novell.com/security/cve/CVE-2014-3510.html
   https://bugzilla.suse.com/859228
   https://bugzilla.suse.com/859924
   https://bugzilla.suse.com/860332
   https://bugzilla.suse.com/862181
   https://bugzilla.suse.com/870192
   https://bugzilla.suse.com/890764
   https://bugzilla.suse.com/890767
   https://bugzilla.suse.com/890768
   https://bugzilla.suse.com/890769
   https://bugzilla.suse.com/890770
   http://download.suse.com/patch/finder/?keywords=527469b04d2464c79388bf3792428d91

From sle-security-updates at lists.suse.com Wed Sep 24 15:04:13 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 24 Sep 2014 23:04:13 +0200 (CEST)
Subject: SUSE-SU-2014:1211-1: moderate: Security update for powerpc-utils
Message-ID: <20140924210413.844D932249@maintenance.suse.de>

   SUSE Security Update: Security update for powerpc-utils
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1211-1
Rating:             moderate
References:         #883174
Cross-References:   CVE-2014-4040
Affected Products:
                    SUSE Linux Enterprise Server 11 SP3
______________________________________________________________________________

   An update that fixes one
   vulnerability is now available.

Description:

   The "snap" system information collection tool of the PowerPC Utils package
   collected fstab and yaboot.conf files, which might contain passwords.
   (CVE-2014-4040)

   As these files are of interest, we now print a warning that the user of the
   "snap" tool should check whether private passwords are in those files.

Security Issues:

   * CVE-2014-4040

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-powerpc-utils-9727

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP3 (ppc64):

      powerpc-utils-1.2.16-0.13.1

References:

   http://support.novell.com/security/cve/CVE-2014-4040.html
   https://bugzilla.suse.com/883174
   http://download.suse.com/patch/finder/?keywords=7454d90304ec215b2ef4a7c0690dc9ed

From sle-security-updates at lists.suse.com Wed Sep 24 17:04:13 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 25 Sep 2014 01:04:13 +0200 (CEST)
Subject: SUSE-SU-2014:1212-1: critical: Security update for bash
Message-ID: <20140924230413.CE0E832247@maintenance.suse.de>

   SUSE Security Update: Security update for bash
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1212-1
Rating:             critical
References:         #776694 #819783 #820149 #844550 #896776
Cross-References:   CVE-2014-0475
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________

   An update that solves one vulnerability and has four fixes is now available.

Description:

   bash has been updated to fix a critical security issue.

   In some circumstances, the shell would evaluate shell code in environment
   variables passed at startup time.
   This allowed code execution by local or remote attackers who could pass
   environment variables to bash scripts. (CVE-2014-6271)

   Additionally, the following bugs have been fixed:

   * Fix crash when expanding '$[' without matching ']'. (bnc#844550)
   * Do not restart the signal handler after a trap is reset. (bnc#820149)
   * Work around a crash in libreadline. (bnc#819783)
   * Make skeleton files configuration files. (bnc#776694)

Security Issues:

   * CVE-2014-6271

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-bash-9738

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):

      bash-3.2-147.14.20.1
      bash-doc-3.2-147.14.20.1
      libreadline5-5.2-147.14.20.1
      readline-doc-5.2-147.14.20.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64):

      libreadline5-32bit-5.2-147.14.20.1

References:

   http://support.novell.com/security/cve/CVE-2014-0475.html
   https://bugzilla.suse.com/776694
   https://bugzilla.suse.com/819783
   https://bugzilla.suse.com/820149
   https://bugzilla.suse.com/844550
   https://bugzilla.suse.com/896776
   http://download.suse.com/patch/finder/?keywords=55e9078b7e861e70ae3998e079b22c52

From sle-security-updates at lists.suse.com Wed Sep 24 17:05:25 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 25 Sep 2014 01:05:25 +0200 (CEST)
Subject: SUSE-SU-2014:1213-1: critical: Security update for bash
Message-ID: <20140924230525.2865532247@maintenance.suse.de>

   SUSE Security Update: Security update for bash
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1213-1
Rating:             critical
References:         #896776
Cross-References:   CVE-2014-0475
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for
                    VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Server 11 SP2 LTSS
                    SUSE Linux Enterprise Server 10 SP4 LTSS
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   bash has been updated to fix a critical security issue.

   In some circumstances, the shell would evaluate shell code in environment
   variables passed at startup time. This allowed code execution by local or
   remote attackers who could pass environment variables to bash scripts.
   (CVE-2014-6271)

Security Issues:

   * CVE-2014-6271

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-bash-9740

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-bash-9740

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-bash-9740

   - SUSE Linux Enterprise Server 11 SP2 LTSS:

      zypper in -t patch slessp2-bash-9736

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-bash-9740

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      readline-devel-5.2-147.20.1

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64 s390x x86_64):

      readline-devel-32bit-5.2-147.20.1

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64):

      libreadline5-5.2-147.20.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):

      bash-3.2-147.20.1
      bash-doc-3.2-147.20.1
      libreadline5-5.2-147.20.1
      readline-doc-5.2-147.20.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):

      libreadline5-32bit-5.2-147.20.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      bash-3.2-147.20.1
      bash-doc-3.2-147.20.1
      libreadline5-5.2-147.20.1
      readline-doc-5.2-147.20.1

   - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):

      libreadline5-32bit-5.2-147.20.1

   - SUSE Linux Enterprise Server 11 SP3 (ia64):

      bash-x86-3.2-147.20.1
      libreadline5-x86-5.2-147.20.1

   - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64):

      bash-3.2-147.14.20.1
      bash-doc-3.2-147.14.20.1
      libreadline5-5.2-147.14.20.1
      readline-doc-5.2-147.14.20.1

   - SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64):

      libreadline5-32bit-5.2-147.14.20.1

   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64):

      bash-3.1-24.32.1
      readline-5.1-24.32.1
      readline-devel-5.1-24.32.1

   - SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64):

      readline-32bit-5.1-24.32.1
      readline-devel-32bit-5.1-24.32.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

      bash-3.2-147.20.1
      bash-doc-3.2-147.20.1
      libreadline5-5.2-147.20.1
      readline-doc-5.2-147.20.1

   - SUSE Linux Enterprise Desktop 11 SP3 (x86_64):

      libreadline5-32bit-5.2-147.20.1

References:

   http://support.novell.com/security/cve/CVE-2014-0475.html
   https://bugzilla.suse.com/896776
   http://download.suse.com/patch/finder/?keywords=083b250348bb7e8f6f3e4afc8a22fb86
   http://download.suse.com/patch/finder/?keywords=5aa8890d421145a022bf2205e01b3c68
   http://download.suse.com/patch/finder/?keywords=c0975ef449afcaa55a27dfd2df712a09

From sle-security-updates at lists.suse.com Wed Sep 24 17:05:37 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 25 Sep 2014 01:05:37 +0200 (CEST)
Subject: SUSE-SU-2014:1214-1: critical: Security update for bash
Message-ID: <20140924230537.3890832247@maintenance.suse.de>

   SUSE Security Update: Security update for bash
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1214-1
Rating:             critical
References:         #688469 #770795 #896776
Cross-References:   CVE-2012-3410 CVE-2014-0475
Affected Products:
                    SUSE Linux Enterprise Server 10 SP3 LTSS
______________________________________________________________________________

   An update that solves two vulnerabilities and has one errata is now available.

Description:

   bash has been updated to fix a critical security issue.

   In some circumstances, the shell would evaluate shell code in environment
   variables passed at startup time. This allowed code execution by local or
   remote attackers who could pass environment variables to bash scripts.
   (CVE-2014-6271)

   Additionally, the following bugs have been fixed:

   * Avoid a possible buffer overflow when expanding the /dev/fd prefix with,
     for example, the test built-in. (CVE-2012-3410)
   * Enable workaround for changed behavior of sshd.
     (bnc#688469)

Security Issues:

   * CVE-2014-6271
   * CVE-2012-3410

Package List:

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):

      bash-3.1-24.32.1
      readline-5.1-24.32.1
      readline-devel-5.1-24.32.1

   - SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64):

      readline-32bit-5.1-24.32.1
      readline-devel-32bit-5.1-24.32.1

References:

   http://support.novell.com/security/cve/CVE-2012-3410.html
   http://support.novell.com/security/cve/CVE-2014-0475.html
   https://bugzilla.suse.com/688469
   https://bugzilla.suse.com/770795
   https://bugzilla.suse.com/896776
   http://download.suse.com/patch/finder/?keywords=fd9fa24daf4d325c609035f0c778a723

From sle-security-updates at lists.suse.com Thu Sep 25 11:04:12 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 25 Sep 2014 19:04:12 +0200 (CEST)
Subject: SUSE-SU-2014:1218-1: important: Security update for spacewalk-java
Message-ID: <20140925170412.4BC103224B@maintenance.suse.de>

   SUSE Security Update: Security update for spacewalk-java
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1218-1
Rating:             important
References:         #889721 #896012
Cross-References:   CVE-2014-3595
Affected Products:
                    SUSE Manager Server
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available.

Description:

   The Spacewalk frontend displayed a logfile without escaping its content,
   allowing remote attackers to inject cross-site scripting (XSS) into the
   admin's session. (CVE-2014-3595)

   Additionally, the following bug was fixed:

   * Fixed package upgrade via SSM when using the Oracle DB as backend.
     (bnc#889721)

Security Issues:

   * CVE-2014-3595

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager Server:

      zypper in -t patch sleman21-spacewalk-java-9719

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Manager Server (noarch):

      spacewalk-java-2.1.165.6-0.11.1
      spacewalk-java-config-2.1.165.6-0.11.1
      spacewalk-java-lib-2.1.165.6-0.11.1
      spacewalk-java-oracle-2.1.165.6-0.11.1
      spacewalk-java-postgresql-2.1.165.6-0.11.1
      spacewalk-taskomatic-2.1.165.6-0.11.1

References:

   http://support.novell.com/security/cve/CVE-2014-3595.html
   https://bugzilla.suse.com/889721
   https://bugzilla.suse.com/896012
   http://download.suse.com/patch/finder/?keywords=a50d8ce1310e48a468cc85ce6ed47e24

From sle-security-updates at lists.suse.com Fri Sep 26 13:04:10 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 26 Sep 2014 21:04:10 +0200 (CEST)
Subject: SUSE-SU-2014:1219-1: moderate: Security update for openstack-keystone
Message-ID: <20140926190410.6B00C3224B@maintenance.suse.de>

   SUSE Security Update: Security update for openstack-keystone
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1219-1
Rating:             moderate
References:         #892095 #892097 #892099
Cross-References:   CVE-2014-5251 CVE-2014-5252 CVE-2014-5253
Affected Products:
                    SUSE Cloud 4
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available. It includes
   one version update.

Description:

   This openstack-keystone update fixes the following security issues:

   * bnc#892095: Token expiration date stored incorrectly. (CVE-2014-5252)
   * bnc#892097: Revocation events are broken with MySQL. (CVE-2014-5251)
   * bnc#892099: Domain-scoped tokens don't get revoked. (CVE-2014-5253)

Security Issues:

   * CVE-2014-5251
   * CVE-2014-5252
   * CVE-2014-5253

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Cloud 4:

      zypper in -t patch sleclo40sp3-openstack-keystone-9636

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Cloud 4 (x86_64) [New Version: 2014.1.3.dev3.gb812131]:

      openstack-keystone-2014.1.3.dev3.gb812131-0.7.1
      python-keystone-2014.1.3.dev3.gb812131-0.7.1

   - SUSE Cloud 4 (noarch) [New Version: 2014.1.3.dev3.gb812131]:

      openstack-keystone-doc-2014.1.3.dev3.gb812131-0.7.1

References:

   http://support.novell.com/security/cve/CVE-2014-5251.html
   http://support.novell.com/security/cve/CVE-2014-5252.html
   http://support.novell.com/security/cve/CVE-2014-5253.html
   https://bugzilla.suse.com/892095
   https://bugzilla.suse.com/892097
   https://bugzilla.suse.com/892099
   http://download.suse.com/patch/finder/?keywords=0e8fec5bb9d4da67df0f3484184b5fe3

From sle-security-updates at lists.suse.com Fri Sep 26 16:04:13 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 27 Sep 2014 00:04:13 +0200 (CEST)
Subject: SUSE-SU-2014:1220-1: important: Security update for mozilla-nss
Message-ID: <20140926220413.5CA5E3224B@maintenance.suse.de>

   SUSE Security Update: Security update for mozilla-nss
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1220-1
Rating:             important
References:         #897890
Cross-References:   CVE-2014-1568
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available. It includes one
   version update.

Description:

   Mozilla NSS was updated to version 3.16.5 to fix an RSA certificate forgery
   issue.
   MFSA 2014-73 / CVE-2014-1568: Antoine Delignat-Lavaud, security researcher
   at Inria Paris in team Prosecco, reported an issue in the Network Security
   Services (NSS) libraries affecting all versions. He discovered that NSS is
   vulnerable to a variant of a signature forgery attack previously published
   by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1 values
   involved in a signature and could lead to the forging of RSA certificates.
   The Advanced Threat Research team at Intel Security also independently
   discovered and reported this issue.

Security Issues:

   * CVE-2014-1568

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-libfreebl3-9777

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-libfreebl3-9777

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-libfreebl3-9777

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-libfreebl3-9777

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 3.16.5]:

      mozilla-nss-devel-3.16.5-0.7.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 3.16.5]:

      libfreebl3-3.16.5-0.7.1
      libsoftokn3-3.16.5-0.7.1
      mozilla-nss-3.16.5-0.7.1
      mozilla-nss-tools-3.16.5-0.7.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64) [New Version: 3.16.5]:

      libfreebl3-32bit-3.16.5-0.7.1
      libsoftokn3-32bit-3.16.5-0.7.1
      mozilla-nss-32bit-3.16.5-0.7.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 3.16.5]:

      libfreebl3-3.16.5-0.7.1
      libsoftokn3-3.16.5-0.7.1
      mozilla-nss-3.16.5-0.7.1
      mozilla-nss-tools-3.16.5-0.7.1

   - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64) [New Version: 3.16.5]:

      libfreebl3-32bit-3.16.5-0.7.1
      libsoftokn3-32bit-3.16.5-0.7.1
      mozilla-nss-32bit-3.16.5-0.7.1

   - SUSE Linux Enterprise Server 11 SP3 (ia64) [New Version: 3.16.5]:

      libfreebl3-x86-3.16.5-0.7.1
      libsoftokn3-x86-3.16.5-0.7.1
      mozilla-nss-x86-3.16.5-0.7.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 3.16.5]:

      libfreebl3-3.16.5-0.7.1
      libsoftokn3-3.16.5-0.7.1
      mozilla-nss-3.16.5-0.7.1
      mozilla-nss-tools-3.16.5-0.7.1

   - SUSE Linux Enterprise Desktop 11 SP3 (x86_64) [New Version: 3.16.5]:

      libfreebl3-32bit-3.16.5-0.7.1
      libsoftokn3-32bit-3.16.5-0.7.1
      mozilla-nss-32bit-3.16.5-0.7.1

References:

   http://support.novell.com/security/cve/CVE-2014-1568.html
   https://bugzilla.suse.com/897890
   http://download.suse.com/patch/finder/?keywords=9099e9b629979a0004c403f74aace0f2

From sle-security-updates at lists.suse.com Fri Sep 26 16:04:30 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 27 Sep 2014 00:04:30 +0200 (CEST)
Subject: SUSE-SU-2014:1221-1: important: Security update for wireshark
Message-ID: <20140926220430.9EAA732249@maintenance.suse.de>

   SUSE Security Update: Security update for wireshark
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1221-1
Rating:             important
References:         #889854 #889899 #889900 #889901 #889906 #897055
Cross-References:   CVE-2014-6421 CVE-2014-6422 CVE-2014-6423 CVE-2014-6424
                    CVE-2014-6427 CVE-2014-6428 CVE-2014-6429 CVE-2014-6430
                    CVE-2014-6431 CVE-2014-6432
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes 10 vulnerabilities is now available. It includes one
   version update.

Description:

   The wireshark package was upgraded to 1.10.10 from 1.8.x, as 1.8 was
   discontinued.

   This update fixes vulnerabilities that could allow an attacker to crash
   Wireshark or make it unresponsive by sending specific packets onto the
   network, or by having them loaded from a capture file while the dissectors
   are running. It also contains a number of other bug fixes.

   * RTP dissector crash. (wnpa-sec-2014-12 CVE-2014-6421 CVE-2014-6422)
   * MEGACO dissector infinite loop. (wnpa-sec-2014-13 CVE-2014-6423)
   * Netflow dissector crash. (wnpa-sec-2014-14 CVE-2014-6424)
   * RTSP dissector crash. (wnpa-sec-2014-17 CVE-2014-6427)
   * SES dissector crash. (wnpa-sec-2014-18 CVE-2014-6428)
   * Sniffer file parser crash. (wnpa-sec-2014-19 CVE-2014-6429 CVE-2014-6430
     CVE-2014-6431 CVE-2014-6432)
   * The Catapult DCT2000 and IrDA dissectors could underrun a buffer.
     (wnpa-sec-2014-08 CVE-2014-5161 CVE-2014-5162, bnc#889901)
   * The GSM Management dissector could crash. (wnpa-sec-2014-09
     CVE-2014-5163, bnc#889906)
   * The RLC dissector could crash. (wnpa-sec-2014-10 CVE-2014-5164,
     bnc#889900)
   * The ASN.1 BER dissector could crash.
     (wnpa-sec-2014-11 CVE-2014-5165, bnc#889899)

   Further bug fixes as listed in:
   https://www.wireshark.org/docs/relnotes/wireshark-1.10.10.html and
   https://www.wireshark.org/docs/relnotes/wireshark-1.10.9.html .

Security Issues:

   * CVE-2014-5161
   * CVE-2014-5162
   * CVE-2014-5163
   * CVE-2014-5164
   * CVE-2014-5165
   * CVE-2014-6421
   * CVE-2014-6422
   * CVE-2014-6423
   * CVE-2014-6424
   * CVE-2014-6427
   * CVE-2014-6428
   * CVE-2014-6429
   * CVE-2014-6430
   * CVE-2014-6431
   * CVE-2014-6432

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-wireshark-9745

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-wireshark-9745

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-wireshark-9745

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-wireshark-9745

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.10.10]:

      wireshark-devel-1.10.10-0.2.1

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64) [New Version: 1.10.10]:

      wireshark-1.10.10-0.2.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 1.10.10]:

      wireshark-1.10.10-0.2.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.10.10]:

      wireshark-1.10.10-0.2.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 1.10.10]:

      wireshark-1.10.10-0.2.1

References:

   http://support.novell.com/security/cve/CVE-2014-6421.html
   http://support.novell.com/security/cve/CVE-2014-6422.html
   http://support.novell.com/security/cve/CVE-2014-6423.html
   http://support.novell.com/security/cve/CVE-2014-6424.html
   http://support.novell.com/security/cve/CVE-2014-6427.html
   http://support.novell.com/security/cve/CVE-2014-6428.html
   http://support.novell.com/security/cve/CVE-2014-6429.html
   http://support.novell.com/security/cve/CVE-2014-6430.html
   http://support.novell.com/security/cve/CVE-2014-6431.html
   http://support.novell.com/security/cve/CVE-2014-6432.html
   https://bugzilla.suse.com/889854
   https://bugzilla.suse.com/889899
   https://bugzilla.suse.com/889900
   https://bugzilla.suse.com/889901
   https://bugzilla.suse.com/889906
   https://bugzilla.suse.com/897055
   http://download.suse.com/patch/finder/?keywords=25a84c702b8b4fdaea63a171632f5a93

From sle-security-updates at lists.suse.com Fri Sep 26 17:04:13 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 27 Sep 2014 01:04:13 +0200 (CEST)
Subject: SUSE-SU-2014:1223-1: critical: Security update for bash
Message-ID: <20140926230413.19BAC32249@maintenance.suse.de>

   SUSE Security Update: Security update for bash
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1223-1
Rating:             critical
References:         #896776
Cross-References:   CVE-2014-6271
Affected Products:
                    SUSE Manager 1.7 for SLE 11 SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   bash has been updated to fix a critical security issue.

   In some circumstances, the shell would evaluate shell code in environment
   variables passed at startup time. This allowed code execution by local or
   remote attackers who could pass environment variables to bash scripts.
   (CVE-2014-6271)

Security Issues:

   * CVE-2014-6271

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager 1.7 for SLE 11 SP2:

      zypper in -t patch sleman17sp2-bash-9764

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Manager 1.7 for SLE 11 SP2 (x86_64):

      bash-3.2-147.14.20.1
      bash-doc-3.2-147.14.20.1
      libreadline5-32bit-5.2-147.14.20.1
      libreadline5-5.2-147.14.20.1
      readline-doc-5.2-147.14.20.1

References:

   http://support.novell.com/security/cve/CVE-2014-6271.html
   https://bugzilla.suse.com/896776
   http://download.suse.com/patch/finder/?keywords=634668818756ed213c0d0c593816875e

From sle-security-updates at lists.suse.com Sun Sep 28 11:05:13 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sun, 28 Sep 2014 19:05:13 +0200 (CEST)
Subject: SUSE-SU-2014:1247-1: important: Security update for bash
Message-ID: <20140928170513.4BD3F3224E@maintenance.suse.de>

   SUSE Security Update: Security update for bash
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1247-1
Rating:             important
References:         #898346 #898603 #898604
Cross-References:   CVE-2014-7169 CVE-2014-7186 CVE-2014-7187
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Server 11
                    SP2 LTSS
                    SUSE Linux Enterprise Server 11 SP1 LTSS
                    SUSE Linux Enterprise Server 10 SP4 LTSS
                    SUSE Linux Enterprise Server 10 SP3 LTSS
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   The command-line shell 'bash' evaluates environment variables, which allows
   the injection of characters and might be used to access files on the system
   in some circumstances (CVE-2014-7169).

   Please note that this issue is different from a previously fixed
   vulnerability tracked under CVE-2014-6271 and is less serious due to the
   special, non-default system configuration that is needed to create an
   exploitable situation.

   To remove further exploitation potential we now limit the
   function-in-environment variable to variables prefixed with BASH_FUNC_.
   This hardening feature is work in progress and might be improved in later
   updates.

   Additionally, two other security issues have been fixed:

   * CVE-2014-7186: Nested HERE documents could lead to a crash of bash.
   * CVE-2014-7187: Nesting of for loops could lead to a crash of bash.

Security Issues:

   * CVE-2014-7169
   * CVE-2014-7186
   * CVE-2014-7187

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-bash-9780

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-bash-9780

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-bash-9780

   - SUSE Linux Enterprise Server 11 SP2 LTSS:

      zypper in -t patch slessp2-bash-9781

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-bash-9782

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-bash-9780

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      readline-devel-5.2-147.22.1

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64 s390x x86_64):

      readline-devel-32bit-5.2-147.22.1

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64):

      libreadline5-5.2-147.22.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):

      bash-3.2-147.22.1
      bash-doc-3.2-147.22.1
      libreadline5-5.2-147.22.1
      readline-doc-5.2-147.22.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):

      libreadline5-32bit-5.2-147.22.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      bash-3.2-147.22.1
      bash-doc-3.2-147.22.1
      libreadline5-5.2-147.22.1
      readline-doc-5.2-147.22.1

   - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):

      libreadline5-32bit-5.2-147.22.1

   - SUSE Linux Enterprise Server 11 SP3 (ia64):

      bash-x86-3.2-147.22.1
      libreadline5-x86-5.2-147.22.1

   - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64):

      bash-3.2-147.14.22.1
      bash-doc-3.2-147.14.22.1
      libreadline5-5.2-147.14.22.1
      readline-doc-5.2-147.14.22.1

   - SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64):

      libreadline5-32bit-5.2-147.14.22.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):

      bash-3.2-147.14.22.1
      bash-doc-3.2-147.14.22.1
      libreadline5-5.2-147.14.22.1
      readline-doc-5.2-147.14.22.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64):

      libreadline5-32bit-5.2-147.14.22.1

   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64):

      bash-3.1-24.34.1
      readline-5.1-24.34.1
      readline-devel-5.1-24.34.1

   - SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64):

      readline-32bit-5.1-24.34.1
      readline-devel-32bit-5.1-24.34.1

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):

      bash-3.1-24.34.1
      readline-5.1-24.34.1
      readline-devel-5.1-24.34.1

   - SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64):

      readline-32bit-5.1-24.34.1
      readline-devel-32bit-5.1-24.34.1

   - SUSE Linux Enterprise Desktop 11 SP3
     (i586 x86_64):

      bash-3.2-147.22.1
      bash-doc-3.2-147.22.1
      libreadline5-5.2-147.22.1
      readline-doc-5.2-147.22.1

   - SUSE Linux Enterprise Desktop 11 SP3 (x86_64):

      libreadline5-32bit-5.2-147.22.1

References:

   http://support.novell.com/security/cve/CVE-2014-7169.html
   http://support.novell.com/security/cve/CVE-2014-7186.html
   http://support.novell.com/security/cve/CVE-2014-7187.html
   https://bugzilla.suse.com/show_bug.cgi?id=898346
   https://bugzilla.suse.com/show_bug.cgi?id=898603
   https://bugzilla.suse.com/show_bug.cgi?id=898604
   http://download.suse.com/patch/finder/?keywords=01d7685e480d31be1641e84591918b9e
   http://download.suse.com/patch/finder/?keywords=1143502d673561f6e5895393ba93df6f
   http://download.suse.com/patch/finder/?keywords=7c3a2e9a2aa61a2702de17e1ed7a7f43
   http://download.suse.com/patch/finder/?keywords=b6868a6fc575e34338a7d5fd7491f09f
   http://download.suse.com/patch/finder/?keywords=d6f3fbe6b7cd7f9bd580be31dd2ada90

From sle-security-updates at lists.suse.com Mon Sep 29 10:04:34 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 29 Sep 2014 18:04:34 +0200 (CEST)
Subject: SUSE-SU-2014:1220-2: important: Security update for mozilla-nss
Message-ID: <20140929160434.31DF13224C@maintenance.suse.de>

   SUSE Security Update: Security update for mozilla-nss
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1220-2
Rating:             important
References:         #897890
Cross-References:   CVE-2014-1568
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 LTSS
______________________________________________________________________________

   An update that fixes one vulnerability is now available. It includes one
   version update.

Description:

   Mozilla NSS was updated to 3.16.5 to fix an RSA certificate forgery issue.
   MFSA 2014-73 / CVE-2014-1568: Antoine Delignat-Lavaud, security researcher
   at Inria Paris in team Prosecco, reported an issue in the Network Security
   Services (NSS) libraries affecting all versions. He discovered that NSS is
   vulnerable to a variant of a signature forgery attack previously published
   by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1 values
   involved in a signature and could lead to the forging of RSA certificates.
   The Advanced Threat Research team at Intel Security also independently
   discovered and reported this issue.

Security Issues:

   * CVE-2014-1568

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP2 LTSS:

      zypper in -t patch slessp2-libfreebl3-9774

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64) [New Version: 3.16.5]:

      libfreebl3-3.16.5-0.4.2.1
      mozilla-nss-3.16.5-0.4.2.1
      mozilla-nss-devel-3.16.5-0.4.2.1
      mozilla-nss-tools-3.16.5-0.4.2.1

   - SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64) [New Version: 3.16.5]:

      libfreebl3-32bit-3.16.5-0.4.2.1
      mozilla-nss-32bit-3.16.5-0.4.2.1

References:

   http://support.novell.com/security/cve/CVE-2014-1568.html
   https://bugzilla.suse.com/show_bug.cgi?id=897890
   http://download.suse.com/patch/finder/?keywords=d63b0bfb5e439b036b903e3aa94555ff

From sle-security-updates at lists.suse.com Mon Sep 29 13:04:13 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 29 Sep 2014 21:04:13 +0200 (CEST)
Subject: SUSE-SU-2014:1247-2: important: Security update for bash
Message-ID: <20140929190413.169ED3224E@maintenance.suse.de>

   SUSE Security Update: Security update for bash
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1247-2
Rating:             important
References:         #898346 #898603 #898604
Cross-References:
                    CVE-2014-7169 CVE-2014-7186 CVE-2014-7187
Affected Products:
                    SUSE Manager 1.7 for SLE 11 SP2
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   The command-line shell 'bash' evaluates environment variables, which allows
   the injection of characters and might be used to access files on the system
   in some circumstances (CVE-2014-7169).

   Please note that this issue is different from a previously fixed
   vulnerability tracked under CVE-2014-6271 and is less serious due to the
   special, non-default system configuration that is needed to create an
   exploitable situation.

   To remove further exploitation potential we now limit the
   function-in-environment variable to variables prefixed with BASH_FUNC_.
   This hardening feature is work in progress and might be improved in later
   updates.

   Additionally, two other security issues have been fixed:

   * CVE-2014-7186: Nested HERE documents could lead to a crash of bash.
   * CVE-2014-7187: Nesting of for loops could lead to a crash of bash.

Security Issues:

   * CVE-2014-7169
   * CVE-2014-7186
   * CVE-2014-7187

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager 1.7 for SLE 11 SP2:

      zypper in -t patch sleman17sp2-bash-9779

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Manager 1.7 for SLE 11 SP2 (x86_64):

      bash-3.2-147.14.22.1
      bash-doc-3.2-147.14.22.1
      libreadline5-32bit-5.2-147.14.22.1
      libreadline5-5.2-147.14.22.1
      readline-doc-5.2-147.14.22.1

References:

   http://support.novell.com/security/cve/CVE-2014-7169.html
   http://support.novell.com/security/cve/CVE-2014-7186.html
   http://support.novell.com/security/cve/CVE-2014-7187.html
   https://bugzilla.suse.com/show_bug.cgi?id=898346
   https://bugzilla.suse.com/show_bug.cgi?id=898603
   https://bugzilla.suse.com/show_bug.cgi?id=898604
   http://download.suse.com/patch/finder/?keywords=991d0956c7a6a53ad424c0964c1cbb84

From sle-security-updates at lists.suse.com Mon Sep 29 17:04:16 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 30 Sep 2014 01:04:16 +0200 (CEST)
Subject: SUSE-SU-2014:1220-3: important: Security update for mozilla-nss
Message-ID: <20140929230416.6A3103224B@maintenance.suse.de>

   SUSE Security Update: Security update for mozilla-nss
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1220-3
Rating:             important
References:         #897890
Cross-References:   CVE-2014-1568
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 LTSS
                    SUSE Linux Enterprise Server 10 SP3 LTSS
______________________________________________________________________________

   An update that fixes one vulnerability is now available. It includes one
   version update.

Description:

   Mozilla NSS was updated to version 3.16.5 to fix an RSA certificate forgery
   issue.

   MFSA 2014-73 / CVE-2014-1568: Antoine Delignat-Lavaud, security researcher
   at Inria Paris in team Prosecco, reported an issue in Network Security
   Services (NSS) libraries affecting all versions. He discovered that NSS is
   vulnerable to a variant of a signature forgery attack previously published
   by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1 values
   involved in a signature and could lead to the forging of RSA certificates.
   The Advanced Threat Research team at Intel Security also independently
   discovered and reported this issue.

Security Issues:

   * CVE-2014-1568

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-libfreebl3-9775

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 3.16.5]:

      libfreebl3-3.16.5-0.4.2.1
      mozilla-nss-3.16.5-0.4.2.1
      mozilla-nss-tools-3.16.5-0.4.2.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64) [New Version: 3.16.5]:

      libfreebl3-32bit-3.16.5-0.4.2.1
      mozilla-nss-32bit-3.16.5-0.4.2.1

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64) [New Version: 3.16.5]:

      mozilla-nss-3.16.5-0.5.1
      mozilla-nss-devel-3.16.5-0.5.1
      mozilla-nss-tools-3.16.5-0.5.1

   - SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64) [New Version: 3.16.5]:

      mozilla-nss-32bit-3.16.5-0.5.1

References:

   http://support.novell.com/security/cve/CVE-2014-1568.html
   https://bugzilla.suse.com/show_bug.cgi?id=897890
   http://download.suse.com/patch/finder/?keywords=2ee24d8f2ff89770e348b8257c89f70f
   http://download.suse.com/patch/finder/?keywords=c6f6720a0652853ecb54d85b96a518b7

From sle-security-updates at lists.suse.com Mon Sep 29 17:04:23 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 30 Sep 2014 01:04:23 +0200 (CEST)
Subject: SUSE-SU-2014:1255-1: moderate: Security update for openstack-ceilometer
Message-ID: <20140929230423.835013224B@maintenance.suse.de>

   SUSE Security Update: Security update for openstack-ceilometer
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1255-1
Rating:             moderate
References:         #884535 #893770
Cross-References:   CVE-2014-4615
Affected Products:
                    SUSE Cloud 3
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now
   available. It includes one version update.

Description:

   This update for openstack-ceilometer fixes the following security issue:

   * CVE-2014-4615: An attacker with read access to the message queue may
     obtain authentication tokens used in REST requests (X_AUTH_TOKEN) that
     go through the notifier middleware.

   Additionally, the following non-security issues have been fixed:

   * Set Python hash seed to 0 in tox.ini.
   * Update ensure()/reconnect() to catch MessagingError.
   * Fixes Hyper-V metrics units.
   * Disable specifying alarm itself in combination rule.
   * Fixes Hyper-V Inspector network metrics values.
   * Sync RPC module from Oslo.
   * Ensure routing key is specified in the address for a direct producer.
   * Remove token from notifier middleware.

Security Issues:

   * CVE-2014-4615

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Cloud 3:

      zypper in -t patch sleclo30sp3-openstack-ceilometer-9672

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Cloud 3 (x86_64) [New Version: 2013.2.4.dev21.g27a67f4]:

      openstack-ceilometer-2013.2.4.dev21.g27a67f4-0.7.1
      openstack-ceilometer-agent-central-2013.2.4.dev21.g27a67f4-0.7.1
      openstack-ceilometer-agent-compute-2013.2.4.dev21.g27a67f4-0.7.1
      openstack-ceilometer-alarm-evaluator-2013.2.4.dev21.g27a67f4-0.7.1
      openstack-ceilometer-alarm-notifier-2013.2.4.dev21.g27a67f4-0.7.1
      openstack-ceilometer-api-2013.2.4.dev21.g27a67f4-0.7.1
      openstack-ceilometer-collector-2013.2.4.dev21.g27a67f4-0.7.1
      python-ceilometer-2013.2.4.dev21.g27a67f4-0.7.1

   - SUSE Cloud 3 (noarch) [New Version: 2013.2.4.dev21.g27a67f4]:

      openstack-ceilometer-doc-2013.2.4.dev21.g27a67f4-0.7.1

References:

   http://support.novell.com/security/cve/CVE-2014-4615.html
   https://bugzilla.suse.com/show_bug.cgi?id=884535
   https://bugzilla.suse.com/show_bug.cgi?id=893770
   http://download.suse.com/patch/finder/?keywords=80f3590b1a52df5fd7d61e9860e6abff

From sle-security-updates at lists.suse.com Tue Sep 30 09:05:19 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 30 Sep 2014 17:05:19 +0200 (CEST)
Subject: SUSE-SU-2014:1259-1: important: bash
Message-ID: <20140930150519.9573B32250@maintenance.suse.de>

   SUSE Security Update: bash
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1259-1
Rating:             important
References:         #898346 #898603 #898604
Cross-References:   CVE-2014-7169 CVE-2014-7186 CVE-2014-7187
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
                    12
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   The command-line shell 'bash' evaluates environment variables, which allows
   the injection of characters and might be used to access files on the system
   in some circumstances (CVE-2014-7169).
   Please note that this issue is different from a previously fixed
   vulnerability tracked under CVE-2014-6271 and it is less serious due to the
   special, non-default system configuration that is needed to create an
   exploitable situation.

   To remove further exploitation potential we now limit the
   function-in-environment variable to variables prefixed with BASH_FUNC_.
   This hardening feature is work in progress and might be improved in later
   updates.

   Additionally, two more security issues were fixed in bash:

   CVE-2014-7186: Nested HERE documents could lead to a crash of bash.
   CVE-2014-7187: Nesting of for loops could lead to a crash of bash.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2014-63

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2014-63

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2014-63

   - 12:

      zypper in -t patch SUSE-SLE-WE-12-2014-63

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      bash-debuginfo-4.2-81.1
      bash-debugsource-4.2-81.1
      bash-devel-4.2-81.1
      readline-devel-6.2-81.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      bash-4.2-81.1
      bash-debuginfo-4.2-81.1
      bash-debugsource-4.2-81.1
      libreadline6-6.2-81.1
      libreadline6-debuginfo-6.2-81.1

   - SUSE Linux Enterprise Server 12 (noarch):

      bash-doc-4.2-81.1
      readline-doc-6.2-81.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      bash-4.2-81.1
      bash-debuginfo-4.2-81.1
      bash-debugsource-4.2-81.1
      libreadline6-6.2-81.1
      libreadline6-debuginfo-6.2-81.1

   - SUSE Linux Enterprise Desktop 12 (noarch):

      bash-doc-4.2-81.1
      bash-lang-4.2-81.1
      readline-doc-6.2-81.1

   - 12 (noarch):

      bash-lang-4.2-81.1

References:

   http://support.novell.com/security/cve/CVE-2014-7169.html
   http://support.novell.com/security/cve/CVE-2014-7186.html
   http://support.novell.com/security/cve/CVE-2014-7187.html
   https://bugzilla.suse.com/show_bug.cgi?id=898346
   https://bugzilla.suse.com/show_bug.cgi?id=898603
   https://bugzilla.suse.com/show_bug.cgi?id=898604

From sle-security-updates at lists.suse.com Tue Sep 30 09:06:24 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 30 Sep 2014 17:06:24 +0200 (CEST)
Subject: SUSE-SU-2014:1260-1: critical: bash
Message-ID: <20140930150624.139523224E@maintenance.suse.de>

   SUSE Security Update: bash
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1260-1
Rating:             critical
References:         #896776
Cross-References:   CVE-2014-6271
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
                    12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   bash was updated to fix unexpected code execution with environment
   variables (CVE-2014-6271).
Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2014-59

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2014-59

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2014-59

   - 12:

      zypper in -t patch SUSE-SLE-WE-12-2014-59

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      bash-debuginfo-4.2-77.1
      bash-debugsource-4.2-77.1
      bash-devel-4.2-77.1
      readline-devel-6.2-77.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      bash-4.2-77.1
      bash-debuginfo-4.2-77.1
      bash-debugsource-4.2-77.1
      libreadline6-6.2-77.1
      libreadline6-debuginfo-6.2-77.1

   - SUSE Linux Enterprise Server 12 (noarch):

      bash-doc-4.2-77.1
      readline-doc-6.2-77.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      bash-4.2-77.1
      bash-debuginfo-4.2-77.1
      bash-debugsource-4.2-77.1
      libreadline6-6.2-77.1
      libreadline6-debuginfo-6.2-77.1

   - SUSE Linux Enterprise Desktop 12 (noarch):

      bash-doc-4.2-77.1
      bash-lang-4.2-77.1
      readline-doc-6.2-77.1

   - 12 (noarch):

      bash-lang-4.2-77.1

References:

   http://support.novell.com/security/cve/CVE-2014-6271.html
   https://bugzilla.suse.com/show_bug.cgi?id=896776