From sle-security-updates at lists.suse.com Mon Jun 1 01:05:03 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 1 Jun 2015 09:05:03 +0200 (CEST)
Subject: SUSE-SU-2015:0974-1: moderate: Security update for apache2
Message-ID: <20150601070503.7A34532068@maintenance.suse.de>

SUSE Security Update: Security update for apache2
______________________________________________________________________________

Announcement ID: SUSE-SU-2015:0974-1
Rating: moderate
References: #792309 #871310 #899836 #909715 #918352 #923090
Cross-References: CVE-2013-5704 CVE-2014-3581 CVE-2014-8109 CVE-2015-0228
Affected Products:
  SUSE Linux Enterprise Software Development Kit 12
  SUSE Linux Enterprise Server 12
______________________________________________________________________________

An update that solves four vulnerabilities and has two fixes is now available.

Description:

Apache2 updated to fix four security issues and one non-security bug.

The following vulnerabilities have been fixed:

- mod_headers rules could be bypassed via chunked requests. Adds "MergeTrailers" directive to restore legacy behavior. (bsc#871310, CVE-2013-5704)
- An empty value in Content-Type could lead to a crash through a null pointer dereference and a denial of service. (bsc#899836, CVE-2014-3581)
- Remote attackers could bypass intended access restrictions in mod_lua LuaAuthzProvider when multiple Require directives with different arguments are used. (bsc#909715, CVE-2014-8109)
- Remote attackers could cause a denial of service (child-process crash) by sending a crafted WebSocket Ping frame after a Lua script has called the wsupgrade function. (bsc#918352, CVE-2015-0228)

The following non-security issues have been fixed:

- The Apache2 systemd service file was changed to fix a situation where apache wouldn't start at boot when using an encrypted certificate because the user wasn't prompted for password during boot.
  (bsc#792309)

Additionally, mod_imagemap is now included by default in the package. (bsc#923090)

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12:
    zypper in -t patch SUSE-SLE-SDK-12-2015-226=1
- SUSE Linux Enterprise Server 12:
    zypper in -t patch SUSE-SLE-SERVER-12-2015-226=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):
    apache2-debuginfo-2.4.10-12.1
    apache2-debugsource-2.4.10-12.1
    apache2-devel-2.4.10-12.1
- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
    apache2-2.4.10-12.1
    apache2-debuginfo-2.4.10-12.1
    apache2-debugsource-2.4.10-12.1
    apache2-example-pages-2.4.10-12.1
    apache2-prefork-2.4.10-12.1
    apache2-prefork-debuginfo-2.4.10-12.1
    apache2-utils-2.4.10-12.1
    apache2-utils-debuginfo-2.4.10-12.1
    apache2-worker-2.4.10-12.1
    apache2-worker-debuginfo-2.4.10-12.1
- SUSE Linux Enterprise Server 12 (noarch):
    apache2-doc-2.4.10-12.1

References:

  https://www.suse.com/security/cve/CVE-2013-5704.html
  https://www.suse.com/security/cve/CVE-2014-3581.html
  https://www.suse.com/security/cve/CVE-2014-8109.html
  https://www.suse.com/security/cve/CVE-2015-0228.html
  https://bugzilla.suse.com/792309
  https://bugzilla.suse.com/871310
  https://bugzilla.suse.com/899836
  https://bugzilla.suse.com/909715
  https://bugzilla.suse.com/918352
  https://bugzilla.suse.com/923090

From sle-security-updates at lists.suse.com Mon Jun 1 07:04:57 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 1 Jun 2015 15:04:57 +0200 (CEST)
Subject: SUSE-SU-2015:0977-1: moderate: Security update for libqt4
Message-ID: <20150601130457.17FFB32068@maintenance.suse.de>

SUSE Security Update: Security update for libqt4
______________________________________________________________________________

Announcement ID: SUSE-SU-2015:0977-1
Rating: moderate
References: #921999 #927806 #927807 #927808
Cross-References: CVE-2015-0295 CVE-2015-1858 CVE-2015-1859 CVE-2015-1860
Affected Products:
  SUSE Linux Enterprise Software Development Kit 11 SP3
  SUSE Linux Enterprise Server 11 SP3 for VMware
  SUSE Linux Enterprise Server 11 SP3
  SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

The libqt4 library was updated to fix several security issues:

* CVE-2015-0295: Division by zero when processing malformed BMP files. (bsc#921999)
* CVE-2015-1858: Segmentation fault in BMP Qt Image Format Handling. (bsc#927806)
* CVE-2015-1859: Segmentation fault in ICO Qt Image Format Handling. (bsc#927807)
* CVE-2015-1860: Segmentation fault in GIF Qt Image Format Handling. (bsc#927808)

Security Issues:

* CVE-2015-1858
* CVE-2015-1859
* CVE-2015-1860
* CVE-2015-0295

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:
    zypper in -t patch sdksp3-libqt4-201505=10690
- SUSE Linux Enterprise Server 11 SP3 for VMware:
    zypper in -t patch slessp3-libqt4-201505=10690
- SUSE Linux Enterprise Server 11 SP3:
    zypper in -t patch slessp3-libqt4-201505=10690
- SUSE Linux Enterprise Desktop 11 SP3:
    zypper in -t patch sledsp3-libqt4-201505=10690

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
    libQtWebKit-devel-4.6.3-5.34.2
    libqt4-devel-4.6.3-5.34.2
    libqt4-devel-doc-4.6.3-5.34.2
    libqt4-sql-postgresql-4.6.3-5.34.2
    libqt4-sql-unixODBC-4.6.3-5.34.2
- SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64 s390x x86_64):
    libQtWebKit4-32bit-4.6.3-5.34.2
    libqt4-sql-mysql-32bit-4.6.3-5.34.2
    libqt4-sql-postgresql-32bit-4.6.3-5.34.2
    libqt4-sql-sqlite-32bit-4.6.3-5.34.2
    libqt4-sql-unixODBC-32bit-4.6.3-5.34.2
- SUSE Linux Enterprise Software Development Kit 11 SP3 (noarch):
    libqt4-devel-doc-data-4.6.3-5.34.2
- SUSE Linux Enterprise Software Development Kit 11 SP3 (ia64):
    libQtWebKit4-x86-4.6.3-5.34.2
    libqt4-sql-mysql-x86-4.6.3-5.34.2
    libqt4-sql-postgresql-x86-4.6.3-5.34.2
    libqt4-sql-sqlite-x86-4.6.3-5.34.2
    libqt4-sql-unixODBC-x86-4.6.3-5.34.2
- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
    libQtWebKit4-4.6.3-5.34.2
    libqt4-4.6.3-5.34.2
    libqt4-qt3support-4.6.3-5.34.2
    libqt4-sql-4.6.3-5.34.2
    libqt4-sql-mysql-4.6.3-5.34.2
    libqt4-sql-sqlite-4.6.3-5.34.2
    libqt4-x11-4.6.3-5.34.2
    qt4-x11-tools-4.6.3-5.34.2
- SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):
    libQtWebKit4-32bit-4.6.3-5.34.2
    libqt4-32bit-4.6.3-5.34.2
    libqt4-qt3support-32bit-4.6.3-5.34.2
    libqt4-sql-32bit-4.6.3-5.34.2
    libqt4-x11-32bit-4.6.3-5.34.2
- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
    libQtWebKit4-4.6.3-5.34.2
    libqt4-4.6.3-5.34.2
    libqt4-qt3support-4.6.3-5.34.2
    libqt4-sql-4.6.3-5.34.2
    libqt4-sql-mysql-4.6.3-5.34.2
    libqt4-sql-sqlite-4.6.3-5.34.2
    libqt4-x11-4.6.3-5.34.2
    qt4-x11-tools-4.6.3-5.34.2
- SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):
    libQtWebKit4-32bit-4.6.3-5.34.2
    libqt4-32bit-4.6.3-5.34.2
    libqt4-qt3support-32bit-4.6.3-5.34.2
    libqt4-sql-32bit-4.6.3-5.34.2
    libqt4-x11-32bit-4.6.3-5.34.2
- SUSE Linux Enterprise Server 11 SP3 (ia64):
    libQtWebKit4-x86-4.6.3-5.34.2
    libqt4-qt3support-x86-4.6.3-5.34.2
    libqt4-sql-x86-4.6.3-5.34.2
    libqt4-x11-x86-4.6.3-5.34.2
    libqt4-x86-4.6.3-5.34.2
- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
    libQtWebKit4-4.6.3-5.34.2
    libqt4-4.6.3-5.34.2
    libqt4-qt3support-4.6.3-5.34.2
    libqt4-sql-4.6.3-5.34.2
    libqt4-sql-mysql-4.6.3-5.34.2
    libqt4-sql-postgresql-4.6.3-5.34.2
    libqt4-sql-sqlite-4.6.3-5.34.2
    libqt4-sql-unixODBC-4.6.3-5.34.2
    libqt4-x11-4.6.3-5.34.2
- SUSE Linux Enterprise Desktop 11 SP3 (x86_64):
    libQtWebKit4-32bit-4.6.3-5.34.2
    libqt4-32bit-4.6.3-5.34.2
    libqt4-qt3support-32bit-4.6.3-5.34.2
    libqt4-sql-32bit-4.6.3-5.34.2
    libqt4-sql-mysql-32bit-4.6.3-5.34.2
    libqt4-sql-postgresql-32bit-4.6.3-5.34.2
    libqt4-sql-sqlite-32bit-4.6.3-5.34.2
    libqt4-sql-unixODBC-32bit-4.6.3-5.34.2
    libqt4-x11-32bit-4.6.3-5.34.2

References:

  https://www.suse.com/security/cve/CVE-2015-0295.html
  https://www.suse.com/security/cve/CVE-2015-1858.html
  https://www.suse.com/security/cve/CVE-2015-1859.html
  https://www.suse.com/security/cve/CVE-2015-1860.html
  https://bugzilla.suse.com/921999
  https://bugzilla.suse.com/927806
  https://bugzilla.suse.com/927807
  https://bugzilla.suse.com/927808
  https://download.suse.com/patch/finder/?keywords=9689c635e31524ec167e859d445097b5

From sle-security-updates at lists.suse.com Mon Jun 1 07:05:50 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 1 Jun 2015 15:05:50 +0200 (CEST)
Subject: SUSE-SU-2015:0978-1: important: Security update for MozillaFirefox
Message-ID: <20150601130550.A99F732068@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID: SUSE-SU-2015:0978-1
Rating: important
References: #930622
Cross-References: CVE-2015-0797 CVE-2015-2708 CVE-2015-2709 CVE-2015-2710 CVE-2015-2713 CVE-2015-2716
Affected Products:
  SUSE Linux Enterprise Software Development Kit 11 SP3
  SUSE Linux Enterprise Server 11 SP3 for VMware
  SUSE Linux Enterprise Server 11 SP3
  SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that fixes 6 vulnerabilities is now available. It includes one version update.

Description:

This update to Firefox 31.7.0 ESR fixes the following issues:

* MFSA 2015-46 (CVE-2015-2708, CVE-2015-2709): Miscellaneous memory safety hazards (rv:38.0 / rv:31.7). Upstream references: bmo#1120655, bmo#1143299, bmo#1151139, bmo#1152177, bmo#1111251, bmo#1117977, bmo#1128064, bmo#1135066, bmo#1143194, bmo#1146101, bmo#1149526, bmo#1153688, bmo#1155474.
* MFSA 2015-47 (CVE-2015-0797): Buffer overflow parsing H.264 video with Linux Gstreamer. Upstream references: bmo#1080995.
* MFSA 2015-48 (CVE-2015-2710): Buffer overflow with SVG content and CSS. Upstream references: bmo#1149542.
* MFSA 2015-51 (CVE-2015-2713): Use-after-free during text processing with vertical text enabled. Upstream references: bmo#1153478.
* MFSA 2015-54 (CVE-2015-2716): Buffer overflow when parsing compressed XML. Upstream references: bmo#1140537.

Security Issues:

* CVE-2015-0797
* CVE-2015-2708
* CVE-2015-2709
* CVE-2015-2710
* CVE-2015-2713
* CVE-2015-2716

Indications:

Everybody should update.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:
    zypper in -t patch sdksp3-firefox-20150510=10691
- SUSE Linux Enterprise Server 11 SP3 for VMware:
    zypper in -t patch slessp3-firefox-20150510=10691
- SUSE Linux Enterprise Server 11 SP3:
    zypper in -t patch slessp3-firefox-20150510=10691
- SUSE Linux Enterprise Desktop 11 SP3:
    zypper in -t patch sledsp3-firefox-20150510=10691

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
    MozillaFirefox-devel-31.7.0esr-0.8.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 31.7.0esr]:
    MozillaFirefox-31.7.0esr-0.8.1
    MozillaFirefox-translations-31.7.0esr-0.8.1
- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 31.7.0esr]:
    MozillaFirefox-31.7.0esr-0.8.1
    MozillaFirefox-translations-31.7.0esr-0.8.1
- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 31.7.0esr]:
    MozillaFirefox-31.7.0esr-0.8.1
    MozillaFirefox-translations-31.7.0esr-0.8.1

References:

  https://www.suse.com/security/cve/CVE-2015-0797.html
  https://www.suse.com/security/cve/CVE-2015-2708.html
  https://www.suse.com/security/cve/CVE-2015-2709.html
  https://www.suse.com/security/cve/CVE-2015-2710.html
  https://www.suse.com/security/cve/CVE-2015-2713.html
  https://www.suse.com/security/cve/CVE-2015-2716.html
  https://bugzilla.suse.com/930622
  https://download.suse.com/patch/finder/?keywords=ab9c724c1f8dad58c3aecf28fa855174

From sle-security-updates at lists.suse.com Mon Jun 1 07:06:10 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 1 Jun 2015 15:06:10 +0200 (CEST)
Subject: SUSE-SU-2015:0979-1: moderate: Security update for dnsmasq
Message-ID: <20150601130610.11B5E3204C@maintenance.suse.de>

SUSE Security Update: Security update for dnsmasq
______________________________________________________________________________

Announcement ID: SUSE-SU-2015:0979-1
Rating: moderate
References: #923144 #928867
Cross-References: CVE-2015-3294
Affected Products:
  SUSE Linux Enterprise Server 12
  SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

The DNS server dnsmasq was updated to fix one security issue and one non-security bug.

The following vulnerability was fixed:

* CVE-2015-3294: A remote unauthenticated attacker could have caused a denial of service (DoS) or read heap memory, potentially disclosing information such as performed DNS queries or encryption keys. (bsc#928867)

The following bug was fixed:

* bsc#923144: When the answer to an upstream query is a CNAME pointing to an A/AAAA record which is present locally (/etc/hosts), allow caching when the upstream and local A/AAAA records have the same value.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12:
    zypper in -t patch SUSE-SLE-SERVER-12-2015-229=1
- SUSE Linux Enterprise Desktop 12:
    zypper in -t patch SUSE-SLE-DESKTOP-12-2015-229=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
    dnsmasq-2.71-4.1
    dnsmasq-debuginfo-2.71-4.1
    dnsmasq-debugsource-2.71-4.1
- SUSE Linux Enterprise Desktop 12 (x86_64):
    dnsmasq-2.71-4.1
    dnsmasq-debuginfo-2.71-4.1
    dnsmasq-debugsource-2.71-4.1

References:

  https://www.suse.com/security/cve/CVE-2015-3294.html
  https://bugzilla.suse.com/923144
  https://bugzilla.suse.com/928867

From sle-security-updates at lists.suse.com Tue Jun 2 03:04:53 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 2 Jun 2015 11:04:53 +0200 (CEST)
Subject: SUSE-SU-2015:0984-1: moderate: Security update for docker
Message-ID: <20150602090453.E274932084@maintenance.suse.de>

SUSE Security Update: Security update for docker
______________________________________________________________________________

Announcement ID: SUSE-SU-2015:0984-1
Rating: moderate
References: #930235 #931301
Cross-References: CVE-2015-3627 CVE-2015-3629 CVE-2015-3630 CVE-2015-3631
Affected Products:
  SUSE Linux Enterprise Server 12
______________________________________________________________________________

An update
that fixes four vulnerabilities is now available.

Description:

The Linux container runtime environment Docker was updated to version 1.6.2 to fix several security and non-security issues.

- Security:
  - Fix read/write /proc paths. (CVE-2015-3630)
  - Prohibit VOLUME /proc and VOLUME /. (CVE-2015-3631)
  - Fix opening of file-descriptor 1. (CVE-2015-3627)
  - Fix symlink traversal on container respawn allowing local privilege escalation. (CVE-2015-3629)
- Runtime:
  - Update Apparmor policy to not allow mounts.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12:
    zypper in -t patch SUSE-SLE-SERVER-12-2015-230=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Server 12 (x86_64):
    docker-1.6.2-31.2
    docker-debuginfo-1.6.2-31.2
    docker-debugsource-1.6.2-31.2

References:

  https://www.suse.com/security/cve/CVE-2015-3627.html
  https://www.suse.com/security/cve/CVE-2015-3629.html
  https://www.suse.com/security/cve/CVE-2015-3630.html
  https://www.suse.com/security/cve/CVE-2015-3631.html
  https://bugzilla.suse.com/930235
  https://bugzilla.suse.com/931301

From sle-security-updates at lists.suse.com Tue Jun 2 04:04:53 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 2 Jun 2015 12:04:53 +0200 (CEST)
Subject: SUSE-SU-2015:0985-1: moderate: Security update for sudo
Message-ID: <20150602100453.264F032084@maintenance.suse.de>

SUSE Security Update: Security update for sudo
______________________________________________________________________________

Announcement ID: SUSE-SU-2015:0985-1
Rating: moderate
References: #880764 #901145 #904694 #917806
Cross-References: CVE-2014-9680
Affected Products:
  SUSE Linux Enterprise Server 11 SP3 for VMware
  SUSE Linux Enterprise Server 11 SP3
  SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that solves one vulnerability and has three fixes is now available.

Description:

This update for sudo provides the following fixes:

* Handle TZ environment variable safely. (CVE-2014-9680, bnc#917806)
* Do not truncate long commands (131072 or more characters) without any warning. (bnc#901145)
* Create log files with ownership set to user and group 'root'. (bnc#904694)
* Close PAM session properly. (bnc#880764)

Security Issues:

* CVE-2014-9680

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP3 for VMware:
    zypper in -t patch slessp3-sudo=10686
- SUSE Linux Enterprise Server 11 SP3:
    zypper in -t patch slessp3-sudo=10686
- SUSE Linux Enterprise Desktop 11 SP3:
    zypper in -t patch sledsp3-sudo=10686

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
    sudo-1.7.6p2-0.23.1
- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
    sudo-1.7.6p2-0.23.1
- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
    sudo-1.7.6p2-0.23.1

References:

  https://www.suse.com/security/cve/CVE-2014-9680.html
  https://bugzilla.suse.com/880764
  https://bugzilla.suse.com/901145
  https://bugzilla.suse.com/904694
  https://bugzilla.suse.com/917806
  https://download.suse.com/patch/finder/?keywords=3f29625c93073c1ed3b6a38fb74296cb

From sle-security-updates at lists.suse.com Wed Jun 3 01:04:55 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 3 Jun 2015 09:04:55 +0200 (CEST)
Subject: SUSE-SU-2015:0990-1: moderate: Security update for curl
Message-ID: <20150603070455.BCC0032089@maintenance.suse.de>

SUSE Security Update: Security update for curl
______________________________________________________________________________

Announcement ID:
  SUSE-SU-2015:0990-1
Rating: moderate
References: #927556 #927607 #927608 #927746 #928533
Cross-References: CVE-2015-3143 CVE-2015-3144 CVE-2015-3145 CVE-2015-3148 CVE-2015-3153
Affected Products:
  SUSE Linux Enterprise Software Development Kit 12
  SUSE Linux Enterprise Server 12
  SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

An update that fixes 5 vulnerabilities is now available.

Description:

curl was updated to fix five security issues.

The following vulnerabilities were fixed:

* CVE-2015-3143: curl could re-use NTLM authenticated connections
* CVE-2015-3144: curl could access memory out of bounds with zero length host names
* CVE-2015-3145: curl cookie parser could access memory out of boundary
* CVE-2015-3148: curl could treat Negotiate as not connection-oriented
* CVE-2015-3153: curl could have sent sensitive HTTP headers also to proxies

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12:
    zypper in -t patch SUSE-SLE-SDK-12-2015-235=1
- SUSE Linux Enterprise Server 12:
    zypper in -t patch SUSE-SLE-SERVER-12-2015-235=1
- SUSE Linux Enterprise Desktop 12:
    zypper in -t patch SUSE-SLE-DESKTOP-12-2015-235=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):
    curl-debuginfo-7.37.0-15.1
    curl-debugsource-7.37.0-15.1
    libcurl-devel-7.37.0-15.1
- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
    curl-7.37.0-15.1
    curl-debuginfo-7.37.0-15.1
    curl-debugsource-7.37.0-15.1
    libcurl4-7.37.0-15.1
    libcurl4-debuginfo-7.37.0-15.1
- SUSE Linux Enterprise Server 12 (s390x x86_64):
    libcurl4-32bit-7.37.0-15.1
    libcurl4-debuginfo-32bit-7.37.0-15.1
- SUSE Linux Enterprise Desktop 12 (x86_64):
    curl-7.37.0-15.1
    curl-debuginfo-7.37.0-15.1
    curl-debugsource-7.37.0-15.1
    libcurl4-32bit-7.37.0-15.1
    libcurl4-7.37.0-15.1
    libcurl4-debuginfo-32bit-7.37.0-15.1
    libcurl4-debuginfo-7.37.0-15.1

References:

  https://www.suse.com/security/cve/CVE-2015-3143.html
  https://www.suse.com/security/cve/CVE-2015-3144.html
  https://www.suse.com/security/cve/CVE-2015-3145.html
  https://www.suse.com/security/cve/CVE-2015-3148.html
  https://www.suse.com/security/cve/CVE-2015-3153.html
  https://bugzilla.suse.com/927556
  https://bugzilla.suse.com/927607
  https://bugzilla.suse.com/927608
  https://bugzilla.suse.com/927746
  https://bugzilla.suse.com/928533

From sle-security-updates at lists.suse.com Mon Jun 8 07:04:55 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 8 Jun 2015 15:04:55 +0200 (CEST)
Subject: SUSE-SU-2015:1011-1: critical: Security update for cups
Message-ID: <20150608130455.BA64832089@maintenance.suse.de>

SUSE Security Update: Security update for cups
______________________________________________________________________________

Announcement ID: SUSE-SU-2015:1011-1
Rating: critical
References: #924208
Affected Products:
  SUSE Linux Enterprise Software Development Kit 11 SP3
  SUSE Linux Enterprise Server 11 SP3 for VMware
  SUSE Linux Enterprise Server 11 SP3
  SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that contains security fixes can now be
installed.

Description:

This update fixes a privilege escalation via cross-site scripting and bad print job submission used to replace cupsd.conf on the server. This combination of issues could lead to remote code execution.

CERT-VU-810572 has been assigned to this issue.

Indications:

Everybody should update.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:
    zypper in -t patch sdksp3-cups=10707
- SUSE Linux Enterprise Server 11 SP3 for VMware:
    zypper in -t patch slessp3-cups=10707
- SUSE Linux Enterprise Server 11 SP3:
    zypper in -t patch slessp3-cups=10707
- SUSE Linux Enterprise Desktop 11 SP3:
    zypper in -t patch sledsp3-cups=10707

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
    cups-devel-1.3.9-8.46.56.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
    cups-1.3.9-8.46.56.1
    cups-client-1.3.9-8.46.56.1
    cups-libs-1.3.9-8.46.56.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):
    cups-libs-32bit-1.3.9-8.46.56.1
- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
    cups-1.3.9-8.46.56.1
    cups-client-1.3.9-8.46.56.1
    cups-libs-1.3.9-8.46.56.1
- SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):
    cups-libs-32bit-1.3.9-8.46.56.1
- SUSE Linux Enterprise Server 11 SP3 (ia64):
    cups-libs-x86-1.3.9-8.46.56.1
- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
    cups-1.3.9-8.46.56.1
    cups-client-1.3.9-8.46.56.1
    cups-libs-1.3.9-8.46.56.1
- SUSE Linux Enterprise Desktop 11 SP3 (x86_64):
    cups-libs-32bit-1.3.9-8.46.56.1

References:

  https://bugzilla.suse.com/924208
  https://download.suse.com/patch/finder/?keywords=cfe8bb7d17a9116bd37d397cd41c000f

From sle-security-updates at lists.suse.com Tue Jun 9 02:04:57 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at
 lists.suse.com)
Date: Tue, 9 Jun 2015 10:04:57 +0200 (CEST)
Subject: SUSE-SU-2015:1013-1: moderate: Security update for wpa_supplicant
Message-ID: <20150609080457.2FFA032089@maintenance.suse.de>

SUSE Security Update: Security update for wpa_supplicant
______________________________________________________________________________

Announcement ID: SUSE-SU-2015:1013-1
Rating: moderate
References: #900611 #915323 #927558
Cross-References: CVE-2014-3686 CVE-2015-0210 CVE-2015-1863
Affected Products:
  SUSE Linux Enterprise Server 12
  SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

wpa_supplicant was updated to fix three security issues:

- CVE-2015-0210: wpa_supplicant: broken certificate subject check
  this adds the "domain_match" config option from upstream (additional to the already existing domain_suffix_match)
- CVE-2014-3686: hostapd command execution
- CVE-2015-1863: P2P SSID processing vulnerability

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12:
    zypper in -t patch SUSE-SLE-SERVER-12-2015-244=1
- SUSE Linux Enterprise Desktop 12:
    zypper in -t patch SUSE-SLE-DESKTOP-12-2015-244=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
    wpa_supplicant-2.2-8.1
    wpa_supplicant-debuginfo-2.2-8.1
    wpa_supplicant-debugsource-2.2-8.1
- SUSE Linux Enterprise Desktop 12 (x86_64):
    wpa_supplicant-2.2-8.1
    wpa_supplicant-debuginfo-2.2-8.1
    wpa_supplicant-debugsource-2.2-8.1

References:

  https://www.suse.com/security/cve/CVE-2014-3686.html
  https://www.suse.com/security/cve/CVE-2015-0210.html
  https://www.suse.com/security/cve/CVE-2015-1863.html
  https://bugzilla.suse.com/900611
  https://bugzilla.suse.com/915323
  https://bugzilla.suse.com/927558

From sle-security-updates at lists.suse.com Tue Jun 9 02:05:47 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 9 Jun 2015 10:05:47 +0200 (CEST)
Subject: SUSE-SU-2015:1014-1: moderate: Security update for vorbis-tools
Message-ID: <20150609080547.42DDD32068@maintenance.suse.de>

SUSE Security Update: Security update for vorbis-tools
______________________________________________________________________________

Announcement ID: SUSE-SU-2015:1014-1
Rating: moderate
References: #914439 #914441
Cross-References: CVE-2014-9638 CVE-2014-9639
Affected Products:
  SUSE Linux Enterprise Server 12
  SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

Vorbis tools was updated to fix division by zero and integer overflows by crafted WAV files (CVE-2014-9638, CVE-2014-9639, bnc#914439, bnc#914441), that would allow attackers to crash the vorbis tools processes.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12:
    zypper in -t patch SUSE-SLE-SERVER-12-2015-245=1
- SUSE Linux Enterprise Desktop 12:
    zypper in -t patch SUSE-SLE-DESKTOP-12-2015-245=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
    vorbis-tools-1.4.0-23.1
    vorbis-tools-debuginfo-1.4.0-23.1
    vorbis-tools-debugsource-1.4.0-23.1
- SUSE Linux Enterprise Server 12 (noarch):
    vorbis-tools-lang-1.4.0-23.1
- SUSE Linux Enterprise Desktop 12 (x86_64):
    vorbis-tools-1.4.0-23.1
    vorbis-tools-debuginfo-1.4.0-23.1
    vorbis-tools-debugsource-1.4.0-23.1
- SUSE Linux Enterprise Desktop 12 (noarch):
    vorbis-tools-lang-1.4.0-23.1

References:

  https://www.suse.com/security/cve/CVE-2014-9638.html
  https://www.suse.com/security/cve/CVE-2014-9639.html
  https://bugzilla.suse.com/914439
  https://bugzilla.suse.com/914441

From sle-security-updates at lists.suse.com Tue Jun 9 02:06:17 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 9 Jun 2015 10:06:17 +0200 (CEST)
Subject: SUSE-SU-2015:1015-1: moderate: Security update for dnsmasq
Message-ID: <20150609080617.A19E632089@maintenance.suse.de>

SUSE Security Update: Security update for dnsmasq
______________________________________________________________________________

Announcement ID: SUSE-SU-2015:1015-1
Rating: moderate
References: #923144 #928867
Cross-References: CVE-2015-3294
Affected Products:
  SUSE Linux Enterprise Server 11 SP3 for VMware
  SUSE Linux Enterprise Server 11 SP3
  SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available. It includes one version update.

Description:

The DNS server dnsmasq was updated to fix one security issue and one non-security bug:

* CVE-2015-3294: A remote unauthenticated attacker could have caused a denial of service (DoS) or read memory from the heap, potentially disclosing information such as performed DNS queries or encryption keys.
  (bsc#928867)
* bsc#923144: When the answer to an upstream query is a CNAME pointing to an A/AAAA record which is present locally (/etc/hosts), allow caching when the upstream and local A/AAAA records have the same value.

Security Issues:

* CVE-2015-3294

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP3 for VMware:
    zypper in -t patch slessp3-dnsmasq=10650
- SUSE Linux Enterprise Server 11 SP3:
    zypper in -t patch slessp3-dnsmasq=10650
- SUSE Linux Enterprise Desktop 11 SP3:
    zypper in -t patch sledsp3-dnsmasq=10650

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 2.71]:
    dnsmasq-2.71-0.12.13.1
- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 2.71]:
    dnsmasq-2.71-0.12.13.1
- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 2.71]:
    dnsmasq-2.71-0.12.13.1

References:

  https://www.suse.com/security/cve/CVE-2015-3294.html
  https://bugzilla.suse.com/923144
  https://bugzilla.suse.com/928867
  https://download.suse.com/patch/finder/?keywords=304ffac9847406592e7dae5b253b7965

From sle-security-updates at lists.suse.com Tue Jun 9 06:04:57 2015
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 9 Jun 2015 14:04:57 +0200 (CEST)
Subject: SUSE-SU-2015:1018-1: moderate: Security update for php53
Message-ID: <20150609120457.CC21B32089@maintenance.suse.de>

SUSE Security Update: Security update for php53
______________________________________________________________________________

Announcement ID: SUSE-SU-2015:1018-1
Rating: moderate
References: #922022 #922451 #922452 #923946 #924972 #925109 #928506 #928511 #931421 #931769 #931772 #931776
Cross-References: CVE-2014-9705 CVE-2014-9709 CVE-2015-2301 CVE-2015-2305 CVE-2015-2783 CVE-2015-2787 CVE-2015-3329 CVE-2015-4021 CVE-2015-4022
  CVE-2015-4024 CVE-2015-4026
Affected Products:
  SUSE Linux Enterprise Software Development Kit 11 SP3
  SUSE Linux Enterprise Server 11 SP3 for VMware
  SUSE Linux Enterprise Server 11 SP3
______________________________________________________________________________

An update that solves 11 vulnerabilities and has one errata is now available.

Description:

PHP 5.3 was updated to fix multiple security issues:

* bnc#931776: pcntl_exec() does not check path validity (CVE-2015-4026)
* bnc#931772: overflow in ftp_genlist() resulting in heap overflow (CVE-2015-4022)
* bnc#931769: memory corruption in phar_parse_tarfile when entry filename starts with NULL (CVE-2015-4021)
* bnc#931421: multipart/form-data remote denial-of-service vulnerability (CVE-2015-4024)
* bnc#928511: buffer over-read in unserialize when parsing Phar (CVE-2015-2783)
* bnc#928506: buffer overflow when parsing tar/zip/phar in phar_set_inode() (CVE-2015-3329)
* bnc#925109: SoapClient's __call() type confusion through unserialize()
* bnc#924972: use-after-free vulnerability in the process_nested_data function (CVE-2015-2787)
* bnc#923946: embedded gd copy: buffer read overflow in gd_gif_in.c (CVE-2014-9709)
* bnc#922452: built-in regular expression (regex) library contains a heap overflow vulnerability (CVE-2015-2305)
* bnc#922451: heap buffer overflow in enchant_broker_request_dict() (CVE-2014-9705)
* bnc#922022: php's built-in regular expression (regex) library contains a heap overflow vulnerability (CVE-2015-2301)

Security Issues:

* CVE-2015-4026
* CVE-2015-4022
* CVE-2015-4021
* CVE-2015-4024
* CVE-2015-2783
* CVE-2015-3329
* CVE-2015-2787
* CVE-2014-9709
* CVE-2015-2305
* CVE-2014-9705
* CVE-2015-2301

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-apache2-mod_php53=10716 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-apache2-mod_php53=10716 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-apache2-mod_php53=10716 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64): php53-devel-5.3.17-0.41.1 php53-imap-5.3.17-0.41.1 php53-posix-5.3.17-0.41.1 php53-readline-5.3.17-0.41.1 php53-sockets-5.3.17-0.41.1 php53-sqlite-5.3.17-0.41.1 php53-tidy-5.3.17-0.41.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): apache2-mod_php53-5.3.17-0.41.1 php53-5.3.17-0.41.1 php53-bcmath-5.3.17-0.41.1 php53-bz2-5.3.17-0.41.1 php53-calendar-5.3.17-0.41.1 php53-ctype-5.3.17-0.41.1 php53-curl-5.3.17-0.41.1 php53-dba-5.3.17-0.41.1 php53-dom-5.3.17-0.41.1 php53-exif-5.3.17-0.41.1 php53-fastcgi-5.3.17-0.41.1 php53-fileinfo-5.3.17-0.41.1 php53-ftp-5.3.17-0.41.1 php53-gd-5.3.17-0.41.1 php53-gettext-5.3.17-0.41.1 php53-gmp-5.3.17-0.41.1 php53-iconv-5.3.17-0.41.1 php53-intl-5.3.17-0.41.1 php53-json-5.3.17-0.41.1 php53-ldap-5.3.17-0.41.1 php53-mbstring-5.3.17-0.41.1 php53-mcrypt-5.3.17-0.41.1 php53-mysql-5.3.17-0.41.1 php53-odbc-5.3.17-0.41.1 php53-openssl-5.3.17-0.41.1 php53-pcntl-5.3.17-0.41.1 php53-pdo-5.3.17-0.41.1 php53-pear-5.3.17-0.41.1 php53-pgsql-5.3.17-0.41.1 php53-pspell-5.3.17-0.41.1 php53-shmop-5.3.17-0.41.1 php53-snmp-5.3.17-0.41.1 php53-soap-5.3.17-0.41.1 php53-suhosin-5.3.17-0.41.1 php53-sysvmsg-5.3.17-0.41.1 php53-sysvsem-5.3.17-0.41.1 php53-sysvshm-5.3.17-0.41.1 php53-tokenizer-5.3.17-0.41.1 php53-wddx-5.3.17-0.41.1 php53-xmlreader-5.3.17-0.41.1 php53-xmlrpc-5.3.17-0.41.1 php53-xmlwriter-5.3.17-0.41.1 php53-xsl-5.3.17-0.41.1 php53-zip-5.3.17-0.41.1 php53-zlib-5.3.17-0.41.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 
s390x x86_64): apache2-mod_php53-5.3.17-0.41.1 php53-5.3.17-0.41.1 php53-bcmath-5.3.17-0.41.1 php53-bz2-5.3.17-0.41.1 php53-calendar-5.3.17-0.41.1 php53-ctype-5.3.17-0.41.1 php53-curl-5.3.17-0.41.1 php53-dba-5.3.17-0.41.1 php53-dom-5.3.17-0.41.1 php53-exif-5.3.17-0.41.1 php53-fastcgi-5.3.17-0.41.1 php53-fileinfo-5.3.17-0.41.1 php53-ftp-5.3.17-0.41.1 php53-gd-5.3.17-0.41.1 php53-gettext-5.3.17-0.41.1 php53-gmp-5.3.17-0.41.1 php53-iconv-5.3.17-0.41.1 php53-intl-5.3.17-0.41.1 php53-json-5.3.17-0.41.1 php53-ldap-5.3.17-0.41.1 php53-mbstring-5.3.17-0.41.1 php53-mcrypt-5.3.17-0.41.1 php53-mysql-5.3.17-0.41.1 php53-odbc-5.3.17-0.41.1 php53-openssl-5.3.17-0.41.1 php53-pcntl-5.3.17-0.41.1 php53-pdo-5.3.17-0.41.1 php53-pear-5.3.17-0.41.1 php53-pgsql-5.3.17-0.41.1 php53-pspell-5.3.17-0.41.1 php53-shmop-5.3.17-0.41.1 php53-snmp-5.3.17-0.41.1 php53-soap-5.3.17-0.41.1 php53-suhosin-5.3.17-0.41.1 php53-sysvmsg-5.3.17-0.41.1 php53-sysvsem-5.3.17-0.41.1 php53-sysvshm-5.3.17-0.41.1 php53-tokenizer-5.3.17-0.41.1 php53-wddx-5.3.17-0.41.1 php53-xmlreader-5.3.17-0.41.1 php53-xmlrpc-5.3.17-0.41.1 php53-xmlwriter-5.3.17-0.41.1 php53-xsl-5.3.17-0.41.1 php53-zip-5.3.17-0.41.1 php53-zlib-5.3.17-0.41.1 References: https://www.suse.com/security/cve/CVE-2014-9705.html https://www.suse.com/security/cve/CVE-2014-9709.html https://www.suse.com/security/cve/CVE-2015-2301.html https://www.suse.com/security/cve/CVE-2015-2305.html https://www.suse.com/security/cve/CVE-2015-2783.html https://www.suse.com/security/cve/CVE-2015-2787.html https://www.suse.com/security/cve/CVE-2015-3329.html https://www.suse.com/security/cve/CVE-2015-4021.html https://www.suse.com/security/cve/CVE-2015-4022.html https://www.suse.com/security/cve/CVE-2015-4024.html https://www.suse.com/security/cve/CVE-2015-4026.html https://bugzilla.suse.com/922022 https://bugzilla.suse.com/922451 https://bugzilla.suse.com/922452 https://bugzilla.suse.com/923946 https://bugzilla.suse.com/924972 https://bugzilla.suse.com/925109 
https://bugzilla.suse.com/928506 https://bugzilla.suse.com/928511 https://bugzilla.suse.com/931421 https://bugzilla.suse.com/931769 https://bugzilla.suse.com/931772 https://bugzilla.suse.com/931776 https://download.suse.com/patch/finder/?keywords=50901ea397c43cdc72e7b8b864450cd7 From sle-security-updates at lists.suse.com Tue Jun 9 08:05:00 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 9 Jun 2015 16:05:00 +0200 (CEST) Subject: SUSE-SU-2015:1019-1: moderate: Security update for patch Message-ID: <20150609140500.C715D32089@maintenance.suse.de> SUSE Security Update: Security update for patch ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1019-1 Rating: moderate References: #904519 #913678 #915328 #915329 Cross-References: CVE-2015-1196 CVE-2015-1395 CVE-2015-1396 Affected Products: SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that solves three vulnerabilities and has one errata is now available. Description: The GNU patch utility was updated to 2.7.5 to fix three security issues and one non-security bug. The following vulnerabilities were fixed: * CVE-2015-1196: directory traversal flaw when handling git-style patches. This could allow an attacker to overwrite arbitrary files by tricking the user into applying a specially crafted patch. (bsc#913678) * CVE-2015-1395: directory traversal flaw when handling patches which rename files. This could allow an attacker to overwrite arbitrary files by tricking the user into applying a specially crafted patch. (bsc#915328) * CVE-2015-1396: directory traversal flaw via symbolic links. This could allow an attacker to overwrite arbitrary files by tricking the user into applying a specially crafted patch. 
(bsc#915329) The following bug was fixed: * bsc#904519: Function names in hunks (from diff -p) are now preserved in reject files. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2015-247=1 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2015-247=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64): patch-2.7.5-7.1 patch-debuginfo-2.7.5-7.1 patch-debugsource-2.7.5-7.1 - SUSE Linux Enterprise Desktop 12 (x86_64): patch-2.7.5-7.1 patch-debuginfo-2.7.5-7.1 patch-debugsource-2.7.5-7.1 References: https://www.suse.com/security/cve/CVE-2015-1196.html https://www.suse.com/security/cve/CVE-2015-1395.html https://www.suse.com/security/cve/CVE-2015-1396.html https://bugzilla.suse.com/904519 https://bugzilla.suse.com/913678 https://bugzilla.suse.com/915328 https://bugzilla.suse.com/915329 From sle-security-updates at lists.suse.com Tue Jun 9 08:05:54 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 9 Jun 2015 16:05:54 +0200 (CEST) Subject: SUSE-SU-2015:1020-1: moderate: Security update for autofs Message-ID: <20150609140554.4990032089@maintenance.suse.de> SUSE Security Update: Security update for autofs ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1020-1 Rating: moderate References: #901448 #909472 #913376 #916203 #917977 Cross-References: CVE-2014-8169 Affected Products: SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that solves one vulnerability and has four fixes is now available. Description: autofs was updated to fix one security issue. 
This security issue was fixed: - CVE-2014-8169: Prevent potential privilege escalation via interpreter load path for program-based automount maps (bnc#917977). These non-security issues were fixed: - Don't pass sloppy option for other than nfs mounts (bnc#901448, bnc#916203) - Fix insserv warning at postinstall (bnc#913376) - Fix autofs.service so that multiple options passed through sysconfig AUTOFS_OPTIONS work correctly (bnc#909472) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2015-248=1 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2015-248=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64): autofs-5.0.9-8.1 autofs-debuginfo-5.0.9-8.1 autofs-debugsource-5.0.9-8.1 - SUSE Linux Enterprise Desktop 12 (x86_64): autofs-5.0.9-8.1 autofs-debuginfo-5.0.9-8.1 autofs-debugsource-5.0.9-8.1 References: https://www.suse.com/security/cve/CVE-2014-8169.html https://bugzilla.suse.com/901448 https://bugzilla.suse.com/909472 https://bugzilla.suse.com/913376 https://bugzilla.suse.com/916203 https://bugzilla.suse.com/917977 From sle-security-updates at lists.suse.com Wed Jun 10 06:04:55 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 10 Jun 2015 14:04:55 +0200 (CEST) Subject: SUSE-SU-2015:1024-1: moderate: Security update for FUSE Message-ID: <20150610120455.7E3D332089@maintenance.suse.de> SUSE Security Update: Security update for FUSE ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1024-1 Rating: moderate References: #931452 Cross-References: CVE-2015-3202 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise 
Server 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for FUSE fixes the following security issue: * CVE-2015-3202: FUSE did not clear the environment upon execution of external programs. Security Issues: * CVE-2015-3202 Indications: Everybody should update. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-fuse=10694 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-fuse=10694 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-fuse=10694 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-fuse=10694 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64): fuse-devel-2.8.7-0.11.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): fuse-2.8.7-0.11.1 libfuse2-2.8.7-0.11.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64): fuse-2.8.7-0.11.1 libfuse2-2.8.7-0.11.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64): fuse-2.8.7-0.11.1 libfuse2-2.8.7-0.11.1 References: https://www.suse.com/security/cve/CVE-2015-3202.html https://bugzilla.suse.com/931452 https://download.suse.com/patch/finder/?keywords=361642762ee51e4f3081c74ab3d188b5 From sle-security-updates at lists.suse.com Wed Jun 10 06:05:13 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 10 Jun 2015 14:05:13 +0200 (CEST) Subject: SUSE-SU-2015:1025-1: moderate: Security update for xorg-x11-server Message-ID: <20150610120513.D391632089@maintenance.suse.de> SUSE Security Update: Security update for xorg-x11-server 
______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1025-1 Rating: moderate References: #928520 Cross-References: CVE-2015-3418 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for xorg-x11-server fixes a regression introduced with the fix for CVE-2014-8092: * CVE-2015-3418: Xserver: PutImage crashes Server when called with 0 height. (bsc#928520) Security Issues: * CVE-2015-3418 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-xorg-x11-Xvnc=10702 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-xorg-x11-Xvnc=10702 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-xorg-x11-Xvnc=10702 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-xorg-x11-Xvnc=10702 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64): xorg-x11-server-sdk-7.4-27.105.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): xorg-x11-Xvnc-7.4-27.105.1 xorg-x11-server-7.4-27.105.1 xorg-x11-server-extra-7.4-27.105.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64): xorg-x11-Xvnc-7.4-27.105.1 xorg-x11-server-7.4-27.105.1 xorg-x11-server-extra-7.4-27.105.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64): xorg-x11-Xvnc-7.4-27.105.1 xorg-x11-server-7.4-27.105.1 xorg-x11-server-extra-7.4-27.105.1 References: https://www.suse.com/security/cve/CVE-2015-3418.html https://bugzilla.suse.com/928520 https://download.suse.com/patch/finder/?keywords=9653b407c32d8e7616ca032ca22bda45 From sle-security-updates at lists.suse.com Thu Jun 11 09:05:03 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 11 Jun 2015 17:05:03 +0200 (CEST) Subject: SUSE-SU-2015:1041-1: critical: Security update for cups Message-ID: <20150611150503.0ABA327FF3@maintenance.suse.de> SUSE Security Update: Security update for cups ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1041-1 Rating: critical References: #924208 Cross-References: CVE-2012-5519 CVE-2015-1158 CVE-2015-1159 Affected Products: SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: The following issues are fixed by this update: * CVE-2012-5519: privilege escalation via cross-site scripting and bad print job submission used to replace cupsd.conf on server (bsc#924208). 
* CVE-2015-1158: Improper Update of Reference Count * CVE-2015-1159: Cross-Site Scripting Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12: zypper in -t patch SUSE-SLE-SDK-12-2015-264=1 - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2015-264=1 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2015-264=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64): cups-debuginfo-1.7.5-9.1 cups-debugsource-1.7.5-9.1 cups-devel-1.7.5-9.1 - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64): cups-1.7.5-9.1 cups-client-1.7.5-9.1 cups-client-debuginfo-1.7.5-9.1 cups-debuginfo-1.7.5-9.1 cups-debugsource-1.7.5-9.1 cups-libs-1.7.5-9.1 cups-libs-debuginfo-1.7.5-9.1 - SUSE Linux Enterprise Server 12 (s390x x86_64): cups-libs-32bit-1.7.5-9.1 cups-libs-debuginfo-32bit-1.7.5-9.1 - SUSE Linux Enterprise Desktop 12 (x86_64): cups-1.7.5-9.1 cups-client-1.7.5-9.1 cups-client-debuginfo-1.7.5-9.1 cups-debuginfo-1.7.5-9.1 cups-debugsource-1.7.5-9.1 cups-libs-1.7.5-9.1 cups-libs-32bit-1.7.5-9.1 cups-libs-debuginfo-1.7.5-9.1 cups-libs-debuginfo-32bit-1.7.5-9.1 References: https://www.suse.com/security/cve/CVE-2012-5519.html https://www.suse.com/security/cve/CVE-2015-1158.html https://www.suse.com/security/cve/CVE-2015-1159.html https://bugzilla.suse.com/924208 From sle-security-updates at lists.suse.com Thu Jun 11 09:05:26 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 11 Jun 2015 17:05:26 +0200 (CEST) Subject: SUSE-SU-2015:1042-1: important: Security update for xen Message-ID: <20150611150526.A838427FF3@maintenance.suse.de> SUSE Security Update: Security update for xen ______________________________________________________________________________ 
Announcement ID: SUSE-SU-2015:1042-1 Rating: important References: #906689 #931625 #931626 #931627 #931628 #932770 #932790 #932996 Cross-References: CVE-2015-3209 CVE-2015-4103 CVE-2015-4104 CVE-2015-4105 CVE-2015-4106 CVE-2015-4163 CVE-2015-4164 Affected Products: SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that solves 7 vulnerabilities and has one errata is now available. Description: Xen was updated to fix seven security issues and one non-security bug. The following vulnerabilities were fixed: * CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu (XSA-128) (bnc#931625) * CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests (XSA-129) (bnc#931626) * CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages (XSA-130) (bnc#931627) * CVE-2015-4106: Unmediated PCI register access in qemu (XSA-131) (bnc#931628) * CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior (XSA-134) (bnc#932790) * CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to host escape (XSA-135) (bnc#932770) * CVE-2015-4164: DoS through iret hypercall handler (XSA-136) (bnc#932996) The following non-security bug was fixed: * bnc#906689: let systemd schedule xencommons after network-online.target and remote-fs.target so that xendomains has access to remote shares Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12: zypper in -t patch SUSE-SLE-SDK-12-2015-262=1 - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2015-262=1 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2015-262=1 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Software Development Kit 12 (x86_64): xen-debugsource-4.4.2_06-21.1 xen-devel-4.4.2_06-21.1 - SUSE Linux Enterprise Server 12 (x86_64): xen-4.4.2_06-21.1 xen-debugsource-4.4.2_06-21.1 xen-doc-html-4.4.2_06-21.1 xen-kmp-default-4.4.2_06_k3.12.39_47-21.1 xen-kmp-default-debuginfo-4.4.2_06_k3.12.39_47-21.1 xen-libs-32bit-4.4.2_06-21.1 xen-libs-4.4.2_06-21.1 xen-libs-debuginfo-32bit-4.4.2_06-21.1 xen-libs-debuginfo-4.4.2_06-21.1 xen-tools-4.4.2_06-21.1 xen-tools-debuginfo-4.4.2_06-21.1 xen-tools-domU-4.4.2_06-21.1 xen-tools-domU-debuginfo-4.4.2_06-21.1 - SUSE Linux Enterprise Desktop 12 (x86_64): xen-4.4.2_06-21.1 xen-debugsource-4.4.2_06-21.1 xen-kmp-default-4.4.2_06_k3.12.39_47-21.1 xen-kmp-default-debuginfo-4.4.2_06_k3.12.39_47-21.1 xen-libs-32bit-4.4.2_06-21.1 xen-libs-4.4.2_06-21.1 xen-libs-debuginfo-32bit-4.4.2_06-21.1 xen-libs-debuginfo-4.4.2_06-21.1 References: https://www.suse.com/security/cve/CVE-2015-3209.html https://www.suse.com/security/cve/CVE-2015-4103.html https://www.suse.com/security/cve/CVE-2015-4104.html https://www.suse.com/security/cve/CVE-2015-4105.html https://www.suse.com/security/cve/CVE-2015-4106.html https://www.suse.com/security/cve/CVE-2015-4163.html https://www.suse.com/security/cve/CVE-2015-4164.html https://bugzilla.suse.com/906689 https://bugzilla.suse.com/931625 https://bugzilla.suse.com/931626 https://bugzilla.suse.com/931627 https://bugzilla.suse.com/931628 https://bugzilla.suse.com/932770 https://bugzilla.suse.com/932790 https://bugzilla.suse.com/932996 From sle-security-updates at lists.suse.com Thu Jun 11 09:07:16 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 11 Jun 2015 17:07:16 +0200 (CEST) Subject: SUSE-SU-2015:1043-1: important: Security update for flash-player Message-ID: <20150611150716.280C027FF4@maintenance.suse.de> SUSE Security Update: Security update for flash-player 
______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1043-1 Rating: important References: #934088 Cross-References: CVE-2015-3096 CVE-2015-3098 CVE-2015-3099 CVE-2015-3100 CVE-2015-3102 CVE-2015-3103 CVE-2015-3104 CVE-2015-3105 CVE-2015-3106 CVE-2015-3107 CVE-2015-3108 Affected Products: SUSE Linux Enterprise Workstation Extension 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that fixes 11 vulnerabilities is now available. Description: The following issues are fixed by this update: * CVE-2015-3096: These updates resolve a vulnerability that could be exploited to bypass the fix for CVE-2014-5333. * CVE-2015-3098, CVE-2015-3099, CVE-2015-3102: These updates resolve vulnerabilities that could be exploited to bypass the same-origin-policy and lead to information disclosure. * CVE-2015-3100: These updates resolve a stack overflow vulnerability that could lead to code execution. * CVE-2015-3103, CVE-2015-3106, CVE-2015-3107: These updates resolve use-after-free vulnerabilities that could lead to code execution. * CVE-2015-3104: These updates resolve an integer overflow vulnerability that could lead to code execution. * CVE-2015-3105: These updates resolve a memory corruption vulnerability that could lead to code execution. * CVE-2015-3108: These updates resolve a memory leak vulnerability that could be used to bypass ASLR (CVE-2015-3108). (bsc#934088) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12: zypper in -t patch SUSE-SLE-WE-12-2015-263=1 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2015-263=1 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Workstation Extension 12 (i586 x86_64): flash-player-11.2.202.466-86.1 flash-player-gnome-11.2.202.466-86.1 - SUSE Linux Enterprise Desktop 12 (i586 x86_64): flash-player-11.2.202.466-86.1 flash-player-gnome-11.2.202.466-86.1 References: https://www.suse.com/security/cve/CVE-2015-3096.html https://www.suse.com/security/cve/CVE-2015-3098.html https://www.suse.com/security/cve/CVE-2015-3099.html https://www.suse.com/security/cve/CVE-2015-3100.html https://www.suse.com/security/cve/CVE-2015-3102.html https://www.suse.com/security/cve/CVE-2015-3103.html https://www.suse.com/security/cve/CVE-2015-3104.html https://www.suse.com/security/cve/CVE-2015-3105.html https://www.suse.com/security/cve/CVE-2015-3106.html https://www.suse.com/security/cve/CVE-2015-3107.html https://www.suse.com/security/cve/CVE-2015-3108.html https://bugzilla.suse.com/934088 From sle-security-updates at lists.suse.com Thu Jun 11 11:04:56 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 11 Jun 2015 19:04:56 +0200 (CEST) Subject: SUSE-SU-2015:1044-1: critical: Security update for cups154 Message-ID: <20150611170456.F18A732067@maintenance.suse.de> SUSE Security Update: Security update for cups154 ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1044-1 Rating: critical References: #924208 Cross-References: CVE-2012-5519 CVE-2015-1158 CVE-2015-1159 Affected Products: SUSE Linux Enterprise Module for Legacy Software 12 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: The following issues are fixed by this update: * CVE-2012-5519: privilege escalation via cross-site scripting and bad print job submission used to replace cupsd.conf on server (bsc#924208). 
* CVE-2015-1158: Improper Update of Reference Count * CVE-2015-1159: Cross-Site Scripting Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Legacy Software 12: zypper in -t patch SUSE-SLE-Module-Legacy-12-2015-265=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Module for Legacy Software 12 (ppc64le x86_64): cups154-1.5.4-9.1 cups154-client-1.5.4-9.1 cups154-client-debuginfo-1.5.4-9.1 cups154-debuginfo-1.5.4-9.1 cups154-debugsource-1.5.4-9.1 cups154-filters-1.5.4-9.1 cups154-filters-debuginfo-1.5.4-9.1 cups154-libs-1.5.4-9.1 cups154-libs-debuginfo-1.5.4-9.1 References: https://www.suse.com/security/cve/CVE-2012-5519.html https://www.suse.com/security/cve/CVE-2015-1158.html https://www.suse.com/security/cve/CVE-2015-1159.html https://bugzilla.suse.com/924208 From sle-security-updates at lists.suse.com Thu Jun 11 12:04:57 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 11 Jun 2015 20:04:57 +0200 (CEST) Subject: SUSE-SU-2015:1045-1: important: Security update for Xen Message-ID: <20150611180457.06FEE32068@maintenance.suse.de> SUSE Security Update: Security update for Xen ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1045-1 Rating: important References: #931625 #931626 #931627 #931628 #932770 #932790 #932996 Cross-References: CVE-2015-3209 CVE-2015-4103 CVE-2015-4104 CVE-2015-4105 CVE-2015-4106 CVE-2015-4163 CVE-2015-4164 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that fixes 7 vulnerabilities is now available. 
Description: Xen was updated to fix seven security vulnerabilities: * CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu. (XSA-128, bnc#931625) * CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests. (XSA-129, bnc#931626) * CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages. (XSA-130, bnc#931627) * CVE-2015-4106: Unmediated PCI register access in qemu. (XSA-131, bnc#931628) * CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior. (XSA-134, bnc#932790) * CVE-2015-3209: Heap overflow in qemu pcnet controller allowing guest to host escape. (XSA-135, bnc#932770) * CVE-2015-4164: DoS through iret hypercall handler. (XSA-136, bnc#932996) Security Issues: * CVE-2015-4103 * CVE-2015-4104 * CVE-2015-4105 * CVE-2015-4106 * CVE-2015-4163 * CVE-2015-4164 * CVE-2015-3209 Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-xen-201506=10727 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-xen-201506=10727 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-xen-201506=10727 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64): xen-devel-4.2.5_08-0.9.1 - SUSE Linux Enterprise Server 11 SP3 (i586 x86_64): xen-kmp-default-4.2.5_08_3.0.101_0.47.55-0.9.1 xen-libs-4.2.5_08-0.9.1 xen-tools-domU-4.2.5_08-0.9.1 - SUSE Linux Enterprise Server 11 SP3 (x86_64): xen-4.2.5_08-0.9.1 xen-doc-html-4.2.5_08-0.9.1 xen-doc-pdf-4.2.5_08-0.9.1 xen-libs-32bit-4.2.5_08-0.9.1 xen-tools-4.2.5_08-0.9.1 - SUSE Linux Enterprise Server 11 SP3 (i586): xen-kmp-pae-4.2.5_08_3.0.101_0.47.55-0.9.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64): xen-kmp-default-4.2.5_08_3.0.101_0.47.55-0.9.1 xen-libs-4.2.5_08-0.9.1 xen-tools-domU-4.2.5_08-0.9.1 - SUSE Linux Enterprise Desktop 11 SP3 (x86_64): xen-4.2.5_08-0.9.1 xen-doc-html-4.2.5_08-0.9.1 xen-doc-pdf-4.2.5_08-0.9.1 xen-libs-32bit-4.2.5_08-0.9.1 xen-tools-4.2.5_08-0.9.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586): xen-kmp-pae-4.2.5_08_3.0.101_0.47.55-0.9.1 References: https://www.suse.com/security/cve/CVE-2015-3209.html https://www.suse.com/security/cve/CVE-2015-4103.html https://www.suse.com/security/cve/CVE-2015-4104.html https://www.suse.com/security/cve/CVE-2015-4105.html https://www.suse.com/security/cve/CVE-2015-4106.html https://www.suse.com/security/cve/CVE-2015-4163.html https://www.suse.com/security/cve/CVE-2015-4164.html https://bugzilla.suse.com/931625 https://bugzilla.suse.com/931626 https://bugzilla.suse.com/931627 https://bugzilla.suse.com/931628 https://bugzilla.suse.com/932770 https://bugzilla.suse.com/932790 https://bugzilla.suse.com/932996 https://download.suse.com/patch/finder/?keywords=3ae6793ddbacaa600cc65649e1e37a48 From sle-security-updates at lists.suse.com Thu Jun 11 12:06:20 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 11 Jun 2015 20:06:20 +0200 (CEST) Subject: SUSE-SU-2015:1044-2: critical: Security update for cups154 Message-ID: <20150611180620.C3C9032089@maintenance.suse.de> SUSE Security Update: 
Security update for cups154 ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1044-2 Rating: critical References: #924208 Cross-References: CVE-2012-5519 CVE-2015-1158 CVE-2015-1159 Affected Products: SUSE Linux Enterprise Module for Legacy Software 12 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: The following issues are fixed by this update: * CVE-2012-5519: privilege escalation via cross-site scripting and bad print job submission used to replace cupsd.conf on server (bsc#924208). * CVE-2015-1158: Improper Update of Reference Count * CVE-2015-1159: Cross-Site Scripting Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Legacy Software 12: zypper in -t patch SUSE-SLE-Module-Legacy-12-2015-265=1 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Module for Legacy Software 12 (s390x): cups154-1.5.4-9.1 cups154-client-1.5.4-9.1 cups154-client-debuginfo-1.5.4-9.1 cups154-debuginfo-1.5.4-9.1 cups154-debugsource-1.5.4-9.1 cups154-filters-1.5.4-9.1 cups154-filters-debuginfo-1.5.4-9.1 cups154-libs-1.5.4-9.1 cups154-libs-debuginfo-1.5.4-9.1 References: https://www.suse.com/security/cve/CVE-2012-5519.html https://www.suse.com/security/cve/CVE-2015-1158.html https://www.suse.com/security/cve/CVE-2015-1159.html https://bugzilla.suse.com/924208 From sle-security-updates at lists.suse.com Thu Jun 11 12:06:42 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 11 Jun 2015 20:06:42 +0200 (CEST) Subject: SUSE-SU-2015:1046-1: moderate: Security update for wireshark Message-ID: <20150611180642.687A532089@maintenance.suse.de> SUSE Security Update: Security update for wireshark ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1046-1 Rating: moderate References: #930689 #930691 Cross-References: CVE-2015-3811 CVE-2015-3812 CVE-2015-3813 CVE-2015-3814 Affected Products: SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: Wireshark was updated to 1.10.14 to fix four security issues. The following vulnerabilities have been fixed: * CVE-2015-3811: The WCP dissector could crash while decompressing data. (wnpa-sec-2015-14) * CVE-2015-3812: The X11 dissector could leak memory. (wnpa-sec-2015-15) * CVE-2015-3813: The packet reassembly code could leak memory. (wnpa-sec-2015-16) * CVE-2015-3814: The IEEE 802.11 dissector could go into an infinite loop. (wnpa-sec-2015-17) Special Instructions and Notes: Please reboot the system after installing this update. 
Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12: zypper in -t patch SUSE-SLE-SDK-12-2015-266=1 - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2015-266=1 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2015-266=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64): wireshark-debuginfo-1.10.14-12.1 wireshark-debugsource-1.10.14-12.1 wireshark-devel-1.10.14-12.1 - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64): wireshark-1.10.14-12.1 wireshark-debuginfo-1.10.14-12.1 wireshark-debugsource-1.10.14-12.1 - SUSE Linux Enterprise Desktop 12 (x86_64): wireshark-1.10.14-12.1 wireshark-debuginfo-1.10.14-12.1 wireshark-debugsource-1.10.14-12.1 References: https://www.suse.com/security/cve/CVE-2015-3811.html https://www.suse.com/security/cve/CVE-2015-3812.html https://www.suse.com/security/cve/CVE-2015-3813.html https://www.suse.com/security/cve/CVE-2015-3814.html https://bugzilla.suse.com/930689 https://bugzilla.suse.com/930691 From sle-security-updates at lists.suse.com Fri Jun 12 02:05:02 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 12 Jun 2015 10:05:02 +0200 (CEST) Subject: SUSE-SU-2015:1053-1: moderate: Security update for fuse Message-ID: <20150612080502.26EB832068@maintenance.suse.de> SUSE Security Update: Security update for fuse ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1053-1 Rating: moderate References: #931452 Cross-References: CVE-2015-3202 Affected Products: SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ 
An update that fixes one vulnerability is now available. Description: This update fixes a vulnerability in fuse that did not clear the environment upon execution of external programs. CVE-2015-3202 has been assigned to this issue Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12: zypper in -t patch SUSE-SLE-SDK-12-2015-267=1 - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2015-267=1 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2015-267=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64): fuse-debuginfo-2.9.3-5.1 fuse-debugsource-2.9.3-5.1 fuse-devel-2.9.3-5.1 fuse-devel-static-2.9.3-5.1 libulockmgr1-2.9.3-5.1 libulockmgr1-debuginfo-2.9.3-5.1 - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64): fuse-2.9.3-5.1 fuse-debuginfo-2.9.3-5.1 fuse-debugsource-2.9.3-5.1 libfuse2-2.9.3-5.1 libfuse2-debuginfo-2.9.3-5.1 - SUSE Linux Enterprise Desktop 12 (x86_64): fuse-2.9.3-5.1 fuse-debuginfo-2.9.3-5.1 fuse-debugsource-2.9.3-5.1 libfuse2-2.9.3-5.1 libfuse2-debuginfo-2.9.3-5.1 References: https://www.suse.com/security/cve/CVE-2015-3202.html https://bugzilla.suse.com/931452 From sle-security-updates at lists.suse.com Mon Jun 15 03:04:55 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 15 Jun 2015 11:04:55 +0200 (CEST) Subject: SUSE-SU-2015:1062-1: moderate: Security update for stunnel Message-ID: <20150615090455.EFECD32089@maintenance.suse.de> SUSE Security Update: Security update for stunnel ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1062-1 Rating: moderate References: #931517 Cross-References: CVE-2015-3644 Affected Products: SUSE Linux Enterprise Server 12 
______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update fixes an authentication bypass when using the "redirect" option (CVE-2015-3644, bsc#931517, backport from v5.17). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2015-268=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64): stunnel-5.00-3.1 stunnel-debuginfo-5.00-3.1 stunnel-debugsource-5.00-3.1 References: https://www.suse.com/security/cve/CVE-2015-3644.html https://bugzilla.suse.com/931517 From sle-security-updates at lists.suse.com Mon Jun 15 09:04:53 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 15 Jun 2015 17:04:53 +0200 (CEST) Subject: SUSE-SU-2015:1064-1: moderate: Security update for flash-player Message-ID: <20150615150453.E699832089@maintenance.suse.de> SUSE Security Update: Security update for flash-player ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1064-1 Rating: moderate References: #934088 Cross-References: CVE-2015-3096 CVE-2015-3098 CVE-2015-3099 CVE-2015-3100 CVE-2015-3102 CVE-2015-3103 CVE-2015-3106 CVE-2015-3107 CVE-2015-3108 Affected Products: SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that fixes 9 vulnerabilities is now available. It includes one version update. Description: Adobe Flash Player was updated to 11.2.202.466 to fix multiple security issues. 
The following vulnerabilities were fixed: * CVE-2015-3096: bypass for CVE-2014-5333 * CVE-2015-3098: vulnerabilities that could be exploited to bypass the same-origin-policy and lead to information disclosure * CVE-2015-3099: vulnerabilities that could be exploited to bypass the same-origin-policy and lead to information disclosure * CVE-2015-3100: stack overflow vulnerability that could lead to code execution * CVE-2015-3102: vulnerabilities that could be exploited to bypass the same-origin-policy and lead to information disclosure * CVE-2015-3103: use-after-free vulnerabilities that could lead to code execution * CVE-2015-3104: integer overflow vulnerability that could lead to code execution * CVE-2015-3105: memory corruption vulnerability that could lead to code execution * CVE-2015-3106: use-after-free vulnerabilities that could lead to code execution * CVE-2015-3107: use-after-free vulnerabilities that could lead to code execution * CVE-2015-3108: memory leak vulnerability that could be used to bypass ASLR More information can be found on: https://helpx.adobe.com/security/products/flash-player/apsb15-11.html Security Issues: * CVE-2015-3096 * CVE-2015-3098 * CVE-2015-3099 * CVE-2015-3100 * CVE-2015-3102 * CVE-2015-3103 * CVE-2015-3106 * CVE-2015-3107 * CVE-2015-3108 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-flash-player=10762 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 11.2.202.466]: flash-player-11.2.202.466-0.6.1 flash-player-gnome-11.2.202.466-0.6.1 flash-player-kde4-11.2.202.466-0.6.1 References: https://www.suse.com/security/cve/CVE-2015-3096.html https://www.suse.com/security/cve/CVE-2015-3098.html https://www.suse.com/security/cve/CVE-2015-3099.html https://www.suse.com/security/cve/CVE-2015-3100.html https://www.suse.com/security/cve/CVE-2015-3102.html https://www.suse.com/security/cve/CVE-2015-3103.html https://www.suse.com/security/cve/CVE-2015-3106.html https://www.suse.com/security/cve/CVE-2015-3107.html https://www.suse.com/security/cve/CVE-2015-3108.html https://bugzilla.suse.com/934088 https://download.suse.com/patch/finder/?keywords=54458c18e1bae698ba1e29aba887242a From sle-security-updates at lists.suse.com Tue Jun 16 06:05:01 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 16 Jun 2015 14:05:01 +0200 (CEST) Subject: SUSE-SU-2015:1071-1: important: Security update for the Linux Kernel Message-ID: <20150616120501.EE6623208D@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1071-1 Rating: important References: #899192 #900881 #909312 #913232 #914742 #915540 #916225 #917125 #919007 #919018 #920262 #921769 #922583 #922734 #922944 #924664 #924803 #924809 #925567 #926156 #926240 #926314 #927084 #927115 #927116 #927257 #927285 #927308 #927455 #928122 #928130 #928135 #928141 #928708 #929092 #929145 #929525 #929883 #930224 #930226 #930669 #930786 #931014 #931130 Cross-References: CVE-2014-3647 CVE-2014-8086 CVE-2014-8159 CVE-2015-1465 CVE-2015-2041 CVE-2015-2042 CVE-2015-2666 CVE-2015-2830 CVE-2015-2922 CVE-2015-3331 CVE-2015-3332 CVE-2015-3339 CVE-2015-3636 Affected Products: SUSE Linux Enterprise Workstation Extension 12 SUSE Linux Enterprise Software 
Development Kit 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Module for Public Cloud 12 SUSE Linux Enterprise Live Patching 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that solves 13 vulnerabilities and has 31 fixes is now available. Description: The SUSE Linux Enterprise 12 kernel was updated to version 3.12.43 to receive various security and bugfixes. Following security bugs were fixed: - CVE-2014-3647: arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel through 3.17.2 did not properly perform RIP changes, which allowed guest OS users to cause a denial of service (guest OS crash) via a crafted application (bsc#899192). - CVE-2014-8086: Race condition in the ext4_file_write_iter function in fs/ext4/file.c in the Linux kernel through 3.17 allowed local users to cause a denial of service (file unavailability) via a combination of a write action and an F_SETFL fcntl operation for the O_DIRECT flag (bsc#900881). - CVE-2014-8159: The InfiniBand (IB) implementation did not properly restrict use of User Verbs for registration of memory regions, which allowed local users to access arbitrary physical memory locations, and consequently cause a denial of service (system crash) or gain privileges, by leveraging permissions on a uverbs device under /dev/infiniband/ (bsc#914742). - CVE-2015-1465: The IPv4 implementation in the Linux kernel before 3.18.8 did not properly consider the length of the Read-Copy Update (RCU) grace period for redirecting lookups in the absence of caching, which allowed remote attackers to cause a denial of service (memory consumption or system crash) via a flood of packets (bsc#916225). 
- CVE-2015-2041: net/llc/sysctl_net_llc.c in the Linux kernel before 3.19 used an incorrect data type in a sysctl table, which allowed local users to obtain potentially sensitive information from kernel memory or possibly have unspecified other impact by accessing a sysctl entry (bsc#919007). - CVE-2015-2042: net/rds/sysctl.c in the Linux kernel before 3.19 used an incorrect data type in a sysctl table, which allowed local users to obtain potentially sensitive information from kernel memory or possibly have unspecified other impact by accessing a sysctl entry (bsc#919018). - CVE-2015-2666: Fixed a flaw that allowed crafted microcode to overflow the kernel stack (bsc#922944). - CVE-2015-2830: Fixed int80 fork from 64-bit tasks mishandling (bsc#926240). - CVE-2015-2922: Fixed possible denial of service (DoS) attack against IPv6 network stacks due to improper handling of Router Advertisements (bsc#922583). - CVE-2015-3331: Fixed buffer overruns in RFC4106 implementation using AESNI (bsc#927257). - CVE-2015-3332: Fixed TCP Fast Open local DoS (bsc#928135). - CVE-2015-3339: Fixed race condition flaw between the chown() and execve() system calls which could have led to local privilege escalation (bsc#928130). - CVE-2015-3636: Fixed use-after-free in ping sockets which could have led to local privilege escalation (bsc#929525). The following non-security bugs were fixed: - /proc/stat: convert to single_open_size() (bsc#928122). - ACPI / sysfs: Treat the count field of counter_show() as unsigned (bsc#909312). - Automatically Provide/Obsolete all subpackages of old flavors (bsc#925567) - Btrfs: btrfs_release_extent_buffer_page did not free pages of dummy extent (bsc#930226). - Btrfs: fix inode eviction infinite loop after cloning into it (bsc#930224). - Btrfs: fix inode eviction infinite loop after extent_same ioctl (bsc#930224). - Btrfs: fix log tree corruption when fs mounted with -o discard (bsc#927116). - Btrfs: fix up bounds checking in lseek (bsc#927115).
- Fix rtworkqueues crash. Calling __sched_setscheduler() in interrupt context is forbidden, and destroy_worker() did so in the timer interrupt with a nohz_full config. Preclude that possibility for both boot options. - Input: psmouse - add psmouse_matches_pnp_id helper function (bsc#929092). - Input: synaptics - fix middle button on Lenovo 2015 products (bsc#929092). - Input: synaptics - handle spurious release of trackstick buttons (bsc#929092). - Input: synaptics - re-route tracksticks buttons on the Lenovo 2015 series (bsc#929092). - Input: synaptics - remove TOPBUTTONPAD property for Lenovos 2015 (bsc#929092). - Input: synaptics - retrieve the extended capabilities in query $10 (bsc#929092). - NFS: Add attribute update barriers to nfs_setattr_update_inode() (bsc#920262). - NFS: restore kabi after change to nfs_setattr_update_inode (bsc#920262). - af_iucv: fix AF_IUCV sendmsg() errno (bsc#927308, LTC#123304). - audit: do not reject all AUDIT_INODE filter types (bsc#927455). - bnx2x: Fix kdump when iommu=on (bsc#921769). - cpufreq: fix a NULL pointer dereference in __cpufreq_governor() (bsc#924664). - dasd: Fix device having no paths after suspend/resume (bsc#927308, LTC#123896). - dasd: Fix inability to set a DASD device offline (bsc#927308, LTC#123905). - dasd: Fix unresumed device after suspend/resume (bsc#927308, LTC#123892). - dasd: Missing partition after online processing (bsc#917125, LTC#120565). - drm/radeon/cik: Add macrotile mode array query (bsc#927285). - drm/radeon: fix display tiling setup on SI (bsc#927285). - drm/radeon: set correct number of banks for CIK chips in DCE (bsc#927285). - iommu/amd: Correctly encode huge pages in iommu page tables (bsc#931014). - iommu/amd: Optimize alloc_new_range for new fetch_pte interface (bsc#931014). - iommu/amd: Optimize amd_iommu_iova_to_phys for new fetch_pte interface (bsc#931014). - iommu/amd: Optimize iommu_unmap_page for new fetch_pte interface (bsc#931014). 
- iommu/amd: Return the pte page-size in fetch_pte (bsc#931014). - ipc/shm.c: fix overly aggressive shmdt() when calls span multiple segments (ipc fixes). - ipmi: Turn off all activity on an idle ipmi interface (bsc#915540). - ixgbe: fix detection of SFP+ capable interfaces (bsc#922734). - kgr: add error code to the message in kgr_revert_replaced_funs. - kgr: add kgraft annotations to kthreads wait_event_freezable() API calls. - kgr: correct error handling of the first patching stage. - kgr: handle the delayed patching of the modules. - kgr: handle the failure of finalization stage. - kgr: return error in kgr_init if notifier registration fails. - kgr: take switching of the fops out of kgr_patch_code to new function. - kgr: use for_each_process_thread (bsc#929883). - kgr: use kgr_in_progress for all threads (bnc#929883). - libata: Blacklist queued TRIM on Samsung SSD 850 Pro (bsc#926156). - mlx4: Call dev_kfree_skby_any instead of dev_kfree_skb (bsc#928708). - mm, numa: really disable NUMA balancing by default on single node machines (Automatic NUMA Balancing). - mm: vmscan: do not throttle based on pfmemalloc reserves if node has no reclaimable pages (bsc#924803, VM Functionality). - net/mlx4: Cache line CQE/EQE stride fixes (bsc#927084). - net/mlx4_core: Cache line EQE size support (bsc#927084). - net/mlx4_core: Enable CQE/EQE stride support (bsc#927084). - net/mlx4_en: Add mlx4_en_get_cqe helper (bsc#927084). - perf/x86/amd/ibs: Update IBS MSRs and feature definitions. - powerpc/mm: Fix mmap errno when MAP_FIXED is set and mapping exceeds the allowed address space (bsc#930669). - powerpc/numa: Add ability to disable and debug topology updates (bsc#924809). - powerpc/numa: Enable CONFIG_HAVE_MEMORYLESS_NODES (bsc#924809). - powerpc/numa: Enable USE_PERCPU_NUMA_NODE_ID (bsc#924809). - powerpc/numa: check error return from proc_create (bsc#924809). - powerpc/numa: ensure per-cpu NUMA mappings are correct on topology update (bsc#924809). 
- powerpc/numa: use cached value of update->cpu in update_cpu_topology (bsc#924809). - powerpc/perf: Cap 64bit userspace backtraces to PERF_MAX_STACK_DEPTH (bsc#928141). - powerpc/pseries: Introduce api_version to migration sysfs interface (bsc#926314). - powerpc/pseries: Little endian fixes for post mobility device tree update (bsc#926314). - powerpc/pseries: Simplify check for suspendability during suspend/migration (bsc#926314). - powerpc: Fix sys_call_table declaration to enable syscall tracing. - powerpc: Fix warning reported by verify_cpu_node_mapping() (bsc#924809). - powerpc: Only set numa node information for present cpus at boottime (bsc#924809). - powerpc: reorder per-cpu NUMA information initialization (bsc#924809). - powerpc: some changes in numa_setup_cpu() (bsc#924809). - quota: Fix use of units in quota getting / setting interfaces (bsc#913232). - rpm/kernel-binary.spec.in: Fix build if there is no *.crt file - rpm/kernel-obs-qa.spec.in: Do not fail if the kernel versions do not match - s390/bpf: Fix ALU_NEG (A = -A) (bsc#917125, LTC#121759). - s390/bpf: Fix JMP_JGE_K (A >= K) and JMP_JGT_K (A > K) (bsc#917125, LTC#121759). - s390/bpf: Fix JMP_JGE_X (A > X) and JMP_JGT_X (A >= X) (bsc#917125, LTC#121759). - s390/bpf: Fix offset parameter for skb_copy_bits() (bsc#917125, LTC#121759). - s390/bpf: Fix sk_load_byte_msh() (bsc#917125, LTC#121759). - s390/bpf: Fix skb_copy_bits() parameter passing (bsc#917125, LTC#121759). - s390/bpf: Zero extend parameters before calling C function (bsc#917125, LTC#121759). - s390/sclp: Consolidate early sclp init calls to sclp_early_detect() (bsc#917125, LTC#122429). - s390/sclp: Determine HSA size dynamically for zfcpdump (bsc#917125, LTC#122429). - s390/sclp: Move declarations for sclp_sdias into separate header file (bsc#917125, LTC#122429). - s390/sclp: Move early code from sclp_cmd.c to sclp_early.c (bsc#917125, LTC#122429). 
- s390/sclp: replace uninitialized early_event_mask_sccb variable with sccb_early (bsc#917125, LTC#122429). - s390/sclp: revert smp-detect-possible-cpus.patch (bsc#917125, LTC#122429). - s390/sclp_early: Add function to detect sclp console capabilities (bsc#917125, LTC#122429). - s390/sclp_early: Get rid of sclp_early_read_info_sccb_valid (bsc#917125, LTC#122429). - s390/sclp_early: Pass sccb pointer to every *_detect() function (bsc#917125, LTC#122429). - s390/sclp_early: Replace early_read_info_sccb with sccb_early (bsc#917125, LTC#122429). - s390/sclp_early: Return correct HSA block count also for zero (bsc#917125, LTC#122429). - s390/smp: limit number of cpus in possible cpu mask (bsc#917125, LTC#122429). - s390: kgr, change the kgraft state only if enabled. - sched, time: Fix lock inversion in thread_group_cputime() - sched: Fix potential near-infinite distribute_cfs_runtime() loop (bsc#930786) - sched: Robustify topology setup (bsc#924809). - seqlock: Add irqsave variant of read_seqbegin_or_lock() (Time scalability). - storvsc: Set the SRB flags correctly when no data transfer is needed (bsc#931130). - x86/apic/uv: Update the APIC UV OEM check (bsc#929145). - x86/apic/uv: Update the UV APIC HUB check (bsc#929145). - x86/apic/uv: Update the UV APIC driver check (bsc#929145). - x86/microcode/intel: Guard against stack overflow in the loader (bsc#922944). Patch Instructions: To install this SUSE Security Update use YaST online_update. 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12: zypper in -t patch SUSE-SLE-WE-12-2015-269=1 - SUSE Linux Enterprise Software Development Kit 12: zypper in -t patch SUSE-SLE-SDK-12-2015-269=1 - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2015-269=1 - SUSE Linux Enterprise Module for Public Cloud 12: zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2015-269=1 - SUSE Linux Enterprise Live Patching 12: zypper in -t patch SUSE-SLE-Live-Patching-12-2015-269=1 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2015-269=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Workstation Extension 12 (x86_64): kernel-default-debuginfo-3.12.43-52.6.1 kernel-default-debugsource-3.12.43-52.6.1 kernel-default-extra-3.12.43-52.6.1 kernel-default-extra-debuginfo-3.12.43-52.6.1 - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64): kernel-obs-build-3.12.43-52.6.2 kernel-obs-build-debugsource-3.12.43-52.6.2 - SUSE Linux Enterprise Software Development Kit 12 (noarch): kernel-docs-3.12.43-52.6.2 - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64): kernel-default-3.12.43-52.6.1 kernel-default-base-3.12.43-52.6.1 kernel-default-base-debuginfo-3.12.43-52.6.1 kernel-default-debuginfo-3.12.43-52.6.1 kernel-default-debugsource-3.12.43-52.6.1 kernel-default-devel-3.12.43-52.6.1 kernel-syms-3.12.43-52.6.1 - SUSE Linux Enterprise Server 12 (x86_64): kernel-xen-3.12.43-52.6.1 kernel-xen-base-3.12.43-52.6.1 kernel-xen-base-debuginfo-3.12.43-52.6.1 kernel-xen-debuginfo-3.12.43-52.6.1 kernel-xen-debugsource-3.12.43-52.6.1 kernel-xen-devel-3.12.43-52.6.1 - SUSE Linux Enterprise Server 12 (noarch): kernel-devel-3.12.43-52.6.1 kernel-macros-3.12.43-52.6.1 kernel-source-3.12.43-52.6.1 - SUSE Linux Enterprise Server 12 (s390x): kernel-default-man-3.12.43-52.6.1 - SUSE Linux Enterprise Module for Public Cloud 12 (x86_64): 
kernel-ec2-3.12.43-52.6.1 kernel-ec2-debuginfo-3.12.43-52.6.1 kernel-ec2-debugsource-3.12.43-52.6.1 kernel-ec2-devel-3.12.43-52.6.1 kernel-ec2-extra-3.12.43-52.6.1 kernel-ec2-extra-debuginfo-3.12.43-52.6.1 - SUSE Linux Enterprise Live Patching 12 (x86_64): kgraft-patch-3_12_43-52_6-default-1-2.3 kgraft-patch-3_12_43-52_6-xen-1-2.3 - SUSE Linux Enterprise Desktop 12 (x86_64): kernel-default-3.12.43-52.6.1 kernel-default-debuginfo-3.12.43-52.6.1 kernel-default-debugsource-3.12.43-52.6.1 kernel-default-devel-3.12.43-52.6.1 kernel-default-extra-3.12.43-52.6.1 kernel-default-extra-debuginfo-3.12.43-52.6.1 kernel-syms-3.12.43-52.6.1 kernel-xen-3.12.43-52.6.1 kernel-xen-debuginfo-3.12.43-52.6.1 kernel-xen-debugsource-3.12.43-52.6.1 kernel-xen-devel-3.12.43-52.6.1 - SUSE Linux Enterprise Desktop 12 (noarch): kernel-devel-3.12.43-52.6.1 kernel-macros-3.12.43-52.6.1 kernel-source-3.12.43-52.6.1 References: https://www.suse.com/security/cve/CVE-2014-3647.html https://www.suse.com/security/cve/CVE-2014-8086.html https://www.suse.com/security/cve/CVE-2014-8159.html https://www.suse.com/security/cve/CVE-2015-1465.html https://www.suse.com/security/cve/CVE-2015-2041.html https://www.suse.com/security/cve/CVE-2015-2042.html https://www.suse.com/security/cve/CVE-2015-2666.html https://www.suse.com/security/cve/CVE-2015-2830.html https://www.suse.com/security/cve/CVE-2015-2922.html https://www.suse.com/security/cve/CVE-2015-3331.html https://www.suse.com/security/cve/CVE-2015-3332.html https://www.suse.com/security/cve/CVE-2015-3339.html https://www.suse.com/security/cve/CVE-2015-3636.html https://bugzilla.suse.com/899192 https://bugzilla.suse.com/900881 https://bugzilla.suse.com/909312 https://bugzilla.suse.com/913232 https://bugzilla.suse.com/914742 https://bugzilla.suse.com/915540 https://bugzilla.suse.com/916225 https://bugzilla.suse.com/917125 https://bugzilla.suse.com/919007 https://bugzilla.suse.com/919018 https://bugzilla.suse.com/920262 https://bugzilla.suse.com/921769 
https://bugzilla.suse.com/922583 https://bugzilla.suse.com/922734 https://bugzilla.suse.com/922944 https://bugzilla.suse.com/924664 https://bugzilla.suse.com/924803 https://bugzilla.suse.com/924809 https://bugzilla.suse.com/925567 https://bugzilla.suse.com/926156 https://bugzilla.suse.com/926240 https://bugzilla.suse.com/926314 https://bugzilla.suse.com/927084 https://bugzilla.suse.com/927115 https://bugzilla.suse.com/927116 https://bugzilla.suse.com/927257 https://bugzilla.suse.com/927285 https://bugzilla.suse.com/927308 https://bugzilla.suse.com/927455 https://bugzilla.suse.com/928122 https://bugzilla.suse.com/928130 https://bugzilla.suse.com/928135 https://bugzilla.suse.com/928141 https://bugzilla.suse.com/928708 https://bugzilla.suse.com/929092 https://bugzilla.suse.com/929145 https://bugzilla.suse.com/929525 https://bugzilla.suse.com/929883 https://bugzilla.suse.com/930224 https://bugzilla.suse.com/930226 https://bugzilla.suse.com/930669 https://bugzilla.suse.com/930786 https://bugzilla.suse.com/931014 https://bugzilla.suse.com/931130 From sle-security-updates at lists.suse.com Tue Jun 16 14:06:37 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 16 Jun 2015 22:06:37 +0200 (CEST) Subject: SUSE-SU-2015:1073-1: important: Security update for java-1_7_0-ibm Message-ID: <20150616200637.467713208D@maintenance.suse.de> SUSE Security Update: Security update for java-1_7_0-ibm ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1073-1 Rating: important References: #912434 #912447 #930365 #931693 #931702 Cross-References: CVE-2015-0138 CVE-2015-0192 CVE-2015-1914 CVE-2015-2808 Affected Products: SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Server 12 ______________________________________________________________________________ An update that solves four vulnerabilities and has one errata is now available.
Description: This update fixes the following security issues: - Version bump to 7.1-3.0 release bnc#930365 CVE-2015-0192 CVE-2015-2808 CVE-2015-1914 CVE-2015-0138 - Fix removing links before update-alternatives run. bnc#931702 - Fix bnc#912434, javaws/plugin stuff should slave plugin update-alternatives - Fix bnc#912447, use system cacerts - Update to 7.1.2.10 for sec issues bnc#916266 and bnc#916265 CVE-2014-8892 CVE-2014-8891 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12: zypper in -t patch SUSE-SLE-SDK-12-2015-270=1 - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2015-270=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64): java-1_7_1-ibm-devel-1.7.1_sr3.0-11.1 - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64): java-1_7_1-ibm-1.7.1_sr3.0-11.1 java-1_7_1-ibm-jdbc-1.7.1_sr3.0-11.1 - SUSE Linux Enterprise Server 12 (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr3.0-11.1 java-1_7_1-ibm-plugin-1.7.1_sr3.0-11.1 References: https://www.suse.com/security/cve/CVE-2015-0138.html https://www.suse.com/security/cve/CVE-2015-0192.html https://www.suse.com/security/cve/CVE-2015-1914.html https://www.suse.com/security/cve/CVE-2015-2808.html https://bugzilla.suse.com/912434 https://bugzilla.suse.com/912447 https://bugzilla.suse.com/930365 https://bugzilla.suse.com/931693 https://bugzilla.suse.com/931702 From sle-security-updates at lists.suse.com Thu Jun 18 01:04:59 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 18 Jun 2015 09:04:59 +0200 (CEST) Subject: SUSE-SU-2015:1077-1: moderate: Security update for openldap2 Message-ID: <20150618070459.23D4C32096@maintenance.suse.de> SUSE Security Update: Security update for openldap2
______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1077-1 Rating: moderate References: #905959 #916897 #916914 Cross-References: CVE-2015-1545 CVE-2015-1546 Affected Products: SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Module for Legacy Software 12 SUSE Linux Enterprise Desktop 12 12 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: openldap2 was updated to fix two security issues and one non-security bug. The following vulnerabilities were fixed: * A remote attacker could cause a denial of service through a NULL pointer dereference and crash via an empty attribute list in a deref control in a search request. (bnc#916897 CVE-2015-1545) * A remote attacker could cause a denial of service (crash) via a crafted search query with a matched values control. (bnc#916914 CVE-2015-1546) The following non-security issue was fixed: * Prevent connection-0 (internal connection) from showing up in the monitor backend (bnc#905959) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12: zypper in -t patch SUSE-SLE-SDK-12-2015-273=1 - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2015-273=1 - SUSE Linux Enterprise Module for Legacy Software 12: zypper in -t patch SUSE-SLE-Module-Legacy-12-2015-273=1 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2015-273=1 - 12: zypper in -t patch SUSE-SLE-SAP-12-2015-273=1 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Software Development Kit 12 (s390x x86_64): openldap2-back-perl-2.4.39-16.1 openldap2-back-perl-debuginfo-2.4.39-16.1 openldap2-client-debuginfo-2.4.39-16.1 openldap2-client-debugsource-2.4.39-16.1 openldap2-debuginfo-2.4.39-16.1 openldap2-debugsource-2.4.39-16.1 openldap2-devel-2.4.39-16.1 openldap2-devel-static-2.4.39-16.1 - SUSE Linux Enterprise Software Development Kit 12 (ppc64le): openldap2-back-perl-2.4.39-15.1 openldap2-back-perl-debuginfo-2.4.39-15.1 openldap2-client-debuginfo-2.4.39-15.1 openldap2-client-debugsource-2.4.39-15.1 openldap2-debuginfo-2.4.39-15.1 openldap2-debugsource-2.4.39-15.1 openldap2-devel-2.4.39-15.1 openldap2-devel-static-2.4.39-15.1 - SUSE Linux Enterprise Server 12 (s390x x86_64): libldap-2_4-2-2.4.39-16.1 libldap-2_4-2-32bit-2.4.39-16.1 libldap-2_4-2-debuginfo-2.4.39-16.1 libldap-2_4-2-debuginfo-32bit-2.4.39-16.1 openldap2-2.4.39-16.1 openldap2-back-meta-2.4.39-16.1 openldap2-back-meta-debuginfo-2.4.39-16.1 openldap2-client-2.4.39-16.1 openldap2-client-debuginfo-2.4.39-16.1 openldap2-client-debugsource-2.4.39-16.1 openldap2-debuginfo-2.4.39-16.1 openldap2-debugsource-2.4.39-16.1 - SUSE Linux Enterprise Server 12 (ppc64le): libldap-2_4-2-2.4.39-15.1 libldap-2_4-2-debuginfo-2.4.39-15.1 openldap2-2.4.39-15.1 openldap2-back-meta-2.4.39-15.1 openldap2-back-meta-debuginfo-2.4.39-15.1 openldap2-client-2.4.39-15.1 openldap2-client-debuginfo-2.4.39-15.1 openldap2-client-debugsource-2.4.39-15.1 openldap2-debuginfo-2.4.39-15.1 openldap2-debugsource-2.4.39-15.1 - SUSE Linux Enterprise Module for Legacy Software 12 (s390x x86_64): compat-libldap-2_3-0-2.3.37-16.1 compat-libldap-2_3-0-debuginfo-2.3.37-16.1 - SUSE Linux Enterprise Module for Legacy Software 12 (ppc64le): compat-libldap-2_3-0-2.3.37-15.1 compat-libldap-2_3-0-debuginfo-2.3.37-15.1 - SUSE Linux Enterprise Desktop 12 (x86_64): libldap-2_4-2-2.4.39-16.1 libldap-2_4-2-32bit-2.4.39-16.1 libldap-2_4-2-debuginfo-2.4.39-16.1 
libldap-2_4-2-debuginfo-32bit-2.4.39-16.1 openldap2-client-2.4.39-16.1 openldap2-client-debuginfo-2.4.39-16.1 openldap2-client-debugsource-2.4.39-16.1 - 12 (x86_64): compat-libldap-2_3-0-2.3.37-16.1 compat-libldap-2_3-0-debuginfo-2.3.37-16.1 References: https://www.suse.com/security/cve/CVE-2015-1545.html https://www.suse.com/security/cve/CVE-2015-1546.html https://bugzilla.suse.com/905959 https://bugzilla.suse.com/916897 https://bugzilla.suse.com/916914 From sle-security-updates at lists.suse.com Thu Jun 18 08:05:18 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 18 Jun 2015 16:05:18 +0200 (CEST) Subject: SUSE-SU-2015:1085-1: important: Security update for IBM Java Message-ID: <20150618140518.5468D32096@maintenance.suse.de> SUSE Security Update: Security update for IBM Java ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1085-1 Rating: important References: #930365 #931702 Affected Products: SUSE Linux Enterprise Server 10 SP4 LTSS ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: IBM Java 1.5.0 was updated to SR16-FP10 fixing security issues and bugs. 
Tabulated information can be found on: http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May_2015 CVE-2015-0192 CVE-2015-2808 CVE-2015-1914 CVE-2015-0138 CVE-2015-0491 CVE-2015-0459 CVE-2015-0469 CVE-2015-0480 CVE-2015-0488 CVE-2015-0478 CVE-2015-0477 CVE-2015-0204 Package List: - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64): java-1_5_0-ibm-1.5.0_sr16.10-0.6.1 java-1_5_0-ibm-devel-1.5.0_sr16.10-0.6.1 java-1_5_0-ibm-fonts-1.5.0_sr16.10-0.6.1 - SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64): java-1_5_0-ibm-32bit-1.5.0_sr16.10-0.6.1 java-1_5_0-ibm-devel-32bit-1.5.0_sr16.10-0.6.1 - SUSE Linux Enterprise Server 10 SP4 LTSS (x86_64): java-1_5_0-ibm-alsa-32bit-1.5.0_sr16.10-0.6.1 - SUSE Linux Enterprise Server 10 SP4 LTSS (i586): java-1_5_0-ibm-alsa-1.5.0_sr16.10-0.6.1 java-1_5_0-ibm-jdbc-1.5.0_sr16.10-0.6.1 java-1_5_0-ibm-plugin-1.5.0_sr16.10-0.6.1 References: https://bugzilla.suse.com/930365 https://bugzilla.suse.com/931702 https://download.suse.com/patch/finder/?keywords=75c7c1e62322e337b7527c52591a9e20 From sle-security-updates at lists.suse.com Thu Jun 18 08:05:47 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 18 Jun 2015 16:05:47 +0200 (CEST) Subject: SUSE-SU-2015:1086-1: important: Security update for IBM Java Message-ID: <20150618140547.36C4132096@maintenance.suse.de> SUSE Security Update: Security update for IBM Java ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1086-1 Rating: important References: #912434 #912447 #930365 #931702 Cross-References: CVE-2015-0138 CVE-2015-0192 CVE-2015-0204 CVE-2015-0458 CVE-2015-0459 CVE-2015-0469 CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 CVE-2015-0488 CVE-2015-0491 CVE-2015-1914 CVE-2015-2808 Affected Products: SUSE Manager 1.7 for SLE 11 SP2 SUSE Linux Enterprise Server 11 SP2 LTSS SUSE Linux Enterprise Server 11 SP1 LTSS 
______________________________________________________________________________ An update that fixes 13 vulnerabilities is now available. Description: IBM Java 1.6.0 was updated to SR16-FP4 fixing security issues and bugs. Tabulated information can be found on: http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May_2015 CVE-2015-0192 CVE-2015-2808 CVE-2015-1914 CVE-2015-0138 CVE-2015-0491 CVE-2015-0458 CVE-2015-0459 CVE-2015-0469 CVE-2015-0480 CVE-2015-0488 CVE-2015-0478 CVE-2015-0477 CVE-2015-0204 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Manager 1.7 for SLE 11 SP2: zypper in -t patch sleman17sp2-java-1_6_0-ibm=10765 - SUSE Linux Enterprise Server 11 SP2 LTSS: zypper in -t patch slessp2-java-1_6_0-ibm=10767 - SUSE Linux Enterprise Server 11 SP1 LTSS: zypper in -t patch slessp1-java-1_6_0-ibm=10766 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Manager 1.7 for SLE 11 SP2 (x86_64): java-1_6_0-ibm-1.6.0_sr16.4-0.3.1 java-1_6_0-ibm-devel-1.6.0_sr16.4-0.3.1 java-1_6_0-ibm-fonts-1.6.0_sr16.4-0.3.1 java-1_6_0-ibm-jdbc-1.6.0_sr16.4-0.3.1 java-1_6_0-ibm-plugin-1.6.0_sr16.4-0.3.1 - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64): java-1_6_0-ibm-1.6.0_sr16.4-0.3.1 java-1_6_0-ibm-devel-1.6.0_sr16.4-0.3.1 java-1_6_0-ibm-fonts-1.6.0_sr16.4-0.3.1 java-1_6_0-ibm-jdbc-1.6.0_sr16.4-0.3.1 - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 x86_64): java-1_6_0-ibm-plugin-1.6.0_sr16.4-0.3.1 - SUSE Linux Enterprise Server 11 SP2 LTSS (i586): java-1_6_0-ibm-alsa-1.6.0_sr16.4-0.3.1 - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64): java-1_6_0-ibm-1.6.0_sr16.4-0.3.1 java-1_6_0-ibm-fonts-1.6.0_sr16.4-0.3.1 java-1_6_0-ibm-jdbc-1.6.0_sr16.4-0.3.1 - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 x86_64): java-1_6_0-ibm-plugin-1.6.0_sr16.4-0.3.1 - SUSE Linux Enterprise Server 11 SP1 LTSS (i586): 
java-1_6_0-ibm-alsa-1.6.0_sr16.4-0.3.1 References: https://www.suse.com/security/cve/CVE-2015-0138.html https://www.suse.com/security/cve/CVE-2015-0192.html https://www.suse.com/security/cve/CVE-2015-0204.html https://www.suse.com/security/cve/CVE-2015-0458.html https://www.suse.com/security/cve/CVE-2015-0459.html https://www.suse.com/security/cve/CVE-2015-0469.html https://www.suse.com/security/cve/CVE-2015-0477.html https://www.suse.com/security/cve/CVE-2015-0478.html https://www.suse.com/security/cve/CVE-2015-0480.html https://www.suse.com/security/cve/CVE-2015-0488.html https://www.suse.com/security/cve/CVE-2015-0491.html https://www.suse.com/security/cve/CVE-2015-1914.html https://www.suse.com/security/cve/CVE-2015-2808.html https://bugzilla.suse.com/912434 https://bugzilla.suse.com/912447 https://bugzilla.suse.com/930365 https://bugzilla.suse.com/931702 https://download.suse.com/patch/finder/?keywords=6f9a706de68429847056a5fac89d2fd8 https://download.suse.com/patch/finder/?keywords=8e0b4a662058afb89ec5495af0c8e3db https://download.suse.com/patch/finder/?keywords=cfac8b8406c0b7db38257f6caed57376 From sle-security-updates at lists.suse.com Fri Jun 19 16:05:06 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Sat, 20 Jun 2015 00:05:06 +0200 (CEST) Subject: SUSE-SU-2015:1091-1: moderate: Security update for postgresql91 Message-ID: <20150619220506.A61F431FD2@maintenance.suse.de> SUSE Security Update: Security update for postgresql91 ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1091-1 Rating: moderate References: #907651 #931972 #931973 #931974 #932040 Cross-References: CVE-2015-3165 CVE-2015-3166 CVE-2015-3167 Affected Products: SUSE Manager Server SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 
______________________________________________________________________________ An update that solves three vulnerabilities and has two fixes is now available. It includes one version update. Description: This update provides PostgreSQL 9.1.18, which brings fixes for security issues and other enhancements. The following vulnerabilities have been fixed: * CVE-2015-3165: Avoid possible crash when client disconnects. (bsc#931972) * CVE-2015-3166: Consistently check for failure of the *printf(). (bsc#931973) * CVE-2015-3167: In contrib/pgcrypto, uniformly report decryption failures. (bsc#931974) For a comprehensive list of changes, please refer to http://www.postgresql.org/docs/9.1/static/release-9-1-18.html . This update also includes changes in PostgreSQL's packaging to prepare for the migration to the new major version 9.4. (FATE#316970, bsc#907651) Security Issues: * CVE-2015-3165 * CVE-2015-3166 * CVE-2015-3167 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Manager Server: zypper in -t patch sleman21-postgresql91-201505=10760 - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-postgresql91-201505=10760 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-postgresql91-201505=10760 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-postgresql91-201505=10760 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-postgresql91-201505=10760 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Manager Server (s390x x86_64) [New Version: 9.1.18]: postgresql91-pltcl-9.1.18-0.3.1 - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 9.1.18]: postgresql91-devel-9.1.18-0.3.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 9.1.18]: postgresql91-9.1.18-0.3.1 postgresql91-contrib-9.1.18-0.3.1 postgresql91-docs-9.1.18-0.3.1 postgresql91-server-9.1.18-0.3.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 9.1.18]: postgresql91-9.1.18-0.3.1 postgresql91-contrib-9.1.18-0.3.1 postgresql91-docs-9.1.18-0.3.1 postgresql91-server-9.1.18-0.3.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 9.1.18]: postgresql91-9.1.18-0.3.1 postgresql91-docs-9.1.18-0.3.1 References: https://www.suse.com/security/cve/CVE-2015-3165.html https://www.suse.com/security/cve/CVE-2015-3166.html https://www.suse.com/security/cve/CVE-2015-3167.html https://bugzilla.suse.com/907651 https://bugzilla.suse.com/931972 https://bugzilla.suse.com/931973 https://bugzilla.suse.com/931974 https://bugzilla.suse.com/932040 https://download.suse.com/patch/finder/?keywords=00fcb88ab431584bc7bf32ba75396dee From sle-security-updates at lists.suse.com Mon Jun 22 08:04:53 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 22 Jun 2015 16:04:53 +0200 (CEST) Subject: SUSE-SU-2015:1086-2: important: Security update for IBM Java Message-ID: <20150622140453.E6AA432049@maintenance.suse.de> SUSE Security Update: Security update for IBM Java ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1086-2 Rating: important References: #912434 #912447 #930365 #931702 Cross-References: CVE-2015-0138 CVE-2015-0192 CVE-2015-0204 CVE-2015-0458 CVE-2015-0459 CVE-2015-0469 CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 CVE-2015-0488 CVE-2015-0491 CVE-2015-1914 CVE-2015-2808 Affected 
Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 ______________________________________________________________________________ An update that fixes 13 vulnerabilities is now available. Description: IBM Java 1.6.0 was updated to SR16-FP4 fixing security issues and bugs. Tabulated information can be found on: http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May_2015 CVE-2015-0192 CVE-2015-2808 CVE-2015-1914 CVE-2015-0138 CVE-2015-0491 CVE-2015-0458 CVE-2015-0459 CVE-2015-0469 CVE-2015-0480 CVE-2015-0488 CVE-2015-0478 CVE-2015-0477 CVE-2015-0204 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-java-1_6_0-ibm=10761 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-java-1_6_0-ibm=10761 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-java-1_6_0-ibm=10761 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ppc64 s390x x86_64): java-1_6_0-ibm-devel-1.6.0_sr16.4-0.3.1 - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64): java-1_6_0-ibm-1.6.0_sr16.4-0.3.1 java-1_6_0-ibm-fonts-1.6.0_sr16.4-0.3.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): java-1_6_0-ibm-1.6.0_sr16.4-0.3.1 java-1_6_0-ibm-fonts-1.6.0_sr16.4-0.3.1 java-1_6_0-ibm-jdbc-1.6.0_sr16.4-0.3.1 java-1_6_0-ibm-plugin-1.6.0_sr16.4-0.3.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586): java-1_6_0-ibm-alsa-1.6.0_sr16.4-0.3.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ppc64 s390x x86_64): java-1_6_0-ibm-1.6.0_sr16.4-0.3.1 java-1_6_0-ibm-fonts-1.6.0_sr16.4-0.3.1 java-1_6_0-ibm-jdbc-1.6.0_sr16.4-0.3.1 - SUSE Linux Enterprise Server 11 SP3 (i586 x86_64): java-1_6_0-ibm-plugin-1.6.0_sr16.4-0.3.1 - SUSE Linux Enterprise Server 11 SP3 (i586): java-1_6_0-ibm-alsa-1.6.0_sr16.4-0.3.1 References: https://www.suse.com/security/cve/CVE-2015-0138.html https://www.suse.com/security/cve/CVE-2015-0192.html https://www.suse.com/security/cve/CVE-2015-0204.html https://www.suse.com/security/cve/CVE-2015-0458.html https://www.suse.com/security/cve/CVE-2015-0459.html https://www.suse.com/security/cve/CVE-2015-0469.html https://www.suse.com/security/cve/CVE-2015-0477.html https://www.suse.com/security/cve/CVE-2015-0478.html https://www.suse.com/security/cve/CVE-2015-0480.html https://www.suse.com/security/cve/CVE-2015-0488.html https://www.suse.com/security/cve/CVE-2015-0491.html https://www.suse.com/security/cve/CVE-2015-1914.html https://www.suse.com/security/cve/CVE-2015-2808.html https://bugzilla.suse.com/912434 https://bugzilla.suse.com/912447 https://bugzilla.suse.com/930365 https://bugzilla.suse.com/931702 https://download.suse.com/patch/finder/?keywords=224547d04b097be81efdd550de500459 From sle-security-updates at lists.suse.com Mon Jun 22 13:04:50 2015 From: sle-security-updates at lists.suse.com 
(sle-security-updates at lists.suse.com) Date: Mon, 22 Jun 2015 21:04:50 +0200 (CEST) Subject: SUSE-SU-2015:1098-1: moderate: Security update for wireshark Message-ID: <20150622190450.5948232049@maintenance.suse.de> SUSE Security Update: Security update for wireshark ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1098-1 Rating: moderate References: #930691 Cross-References: CVE-2015-3811 CVE-2015-3812 CVE-2015-3814 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. It includes one version update. Description: Wireshark was updated and fixes the following issues: * CVE-2015-3811: The WCP dissector could crash while decompressing data. * CVE-2015-3812: The X11 dissector could leak memory. * CVE-2015-3814: The IEEE 802.11 dissector could go into an infinite loop. Security Issues: * CVE-2015-3811 * CVE-2015-3812 * CVE-2015-3814 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-wireshark=10771 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-wireshark=10771 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-wireshark=10771 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-wireshark=10771 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.10.14]: wireshark-devel-1.10.14-0.3.1 - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64) [New Version: 1.10.14]: wireshark-1.10.14-0.3.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 1.10.14]: wireshark-1.10.14-0.3.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.10.14]: wireshark-1.10.14-0.3.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 1.10.14]: wireshark-1.10.14-0.3.1 References: https://www.suse.com/security/cve/CVE-2015-3811.html https://www.suse.com/security/cve/CVE-2015-3812.html https://www.suse.com/security/cve/CVE-2015-3814.html https://bugzilla.suse.com/930691 https://download.suse.com/patch/finder/?keywords=36aa94401b00b061228c5708edabe8b7 From sle-security-updates at lists.suse.com Tue Jun 23 07:59:31 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 23 Jun 2015 15:59:31 +0200 (CEST) Subject: SUSE-SU-2015:0925-2: moderate: Security update for python-PyYAML Message-ID: <20150623135931.577F432049@maintenance.suse.de> SUSE Security Update: Security update for python-PyYAML ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0925-2 Rating: moderate References: #921588 Cross-References: CVE-2014-9130 Affected Products: SUSE OpenStack Cloud Compute 5 SUSE Enterprise Storage 1.0 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: python-PyYAML was updated to fix one security issue which could have allowed an attacker to cause a denial of service by supplying specially crafted strings. The following issue was fixed: - #921588: python-PyYAML: assert failure when processing wrapped strings (equivalent to CVE-2014-9130 in LibYAML) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Compute 5: zypper in -t patch SUSE-SLE12-CLOUD-5-2015-208=1 - SUSE Enterprise Storage 1.0: zypper in -t patch SUSE-Storage-1.0-2015-208=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE OpenStack Cloud Compute 5 (x86_64): python-PyYAML-3.10-15.1 python-PyYAML-debuginfo-3.10-15.1 python-PyYAML-debugsource-3.10-15.1 - SUSE Enterprise Storage 1.0 (x86_64): python-PyYAML-3.10-15.1 python-PyYAML-debuginfo-3.10-15.1 python-PyYAML-debugsource-3.10-15.1 References: https://www.suse.com/security/cve/CVE-2014-9130.html https://bugzilla.suse.com/921588 From sle-security-updates at lists.suse.com Tue Jun 23 07:59:49 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 23 Jun 2015 15:59:49 +0200 (CEST) Subject: SUSE-SU-2015:1102-1: moderate: Security update for SES 1.0 Message-ID: <20150623135949.99C1E32049@maintenance.suse.de> SUSE Security Update: Security update for SES 1.0 ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1102-1 Rating: moderate References: #889053 #903007 #907510 #915567 #915783 #919091 #919313 #919965 #920926 #924269 #924894 #927862 #929553 #929886 #929914 Cross-References: CVE-2014-3589 CVE-2014-3598 CVE-2015-3010 Affected Products: SUSE Enterprise Storage 1.0 ______________________________________________________________________________ An update that solves three vulnerabilities and has 12 fixes is now available. 
Description: This collective update for SUSE Enterprise Storage 1.0 provides fixes and enhancements. ceph (update to version 0.80.9): - Support non-ASCII characters. (bnc#907510) - Fixes issue with more than one OSD / MON on same node. (bnc#927862) - Reinstates Environment=CLUSTER=ceph lines removed by last patch. (bnc#915567) - Use same systemd service files for all cluster names. (bnc#915567) - In OSDMonitor fallback to json-pretty in case of invalid formatter. (bnc#919313) - Increase max files to 131072 for ceph-osd daemon. (bnc#924894) - Fix "OSDs shutdown during rados benchmark tests". (bnc#924269) - Add SuSEfirewall2 service files for Ceph MON, OSD and MDS. (bnc#919091) - Added support for multiple cluster names with systemd to ceph-disk. (bnc#915567) - Move udev rules for rbd devices to the client package ceph-common. - Several issues reported upstream have been fixed: #9973 #9918 #9907 #9877 #9854 #9587 #9479 #9478 #9254 #5595 #10978 #10965 #10907 #10553 #10471 #10421 #10307 #10299 #10271 #10271 #10270 #10262 #10103 #10095. ceph-deploy: - Drop support for multiple customer names on the same hardware. (bsc#915567) - Check for errors when generating rgw keys. (bsc#915783) - Do not import new repository keys automatically when installing packages with Zypper. (bsc#919965) - Improved detection of disk vs. OSD block devices with a simple set of tests. (bsc#889053) - Do not create keyring files as world-readable. (bsc#920926, CVE-2015-3010) - Added support for multiple cluster names with systemd to ceph-disk. (bnc#915567) calamari-clients: - Reduce krakenFailThreshold to 5 minutes. (bsc#903007) python-Pillow (update to version 2.7.0): - Fix issues in Jpeg2KImagePlugin and IcnsImagePlugin which could have allowed denial of service attacks. (CVE-2014-3598, CVE-2014-3589) python-djangorestframework: - Escape URLs when replacing format= query parameter, as used in dropdown on GET button in browsable API to allow explicit selection of JSON vs HTML output. 
(bsc#929914) - Escape request path when it is included as part of the login and logout links in the browsable API. (bsc#929886) For a comprehensive list of changes please refer to each package's change log. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Enterprise Storage 1.0: zypper in -t patch SUSE-Storage-1.0-2015-250=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Enterprise Storage 1.0 (x86_64): ceph-0.80.9-5.1 ceph-common-0.80.9-5.1 ceph-common-debuginfo-0.80.9-5.1 ceph-debuginfo-0.80.9-5.1 ceph-debugsource-0.80.9-5.1 ceph-fuse-0.80.9-5.1 ceph-fuse-debuginfo-0.80.9-5.1 ceph-radosgw-0.80.9-5.1 ceph-radosgw-debuginfo-0.80.9-5.1 ceph-test-0.80.9-5.1 ceph-test-debuginfo-0.80.9-5.1 libcephfs1-0.80.9-5.1 libcephfs1-debuginfo-0.80.9-5.1 librados2-0.80.9-5.1 librados2-debuginfo-0.80.9-5.1 librbd1-0.80.9-5.1 librbd1-debuginfo-0.80.9-5.1 python-Pillow-2.7.0-4.1 python-Pillow-debuginfo-2.7.0-4.1 python-Pillow-debugsource-2.7.0-4.1 python-ceph-0.80.9-5.1 rbd-fuse-0.80.9-5.1 rbd-fuse-debuginfo-0.80.9-5.1 - SUSE Enterprise Storage 1.0 (noarch): calamari-clients-1.2.2+git.1428648634.40dfe5b-3.1 ceph-deploy-1.5.19+git.1431355031.6178cf3-9.1 python-djangorestframework-2.3.12-4.2 References: https://www.suse.com/security/cve/CVE-2014-3589.html https://www.suse.com/security/cve/CVE-2014-3598.html https://www.suse.com/security/cve/CVE-2015-3010.html https://bugzilla.suse.com/889053 https://bugzilla.suse.com/903007 https://bugzilla.suse.com/907510 https://bugzilla.suse.com/915567 https://bugzilla.suse.com/915783 https://bugzilla.suse.com/919091 https://bugzilla.suse.com/919313 https://bugzilla.suse.com/919965 https://bugzilla.suse.com/920926 https://bugzilla.suse.com/924269 https://bugzilla.suse.com/924894 https://bugzilla.suse.com/927862 https://bugzilla.suse.com/929553 https://bugzilla.suse.com/929886 https://bugzilla.suse.com/929914 From 
sle-security-updates at lists.suse.com Tue Jun 23 08:03:02 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 23 Jun 2015 16:03:02 +0200 (CEST) Subject: SUSE-SU-2015:1103-1: important: Security update for e2fsprogs Message-ID: <20150623140302.385D832049@maintenance.suse.de> SUSE Security Update: Security update for e2fsprogs ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1103-1 Rating: important References: #915402 #918346 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Desktop 11-SP4 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update provides the following security-fixes for e2fsprogs: libext2fs: fix potential buffer overflow in closefs() (bsc#918346, CVE-2015-1572) libext2fs: avoid buffer overflow if s_first_meta_bg is too big (bsc#915402, CVE-2015-0247) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-e2fsprogs-219=1 - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-e2fsprogs-219=1 - SUSE Linux Enterprise Desktop 11-SP4: zypper in -t patch sledsp4-e2fsprogs-219=1 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): e2fsprogs-devel-1.41.9-2.14.2 libcom_err-devel-1.41.9-2.14.2 libext2fs-devel-1.41.9-2.14.2 - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64): libcom_err-devel-32bit-1.41.9-2.14.2 libext2fs-devel-32bit-1.41.9-2.14.2 libext2fs2-32bit-1.41.9-2.14.2 - SUSE Linux Enterprise Software Development Kit 11-SP4 (ia64): libext2fs2-x86-1.41.9-2.14.2 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): e2fsprogs-1.41.9-2.14.2 libcom_err2-1.41.9-2.14.2 libext2fs2-1.41.9-2.14.2 - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64): libcom_err2-32bit-1.41.9-2.14.2 - SUSE Linux Enterprise Server 11-SP4 (ia64): libcom_err2-x86-1.41.9-2.14.2 - SUSE Linux Enterprise Desktop 11-SP4 (i586 x86_64): e2fsprogs-1.41.9-2.14.2 libcom_err2-1.41.9-2.14.2 libext2fs2-1.41.9-2.14.2 - SUSE Linux Enterprise Desktop 11-SP4 (x86_64): libcom_err2-32bit-1.41.9-2.14.2 References: https://bugzilla.suse.com/915402 https://bugzilla.suse.com/918346 From sle-security-updates at lists.suse.com Tue Jun 23 08:05:11 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 23 Jun 2015 16:05:11 +0200 (CEST) Subject: SUSE-SU-2015:1109-1: moderate: Security update for python-Django Message-ID: <20150623140511.640F73205C@maintenance.suse.de> SUSE Security Update: Security update for python-Django ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1109-1 Rating: moderate References: #913053 #913055 #913056 #923172 #923176 Cross-References: CVE-2015-0219 CVE-2015-0221 CVE-2015-0222 CVE-2015-2316 CVE-2015-2317 Affected Products: SUSE Enterprise Storage 1.0 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. 
Description: python-django was updated to 1.6.11 to fix security issues and non-security bugs. The following vulnerabilities were fixed: * Made is_safe_url() reject URLs that start with control characters to mitigate possible XSS attack via user-supplied redirect URLs (bnc#923176, CVE-2015-2317) * Fixed an infinite loop possibility in strip_tags() (bnc#923172, CVE-2015-2316) * WSGI header spoofing via underscore/dash conflation (bnc#913053, CVE-2015-0219) * Mitigated possible XSS attack via user-supplied redirect URLs * Denial-of-service attack against ``django.views.static.serve`` (bnc#913056, CVE-2015-0221) * Database denial-of-service with ``ModelMultipleChoiceField`` (bnc#913055, CVE-2015-0222) The update also contains fixes for non-security bugs, functional and stability issues. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Enterprise Storage 1.0: zypper in -t patch SUSE-Storage-1.0-2015-271=1 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Enterprise Storage 1.0 (noarch): python-Django-1.6.11-4.1 References: https://www.suse.com/security/cve/CVE-2015-0219.html https://www.suse.com/security/cve/CVE-2015-0221.html https://www.suse.com/security/cve/CVE-2015-0222.html https://www.suse.com/security/cve/CVE-2015-2316.html https://www.suse.com/security/cve/CVE-2015-2317.html https://bugzilla.suse.com/913053 https://bugzilla.suse.com/913055 https://bugzilla.suse.com/913056 https://bugzilla.suse.com/923172 https://bugzilla.suse.com/923176 From sle-security-updates at lists.suse.com Tue Jun 23 08:06:24 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 23 Jun 2015 16:06:24 +0200 (CEST) Subject: SUSE-SU-2015:1112-1: moderate: Security update for python-Django Message-ID: <20150623140624.AB46232067@maintenance.suse.de> SUSE Security Update: Security update for python-Django ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1112-1 Rating: moderate References: #913053 #913055 #913056 #923172 #923176 Cross-References: CVE-2015-0219 CVE-2015-0221 CVE-2015-0222 CVE-2015-2316 CVE-2015-2317 Affected Products: SUSE Enterprise Storage 1.0 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. Description: python-django was updated to 1.6.11 to fix security issues and non-security bugs. 
The following vulnerabilities were fixed: * Made is_safe_url() reject URLs that start with control characters to mitigate possible XSS attack via user-supplied redirect URLs (bnc#923176, CVE-2015-2317) * Fixed an infinite loop possibility in strip_tags() (bnc#923172, CVE-2015-2316) * WSGI header spoofing via underscore/dash conflation (bnc#913053, CVE-2015-0219) * Mitigated possible XSS attack via user-supplied redirect URLs * Denial-of-service attack against ``django.views.static.serve`` (bnc#913056, CVE-2015-0221) * Database denial-of-service with ``ModelMultipleChoiceField`` (bnc#913055, CVE-2015-0222) The update also contains fixes for non-security bugs, functional and stability issues. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Enterprise Storage 1.0: zypper in -t patch SUSE-Storage-1.0-2015-271=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Enterprise Storage 1.0 (noarch): python-Django-1.6.11-4.1 References: https://www.suse.com/security/cve/CVE-2015-0219.html https://www.suse.com/security/cve/CVE-2015-0221.html https://www.suse.com/security/cve/CVE-2015-0222.html https://www.suse.com/security/cve/CVE-2015-2316.html https://www.suse.com/security/cve/CVE-2015-2317.html https://bugzilla.suse.com/913053 https://bugzilla.suse.com/913055 https://bugzilla.suse.com/913056 https://bugzilla.suse.com/923172 https://bugzilla.suse.com/923176 From sle-security-updates at lists.suse.com Tue Jun 23 08:08:44 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 23 Jun 2015 16:08:44 +0200 (CEST) Subject: SUSE-SU-2015:0979-2: moderate: Security update for dnsmasq Message-ID: <20150623140844.5484A3205C@maintenance.suse.de> SUSE Security Update: Security update for dnsmasq ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0979-2 Rating: 
moderate References: #923144 #928867 Cross-References: CVE-2015-3294 Affected Products: SUSE OpenStack Cloud Compute 5 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: The DNS server dnsmasq was updated to fix one security issue and one non-security bug. The following vulnerability was fixed: * CVE-2015-3294: A remote unauthenticated attacker could have caused a denial of service (DoS) or read heap memory, potentially disclosing information such as performed DNS queries or encryption keys. (bsc#928867) The following bug was fixed: * bsc#923144: When answer to an upstream query is a CNAME pointing to an A/AAAA record which is present locally (/etc/hosts), allow caching when the upstream and local A/AAAA records have the same value. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Compute 5: zypper in -t patch SUSE-SLE12-CLOUD-5-2015-229=1 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE OpenStack Cloud Compute 5 (x86_64): dnsmasq-debuginfo-2.71-4.1 dnsmasq-debugsource-2.71-4.1 dnsmasq-utils-2.71-4.1 dnsmasq-utils-debuginfo-2.71-4.1 References: https://www.suse.com/security/cve/CVE-2015-3294.html https://bugzilla.suse.com/923144 https://bugzilla.suse.com/928867 From sle-security-updates at lists.suse.com Tue Jun 23 08:10:16 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 23 Jun 2015 16:10:16 +0200 (CEST) Subject: SUSE-SU-2015:0979-2: moderate: Security update for dnsmasq Message-ID: <20150623141016.CC8623205C@maintenance.suse.de> SUSE Security Update: Security update for dnsmasq ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0979-2 Rating: moderate References: #923144 #928867 Cross-References: CVE-2015-3294 Affected Products: SUSE OpenStack Cloud Compute 5 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: The DNS server dnsmasq was updated to fix one security issue and one non-security bug. The following vulnerability was fixed: * CVE-2015-3294: A remote unauthenticated attacker could have caused a denial of service (DoS) or read heap memory, potentially disclosing information such as performed DNS queries or encryption keys. (bsc#928867) The following bug was fixed: * bsc#923144: When answer to an upstream query is a CNAME pointing to an A/AAAA record which is present locally (/etc/hosts), allow caching when the upstream and local A/AAAA records have the same value. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Compute 5: zypper in -t patch SUSE-SLE12-CLOUD-5-2015-229=1 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE OpenStack Cloud Compute 5 (x86_64): dnsmasq-debuginfo-2.71-4.1 dnsmasq-debugsource-2.71-4.1 dnsmasq-utils-2.71-4.1 dnsmasq-utils-debuginfo-2.71-4.1 References: https://www.suse.com/security/cve/CVE-2015-3294.html https://bugzilla.suse.com/923144 https://bugzilla.suse.com/928867 From sle-security-updates at lists.suse.com Tue Jun 23 10:05:07 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 23 Jun 2015 18:05:07 +0200 (CEST) Subject: SUSE-SU-2015:1127-1: moderate: Security update for xorg-x11-server Message-ID: <20150623160507.79EC03205C@maintenance.suse.de> SUSE Security Update: Security update for xorg-x11-server ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1127-1 Rating: moderate References: #923229 #925019 #925021 #925022 #928520 Cross-References: CVE-2014-8092 CVE-2015-3418 Affected Products: SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that solves two vulnerabilities and has three fixes is now available. Description: The X Server was updated to fix 1 security issue and 4 bugs: Security issues: - CVE-2015-3418: Fixed a regression introduced by CVE-2014-8092 in PutImage that caused crashes when called with 0 height (bnc#928520). Bugs fixed: - Xephyr: Don't crash when no command line argument is specified The DDX specific command line parsing function only gets called if command line arguments are present. Therefore this function is not suitable to initialize mandatory global variables. Replace main() instead.
(bnc#925022) - Xephyr: Print default server display number if none is specified (bnc#925022) - Xephyr: Fix broken image when endianness of client machine and host-Xserver differ The image is created in the native byte order of the machine Xephyr is rendered on however drawn in the image byte order of the Xephyr server. Correct byte order in the xcb_image_t structure and convert to native before updating the window. If depths of Xephyr and host server differ this is already taken care of by the depth conversion routine. (bnc#923229). - Xephyr: Fix compile when debugging is enabled (bnc#925021) - Xephyr: Fix screen image draw for the non-Glamor & non-XHSM case xcb_image_put() prints the entire image, therefore don't use an offset. (bnc#925019) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12: zypper in -t patch SUSE-SLE-SDK-12-2015-278=1 - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2015-278=1 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2015-278=1 To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64): xorg-x11-server-debuginfo-7.6_1.15.2-28.4 xorg-x11-server-debugsource-7.6_1.15.2-28.4 xorg-x11-server-sdk-7.6_1.15.2-28.4 - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64): xorg-x11-server-7.6_1.15.2-28.4 xorg-x11-server-debuginfo-7.6_1.15.2-28.4 xorg-x11-server-debugsource-7.6_1.15.2-28.4 xorg-x11-server-extra-7.6_1.15.2-28.4 xorg-x11-server-extra-debuginfo-7.6_1.15.2-28.4 - SUSE Linux Enterprise Desktop 12 (x86_64): xorg-x11-server-7.6_1.15.2-28.4 xorg-x11-server-debuginfo-7.6_1.15.2-28.4 xorg-x11-server-debugsource-7.6_1.15.2-28.4 xorg-x11-server-extra-7.6_1.15.2-28.4 xorg-x11-server-extra-debuginfo-7.6_1.15.2-28.4 References: https://www.suse.com/security/cve/CVE-2014-8092.html https://www.suse.com/security/cve/CVE-2015-3418.html https://bugzilla.suse.com/923229 https://bugzilla.suse.com/925019 https://bugzilla.suse.com/925021 https://bugzilla.suse.com/925022 https://bugzilla.suse.com/928520 From sle-security-updates at lists.suse.com Wed Jun 24 09:05:08 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 24 Jun 2015 17:05:08 +0200 (CEST) Subject: SUSE-SU-2015:1136-1: important: Security update for flash-player Message-ID: <20150624150508.7780D3205C@maintenance.suse.de> SUSE Security Update: Security update for flash-player ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1136-1 Rating: important References: #935701 Cross-References: CVE-2015-3113 Affected Products: SUSE Linux Enterprise Workstation Extension 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: Adobe Flash Player was updated to 11.2.202.468, fixing a security issue, where attackers could trigger a heap overflow and could execute code. 
https://helpx.adobe.com/security/products/flash-player/apsb15-14.html Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12: zypper in -t patch SUSE-SLE-WE-12-2015-279=1 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2015-279=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Workstation Extension 12 (i586 x86_64): flash-player-11.2.202.468-89.1 flash-player-gnome-11.2.202.468-89.1 - SUSE Linux Enterprise Desktop 12 (i586 x86_64): flash-player-11.2.202.468-89.1 flash-player-gnome-11.2.202.468-89.1 References: https://www.suse.com/security/cve/CVE-2015-3113.html https://bugzilla.suse.com/935701 From sle-security-updates at lists.suse.com Wed Jun 24 14:05:07 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 24 Jun 2015 22:05:07 +0200 (CEST) Subject: SUSE-SU-2015:1086-3: important: Security update for Java Message-ID: <20150624200507.9B6143205C@maintenance.suse.de> SUSE Security Update: Security update for Java ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1086-3 Rating: important References: #912434 #912447 #930365 #931702 Cross-References: CVE-2015-0138 CVE-2015-0192 CVE-2015-0204 CVE-2015-0458 CVE-2015-0459 CVE-2015-0469 CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 CVE-2015-0488 CVE-2015-0491 CVE-2015-1914 CVE-2015-2808 Affected Products: SUSE Linux Enterprise Server 11 SP2 LTSS ______________________________________________________________________________ An update that fixes 13 vulnerabilities is now available. Description: IBM Java 1.7.0 was updated to SR9 fixing security issues and bugs. 
Tabulated information can be found on: http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May_2015 CVE-2015-0192 CVE-2015-2808 CVE-2015-1914 CVE-2015-0138 CVE-2015-0491 CVE-2015-0458 CVE-2015-0459 CVE-2015-0469 CVE-2015-0480 CVE-2015-0488 CVE-2015-0478 CVE-2015-0477 CVE-2015-0204 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP2 LTSS: zypper in -t patch slessp2-java-1_7_0-ibm=10785 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64): java-1_7_0-ibm-1.7.0_sr9.0-0.7.1 java-1_7_0-ibm-devel-1.7.0_sr9.0-0.7.1 java-1_7_0-ibm-jdbc-1.7.0_sr9.0-0.7.1 - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 x86_64): java-1_7_0-ibm-alsa-1.7.0_sr9.0-0.7.1 java-1_7_0-ibm-plugin-1.7.0_sr9.0-0.7.1 References: https://www.suse.com/security/cve/CVE-2015-0138.html https://www.suse.com/security/cve/CVE-2015-0192.html https://www.suse.com/security/cve/CVE-2015-0204.html https://www.suse.com/security/cve/CVE-2015-0458.html https://www.suse.com/security/cve/CVE-2015-0459.html https://www.suse.com/security/cve/CVE-2015-0469.html https://www.suse.com/security/cve/CVE-2015-0477.html https://www.suse.com/security/cve/CVE-2015-0478.html https://www.suse.com/security/cve/CVE-2015-0480.html https://www.suse.com/security/cve/CVE-2015-0488.html https://www.suse.com/security/cve/CVE-2015-0491.html https://www.suse.com/security/cve/CVE-2015-1914.html https://www.suse.com/security/cve/CVE-2015-2808.html https://bugzilla.suse.com/912434 https://bugzilla.suse.com/912447 https://bugzilla.suse.com/930365 https://bugzilla.suse.com/931702 https://download.suse.com/patch/finder/?keywords=9ca57b921374626bc74b4dc6c6926af7 From sle-security-updates at lists.suse.com Wed Jun 24 14:06:02 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 24
Jun 2015 22:06:02 +0200 (CEST) Subject: SUSE-SU-2015:1137-1: moderate: Security update for flash-player Message-ID: <20150624200602.E5AAB3205C@maintenance.suse.de> SUSE Security Update: Security update for flash-player ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1137-1 Rating: moderate References: #935701 Cross-References: CVE-2015-3113 Affected Products: SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. It includes one version update. Description: Adobe Flash Player was updated to 11.2.202.468, fixing a security issue, where attackers could have triggered a heap overflow and could have executed code. https://helpx.adobe.com/security/products/flash-player/apsb15-14.html Security Issues: * CVE-2015-3113 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-flash-player=10805 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 11.2.202.468]: flash-player-11.2.202.468-0.7.1 flash-player-gnome-11.2.202.468-0.7.1 flash-player-kde4-11.2.202.468-0.7.1 References: https://www.suse.com/security/cve/CVE-2015-3113.html https://bugzilla.suse.com/935701 https://download.suse.com/patch/finder/?keywords=e48696c554afb9305cb98005c94e9af7 From sle-security-updates at lists.suse.com Wed Jun 24 14:06:20 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 24 Jun 2015 22:06:20 +0200 (CEST) Subject: SUSE-SU-2015:1138-1: important: Security update for IBM Java Message-ID: <20150624200620.320DA3205C@maintenance.suse.de> SUSE Security Update: Security update for IBM Java ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1138-1 Rating: important References: #930365 Affected Products: SUSE Linux Enterprise Server 10 SP4 LTSS ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: IBM Java 1.6.0 was updated to SR16-FP4 fixing security issues and bugs. 
Tabulated information can be found on: http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May_2015 CVE-2015-0192 CVE-2015-2808 CVE-2015-1914 CVE-2015-0138 CVE-2015-0491 CVE-2015-0458 CVE-2015-0459 CVE-2015-0469 CVE-2015-0480 CVE-2015-0488 CVE-2015-0478 CVE-2015-0477 CVE-2015-0204 Package List: - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64): java-1_6_0-ibm-1.6.0_sr16.4-0.8.1 java-1_6_0-ibm-devel-1.6.0_sr16.4-0.8.1 java-1_6_0-ibm-fonts-1.6.0_sr16.4-0.8.1 java-1_6_0-ibm-jdbc-1.6.0_sr16.4-0.8.1 - SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64): java-1_6_0-ibm-32bit-1.6.0_sr16.4-0.8.1 java-1_6_0-ibm-devel-32bit-1.6.0_sr16.4-0.8.1 - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 x86_64): java-1_6_0-ibm-plugin-1.6.0_sr16.4-0.8.1 - SUSE Linux Enterprise Server 10 SP4 LTSS (x86_64): java-1_6_0-ibm-alsa-32bit-1.6.0_sr16.4-0.8.1 java-1_6_0-ibm-plugin-32bit-1.6.0_sr16.4-0.8.1 - SUSE Linux Enterprise Server 10 SP4 LTSS (i586): java-1_6_0-ibm-alsa-1.6.0_sr16.4-0.8.1 References: https://bugzilla.suse.com/930365 https://download.suse.com/patch/finder/?keywords=c5428e2c57be4bc06608802e52f69888 From sle-security-updates at lists.suse.com Thu Jun 25 07:05:02 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 25 Jun 2015 15:05:02 +0200 (CEST) Subject: SUSE-SU-2015:1141-1: moderate: Security update for python-keystoneclient Message-ID: <20150625130502.428383205C@maintenance.suse.de> SUSE Security Update: Security update for python-keystoneclient ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1141-1 Rating: moderate References: #897103 #928205 Cross-References: CVE-2014-7144 CVE-2015-1852 Affected Products: SUSE Cloud 4 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available.
Description: python-keystoneclient was updated to fix two security issues: * bsc#928205: S3Token TLS certificate verification option not honored. (CVE-2015-1852) * bsc#897103: TLS certificate verification option not honored in paste configs. (CVE-2014-7144) Security Issues: * CVE-2014-7144 * CVE-2015-1852 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Cloud 4: zypper in -t patch sleclo40sp3-python-keystoneclient=10667 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Cloud 4 (x86_64): python-keystoneclient-0.9.0-0.13.1 python-keystoneclient-doc-0.9.0-0.13.1 References: https://www.suse.com/security/cve/CVE-2014-7144.html https://www.suse.com/security/cve/CVE-2015-1852.html https://bugzilla.suse.com/897103 https://bugzilla.suse.com/928205 https://download.suse.com/patch/finder/?keywords=4714a8b59432e065411eb4fa1f784f01 From sle-security-updates at lists.suse.com Thu Jun 25 10:05:46 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 25 Jun 2015 18:05:46 +0200 (CEST) Subject: SUSE-SU-2015:1143-1: important: Security update for openssl Message-ID: <20150625160546.605D13205C@maintenance.suse.de> SUSE Security Update: Security update for openssl ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1143-1 Rating: important References: #926597 #929678 #931698 #933898 #933911 #934487 #934489 #934491 #934493 Cross-References: CVE-2015-1788 CVE-2015-1789 CVE-2015-1790 CVE-2015-1791 CVE-2015-1792 CVE-2015-3216 CVE-2015-4000 Affected Products: SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that solves 7 vulnerabilities and has two fixes is now available. 
Description: This update of openssl fixes the following security issues: - CVE-2015-4000 (bsc#931698) * The Logjam Attack / weakdh.org * reject connections with DH parameters shorter than 1024 bits * generates 2048-bit DH parameters by default - CVE-2015-1788 (bsc#934487) * Malformed ECParameters causes infinite loop - CVE-2015-1789 (bsc#934489) * Exploitable out-of-bounds read in X509_cmp_time - CVE-2015-1790 (bsc#934491) * PKCS7 crash with missing EnvelopedContent - CVE-2015-1792 (bsc#934493) * CMS verify infinite loop with unknown hash function - CVE-2015-1791 (bsc#933911) * race condition in NewSessionTicket - CVE-2015-3216 (bsc#933898) * Crash in ssleay_rand_bytes due to locking regression - fix a timing side channel in RSA decryption (bnc#929678) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12: zypper in -t patch SUSE-SLE-SDK-12-2015-282=1 - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2015-282=1 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2015-282=1 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64): libopenssl-devel-1.0.1i-25.1 openssl-debuginfo-1.0.1i-25.1 openssl-debugsource-1.0.1i-25.1 - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64): libopenssl1_0_0-1.0.1i-25.1 libopenssl1_0_0-debuginfo-1.0.1i-25.1 libopenssl1_0_0-hmac-1.0.1i-25.1 openssl-1.0.1i-25.1 openssl-debuginfo-1.0.1i-25.1 openssl-debugsource-1.0.1i-25.1 - SUSE Linux Enterprise Server 12 (s390x x86_64): libopenssl1_0_0-32bit-1.0.1i-25.1 libopenssl1_0_0-debuginfo-32bit-1.0.1i-25.1 libopenssl1_0_0-hmac-32bit-1.0.1i-25.1 - SUSE Linux Enterprise Server 12 (noarch): openssl-doc-1.0.1i-25.1 - SUSE Linux Enterprise Desktop 12 (x86_64): libopenssl1_0_0-1.0.1i-25.1 libopenssl1_0_0-32bit-1.0.1i-25.1 libopenssl1_0_0-debuginfo-1.0.1i-25.1 libopenssl1_0_0-debuginfo-32bit-1.0.1i-25.1 openssl-1.0.1i-25.1 openssl-debuginfo-1.0.1i-25.1 openssl-debugsource-1.0.1i-25.1 References: https://www.suse.com/security/cve/CVE-2015-1788.html https://www.suse.com/security/cve/CVE-2015-1789.html https://www.suse.com/security/cve/CVE-2015-1790.html https://www.suse.com/security/cve/CVE-2015-1791.html https://www.suse.com/security/cve/CVE-2015-1792.html https://www.suse.com/security/cve/CVE-2015-3216.html https://www.suse.com/security/cve/CVE-2015-4000.html https://bugzilla.suse.com/926597 https://bugzilla.suse.com/929678 https://bugzilla.suse.com/931698 https://bugzilla.suse.com/933898 https://bugzilla.suse.com/933911 https://bugzilla.suse.com/934487 https://bugzilla.suse.com/934489 https://bugzilla.suse.com/934491 https://bugzilla.suse.com/934493 From sle-security-updates at lists.suse.com Thu Jun 25 11:05:07 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 25 Jun 2015 19:05:07 +0200 (CEST) Subject: SUSE-SU-2015:1144-1: moderate: Security update for icu Message-ID: <20150625170507.CA7483205C@maintenance.suse.de> SUSE Security Update: Security update for icu 
______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1144-1 Rating: moderate References: #917129 Cross-References: CVE-2014-9654 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update fixes the following security issue in icu: * CVE-2014-9654: insufficient size limit checks in regular expression compiler (bsc#917129) Security Issues: * CVE-2014-9654 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-icu=10783 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-icu=10783 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-icu=10783 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-icu=10783 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64): libicu-devel-4.0-7.28.1 - SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64 s390x x86_64): libicu-devel-32bit-4.0-7.28.1 - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64): icu-4.0-7.28.1 - SUSE Linux Enterprise Software Development Kit 11 SP3 (x86_64): libicu-32bit-4.0-7.28.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): libicu-4.0-7.28.1 libicu-doc-4.0-7.28.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64): libicu-32bit-4.0-7.28.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64): libicu-4.0-7.28.1 libicu-doc-4.0-7.28.1 - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64): libicu-32bit-4.0-7.28.1 - SUSE Linux Enterprise Server 11 SP3 (ia64): libicu-x86-4.0-7.28.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64): icu-4.0-7.28.1 libicu-4.0-7.28.1 References: https://www.suse.com/security/cve/CVE-2014-9654.html https://bugzilla.suse.com/917129 https://download.suse.com/patch/finder/?keywords=591af123987e7e88134ee97f079b3103 From sle-security-updates at lists.suse.com Fri Jun 26 05:05:08 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 26 Jun 2015 13:05:08 +0200 (CEST) Subject: SUSE-SU-2015:1150-1: important: Security update for compat-openssl098 Message-ID: <20150626110508.C17303205C@maintenance.suse.de> SUSE Security Update: Security update for compat-openssl098 ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1150-1 Rating: important References: #879179 #929678 #931698 #933898 #933911 #934487 #934489 #934491 #934493 Cross-References: CVE-2015-1788 CVE-2015-1789 CVE-2015-1790 CVE-2015-1791 CVE-2015-1792 CVE-2015-3216 CVE-2015-4000 Affected Products: SUSE Linux Enterprise Module for Legacy Software 12 SUSE Linux Enterprise Desktop 12 
______________________________________________________________________________ An update that solves 7 vulnerabilities and has two fixes is now available. Description: This update fixes the following security issues: - CVE-2015-4000 (boo#931698) * The Logjam Attack / weakdh.org * reject connections with DH parameters shorter than 1024 bits * generates 2048-bit DH parameters by default - CVE-2015-1788 (boo#934487) * Malformed ECParameters causes infinite loop - CVE-2015-1789 (boo#934489) * Exploitable out-of-bounds read in X509_cmp_time - CVE-2015-1790 (boo#934491) * PKCS7 crash with missing EnvelopedContent - CVE-2015-1792 (boo#934493) * CMS verify infinite loop with unknown hash function - CVE-2015-1791 (boo#933911) * race condition in NewSessionTicket - CVE-2015-3216 (boo#933898) * Crash in ssleay_rand_bytes due to locking regression * modified openssl-1.0.1i-fipslocking.patch - fix timing side channel in RSA decryption (bnc#929678) - add ECC ciphersuites to DEFAULT (bnc#879179) - Disable EXPORT ciphers by default (bnc#931698, comment #3) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Legacy Software 12: zypper in -t patch SUSE-SLE-Module-Legacy-12-2015-285=1 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2015-285=1 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Module for Legacy Software 12 (s390x x86_64): compat-openssl098-debugsource-0.9.8j-78.1 libopenssl0_9_8-0.9.8j-78.1 libopenssl0_9_8-32bit-0.9.8j-78.1 libopenssl0_9_8-debuginfo-0.9.8j-78.1 libopenssl0_9_8-debuginfo-32bit-0.9.8j-78.1 - SUSE Linux Enterprise Desktop 12 (x86_64): compat-openssl098-debugsource-0.9.8j-78.1 libopenssl0_9_8-0.9.8j-78.1 libopenssl0_9_8-32bit-0.9.8j-78.1 libopenssl0_9_8-debuginfo-0.9.8j-78.1 libopenssl0_9_8-debuginfo-32bit-0.9.8j-78.1 References: https://www.suse.com/security/cve/CVE-2015-1788.html https://www.suse.com/security/cve/CVE-2015-1789.html https://www.suse.com/security/cve/CVE-2015-1790.html https://www.suse.com/security/cve/CVE-2015-1791.html https://www.suse.com/security/cve/CVE-2015-1792.html https://www.suse.com/security/cve/CVE-2015-3216.html https://www.suse.com/security/cve/CVE-2015-4000.html https://bugzilla.suse.com/879179 https://bugzilla.suse.com/929678 https://bugzilla.suse.com/931698 https://bugzilla.suse.com/933898 https://bugzilla.suse.com/933911 https://bugzilla.suse.com/934487 https://bugzilla.suse.com/934489 https://bugzilla.suse.com/934491 https://bugzilla.suse.com/934493 From sle-security-updates at lists.suse.com Fri Jun 26 07:08:00 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 26 Jun 2015 15:08:00 +0200 (CEST) Subject: SUSE-SU-2015:1152-1: important: Security update for KVM Message-ID: <20150626130800.E61F73205C@maintenance.suse.de> SUSE Security Update: Security update for KVM ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1152-1 Rating: important References: #932267 #932770 Cross-References: CVE-2015-3209 Affected Products: SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. 
It includes one version update. Description: KVM was updated to fix two security issues: * CVE-2015-3209: Heap overflow in qemu pcnet controller allowing guest to host escape. (bsc#932770) * CVE-2015-4037: Predictable directory names for smb configuration. (bsc#932267) Security Issues: * CVE-2015-3209 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-kvm=10747 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-kvm=10747 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11 SP3 (i586 s390x x86_64) [New Version: 1.4.2]: kvm-1.4.2-0.22.31.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 1.4.2]: kvm-1.4.2-0.22.31.1 References: https://www.suse.com/security/cve/CVE-2015-3209.html https://bugzilla.suse.com/932267 https://bugzilla.suse.com/932770 https://download.suse.com/patch/finder/?keywords=22b018e7745a4c6e213ac9c05777d59d From sle-security-updates at lists.suse.com Fri Jun 26 20:05:09 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Sat, 27 Jun 2015 04:05:09 +0200 (CEST) Subject: SUSE-SU-2015:1086-4: important: Security update for java-1_7_0-ibm Message-ID: <20150627020509.A58E532006@maintenance.suse.de> SUSE Security Update: Security update for java-1_7_0-ibm ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1086-4 Rating: important References: #912434 #912447 #930365 #931702 Cross-References: CVE-2015-0138 CVE-2015-0192 CVE-2015-0204 CVE-2015-0458 CVE-2015-0459 CVE-2015-0469 CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 CVE-2015-0488 CVE-2015-0491 CVE-2015-1914 CVE-2015-2808 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 
SP3 ______________________________________________________________________________ An update that fixes 13 vulnerabilities is now available. Description: IBM Java 1.7.0 was updated to SR9 fixing security issues and bugs. Tabulated information can be found on: http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May_2015 . Security Issues: * CVE-2015-0192 * CVE-2015-2808 * CVE-2015-1914 * CVE-2015-0138 * CVE-2015-0491 * CVE-2015-0458 * CVE-2015-0459 * CVE-2015-0469 * CVE-2015-0480 * CVE-2015-0488 * CVE-2015-0478 * CVE-2015-0477 * CVE-2015-0204 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-java-1_7_0-ibm=10784 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-java-1_7_0-ibm=10784 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-java-1_7_0-ibm=10784 To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ppc64 s390x x86_64): java-1_7_0-ibm-devel-1.7.0_sr9.0-0.7.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): java-1_7_0-ibm-1.7.0_sr9.0-0.7.1 java-1_7_0-ibm-alsa-1.7.0_sr9.0-0.7.1 java-1_7_0-ibm-jdbc-1.7.0_sr9.0-0.7.1 java-1_7_0-ibm-plugin-1.7.0_sr9.0-0.7.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ppc64 s390x x86_64): java-1_7_0-ibm-1.7.0_sr9.0-0.7.1 java-1_7_0-ibm-jdbc-1.7.0_sr9.0-0.7.1 - SUSE Linux Enterprise Server 11 SP3 (i586 x86_64): java-1_7_0-ibm-alsa-1.7.0_sr9.0-0.7.1 java-1_7_0-ibm-plugin-1.7.0_sr9.0-0.7.1 References: https://www.suse.com/security/cve/CVE-2015-0138.html https://www.suse.com/security/cve/CVE-2015-0192.html https://www.suse.com/security/cve/CVE-2015-0204.html https://www.suse.com/security/cve/CVE-2015-0458.html https://www.suse.com/security/cve/CVE-2015-0459.html https://www.suse.com/security/cve/CVE-2015-0469.html https://www.suse.com/security/cve/CVE-2015-0477.html https://www.suse.com/security/cve/CVE-2015-0478.html https://www.suse.com/security/cve/CVE-2015-0480.html https://www.suse.com/security/cve/CVE-2015-0488.html https://www.suse.com/security/cve/CVE-2015-0491.html https://www.suse.com/security/cve/CVE-2015-1914.html https://www.suse.com/security/cve/CVE-2015-2808.html https://bugzilla.suse.com/912434 https://bugzilla.suse.com/912447 https://bugzilla.suse.com/930365 https://bugzilla.suse.com/931702 https://download.suse.com/patch/finder/?keywords=9679d0aa3625acf75e826a41db3c367b From sle-security-updates at lists.suse.com Mon Jun 29 06:05:19 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 29 Jun 2015 14:05:19 +0200 (CEST) Subject: SUSE-SU-2015:1156-1: important: Security update for Xen Message-ID: <20150629120519.5C03132088@maintenance.suse.de> SUSE Security Update: Security update for Xen ______________________________________________________________________________ Announcement ID: 
SUSE-SU-2015:1156-1 Rating: important References: #931625 #931626 #931627 #931628 #932770 #932996 Cross-References: CVE-2015-3209 CVE-2015-4103 CVE-2015-4104 CVE-2015-4105 CVE-2015-4106 CVE-2015-4164 Affected Products: SUSE Linux Enterprise Server 11 SP1 LTSS ______________________________________________________________________________ An update that fixes 6 vulnerabilities is now available. Description: Xen was updated to fix six security issues: * CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu. (XSA-128, bsc#931625) * CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests. (XSA-129, bsc#931626) * CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages. (XSA-130, bsc#931627) * CVE-2015-4106: Unmediated PCI register access in qemu. (XSA-131, bsc#931628) * CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to host escape. (XSA-135, bsc#932770) * CVE-2015-4164: DoS through iret hypercall handler. (XSA-136, bsc#932996) Security Issues: * CVE-2015-4103 * CVE-2015-4104 * CVE-2015-4105 * CVE-2015-4106 * CVE-2015-4164 * CVE-2015-3209 Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP1 LTSS: zypper in -t patch slessp1-xen-201506=10726 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 x86_64): xen-4.0.3_21548_18-0.25.1 xen-doc-html-4.0.3_21548_18-0.25.1 xen-doc-pdf-4.0.3_21548_18-0.25.1 xen-kmp-default-4.0.3_21548_18_2.6.32.59_0.19-0.25.1 xen-kmp-trace-4.0.3_21548_18_2.6.32.59_0.19-0.25.1 xen-libs-4.0.3_21548_18-0.25.1 xen-tools-4.0.3_21548_18-0.25.1 xen-tools-domU-4.0.3_21548_18-0.25.1 - SUSE Linux Enterprise Server 11 SP1 LTSS (i586): xen-kmp-pae-4.0.3_21548_18_2.6.32.59_0.19-0.25.1 References: https://www.suse.com/security/cve/CVE-2015-3209.html https://www.suse.com/security/cve/CVE-2015-4103.html https://www.suse.com/security/cve/CVE-2015-4104.html https://www.suse.com/security/cve/CVE-2015-4105.html https://www.suse.com/security/cve/CVE-2015-4106.html https://www.suse.com/security/cve/CVE-2015-4164.html https://bugzilla.suse.com/931625 https://bugzilla.suse.com/931626 https://bugzilla.suse.com/931627 https://bugzilla.suse.com/931628 https://bugzilla.suse.com/932770 https://bugzilla.suse.com/932996 https://download.suse.com/patch/finder/?keywords=5db78436698154117f5060fbcf442cac From sle-security-updates at lists.suse.com Mon Jun 29 07:05:15 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 29 Jun 2015 15:05:15 +0200 (CEST) Subject: SUSE-SU-2015:1157-1: important: Security update for Xen Message-ID: <20150629130515.469E932088@maintenance.suse.de> SUSE Security Update: Security update for Xen ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1157-1 Rating: important References: #931625 #931626 #931627 #931628 #932770 #932996 Cross-References: CVE-2015-3209 CVE-2015-4103 CVE-2015-4104 CVE-2015-4105 CVE-2015-4106 CVE-2015-4163 CVE-2015-4164 Affected Products: SUSE Linux Enterprise Server 11 SP2 LTSS ______________________________________________________________________________ An update that fixes 7 vulnerabilities is now available. 
Description: Xen was updated to fix six security issues: * CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu. (XSA-128, bsc#931625) * CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests. (XSA-129, bsc#931626) * CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages. (XSA-130, bsc#931627) * CVE-2015-4106: Unmediated PCI register access in qemu. (XSA-131, bsc#931628) * CVE-2015-3209: Heap overflow in qemu pcnet controller allowing guest to host escape. (XSA-135, bsc#932770) * CVE-2015-4164: DoS through iret hypercall handler. (XSA-136, bsc#932996) Security Issues: * CVE-2015-4103 * CVE-2015-4104 * CVE-2015-4105 * CVE-2015-4106 * CVE-2015-4163 * CVE-2015-4164 * CVE-2015-3209 Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP2 LTSS: zypper in -t patch slessp2-xen-201506=10729 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 x86_64): xen-devel-4.1.6_08-0.13.1 xen-kmp-default-4.1.6_08_3.0.101_0.7.29-0.13.1 xen-kmp-trace-4.1.6_08_3.0.101_0.7.29-0.13.1 xen-libs-4.1.6_08-0.13.1 xen-tools-domU-4.1.6_08-0.13.1 - SUSE Linux Enterprise Server 11 SP2 LTSS (x86_64): xen-4.1.6_08-0.13.1 xen-doc-html-4.1.6_08-0.13.1 xen-doc-pdf-4.1.6_08-0.13.1 xen-libs-32bit-4.1.6_08-0.13.1 xen-tools-4.1.6_08-0.13.1 - SUSE Linux Enterprise Server 11 SP2 LTSS (i586): xen-kmp-pae-4.1.6_08_3.0.101_0.7.29-0.13.1 References: https://www.suse.com/security/cve/CVE-2015-3209.html https://www.suse.com/security/cve/CVE-2015-4103.html https://www.suse.com/security/cve/CVE-2015-4104.html https://www.suse.com/security/cve/CVE-2015-4105.html https://www.suse.com/security/cve/CVE-2015-4106.html https://www.suse.com/security/cve/CVE-2015-4163.html https://www.suse.com/security/cve/CVE-2015-4164.html https://bugzilla.suse.com/931625 https://bugzilla.suse.com/931626 https://bugzilla.suse.com/931627 https://bugzilla.suse.com/931628 https://bugzilla.suse.com/932770 https://bugzilla.suse.com/932996 https://download.suse.com/patch/finder/?keywords=664b696391d543da0f24d6d0b039a056 From sle-security-updates at lists.suse.com Tue Jun 30 09:05:16 2015 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 30 Jun 2015 17:05:16 +0200 (CEST) Subject: SUSE-SU-2015:1161-1: important: Security update for java-1_6_0-ibm Message-ID: <20150630150516.DDFFA32096@maintenance.suse.de> SUSE Security Update: Security update for java-1_6_0-ibm ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:1161-1 Rating: important References: #912434 #912447 #930365 #931702 Cross-References: CVE-2015-0138 CVE-2015-0192 CVE-2015-0204 CVE-2015-0458 CVE-2015-0459 CVE-2015-0469 CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 CVE-2015-0488 CVE-2015-0491 CVE-2015-1914 CVE-2015-2808 Affected Products: SUSE Linux 
Enterprise Module for Legacy Software 12 ______________________________________________________________________________ An update that fixes 13 vulnerabilities is now available. Description: IBM Java 1.6.0 was updated to SR16-FP4 fixing security issues and bugs. Tabulated information can be found on: http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May_2015 CVEs addressed: CVE-2015-0192 CVE-2015-2808 CVE-2015-1914 CVE-2015-0138 CVE-2015-0491 CVE-2015-0458 CVE-2015-0459 CVE-2015-0469 CVE-2015-0480 CVE-2015-0488 CVE-2015-0478 CVE-2015-0477 CVE-2015-0204 Additional bugs fixed: * Fix javaws/plugin stuff should slave plugin update-alternatives (bnc#912434) * Changed Java to use the system root CA certificates (bnc#912447) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Legacy Software 12: zypper in -t patch SUSE-SLE-Module-Legacy-12-2015-288=1 To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Linux Enterprise Module for Legacy Software 12 (s390x x86_64): java-1_6_0-ibm-1.6.0_sr16.4-15.1 java-1_6_0-ibm-fonts-1.6.0_sr16.4-15.1 java-1_6_0-ibm-jdbc-1.6.0_sr16.4-15.1 - SUSE Linux Enterprise Module for Legacy Software 12 (x86_64): java-1_6_0-ibm-plugin-1.6.0_sr16.4-15.1 References: https://www.suse.com/security/cve/CVE-2015-0138.html https://www.suse.com/security/cve/CVE-2015-0192.html https://www.suse.com/security/cve/CVE-2015-0204.html https://www.suse.com/security/cve/CVE-2015-0458.html https://www.suse.com/security/cve/CVE-2015-0459.html https://www.suse.com/security/cve/CVE-2015-0469.html https://www.suse.com/security/cve/CVE-2015-0477.html https://www.suse.com/security/cve/CVE-2015-0478.html https://www.suse.com/security/cve/CVE-2015-0480.html https://www.suse.com/security/cve/CVE-2015-0488.html https://www.suse.com/security/cve/CVE-2015-0491.html https://www.suse.com/security/cve/CVE-2015-1914.html https://www.suse.com/security/cve/CVE-2015-2808.html https://bugzilla.suse.com/912434 https://bugzilla.suse.com/912447 https://bugzilla.suse.com/930365 https://bugzilla.suse.com/931702