From sle-security-updates at lists.suse.com  Thu Dec 1 06:07:40 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 1 Dec 2016 14:07:40 +0100 (CET)
Subject: SUSE-SU-2016:2958-1: moderate: Security update for mono-core
Message-ID: <20161201130740.31B86FFD5@maintenance.suse.de>

SUSE Security Update: Security update for mono-core
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2958-1
Rating:             moderate
References:         #739119 #958097
Cross-References:   CVE-2009-0689 CVE-2012-3543
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Server 11-SP3-LTSS
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   mono-core was updated to fix the following vulnerabilities:

   - CVE-2009-0689: Remote attackers could cause a denial of service and
     possibly arbitrary code execution through the string-to-double parser
     implementation. (bsc#958097)
   - CVE-2012-3543: Remote attackers could cause a denial of service through
     increased CPU consumption due to lack of protection against predictable
     hash collisions when processing form parameters. (bsc#739119)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-mono-core-12866=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-mono-core-12866=1

   - SUSE Linux Enterprise Server 11-SP3-LTSS:

      zypper in -t patch slessp3-mono-core-12866=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      bytefx-data-mysql-2.6.7-0.18.1
      mono-data-firebird-2.6.7-0.18.1
      mono-data-oracle-2.6.7-0.18.1
      mono-data-sybase-2.6.7-0.18.1
      mono-devel-2.6.7-0.18.1
      mono-extras-2.6.7-0.18.1
      mono-jscript-2.6.7-0.18.1
      mono-wcf-2.6.7-0.18.1
      mono-winfxcore-2.6.7-0.18.1
      monodoc-core-2.6.7-0.18.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64):

      mono-core-2.6.7-0.18.1
      mono-data-2.6.7-0.18.1
      mono-data-postgresql-2.6.7-0.18.1
      mono-data-sqlite-2.6.7-0.18.1
      mono-locale-extras-2.6.7-0.18.1
      mono-nunit-2.6.7-0.18.1
      mono-web-2.6.7-0.18.1
      mono-winforms-2.6.7-0.18.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      mono-core-2.6.7-0.18.1
      mono-data-2.6.7-0.18.1
      mono-data-postgresql-2.6.7-0.18.1
      mono-data-sqlite-2.6.7-0.18.1
      mono-locale-extras-2.6.7-0.18.1
      mono-nunit-2.6.7-0.18.1
      mono-web-2.6.7-0.18.1
      mono-winforms-2.6.7-0.18.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64):

      mono-core-2.6.7-0.18.1
      mono-data-2.6.7-0.18.1
      mono-data-postgresql-2.6.7-0.18.1
      mono-data-sqlite-2.6.7-0.18.1
      mono-locale-extras-2.6.7-0.18.1
      mono-nunit-2.6.7-0.18.1
      mono-web-2.6.7-0.18.1
      mono-winforms-2.6.7-0.18.1

References:

   https://www.suse.com/security/cve/CVE-2009-0689.html
   https://www.suse.com/security/cve/CVE-2012-3543.html
   https://bugzilla.suse.com/739119
   https://bugzilla.suse.com/958097


From sle-security-updates at lists.suse.com  Thu Dec 1 10:07:51 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 1 Dec 2016 18:07:51 +0100 (CET)
Subject: SUSE-SU-2016:2964-1: important: Security update for ImageMagick
Message-ID: <20161201170751.204D4FFD5@maintenance.suse.de>

SUSE Security Update: Security update for ImageMagick
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2964-1
Rating:             important
References:         #1000399 #1000434 #1000436 #1000688 #1000689 #1000690 #1000691
                    #1000692 #1000693 #1000694 #1000695 #1000698 #1000699 #1000700
                    #1000701 #1000703 #1000704 #1000707 #1000709 #1000711 #1000713
                    #1000714 #1001066 #1001221 #1002209 #1002421 #1002422 #1003629
                    #1005123 #1005125 #1005127 #1007245
Cross-References:   CVE-2014-9907 CVE-2015-8957 CVE-2015-8958 CVE-2015-8959
                    CVE-2016-5687 CVE-2016-6823 CVE-2016-7101 CVE-2016-7514
                    CVE-2016-7515 CVE-2016-7516 CVE-2016-7517 CVE-2016-7518
                    CVE-2016-7519 CVE-2016-7522 CVE-2016-7523 CVE-2016-7524
                    CVE-2016-7525 CVE-2016-7526 CVE-2016-7527 CVE-2016-7528
                    CVE-2016-7529 CVE-2016-7530 CVE-2016-7531 CVE-2016-7533
                    CVE-2016-7535 CVE-2016-7537 CVE-2016-7799 CVE-2016-7800
                    CVE-2016-7996 CVE-2016-7997 CVE-2016-8682 CVE-2016-8683
                    CVE-2016-8684 CVE-2016-8862
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes 34 vulnerabilities is now available.

Description:

   This update for ImageMagick fixes the following issues:

   These vulnerabilities could be triggered by processing specially crafted
   image files, which could lead to a process crash or resource consumption,
   or potentially have unspecified further impact.
   - CVE-2016-8862: Memory allocation failure in AcquireMagickMemory (bsc#1007245)
   - CVE-2014-9907: DOS due to corrupted DDS files (bsc#1000714)
   - CVE-2015-8959: DOS due to corrupted DDS files (bsc#1000713)
   - CVE-2016-7537: Out of bound access for corrupted pdb file (bsc#1000711)
   - CVE-2016-6823: BMP Coder Out-Of-Bounds Write Vulnerability (bsc#1001066)
   - CVE-2016-7514: Out-of-bounds read in coders/psd.c (bsc#1000688)
   - CVE-2016-7515: Rle file handling for corrupted file (bsc#1000689)
   - CVE-2016-7529: out of bound in quantum handling (bsc#1000399)
   - CVE-2016-7101: SGI Coder Out-Of-Bounds Read Vulnerability (bsc#1001221)
   - CVE-2016-7527: out of bound access in wpg file coder (bsc#1000436)
   - CVE-2016-7996, CVE-2016-7997: WPG Reader Issues (bsc#1003629)
   - CVE-2016-7528: out of bound access in xcf file coder (bsc#1000434)
   - CVE-2016-8683: Check that filesize is reasonable compared to the header value (bsc#1005127)
   - CVE-2016-8682: Stack-buffer read overflow while reading SCT header (bsc#1005125)
   - CVE-2016-8684: Mismatch between real filesize and header values (bsc#1005123)
   - Buffer overflows in SIXEL, PDB, MAP, and TIFF coders (bsc#1002209)
   - CVE-2016-7525: Heap buffer overflow in psd file coder (bsc#1000701)
   - CVE-2016-7524: AddressSanitizer:heap-buffer-overflow READ of size 1 in meta.c:465 (bsc#1000700)
   - CVE-2016-7530: Out of bound in quantum handling (bsc#1000703)
   - CVE-2016-7531: Pbd file out of bound access (bsc#1000704)
   - CVE-2016-7533: Wpg file out of bound for corrupted file (bsc#1000707)
   - CVE-2016-7535: Out of bound access for corrupted psd file (bsc#1000709)
   - CVE-2016-7522: Out of bound access for malformed psd file (bsc#1000698)
   - CVE-2016-7517: out-of-bounds read in coders/pict.c (bsc#1000693)
   - CVE-2016-7516: Out of bounds problem in rle, pict, viff and sun files (bsc#1000692)
   - CVE-2015-8958: Potential DOS in sun file handling due to malformed files (bsc#1000691)
   - CVE-2015-8957: Buffer overflow in sun file handling (bsc#1000690)
   - CVE-2016-7519: out-of-bounds read in coders/rle.c (bsc#1000695)
   - CVE-2016-7518: out-of-bounds read in coders/sun.c (bsc#1000694)
   - CVE-2016-7800: 8BIM/8BIMW unsigned underflow leads to heap overflow (bsc#1002422)
   - CVE-2016-7523: AddressSanitizer:heap-buffer-overflow READ of size 1 meta.c:496 (bsc#1000699)
   - CVE-2016-7799: mogrify global buffer overflow (bsc#1002421)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-ImageMagick-12867=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-ImageMagick-12867=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-ImageMagick-12867=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      ImageMagick-6.4.3.6-7.54.1
      ImageMagick-devel-6.4.3.6-7.54.1
      libMagick++-devel-6.4.3.6-7.54.1
      libMagick++1-6.4.3.6-7.54.1
      libMagickWand1-6.4.3.6-7.54.1
      perl-PerlMagick-6.4.3.6-7.54.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64):

      libMagickWand1-32bit-6.4.3.6-7.54.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      libMagickCore1-6.4.3.6-7.54.1

   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):

      libMagickCore1-32bit-6.4.3.6-7.54.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      ImageMagick-debuginfo-6.4.3.6-7.54.1
      ImageMagick-debugsource-6.4.3.6-7.54.1

References:

   https://www.suse.com/security/cve/CVE-2014-9907.html
   https://www.suse.com/security/cve/CVE-2015-8957.html
   https://www.suse.com/security/cve/CVE-2015-8958.html
   https://www.suse.com/security/cve/CVE-2015-8959.html
   https://www.suse.com/security/cve/CVE-2016-5687.html
   https://www.suse.com/security/cve/CVE-2016-6823.html
   https://www.suse.com/security/cve/CVE-2016-7101.html
   https://www.suse.com/security/cve/CVE-2016-7514.html
   https://www.suse.com/security/cve/CVE-2016-7515.html
   https://www.suse.com/security/cve/CVE-2016-7516.html
   https://www.suse.com/security/cve/CVE-2016-7517.html
   https://www.suse.com/security/cve/CVE-2016-7518.html
   https://www.suse.com/security/cve/CVE-2016-7519.html
   https://www.suse.com/security/cve/CVE-2016-7522.html
   https://www.suse.com/security/cve/CVE-2016-7523.html
   https://www.suse.com/security/cve/CVE-2016-7524.html
   https://www.suse.com/security/cve/CVE-2016-7525.html
   https://www.suse.com/security/cve/CVE-2016-7526.html
   https://www.suse.com/security/cve/CVE-2016-7527.html
   https://www.suse.com/security/cve/CVE-2016-7528.html
   https://www.suse.com/security/cve/CVE-2016-7529.html
   https://www.suse.com/security/cve/CVE-2016-7530.html
   https://www.suse.com/security/cve/CVE-2016-7531.html
   https://www.suse.com/security/cve/CVE-2016-7533.html
   https://www.suse.com/security/cve/CVE-2016-7535.html
   https://www.suse.com/security/cve/CVE-2016-7537.html
   https://www.suse.com/security/cve/CVE-2016-7799.html
   https://www.suse.com/security/cve/CVE-2016-7800.html
   https://www.suse.com/security/cve/CVE-2016-7996.html
   https://www.suse.com/security/cve/CVE-2016-7997.html
   https://www.suse.com/security/cve/CVE-2016-8682.html
   https://www.suse.com/security/cve/CVE-2016-8683.html
   https://www.suse.com/security/cve/CVE-2016-8684.html
   https://www.suse.com/security/cve/CVE-2016-8862.html
   https://bugzilla.suse.com/1000399
   https://bugzilla.suse.com/1000434
   https://bugzilla.suse.com/1000436
   https://bugzilla.suse.com/1000688
   https://bugzilla.suse.com/1000689
   https://bugzilla.suse.com/1000690
   https://bugzilla.suse.com/1000691
   https://bugzilla.suse.com/1000692
   https://bugzilla.suse.com/1000693
   https://bugzilla.suse.com/1000694
   https://bugzilla.suse.com/1000695
   https://bugzilla.suse.com/1000698
   https://bugzilla.suse.com/1000699
   https://bugzilla.suse.com/1000700
   https://bugzilla.suse.com/1000701
   https://bugzilla.suse.com/1000703
   https://bugzilla.suse.com/1000704
   https://bugzilla.suse.com/1000707
   https://bugzilla.suse.com/1000709
   https://bugzilla.suse.com/1000711
   https://bugzilla.suse.com/1000713
   https://bugzilla.suse.com/1000714
   https://bugzilla.suse.com/1001066
   https://bugzilla.suse.com/1001221
   https://bugzilla.suse.com/1002209
   https://bugzilla.suse.com/1002421
   https://bugzilla.suse.com/1002422
   https://bugzilla.suse.com/1003629
   https://bugzilla.suse.com/1005123
   https://bugzilla.suse.com/1005125
   https://bugzilla.suse.com/1005127
   https://bugzilla.suse.com/1007245


From sle-security-updates at lists.suse.com  Fri Dec 2 07:08:38 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 2 Dec 2016 15:08:38 +0100 (CET)
Subject: SUSE-SU-2016:2969-1: moderate: Security update for libgit2
Message-ID: <20161202140838.EC209FFC0@maintenance.suse.de>

SUSE Security Update: Security update for libgit2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2969-1
Rating:             moderate
References:         #1003810
Cross-References:   CVE-2016-8568 CVE-2016-8569
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP2
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   libgit2 was updated to fix two security issues.

   These security issues were fixed:
   - CVE-2016-8568: Read out-of-bounds in git_oid_nfmt (bsc#1003810).
   - CVE-2016-8569: DoS caused by a NULL pointer dereference in
     git_commit_message (bsc#1003810).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP2:

      zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1741=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (x86_64):

      libgit2-24-0.24.1-3.1
      libgit2-24-debuginfo-0.24.1-3.1
      libgit2-debugsource-0.24.1-3.1

References:

   https://www.suse.com/security/cve/CVE-2016-8568.html
   https://www.suse.com/security/cve/CVE-2016-8569.html
   https://bugzilla.suse.com/1003810


From sle-security-updates at lists.suse.com  Fri Dec 2 08:07:40 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 2 Dec 2016 16:07:40 +0100 (CET)
Subject: SUSE-SU-2016:2971-1: moderate: Security update for pcre
Message-ID: <20161202150740.9D114FFD0@maintenance.suse.de>

SUSE Security Update: Security update for pcre
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2971-1
Rating:             moderate
References:         #906574 #924960 #933288 #933878 #936227 #942865 #957566
                    #957567 #957598 #957600 #960837 #971741 #972127
Cross-References:   CVE-2014-8964 CVE-2015-2325 CVE-2015-2327 CVE-2015-2328
                    CVE-2015-3210 CVE-2015-3217 CVE-2015-5073 CVE-2015-8380
                    CVE-2015-8381 CVE-2015-8382 CVE-2015-8383 CVE-2015-8384
                    CVE-2015-8385 CVE-2015-8386 CVE-2015-8387 CVE-2015-8388
                    CVE-2015-8389 CVE-2015-8390 CVE-2015-8391 CVE-2015-8392
                    CVE-2015-8393 CVE-2015-8394 CVE-2015-8395 CVE-2016-1283
                    CVE-2016-3191
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP2
                    SUSE Linux Enterprise Workstation Extension 12-SP1
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise High Availability 12-SP2
                    SUSE Linux Enterprise High Availability 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes 25 vulnerabilities is now available.
Description:

   This update for pcre to version 8.39 (bsc#972127) fixes several issues.

   If you use pcre extensively please be aware that this is an update to a
   new version. Please make sure that your software works with the updated
   version.

   This version fixes a number of vulnerabilities that affect pcre and
   applications using the library when accepting untrusted input as regular
   expressions or as part thereof. Remote attackers could have caused the
   application to crash, disclose information or potentially execute
   arbitrary code.

   These security issues were fixed:
   - CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote
     attackers to cause a denial of service (crash) or have other unspecified
     impact via a crafted regular expression, related to an assertion that
     allows zero repeats (bsc#906574).
   - CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
   - CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex()
     (bsc#933288).
   - CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match()
     (bsc#933878).
   - CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength()
     (bsc#936227).
   - bsc#942865: heap overflow in compile_regex()
   - CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a //
     pattern with a \01 string, which allowed remote attackers to cause a
     denial of service (heap-based buffer overflow) or possibly have
     unspecified other impact via a crafted regular expression, as
     demonstrated by a JavaScript RegExp object encountered by Konqueror
     (bsc#957566).
   - CVE-2015-2327: PCRE mishandled certain patterns with internal recursive
     back references, which allowed remote attackers to cause a denial of
     service (segmentation fault) or possibly have unspecified other impact
     via a crafted regular expression, as demonstrated by a JavaScript RegExp
     object encountered by Konqueror (bsc#957567).
   - bsc#957598: Various security issues
   - CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598).
   - CVE-2015-8382: Regular Expression Uninitialized Pointer Information
     Disclosure Vulnerability (ZDI-CAN-2547) (bsc#957598).
   - CVE-2015-8383: Buffer overflow caused by repeated conditional group
     (bsc#957598).
   - CVE-2015-8384: Buffer overflow caused by recursive back reference by name
     within certain group (bsc#957598).
   - CVE-2015-8385: Buffer overflow caused by forward reference by name to
     certain group (bsc#957598).
   - CVE-2015-8386: Buffer overflow caused by lookbehind assertion
     (bsc#957598).
   - CVE-2015-8387: Integer overflow in subroutine calls (bsc#957598).
   - CVE-2015-8388: Buffer overflow caused by certain patterns with an
     unmatched closing parenthesis (bsc#957598).
   - CVE-2015-8389: Infinite recursion in JIT compiler when processing certain
     patterns (bsc#957598).
   - CVE-2015-8390: Reading from uninitialized memory when processing certain
     patterns (bsc#957598).
   - CVE-2015-8391: Some pathological patterns cause pcre_compile() to run for
     a very long time (bsc#957598).
   - CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated
     named groups (bsc#957598).
   - CVE-2015-8393: Information leak when running pcregrep -q on crafted
     binary (bsc#957598).
   - CVE-2015-8394: Integer overflow caused by missing check for certain
     conditions (bsc#957598).
   - CVE-2015-8395: Buffer overflow caused by certain references (bsc#957598).
   - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related
     patterns with certain recursion, which allowed remote attackers to cause
     a denial of service (segmentation fault) or possibly have unspecified
     other impact via a crafted regular expression (bsc#957600).
   - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE
     mishandled certain patterns with named subgroups, which allowed remote
     attackers to cause a denial of service (heap-based buffer overflow) or
     possibly have unspecified other impact via a crafted regular expression
     (bsc#960837).
   - CVE-2016-3191: The compile_branch function in pcre_compile.c in
     pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in
     conjunction with nested parentheses, which allowed remote attackers to
     execute arbitrary code or cause a denial of service (stack-based buffer
     overflow) via a crafted regular expression (bsc#971741).

   These non-security issues were fixed:
   - JIT compiler improvements
   - performance improvements
   - The Unicode data tables have been updated to Unicode 7.0.0.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP2:

      zypper in -t patch SUSE-SLE-WE-12-SP2-2016-1744=1

   - SUSE Linux Enterprise Workstation Extension 12-SP1:

      zypper in -t patch SUSE-SLE-WE-12-SP1-2016-1744=1

   - SUSE Linux Enterprise Software Development Kit 12-SP2:

      zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1744=1

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1744=1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1744=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1744=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1744=1

   - SUSE Linux Enterprise High Availability 12-SP2:

      zypper in -t patch SUSE-SLE-HA-12-SP2-2016-1744=1

   - SUSE Linux Enterprise High Availability 12-SP1:

      zypper in -t patch SUSE-SLE-HA-12-SP1-2016-1744=1

   - SUSE Linux Enterprise Desktop 12-SP2:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1744=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1744=1

   To bring your system up-to-date, use "zypper patch".
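Because this update moves pcre to a new upstream version, a fleet check that reports hosts still running an older libpcre is worth keeping next to the zypper commands. The script below is an added example, not part of SUSE's advisory: it takes an inventory in the form `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` prints (the inventory here is constructed), compares it against the pcre package versions this update ships, and lists what is still behind. The version comparison approximates rpm's ordering and is an assumption of the example, not rpm's own algorithm.

```shell
#!/bin/sh
# Added example: report installed pcre packages older than the versions
# shipped by SUSE-SU-2016:2971-1. Not SUSE's code.

# Fixed versions taken from the advisory's package list (name version-release).
FIXED='libpcre1 8.39-5.1
libpcre16-0 8.39-5.1
libpcrecpp0 8.39-5.1
libpcreposix0 8.39-5.1
pcre-tools 8.39-5.1'

# Constructed inventory in the shape of
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# Two pcre packages lag behind, one is already current, one is unrelated.
INVENTORY='libpcre1 8.33-3.3.1
libpcre16-0 8.33-3.3.1
libpcrecpp0 8.39-5.1
glibc 2.22-51.6'

# vercmp A B: prints -1, 0 or 1. Approximates rpmvercmp: split both strings on
# non-alphanumerics, compare numeric segments as numbers and other segments as
# strings; a numeric segment sorts after an alphabetic or missing one.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, /[^0-9A-Za-z]+/); nb = split(b, B, /[^0-9A-Za-z]+/)
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] : ""; y = (i <= nb) ? B[i] : ""
      if (x == y) continue
      xn = (x ~ /^[0-9]+$/); yn = (y ~ /^[0-9]+$/)
      if (xn && yn)      { r = (x + 0 < y + 0) ? -1 : 1 }
      else if (xn != yn) { r = xn ? 1 : -1 }
      else               { r = (x < y) ? -1 : 1 }
      print r; exit
    }
    print 0
  }'
}

# missing_patches INVENTORY FIXED: for every inventory package that the
# advisory covers, print "name installed fixed" when installed < fixed.
missing_patches() {
  printf '%s\n' "$1" | while read -r name ver; do
    [ -n "$name" ] || continue
    fixed=$(printf '%s\n' "$2" | awk -v n="$name" '$1 == n { print $2 }')
    [ -n "$fixed" ] || continue        # package not part of this advisory
    if [ "$(vercmp "$ver" "$fixed")" -lt 0 ]; then
      printf '%s %s %s\n' "$name" "$ver" "$fixed"
    fi
  done
}

missing_patches "$INVENTORY" "$FIXED"
```

On a real host, replace INVENTORY with the output of the rpm query shown in the comment; an empty result means every listed package is at or above the advisory's version.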
Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP2 (x86_64):

      libpcrecpp0-32bit-8.39-5.1
      libpcrecpp0-8.39-5.1
      libpcrecpp0-debuginfo-32bit-8.39-5.1
      libpcrecpp0-debuginfo-8.39-5.1
      pcre-debugsource-8.39-5.1

   - SUSE Linux Enterprise Workstation Extension 12-SP1 (x86_64):

      libpcrecpp0-32bit-8.39-5.1
      libpcrecpp0-8.39-5.1
      libpcrecpp0-debuginfo-32bit-8.39-5.1
      libpcrecpp0-debuginfo-8.39-5.1
      pcre-debugsource-8.39-5.1

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):

      libpcrecpp0-8.39-5.1
      libpcrecpp0-debuginfo-8.39-5.1
      libpcreposix0-8.39-5.1
      libpcreposix0-debuginfo-8.39-5.1
      pcre-debugsource-8.39-5.1
      pcre-devel-8.39-5.1
      pcre-devel-static-8.39-5.1
      pcre-tools-8.39-5.1
      pcre-tools-debuginfo-8.39-5.1

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      libpcrecpp0-8.39-5.1
      libpcrecpp0-debuginfo-8.39-5.1
      libpcreposix0-8.39-5.1
      libpcreposix0-debuginfo-8.39-5.1
      pcre-debugsource-8.39-5.1
      pcre-devel-8.39-5.1
      pcre-devel-static-8.39-5.1
      pcre-tools-8.39-5.1
      pcre-tools-debuginfo-8.39-5.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

      libpcre1-8.39-5.1
      libpcre1-debuginfo-8.39-5.1
      libpcre16-0-8.39-5.1
      libpcre16-0-debuginfo-8.39-5.1
      pcre-debugsource-8.39-5.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):

      libpcre1-8.39-5.1
      libpcre1-debuginfo-8.39-5.1
      libpcre16-0-8.39-5.1
      libpcre16-0-debuginfo-8.39-5.1
      pcre-debugsource-8.39-5.1

   - SUSE Linux Enterprise Server 12-SP2 (x86_64):

      libpcre1-32bit-8.39-5.1
      libpcre1-debuginfo-32bit-8.39-5.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      libpcre1-8.39-5.1
      libpcre1-debuginfo-8.39-5.1
      libpcre16-0-8.39-5.1
      libpcre16-0-debuginfo-8.39-5.1
      pcre-debugsource-8.39-5.1

   - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):

      libpcre1-32bit-8.39-5.1
      libpcre1-debuginfo-32bit-8.39-5.1

   - SUSE Linux Enterprise High Availability 12-SP2 (ppc64le s390x x86_64):

      libpcreposix0-8.39-5.1
      libpcreposix0-debuginfo-8.39-5.1
      pcre-debugsource-8.39-5.1

   - SUSE Linux Enterprise High Availability 12-SP1 (ppc64le s390x x86_64):

      libpcreposix0-8.39-5.1
      libpcreposix0-debuginfo-8.39-5.1
      pcre-debugsource-8.39-5.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

      libpcre1-32bit-8.39-5.1
      libpcre1-8.39-5.1
      libpcre1-debuginfo-32bit-8.39-5.1
      libpcre1-debuginfo-8.39-5.1
      libpcre16-0-8.39-5.1
      libpcre16-0-debuginfo-8.39-5.1
      libpcrecpp0-32bit-8.39-5.1
      libpcrecpp0-8.39-5.1
      libpcrecpp0-debuginfo-32bit-8.39-5.1
      libpcrecpp0-debuginfo-8.39-5.1
      pcre-debugsource-8.39-5.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      libpcre1-32bit-8.39-5.1
      libpcre1-8.39-5.1
      libpcre1-debuginfo-32bit-8.39-5.1
      libpcre1-debuginfo-8.39-5.1
      libpcre16-0-8.39-5.1
      libpcre16-0-debuginfo-8.39-5.1
      libpcrecpp0-32bit-8.39-5.1
      libpcrecpp0-8.39-5.1
      libpcrecpp0-debuginfo-32bit-8.39-5.1
      libpcrecpp0-debuginfo-8.39-5.1
      pcre-debugsource-8.39-5.1

References:

   https://www.suse.com/security/cve/CVE-2014-8964.html
   https://www.suse.com/security/cve/CVE-2015-2325.html
   https://www.suse.com/security/cve/CVE-2015-2327.html
   https://www.suse.com/security/cve/CVE-2015-2328.html
   https://www.suse.com/security/cve/CVE-2015-3210.html
   https://www.suse.com/security/cve/CVE-2015-3217.html
   https://www.suse.com/security/cve/CVE-2015-5073.html
   https://www.suse.com/security/cve/CVE-2015-8380.html
   https://www.suse.com/security/cve/CVE-2015-8381.html
   https://www.suse.com/security/cve/CVE-2015-8382.html
   https://www.suse.com/security/cve/CVE-2015-8383.html
   https://www.suse.com/security/cve/CVE-2015-8384.html
   https://www.suse.com/security/cve/CVE-2015-8385.html
   https://www.suse.com/security/cve/CVE-2015-8386.html
   https://www.suse.com/security/cve/CVE-2015-8387.html
   https://www.suse.com/security/cve/CVE-2015-8388.html
   https://www.suse.com/security/cve/CVE-2015-8389.html
   https://www.suse.com/security/cve/CVE-2015-8390.html
   https://www.suse.com/security/cve/CVE-2015-8391.html
   https://www.suse.com/security/cve/CVE-2015-8392.html
   https://www.suse.com/security/cve/CVE-2015-8393.html
   https://www.suse.com/security/cve/CVE-2015-8394.html
   https://www.suse.com/security/cve/CVE-2015-8395.html
   https://www.suse.com/security/cve/CVE-2016-1283.html
   https://www.suse.com/security/cve/CVE-2016-3191.html
   https://bugzilla.suse.com/906574
   https://bugzilla.suse.com/924960
   https://bugzilla.suse.com/933288
   https://bugzilla.suse.com/933878
   https://bugzilla.suse.com/936227
   https://bugzilla.suse.com/942865
   https://bugzilla.suse.com/957566
   https://bugzilla.suse.com/957567
   https://bugzilla.suse.com/957598
   https://bugzilla.suse.com/957600
   https://bugzilla.suse.com/960837
   https://bugzilla.suse.com/971741
   https://bugzilla.suse.com/972127


From sle-security-updates at lists.suse.com  Fri Dec 2 08:11:51 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 2 Dec 2016 16:11:51 +0100 (CET)
Subject: SUSE-SU-2016:2974-1: moderate: Security update for pacemaker
Message-ID: <20161202151151.0F5E0FFC1@maintenance.suse.de>

SUSE Security Update: Security update for pacemaker
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2974-1
Rating:             moderate
References:         #1000743 #1002767 #1003565 #1007433 #1009076 #967388
                    #986644 #987348 #995365
Cross-References:   CVE-2016-7035 CVE-2016-7797
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise High Availability 12-SP1
______________________________________________________________________________

   An update that solves two vulnerabilities and has 7 fixes is now available.
Description:

   This update for pacemaker fixes the following issues:

   - remote: Allow cluster and remote LRM API versions to diverge (bsc#1009076)
   - libcrmcommon: fix CVE-2016-7035 (improper IPC guarding) (bsc#1007433)
   - sysconfig: minor tweaks (typo, wording)
   - spec: more robust check for systemd being in use
   - spec: defines instead of some globals + error suppression
   - various: issues discovered via valgrind and coverity
   - attrd_updater: fix usage of HAVE_ATOMIC_ATTRD
   - crmd: cl#5185 - Record pending operations in the CIB before they are
     performed (bsc#1003565)
   - ClusterMon: fix to avoid matching other process with the same PID
   - mcp: improve comments for sysconfig options
   - remove openssl-devel and libselinux-devel as build dependencies
   - tools: crm_standby --version/--help should work without cluster
   - libpengine: only log startup-fencing warning once
   - pacemaker.service: do not mistakenly suggest killing fenced
   - libcrmcommon: report errors consistently when waiting for data on
     connection (bsc#986644)
   - remote: Correctly calculate the remaining timeouts when receiving
     messages (bsc#986644)
   - libfencing: report added node ID correctly
   - crm_mon: Do not call setenv with null value
   - pengine: Do not fence a maintenance node if it shuts down cleanly
     (bsc#1000743)
   - ping: Avoid temporary files for fping check (bsc#987348)
   - all: clarify licensing and copyrights
   - crmd: Resend the shutdown request if the DC forgets
   - ping: Avoid temp files in fping_check (bsc#987348)
   - crmd: Ensure the R_SHUTDOWN is set whenever we ask the DC to shut us down
   - crmd: clear remote node operation history only when it comes up
   - libcib,libfencing,libtransition: handle memory allocation errors without
     CRM_CHECK()
   - tools: make crm_mon XML schema handle resources with multiple active
   - pengine: set OCF_RESKEY_CRM_meta_notify_active_* for multistate resources
   - pengine: avoid null dereference in new same-node ordering option
   - lrmd,libcluster: ensure g_hash_table_foreach() is never passed a null
     table
   - crmd: don't log warning if abort_unless_down() can't find down event
   - lib: Correction of the deletion of the notice registration.
   - stonithd: Correction of the wrong connection process name.
   - crmd: Keep a state of LRMD in the DC node latest.
   - pengine: avoid transition loop for start-then-stop + unfencing
   - libpengine: allow pe_order_same_node option for constraints
   - cts: Restart systemd-journald with "systemctl restart
     systemd-journald.socket" (bsc#995365)
   - libcrmcommon: properly handle XML comments when comparing v2 patchset
     diffs
   - crmd: don't abort transitions for CIB comment changes
   - libcrmcommon: log XML comments correctly
   - libcrmcommon: remove extraneous format specifier from log message
   - remote: cl#5269 - Notify other clients of a new connection only if the
     handshake has completed (bsc#967388, bsc#1002767, CVE-2016-7797)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1742=1

   - SUSE Linux Enterprise High Availability 12-SP1:

      zypper in -t patch SUSE-SLE-HA-12-SP1-2016-1742=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      libpacemaker-devel-1.1.13-20.1
      pacemaker-cts-1.1.13-20.1
      pacemaker-cts-debuginfo-1.1.13-20.1
      pacemaker-debuginfo-1.1.13-20.1
      pacemaker-debugsource-1.1.13-20.1

   - SUSE Linux Enterprise High Availability 12-SP1 (ppc64le s390x x86_64):

      libpacemaker3-1.1.13-20.1
      libpacemaker3-debuginfo-1.1.13-20.1
      pacemaker-1.1.13-20.1
      pacemaker-cli-1.1.13-20.1
      pacemaker-cli-debuginfo-1.1.13-20.1
      pacemaker-cts-1.1.13-20.1
      pacemaker-cts-debuginfo-1.1.13-20.1
      pacemaker-debuginfo-1.1.13-20.1
      pacemaker-debugsource-1.1.13-20.1
      pacemaker-remote-1.1.13-20.1
      pacemaker-remote-debuginfo-1.1.13-20.1

References:

   https://www.suse.com/security/cve/CVE-2016-7035.html
   https://www.suse.com/security/cve/CVE-2016-7797.html
   https://bugzilla.suse.com/1000743
   https://bugzilla.suse.com/1002767
   https://bugzilla.suse.com/1003565
   https://bugzilla.suse.com/1007433
   https://bugzilla.suse.com/1009076
   https://bugzilla.suse.com/967388
   https://bugzilla.suse.com/986644
   https://bugzilla.suse.com/987348
   https://bugzilla.suse.com/995365


From sle-security-updates at lists.suse.com  Fri Dec 2 08:13:55 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 2 Dec 2016 16:13:55 +0100 (CET)
Subject: SUSE-SU-2016:2975-1: moderate: Security update for php5
Message-ID: <20161202151355.BB7E1FFD1@maintenance.suse.de>

SUSE Security Update: Security update for php5
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2975-1
Rating:             moderate
References:         #1008029 #986247
Cross-References:   CVE-2016-5773 CVE-2016-9137
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP2
                    SUSE Linux Enterprise Workstation Extension 12-SP1
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Module for Web Scripting 12
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for php5 fixes the following issues:

   - CVE-2016-9137: Use After Free in unserialize() (bsc#1008029)
   - CVE-2016-5773: ZipArchive class Use After Free Vulnerability in PHP's GC
     (bsc#986247)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP2:

      zypper in -t patch SUSE-SLE-WE-12-SP2-2016-1740=1

   - SUSE Linux Enterprise Workstation Extension 12-SP1:

      zypper in -t patch SUSE-SLE-WE-12-SP1-2016-1740=1

   - SUSE Linux Enterprise Software Development Kit 12-SP2:

      zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1740=1

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1740=1

   - SUSE Linux Enterprise Module for Web Scripting 12:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2016-1740=1

   - SUSE Linux Enterprise Desktop 12-SP2:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1740=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1740=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP2 (x86_64):

      imap-debuginfo-2007e_suse-22.1
      imap-debugsource-2007e_suse-22.1
      libc-client2007e_suse-2007e_suse-22.1
      libc-client2007e_suse-debuginfo-2007e_suse-22.1

   - SUSE Linux Enterprise Workstation Extension 12-SP1 (x86_64):

      imap-debuginfo-2007e_suse-22.1
      imap-debugsource-2007e_suse-22.1
      libc-client2007e_suse-2007e_suse-22.1
      libc-client2007e_suse-debuginfo-2007e_suse-22.1

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):

      imap-debuginfo-2007e_suse-22.1
      imap-debugsource-2007e_suse-22.1
      imap-devel-2007e_suse-22.1
      libc-client2007e_suse-2007e_suse-22.1
      libc-client2007e_suse-debuginfo-2007e_suse-22.1
      php5-debuginfo-5.5.14-86.2
      php5-debugsource-5.5.14-86.2
      php5-devel-5.5.14-86.2

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      imap-debuginfo-2007e_suse-22.1
      imap-debugsource-2007e_suse-22.1
      imap-devel-2007e_suse-22.1
      libc-client2007e_suse-2007e_suse-22.1
      libc-client2007e_suse-debuginfo-2007e_suse-22.1
      php5-debuginfo-5.5.14-86.2
      php5-debugsource-5.5.14-86.2
      php5-devel-5.5.14-86.2

   - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64):

      apache2-mod_php5-5.5.14-86.2
      apache2-mod_php5-debuginfo-5.5.14-86.2
      libc-client2007e_suse-2007e_suse-22.1
      libc-client2007e_suse-debuginfo-2007e_suse-22.1
      php5-5.5.14-86.2
      php5-bcmath-5.5.14-86.2
      php5-bcmath-debuginfo-5.5.14-86.2
      php5-bz2-5.5.14-86.2
      php5-bz2-debuginfo-5.5.14-86.2
      php5-calendar-5.5.14-86.2
      php5-calendar-debuginfo-5.5.14-86.2
      php5-ctype-5.5.14-86.2
      php5-ctype-debuginfo-5.5.14-86.2
      php5-curl-5.5.14-86.2
      php5-curl-debuginfo-5.5.14-86.2
      php5-dba-5.5.14-86.2
      php5-dba-debuginfo-5.5.14-86.2
      php5-debuginfo-5.5.14-86.2
      php5-debugsource-5.5.14-86.2
      php5-dom-5.5.14-86.2
      php5-dom-debuginfo-5.5.14-86.2
      php5-enchant-5.5.14-86.2
      php5-enchant-debuginfo-5.5.14-86.2
      php5-exif-5.5.14-86.2
      php5-exif-debuginfo-5.5.14-86.2
      php5-fastcgi-5.5.14-86.2
      php5-fastcgi-debuginfo-5.5.14-86.2
      php5-fileinfo-5.5.14-86.2
      php5-fileinfo-debuginfo-5.5.14-86.2
      php5-fpm-5.5.14-86.2
      php5-fpm-debuginfo-5.5.14-86.2
      php5-ftp-5.5.14-86.2
      php5-ftp-debuginfo-5.5.14-86.2
      php5-gd-5.5.14-86.2
      php5-gd-debuginfo-5.5.14-86.2
      php5-gettext-5.5.14-86.2
      php5-gettext-debuginfo-5.5.14-86.2
      php5-gmp-5.5.14-86.2
      php5-gmp-debuginfo-5.5.14-86.2
      php5-iconv-5.5.14-86.2
      php5-iconv-debuginfo-5.5.14-86.2
      php5-imap-5.5.14-86.2
      php5-imap-debuginfo-5.5.14-86.2
      php5-intl-5.5.14-86.2
      php5-intl-debuginfo-5.5.14-86.2
      php5-json-5.5.14-86.2
      php5-json-debuginfo-5.5.14-86.2
      php5-ldap-5.5.14-86.2
      php5-ldap-debuginfo-5.5.14-86.2
      php5-mbstring-5.5.14-86.2
      php5-mbstring-debuginfo-5.5.14-86.2
      php5-mcrypt-5.5.14-86.2
      php5-mcrypt-debuginfo-5.5.14-86.2
      php5-mysql-5.5.14-86.2
      php5-mysql-debuginfo-5.5.14-86.2
      php5-odbc-5.5.14-86.2
      php5-odbc-debuginfo-5.5.14-86.2
      php5-opcache-5.5.14-86.2
      php5-opcache-debuginfo-5.5.14-86.2
      php5-openssl-5.5.14-86.2
      php5-openssl-debuginfo-5.5.14-86.2
      php5-pcntl-5.5.14-86.2
      php5-pcntl-debuginfo-5.5.14-86.2
      php5-pdo-5.5.14-86.2
      php5-pdo-debuginfo-5.5.14-86.2
      php5-pgsql-5.5.14-86.2
      php5-pgsql-debuginfo-5.5.14-86.2
      php5-phar-5.5.14-86.2
      php5-phar-debuginfo-5.5.14-86.2
      php5-posix-5.5.14-86.2
      php5-posix-debuginfo-5.5.14-86.2
      php5-pspell-5.5.14-86.2
      php5-pspell-debuginfo-5.5.14-86.2
      php5-shmop-5.5.14-86.2
      php5-shmop-debuginfo-5.5.14-86.2
      php5-snmp-5.5.14-86.2
      php5-snmp-debuginfo-5.5.14-86.2
      php5-soap-5.5.14-86.2
      php5-soap-debuginfo-5.5.14-86.2
      php5-sockets-5.5.14-86.2
      php5-sockets-debuginfo-5.5.14-86.2
      php5-sqlite-5.5.14-86.2
      php5-sqlite-debuginfo-5.5.14-86.2
      php5-suhosin-5.5.14-86.2
      php5-suhosin-debuginfo-5.5.14-86.2
      php5-sysvmsg-5.5.14-86.2
      php5-sysvmsg-debuginfo-5.5.14-86.2
      php5-sysvsem-5.5.14-86.2
      php5-sysvsem-debuginfo-5.5.14-86.2
      php5-sysvshm-5.5.14-86.2
      php5-sysvshm-debuginfo-5.5.14-86.2
      php5-tokenizer-5.5.14-86.2
      php5-tokenizer-debuginfo-5.5.14-86.2
      php5-wddx-5.5.14-86.2
      php5-wddx-debuginfo-5.5.14-86.2
      php5-xmlreader-5.5.14-86.2
      php5-xmlreader-debuginfo-5.5.14-86.2
      php5-xmlrpc-5.5.14-86.2
      php5-xmlrpc-debuginfo-5.5.14-86.2
      php5-xmlwriter-5.5.14-86.2
      php5-xmlwriter-debuginfo-5.5.14-86.2
      php5-xsl-5.5.14-86.2
      php5-xsl-debuginfo-5.5.14-86.2
      php5-zip-5.5.14-86.2
      php5-zip-debuginfo-5.5.14-86.2
      php5-zlib-5.5.14-86.2
      php5-zlib-debuginfo-5.5.14-86.2

   - SUSE Linux Enterprise Module for Web Scripting 12 (noarch):

      php5-pear-5.5.14-86.2

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

      imap-debuginfo-2007e_suse-22.1
      imap-debugsource-2007e_suse-22.1
      libc-client2007e_suse-2007e_suse-22.1
      libc-client2007e_suse-debuginfo-2007e_suse-22.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      imap-debuginfo-2007e_suse-22.1
      imap-debugsource-2007e_suse-22.1
      libc-client2007e_suse-2007e_suse-22.1
      libc-client2007e_suse-debuginfo-2007e_suse-22.1

References:

   https://www.suse.com/security/cve/CVE-2016-5773.html
   https://www.suse.com/security/cve/CVE-2016-9137.html
   https://bugzilla.suse.com/1008029
   https://bugzilla.suse.com/986247


From sle-security-updates at lists.suse.com  Fri Dec  2 08:14:42 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 2 Dec 2016 16:14:42 +0100 (CET)
Subject: SUSE-SU-2016:2976-1: important: Security update for the Linux Kernel
Message-ID: <20161202151442.15BDBFFC1@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2976-1
Rating:             important
References:         #1000189 #1001419 #1002165 #1003077 #1003344 #1003568
                    #1003677 #1003866 #1003925 #1004517 #1004520 #1005857
                    #1005896 #1005903 #1006917 #1006919 #1007944 #763198
                    #771065 #799133 #803320 #839104 #843236 #860441 #863873
                    #865783 #871728 #907611 #908458 #908684 #909077 #909350
                    #909484 #909618 #909994 #911687 #915183 #920016 #922634
                    #922947 #928138 #929141 #934760 #951392 #956514 #960689
                    #963655 #967716 #968010 #968014 #971975 #971989 #973203
                    #974620 #976867 #977687 #979514 #979595 #979681 #980371
                    #982218 #982783
                    #983535 #983619 #984102 #984194 #984992 #985206 #986337
                    #986362 #986365 #986445 #987565 #988440 #989152 #989261
                    #989764 #989779 #991608 #991665 #991923 #992566 #993127
                    #993890 #993891 #994296 #994436 #994618 #994759 #994926
                    #995968 #996329 #996664 #997708 #998399 #998689 #999584
                    #999600 #999907 #999932
Cross-References:   CVE-2013-4312 CVE-2015-7513 CVE-2015-8956 CVE-2016-0823
                    CVE-2016-3841 CVE-2016-4998 CVE-2016-5696 CVE-2016-6480
                    CVE-2016-6828 CVE-2016-7042 CVE-2016-7097 CVE-2016-7117
                    CVE-2016-7425
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Server 11-EXTRA
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that solves 13 vulnerabilities and has 87 fixes is now available.

Description:

   The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various
   security and bugfixes.

   For the PowerPC64 a new "bigmem" flavor has been added to support big Power
   machines. (FATE#319026)

   The following security bugs were fixed:

   - CVE-2016-7042: The proc_keys_show function in security/keys/proc.c in the
     Linux kernel, when the GNU Compiler Collection (gcc) stack protector is
     enabled, uses an incorrect buffer size for certain timeout data, which
     allowed local users to cause a denial of service (stack memory corruption
     and panic) by reading the /proc/keys file (bnc#1004517).
   - CVE-2016-7097: The filesystem implementation in the Linux kernel preserves
     the setgid bit during a setxattr call, which allowed local users to gain
     group privileges by leveraging the existence of a setgid program with
     restrictions on execute permissions (bnc#995968).
   - CVE-2015-8956: The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c
     in the Linux kernel allowed local users to obtain sensitive information or
     cause a denial of service (NULL pointer dereference) via vectors involving
     a bind system call on a Bluetooth RFCOMM socket (bnc#1003925).
   - CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function
     in net/socket.c in the Linux kernel allowed remote attackers to execute
     arbitrary code via vectors involving a recvmmsg system call that is
     mishandled during error processing (bnc#1003077).
   - CVE-2016-0823: The pagemap_open function in fs/proc/task_mmu.c in the Linux
     kernel allowed local users to obtain sensitive physical-address
     information by reading a pagemap file, aka Android internal bug 25739721
     (bnc#994759).
   - CVE-2016-7425: The arcmsr_iop_message_xfer function in
     drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did not restrict a
     certain length field, which allowed local users to gain privileges or
     cause a denial of service (heap-based buffer overflow) via an
     ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).
   - CVE-2016-3841: The IPv6 stack in the Linux kernel mishandled options data,
     which allowed local users to gain privileges or cause a denial of service
     (use-after-free and system crash) via a crafted sendmsg system call
     (bnc#992566).
   - CVE-2016-6828: The tcp_check_send_head function in include/net/tcp.h in the
     Linux kernel did not properly maintain certain SACK state after a failed
     data copy, which allowed local users to cause a denial of service
     (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted
     SACK option (bnc#994296).
   - CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel did not properly
     determine the rate of challenge ACK segments, which made it easier for
     remote attackers to hijack TCP sessions via a blind in-window attack
     (bnc#989152).
   - CVE-2016-6480: Race condition in the ioctl_send_fib function in
     drivers/scsi/aacraid/commctrl.c in the Linux kernel allowed local users to
     cause a denial of service (out-of-bounds access or system crash) by
     changing a certain size value, aka a "double fetch" vulnerability
     (bnc#991608).
   - CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt implementation in the
     netfilter subsystem in the Linux kernel allowed local users to cause a
     denial of service (out-of-bounds read) or possibly obtain sensitive
     information from kernel heap memory by leveraging in-container root access
     to provide a crafted offset value that leads to crossing a ruleset blob
     boundary (bnc#986365).
   - CVE-2015-7513: arch/x86/kvm/x86.c in the Linux kernel did not reset the PIT
     counter values during state restoration, which allowed guest OS users to
     cause a denial of service (divide-by-zero error and host OS crash) via a
     zero value, related to the kvm_vm_ioctl_set_pit and kvm_vm_ioctl_set_pit2
     functions (bnc#960689).
   - CVE-2013-4312: The Linux kernel allowed local users to bypass
     file-descriptor limits and cause a denial of service (memory consumption)
     by sending each descriptor over a UNIX socket before closing it, related
     to net/unix/af_unix.c and net/unix/garbage.c (bnc#839104 bsc#922947
     bsc#968014).

   The following non-security bugs were fixed:

   - ahci: Order SATA device IDs for codename Lewisburg (fate#319286).
   - ahci: Remove obsolete Intel Lewisburg SATA RAID device IDs (fate#319286).
   - alsa: hda - Add Intel Lewisburg device IDs Audio (fate#319286).
   - arch/powerpc: Remove duplicate/redundant Altivec entries (bsc#967716).
   - avoid dentry crash triggered by NFS (bsc#984194).
   - bigmem: Add switch to configure bigmem patches (bsc#928138,fate#319026).
   - blktap2: eliminate deadlock potential from shutdown path (bsc#909994).
   - blktap2: eliminate race from deferred work queue handling (bsc#911687).
   - bnx2x: fix lockdep splat (bsc#908684 FATE#317539).
   - bonding: always set recv_probe to bond_arp_rcv in arp monitor
     (bsc#977687).
   - bonding: fix bond_arp_rcv setting and arp validate desync state
     (bsc#977687).
   - btrfs: account for non-CoW'd blocks in btrfs_abort_transaction
     (bsc#983619).
   - btrfs: ensure that file descriptor used with subvol ioctls is a dir
     (bsc#999600).
   - cdc-acm: added sanity checking for probe() (bsc#993891).
   - config.conf: add bigmem flavour on ppc64
   - cpumask, nodemask: implement cpumask/nodemask_pr_args() (bnc#1003866).
   - cxgb4: Set VPD size so we can read both VPD structures (bsc#976867).
   - dm space map metadata: fix sm_bootstrap_get_nr_blocks() (FATE#313903).
   - dm thin: fix race condition when destroying thin pool workqueue
     (FATE#313903).
   - drivers: hv: vmbus: avoid scheduling in interrupt context in
     vmbus_initiate_unload() (bnc#986337).
   - drivers: hv: vmbus: avoid wait_for_completion() on crash (bnc#986337).
   - drivers: hv: vmbus: do not lose HVMSG_TIMER_EXPIRED messages (bnc#986337).
   - drivers: hv: vmbus: do not send CHANNELMSG_UNLOAD on pre-Win2012R2 hosts
     (bnc#986337).
   - drivers: hv: vmbus: handle various crash scenarios (bnc#986337).
   - drivers: hv: vmbus: remove code duplication in message handling
     (bnc#986337).
   - drivers: hv: vss: run only on supported host versions (bnc#986337).
   - fs/cifs: cifs_get_root shouldn't use path with tree name (bsc#963655,
     bsc#979681).
   - fs/cifs: Compare prepaths when comparing superblocks (bsc#799133).
   - fs/cifs: Fix memory leaks in cifs_do_mount() (bsc#799133).
   - fs/cifs: Fix regression which breaks DFS mounting (bsc#799133).
   - fs/cifs: fix wrongly prefixed path to root (bsc#963655, bsc#979681)
   - fs/cifs: make share unaccessible at root level mountable (bsc#799133).
   - fs/cifs: Move check for prefix path to within cifs_get_root()
     (bsc#799133).
   - fs/select: add vmalloc fallback for select(2) (bsc#1000189).
   - hv: do not lose pending heartbeat vmbus packets (bnc#1006919).
   - i2c: i801: add Intel Lewisburg device IDs (fate#319286).
   - i40e: fix an uninitialized variable bug (bsc#909484 FATE#317397).
   - include/linux/mmdebug.h: should include linux/bug.h (bnc#971975 VM
     performance -- git fixes).
   - increase CONFIG_NR_IRQS 512 -> 2048; a reported irq error with multiple
     nvme and tg3 devices in the same machine is resolved by increasing
     CONFIG_NR_IRQS (bsc#998399)
   - introduce SIZE_MAX (bsc#1000189).
   - ipv6: replacing a rt6_info needs to purge possible propagated rt6_infos
     too (bsc#865783).
   - kabi: Import kabi files from 3.0.101-80
   - kabi-fix for flock_owner addition (bsc#998689).
   - kabi, unix: properly account for FDs passed over unix sockets
     (bnc#839104).
   - kaweth: fix firmware download (bsc#993890).
   - kaweth: fix oops upon failed memory allocation (bsc#993890).
   - kvm: x86: only channel 0 of the i8254 is linked to the HPET (bsc#960689).
   - kvm: x86: SYSENTER emulation is broken (bsc#994618).
   - libata: support the ata host which implements a queue depth less than 32
     (bsc#871728)
   - libfc: sanity check cpu number extracted from xid (bsc#988440).
   - lib/vsprintf: implement bitmap printing through '%*pb[l]' (bnc#1003866).
   - lpfc: call lpfc_sli_validate_fcp_iocb() with the hbalock held
     (bsc#951392).
   - bigmem: make bigmem patches configurable (bsc#928138,fate#319026).
   - md: check command validity early in md_ioctl() (bsc#1004520).
   - md: Drop sending a change uevent when stopping (bsc#1003568).
   - md: fix problem when adding device to read-only array with bitmap
     (bnc#771065).
   - md: lockless I/O submission for RAID1 (bsc#982783).
   - md/raid10: always set reshape_safe when initializing reshape_position
     (fate#311379).
   - md/raid10: Fix memory leak when raid10 reshape completes (fate#311379).
   - mm: fix sleeping function warning from __put_anon_vma (bnc#1005857).
   - mm/memory.c: actually remap enough memory (bnc#1005903).
   - mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED
     (VM Functionality, bnc#986445).
   - mm, vmscan: Do not wait for page writeback for GFP_NOFS allocations
     (bnc#763198).
   - Move patches that create ppc64-bigmem to the powerpc section. Add
     comments that outline the procedure and warn the unsuspecting.
   - move the call of __d_drop(anon) into __d_materialise_unique(dentry, anon)
     (bsc#984194).
   - mpt2sas, mpt3sas: Fix panic when aer correct error occurred
     (bsc#997708).
   - mshyperv: fix recognition of Hyper-V guest crash MSRs (bnc#986337).
   - net: add pfmemalloc check in sk_add_backlog() (bnc#920016).
   - netback: fix flipping mode (bsc#996664).
   - netfilter: ipv4: defrag: set local_df flag on defragmented skb
     (bsc#907611).
   - netvsc: fix incorrect receive checksum offloading (bnc#1006917).
   - nfs4: reset states to use open_stateid when returning delegation
     voluntarily (bsc#1007944).
   - nfs: Do not disconnect open-owner on NFS4ERR_BAD_SEQID (bsc#989261).
   - nfs: Do not drop directory dentry which is in use (bsc#993127).
   - nfs: Do not write enable new pages while an invalidation is proceeding
     (bsc#999584).
   - nfs: Fix an LOCK/OPEN race when unlinking an open file (bsc#956514).
   - nfs: Fix a regression in the read() syscall (bsc#999584).
   - nfs: Fix races in nfs_revalidate_mapping (bsc#999584).
   - nfs: fix the handling of NFS_INO_INVALID_DATA flag in
     nfs_revalidate_mapping (bsc#999584).
   - nfs: Fix writeback performance issue on cache invalidation (bsc#999584).
   - nfs: Refresh open-owner id when server says SEQID is bad (bsc#989261).
   - nfsv4.1: Fix an NFSv4.1 state renewal regression (bnc#863873).
   - nfsv4: add flock_owner to open context (bnc#998689).
   - nfsv4: change nfs4_do_setattr to take an open_context instead of a
     nfs4_state (bnc#998689).
   - nfsv4: change nfs4_select_rw_stateid to take a lock_context in place of
     lock_owner (bnc#998689).
   - nfsv4: do not check MAY_WRITE access bit in OPEN (bsc#985206).
   - nfsv4: enhance nfs4_copy_lock_stateid to use a flock stateid if there is
     one (bnc#998689).
   - nfsv4: fix broken patch relating to v4 read delegations (bsc#956514,
     bsc#989261, bsc#979595).
   - nfsv4: Fix range checking in __nfs4_get_acl_uncached and
     __nfs4_proc_set_acl (bsc#982218).
   - oom: print nodemask in the oom report (bnc#1003866).
   - pci: Add pci_set_vpd_size() to set VPD size (bsc#976867).
   - pciback: fix conf_space read/write overlap check.
   - pciback: return proper values during BAR sizing.
   - pci_ids: Add PCI device ID functions 3 and 4 for newer F15h models
     (fate#321400).
   - pm / hibernate: Fix rtree_next_node() to avoid walking off list ends
     (bnc#860441).
   - powerpc/64: Fix incorrect return value from __copy_tofrom_user
     (bsc#1005896).
   - powerpc: Add ability to build little endian kernels (bsc#967716).
   - powerpc: add kernel parameter iommu_alloc_quiet (bsc#994926).
   - powerpc: Avoid load of static chain register when calling nested
     functions through a pointer on 64bit (bsc#967716).
   - powerpc: blacklist fixes for unsupported subarchitectures
       ppc32 only:
         6e0fdf9af216 powerpc: fix typo 'CONFIG_PMAC'
       obscure hardware:
         f7e9e3583625 powerpc: Fix missing L2 cache size in
         /sys/devices/system/cpu
   - powerpc: Build fix for powerpc KVM (bsc#928138,fate#319026).
   - powerpc: Do not build assembly files with ABIv2 (bsc#967716).
   - powerpc: Do not use ELFv2 ABI to build the kernel (bsc#967716).
   - powerpc: dtc is required to build dtb files (bsc#967716).
   - powerpc: Fix 64 bit builds with binutils 2.24 (bsc#967716).
   - powerpc: Fix error when cross building TAGS & cscope (bsc#967716).
   - powerpc: Make the vdso32 also build big-endian (bsc#967716).
   - powerpc: Make VSID_BITS* dependency explicit (bsc#928138,fate#319026).
   - powerpc/mm: Add 64TB support (bsc#928138,fate#319026).
   - powerpc/mm: Change the swap encoding in pte (bsc#973203).
   - powerpc/mm: Convert virtual address to vpn (bsc#928138,fate#319026).
   - powerpc/mm: Fix hash computation function (bsc#928138,fate#319026).
   - powerpc/mm: Increase the slice range to 64TB (bsc#928138,fate#319026).
   - powerpc/mm: Make KERN_VIRT_SIZE not dependent on PGTABLE_RANGE
     (bsc#928138,fate#319026).
   - powerpc/mm: Make some of the PGTABLE_RANGE dependency explicit
     (bsc#928138,fate#319026).
   - powerpc/mm: Replace open coded CONTEXT_BITS value
     (bsc#928138,fate#319026).
   - powerpc/mm: Simplify hpte_decode (bsc#928138,fate#319026).
   - powerpc/mm: Update VSID allocation documentation
     (bsc#928138,fate#319026).
   - powerpc/mm: Use 32bit array for slb cache (bsc#928138,fate#319026).
   - powerpc/mm: Use hpt_va to compute virtual address
     (bsc#928138,fate#319026).
   - powerpc/mm: Use the required number of VSID bits in slbmte
     (bsc#928138,fate#319026).
   - powerpc: Move kdump default base address to half RMO size on 64bit
     (bsc#1003344).
   - powerpc: Remove altivec fix for gcc versions before 4.0 (bsc#967716).
   - powerpc: Remove buggy 9-year-old test for binutils < 2.12.1
     (bsc#967716).
   - powerpc: Rename USER_ESID_BITS* to ESID_BITS* (bsc#928138,fate#319026).
   - powerpc: Require gcc 4.0 on 64-bit (bsc#967716).
   - powerpc: Update kernel VSID range (bsc#928138,fate#319026).
   - ppp: defer netns reference release for ppp channel (bsc#980371).
   - qlcnic: fix a timeout loop (bsc#909350 FATE#317546)
   - random32: add prandom_u32_max (bsc#989152).
   - remove problematic preprocessor constructs (bsc#928138,fate#319026).
   - REVERT fs/cifs: fix wrongly prefixed path to root (bsc#963655,
     bsc#979681)
   - rpm/constraints.in: Bump x86 disk space requirement to 20GB. Clamav
     tends to run out of space nowadays.
   - rpm/package-descriptions: add -bigmem description
   - s390/cio: fix accidental interrupt enabling during resume (bnc#1003677,
     LTC#147606).
   - s390/dasd: fix hanging device after clear subchannel (bnc#994436,
     LTC#144640).
   - s390/time: LPAR offset handling (bnc#1003677, LTC#146920).
   - s390/time: move PTFF definitions (bnc#1003677, LTC#146920).
   - sata: Adding Intel Lewisburg device IDs for SATA (fate#319286).
   - sched/core: Fix an SMP ordering race in try_to_wake_up() vs. schedule()
     (bnc#1001419).
   - sched/core: Fix a race between try_to_wake_up() and a woken up task
     (bnc#1002165).
   - sched: Fix possible divide by zero in avg_atom() calculation
     (bsc#996329).
   - scripts/bigmem-generate-ifdef-guard: auto-regen
     patches.suse/ppc64-bigmem-introduce-CONFIG_BIGMEM
   - scripts/bigmem-generate-ifdef-guard: Include this script to regenerate
     patches.suse/ppc64-bigmem-introduce-CONFIG_BIGMEM
   - scripts/bigmem-generate-ifdef-guard: make executable
   - scsi_dh_rdac: retry inquiry for UNIT ATTENTION (bsc#934760).
   - scsi: do not print 'reservation conflict' for TEST UNIT READY
     (bsc#984102).
   - scsi: ibmvfc: add FC Class 3 Error Recovery support (bsc#984992).
   - scsi: ibmvfc: Fix I/O hang when port is not mapped (bsc#971989)
   - scsi: ibmvfc: Set READ FCP_XFER_READY DISABLED bit in PRLI (bsc#984992).
   - scsi_scan: Send TEST UNIT READY to LUN0 before LUN scanning
     (bnc#843236,bsc#989779).
   - scsi: zfcp: spin_lock_irqsave() is not nestable (bsc#1003677,LTC#147374).
   - Set CONFIG_DEBUG_INFO=y and CONFIG_DEBUG_INFO_REDUCED=n on all platforms.
     The specfile adjusts the config if necessary, but a new version of
     run_oldconfig.sh requires the settings to be present in the repository.
   - sfc: on MC reset, clear PIO buffer linkage in TXQs (bsc#909618
     FATE#317521).
   - sort hyperv patches properly in series.conf
   - sunrpc/cache: drop reference when sunrpc_cache_pipe_upcall() detects a
     race (bnc#803320).
   - tg3: Avoid NULL pointer dereference in tg3_io_error_detected()
     (bsc#908458 FATE#317507).
   - tmpfs: change final i_blocks BUG to WARNING (bsc#991923).
   - tty: Signal SIGHUP before hanging up ldisc (bnc#989764).
   - Update patches.xen/xen3-auto-arch-x86.diff (bsc#929141, a.o.).
   - usb: fix typo in wMaxPacketSize validation (bsc#991665).
   - usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices
     (bsc#922634).
   - usb: hub: Fix unbalanced reference count/memory leak/deadlocks
     (bsc#968010).
   - usb: validate wMaxPacketValue entries in endpoint descriptors
     (bnc#991665).
   - vlan: do not deliver frames for unknown vlans to protocols (bsc#979514).
   - vlan: mask vlan prio bits (bsc#979514).
   - vmxnet3: Wake queue from reset work (bsc#999907).
   - x86, amd_nb: Clarify F15h, model 30h GART and L3 support (fate#321400).
   - x86/asm/traps: Disable tracing and kprobes in fixup_bad_iret and
     sync_regs (bsc#909077).
   - x86/cpu/amd: Set X86_FEATURE_EXTD_APICID for future processors
     (fate#321400).
   - x86/gart: Check for GART support before accessing GART registers
     (fate#321400).
   - x86/MCE/intel: Cleanup CMCI storm logic (bsc#929141).
   - xenbus: inspect the correct type in xenbus_dev_request_and_reply().
   - xen: x86/mm/pat, /dev/mem: Remove superfluous error message
     (bsc#974620).
   - xfs: Avoid grabbing ilock when file size is not changed (bsc#983535).
   - xfs: Silence warnings in xfs_vm_releasepage() (bnc#915183 bsc#987565).
   - zfcp: close window with unblocked rport during rport gone (bnc#1003677,
     LTC#144310).
   - zfcp: fix D_ID field with actual value on tracing SAN responses
     (bnc#1003677, LTC#144312).
   - zfcp: fix ELS/GS request&response length for hardware data router
     (bnc#1003677, LTC#144308).
   - zfcp: fix payload trace length for SAN request&response (bnc#1003677,
     LTC#144312).
   - zfcp: restore: Don't use 0 to indicate invalid LUN in rec trace
     (bnc#1003677, LTC#144312).
   - zfcp: restore tracing of handle for port and LUN with HBA records
     (bnc#1003677, LTC#144312).
   - zfcp: retain trace level for SCSI and HBA FSF response records
     (bnc#1003677, LTC#144312).
   - zfcp: trace full payload of all SAN records (req,resp,iels)
     (bnc#1003677, LTC#144312).
   - zfcp: trace on request for open and close of WKA port (bnc#1003677,
     LTC#144312).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-kernel-12869=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-kernel-12869=1

   - SUSE Linux Enterprise Server 11-EXTRA:

      zypper in -t patch slexsp3-kernel-12869=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-kernel-12869=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (noarch):

      kernel-docs-3.0.101-88.3

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      kernel-default-3.0.101-88.1
      kernel-default-base-3.0.101-88.1
      kernel-default-devel-3.0.101-88.1
      kernel-source-3.0.101-88.1
      kernel-syms-3.0.101-88.1
      kernel-trace-3.0.101-88.1
      kernel-trace-base-3.0.101-88.1
      kernel-trace-devel-3.0.101-88.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 x86_64):

      kernel-ec2-3.0.101-88.1
      kernel-ec2-base-3.0.101-88.1
      kernel-ec2-devel-3.0.101-88.1
      kernel-xen-3.0.101-88.1
      kernel-xen-base-3.0.101-88.1
      kernel-xen-devel-3.0.101-88.1

   - SUSE Linux Enterprise Server 11-SP4 (s390x):

      kernel-default-man-3.0.101-88.1

   - SUSE Linux Enterprise Server 11-SP4 (ppc64):

      kernel-bigmem-3.0.101-88.1
      kernel-bigmem-base-3.0.101-88.1
      kernel-bigmem-devel-3.0.101-88.1
      kernel-ppc64-3.0.101-88.1
      kernel-ppc64-base-3.0.101-88.1
      kernel-ppc64-devel-3.0.101-88.1

   - SUSE Linux Enterprise Server 11-SP4 (i586):

      kernel-pae-3.0.101-88.1
      kernel-pae-base-3.0.101-88.1
      kernel-pae-devel-3.0.101-88.1

   - SUSE Linux Enterprise Server 11-EXTRA (i586 ia64 ppc64 s390x x86_64):

      kernel-default-extra-3.0.101-88.1

   - SUSE Linux Enterprise Server 11-EXTRA (i586 x86_64):

      kernel-xen-extra-3.0.101-88.1

   - SUSE Linux Enterprise Server 11-EXTRA (x86_64):

      kernel-trace-extra-3.0.101-88.1

   - SUSE Linux Enterprise Server 11-EXTRA (ppc64):

      kernel-ppc64-extra-3.0.101-88.1

   - SUSE Linux Enterprise Server 11-EXTRA (i586):

      kernel-pae-extra-3.0.101-88.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      kernel-default-debuginfo-3.0.101-88.1
      kernel-default-debugsource-3.0.101-88.1
      kernel-trace-debuginfo-3.0.101-88.1
      kernel-trace-debugsource-3.0.101-88.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 s390x x86_64):

      kernel-default-devel-debuginfo-3.0.101-88.1
      kernel-trace-devel-debuginfo-3.0.101-88.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 x86_64):

      kernel-ec2-debuginfo-3.0.101-88.1
      kernel-ec2-debugsource-3.0.101-88.1
      kernel-xen-debuginfo-3.0.101-88.1
      kernel-xen-debugsource-3.0.101-88.1
      kernel-xen-devel-debuginfo-3.0.101-88.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64):

      kernel-bigmem-debuginfo-3.0.101-88.1
      kernel-bigmem-debugsource-3.0.101-88.1
      kernel-ppc64-debuginfo-3.0.101-88.1
      kernel-ppc64-debugsource-3.0.101-88.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586):

      kernel-pae-debuginfo-3.0.101-88.1
      kernel-pae-debugsource-3.0.101-88.1
      kernel-pae-devel-debuginfo-3.0.101-88.1

References:

   https://www.suse.com/security/cve/CVE-2013-4312.html
   https://www.suse.com/security/cve/CVE-2015-7513.html
   https://www.suse.com/security/cve/CVE-2015-8956.html
   https://www.suse.com/security/cve/CVE-2016-0823.html
   https://www.suse.com/security/cve/CVE-2016-3841.html
   https://www.suse.com/security/cve/CVE-2016-4998.html
   https://www.suse.com/security/cve/CVE-2016-5696.html
   https://www.suse.com/security/cve/CVE-2016-6480.html
   https://www.suse.com/security/cve/CVE-2016-6828.html
   https://www.suse.com/security/cve/CVE-2016-7042.html
   https://www.suse.com/security/cve/CVE-2016-7097.html
   https://www.suse.com/security/cve/CVE-2016-7117.html
   https://www.suse.com/security/cve/CVE-2016-7425.html
   https://bugzilla.suse.com/1000189
   https://bugzilla.suse.com/1001419
   https://bugzilla.suse.com/1002165
   https://bugzilla.suse.com/1003077
   https://bugzilla.suse.com/1003344
   https://bugzilla.suse.com/1003568
   https://bugzilla.suse.com/1003677
   https://bugzilla.suse.com/1003866
   https://bugzilla.suse.com/1003925
   https://bugzilla.suse.com/1004517
   https://bugzilla.suse.com/1004520
   https://bugzilla.suse.com/1005857
   https://bugzilla.suse.com/1005896
   https://bugzilla.suse.com/1005903
   https://bugzilla.suse.com/1006917
   https://bugzilla.suse.com/1006919
   https://bugzilla.suse.com/1007944
   https://bugzilla.suse.com/763198
   https://bugzilla.suse.com/771065
   https://bugzilla.suse.com/799133
   https://bugzilla.suse.com/803320
   https://bugzilla.suse.com/839104
   https://bugzilla.suse.com/843236
   https://bugzilla.suse.com/860441
   https://bugzilla.suse.com/863873
   https://bugzilla.suse.com/865783
   https://bugzilla.suse.com/871728
   https://bugzilla.suse.com/907611
   https://bugzilla.suse.com/908458
   https://bugzilla.suse.com/908684
   https://bugzilla.suse.com/909077
   https://bugzilla.suse.com/909350
   https://bugzilla.suse.com/909484
   https://bugzilla.suse.com/909618
   https://bugzilla.suse.com/909994
   https://bugzilla.suse.com/911687
   https://bugzilla.suse.com/915183
   https://bugzilla.suse.com/920016
   https://bugzilla.suse.com/922634
   https://bugzilla.suse.com/922947
   https://bugzilla.suse.com/928138
   https://bugzilla.suse.com/929141
   https://bugzilla.suse.com/934760
   https://bugzilla.suse.com/951392
   https://bugzilla.suse.com/956514
   https://bugzilla.suse.com/960689
   https://bugzilla.suse.com/963655
   https://bugzilla.suse.com/967716
   https://bugzilla.suse.com/968010
   https://bugzilla.suse.com/968014
   https://bugzilla.suse.com/971975
   https://bugzilla.suse.com/971989
   https://bugzilla.suse.com/973203
   https://bugzilla.suse.com/974620
   https://bugzilla.suse.com/976867
   https://bugzilla.suse.com/977687
   https://bugzilla.suse.com/979514
   https://bugzilla.suse.com/979595
   https://bugzilla.suse.com/979681
   https://bugzilla.suse.com/980371
   https://bugzilla.suse.com/982218
   https://bugzilla.suse.com/982783
   https://bugzilla.suse.com/983535
   https://bugzilla.suse.com/983619
   https://bugzilla.suse.com/984102
   https://bugzilla.suse.com/984194
   https://bugzilla.suse.com/984992
   https://bugzilla.suse.com/985206
   https://bugzilla.suse.com/986337
   https://bugzilla.suse.com/986362
   https://bugzilla.suse.com/986365
   https://bugzilla.suse.com/986445
   https://bugzilla.suse.com/987565
   https://bugzilla.suse.com/988440
   https://bugzilla.suse.com/989152
   https://bugzilla.suse.com/989261
   https://bugzilla.suse.com/989764
   https://bugzilla.suse.com/989779
   https://bugzilla.suse.com/991608
   https://bugzilla.suse.com/991665
   https://bugzilla.suse.com/991923
   https://bugzilla.suse.com/992566
   https://bugzilla.suse.com/993127
   https://bugzilla.suse.com/993890
   https://bugzilla.suse.com/993891
   https://bugzilla.suse.com/994296
   https://bugzilla.suse.com/994436
   https://bugzilla.suse.com/994618
   https://bugzilla.suse.com/994759
   https://bugzilla.suse.com/994926
   https://bugzilla.suse.com/995968
   https://bugzilla.suse.com/996329
   https://bugzilla.suse.com/996664
   https://bugzilla.suse.com/997708
   https://bugzilla.suse.com/998399
   https://bugzilla.suse.com/998689
   https://bugzilla.suse.com/999584
   https://bugzilla.suse.com/999600
   https://bugzilla.suse.com/999907
   https://bugzilla.suse.com/999932


From sle-security-updates at lists.suse.com Fri Dec 2 13:06:54 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 2 Dec 2016 21:06:54 +0100 (CET)
Subject: SUSE-SU-2016:2988-1: important: Security update for qemu
Message-ID: <20161202200654.EFEC8FFC5@maintenance.suse.de>

   SUSE Security Update: Security update for qemu
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2988-1
Rating:             important
References:         #1000345 #1001151 #1002116 #1002550 #1002557 #1003878
                    #1003893 #1003894 #1004702 #1004707 #1006536 #1006538
                    #1007391 #1007450 #1007454 #1007493 #1007494 #1007495
                    #996524 #998516 #999661
Cross-References:   CVE-2016-7161 CVE-2016-7170 CVE-2016-7421 CVE-2016-7466
                    CVE-2016-7908 CVE-2016-7909 CVE-2016-8576 CVE-2016-8577
                    CVE-2016-8578 CVE-2016-8667 CVE-2016-8669 CVE-2016-8909
                    CVE-2016-8910 CVE-2016-9101 CVE-2016-9102 CVE-2016-9103
                    CVE-2016-9104 CVE-2016-9105 CVE-2016-9106
Affected Products:
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that solves 19 vulnerabilities and has two fixes is now available.

Description:

   This update for qemu fixes the following issues:

   - Patch queue updated from https://gitlab.suse.de/virtualization/qemu.git SLE12-SP1
   - Change package post script udevadm trigger calls to be device specific (bsc#1002116)
   - Address various security/stability issues
     * Fix OOB access in xlnx.xps-ethernetlite emulation (CVE-2016-7161 bsc#1001151)
     * Fix OOB access in VMware SVGA emulation (CVE-2016-7170 bsc#998516)
     * Fix DoS in USB xHCI emulation (CVE-2016-7466 bsc#1000345)
     * Fix DoS in VMware PVSCSI interface (CVE-2016-7421 bsc#999661)
     * Fix DoS in ColdFire Fast Ethernet Controller emulation (CVE-2016-7908 bsc#1002550)
     * Fix DoS in USB xHCI emulation (CVE-2016-8576 bsc#1003878)
     * Fix DoS in virtio-9pfs (CVE-2016-8578 bsc#1003894)
     * Fix DoS in virtio-9pfs (CVE-2016-9105 bsc#1007494)
     * Fix DoS in virtio-9pfs (CVE-2016-8577 bsc#1003893)
     * Plug data leak in virtio-9pfs interface (CVE-2016-9103 bsc#1007454)
     * Fix DoS in virtio-9pfs interface (CVE-2016-9102 bsc#1007450)
     * Fix DoS in virtio-9pfs (CVE-2016-9106 bsc#1007495)
     * Fix DoS in 16550A UART emulation (CVE-2016-8669 bsc#1004707)
     * Fix DoS in PC-Net II emulation (CVE-2016-7909 bsc#1002557)
     * Fix DoS in PRO100 emulation (CVE-2016-9101 bsc#1007391)
     * Fix DoS in RTL8139 emulation (CVE-2016-8910 bsc#1006538)
     * Fix DoS in Intel HDA controller emulation (CVE-2016-8909 bsc#1006536)
     * Fix DoS in virtio-9pfs (CVE-2016-9104 bsc#1007493)
     * Fix DoS in JAZZ RC4030 emulation (CVE-2016-8667 bsc#1004702)
   - Fix case of disk corruption with migration due to improper internal state tracking (bsc#996524)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1748=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1748=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      qemu-2.3.1-24.6 qemu-block-curl-2.3.1-24.6 qemu-block-curl-debuginfo-2.3.1-24.6
      qemu-debugsource-2.3.1-24.6 qemu-guest-agent-2.3.1-24.6
      qemu-guest-agent-debuginfo-2.3.1-24.6 qemu-lang-2.3.1-24.6 qemu-tools-2.3.1-24.6
      qemu-tools-debuginfo-2.3.1-24.6

   - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):

      qemu-kvm-2.3.1-24.6

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le):

      qemu-ppc-2.3.1-24.6 qemu-ppc-debuginfo-2.3.1-24.6

   - SUSE Linux Enterprise Server 12-SP1 (x86_64):

      qemu-block-rbd-2.3.1-24.6 qemu-block-rbd-debuginfo-2.3.1-24.6 qemu-x86-2.3.1-24.6

   - SUSE Linux Enterprise Server 12-SP1 (noarch):

      qemu-ipxe-1.0.0-24.6 qemu-seabios-1.8.1-24.6 qemu-sgabios-8-24.6 qemu-vgabios-1.8.1-24.6

   - SUSE Linux Enterprise Server 12-SP1 (s390x):

      qemu-s390-2.3.1-24.6 qemu-s390-debuginfo-2.3.1-24.6

   - SUSE Linux Enterprise Desktop 12-SP1 (noarch):

      qemu-ipxe-1.0.0-24.6 qemu-seabios-1.8.1-24.6 qemu-sgabios-8-24.6 qemu-vgabios-1.8.1-24.6

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      qemu-2.3.1-24.6 qemu-block-curl-2.3.1-24.6 qemu-block-curl-debuginfo-2.3.1-24.6
      qemu-debugsource-2.3.1-24.6 qemu-kvm-2.3.1-24.6 qemu-tools-2.3.1-24.6
      qemu-tools-debuginfo-2.3.1-24.6 qemu-x86-2.3.1-24.6

References:

   https://www.suse.com/security/cve/CVE-2016-7161.html
   https://www.suse.com/security/cve/CVE-2016-7170.html
   https://www.suse.com/security/cve/CVE-2016-7421.html
   https://www.suse.com/security/cve/CVE-2016-7466.html
   https://www.suse.com/security/cve/CVE-2016-7908.html
   https://www.suse.com/security/cve/CVE-2016-7909.html
   https://www.suse.com/security/cve/CVE-2016-8576.html
   https://www.suse.com/security/cve/CVE-2016-8577.html
   https://www.suse.com/security/cve/CVE-2016-8578.html
   https://www.suse.com/security/cve/CVE-2016-8667.html
   https://www.suse.com/security/cve/CVE-2016-8669.html
   https://www.suse.com/security/cve/CVE-2016-8909.html
   https://www.suse.com/security/cve/CVE-2016-8910.html
   https://www.suse.com/security/cve/CVE-2016-9101.html
   https://www.suse.com/security/cve/CVE-2016-9102.html
   https://www.suse.com/security/cve/CVE-2016-9103.html
   https://www.suse.com/security/cve/CVE-2016-9104.html
   https://www.suse.com/security/cve/CVE-2016-9105.html
   https://www.suse.com/security/cve/CVE-2016-9106.html
   https://bugzilla.suse.com/1000345
   https://bugzilla.suse.com/1001151
   https://bugzilla.suse.com/1002116
   https://bugzilla.suse.com/1002550
   https://bugzilla.suse.com/1002557
   https://bugzilla.suse.com/1003878
   https://bugzilla.suse.com/1003893
   https://bugzilla.suse.com/1003894
   https://bugzilla.suse.com/1004702
   https://bugzilla.suse.com/1004707
   https://bugzilla.suse.com/1006536
   https://bugzilla.suse.com/1006538
   https://bugzilla.suse.com/1007391
   https://bugzilla.suse.com/1007450
   https://bugzilla.suse.com/1007454
   https://bugzilla.suse.com/1007493
   https://bugzilla.suse.com/1007494
   https://bugzilla.suse.com/1007495
   https://bugzilla.suse.com/996524
   https://bugzilla.suse.com/998516
   https://bugzilla.suse.com/999661


From sle-security-updates at lists.suse.com Mon Dec 5 05:07:26 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 5 Dec 2016 13:07:26 +0100 (CET)
Subject: SUSE-SU-2016:3001-1: moderate: Security update for libX11
Message-ID: <20161205120726.3DFC2FFC5@maintenance.suse.de>

   SUSE Security Update: Security update for libX11
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3001-1
Rating:             moderate
References:         #1002991
Cross-References:   CVE-2016-7942
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   libX11 was updated to fix a memory leak that was introduced with the
   security fix for CVE-2016-7942.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP2:

      zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1749=1

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1749=1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1749=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1749=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1749=1

   - SUSE Linux Enterprise Desktop 12-SP2:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1749=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1749=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):

      libX11-debugsource-1.6.2-11.1 libX11-devel-1.6.2-11.1

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      libX11-debugsource-1.6.2-11.1 libX11-devel-1.6.2-11.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

      libX11-6-1.6.2-11.1 libX11-6-debuginfo-1.6.2-11.1 libX11-debugsource-1.6.2-11.1
      libX11-xcb1-1.6.2-11.1 libX11-xcb1-debuginfo-1.6.2-11.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (noarch):

      libX11-data-1.6.2-11.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):

      libX11-6-1.6.2-11.1 libX11-6-debuginfo-1.6.2-11.1 libX11-debugsource-1.6.2-11.1
      libX11-xcb1-1.6.2-11.1 libX11-xcb1-debuginfo-1.6.2-11.1

   - SUSE Linux Enterprise Server 12-SP2 (x86_64):

      libX11-6-32bit-1.6.2-11.1 libX11-6-debuginfo-32bit-1.6.2-11.1
      libX11-xcb1-32bit-1.6.2-11.1 libX11-xcb1-debuginfo-32bit-1.6.2-11.1

   - SUSE Linux Enterprise Server 12-SP2 (noarch):

      libX11-data-1.6.2-11.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      libX11-6-1.6.2-11.1 libX11-6-debuginfo-1.6.2-11.1 libX11-debugsource-1.6.2-11.1
      libX11-xcb1-1.6.2-11.1 libX11-xcb1-debuginfo-1.6.2-11.1

   - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):

      libX11-6-32bit-1.6.2-11.1 libX11-6-debuginfo-32bit-1.6.2-11.1
      libX11-xcb1-32bit-1.6.2-11.1 libX11-xcb1-debuginfo-32bit-1.6.2-11.1

   - SUSE Linux Enterprise Server 12-SP1 (noarch):

      libX11-data-1.6.2-11.1

   - SUSE Linux Enterprise Desktop 12-SP2 (noarch):

      libX11-data-1.6.2-11.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

      libX11-6-1.6.2-11.1 libX11-6-32bit-1.6.2-11.1 libX11-6-debuginfo-1.6.2-11.1
      libX11-6-debuginfo-32bit-1.6.2-11.1 libX11-debugsource-1.6.2-11.1
      libX11-xcb1-1.6.2-11.1 libX11-xcb1-32bit-1.6.2-11.1 libX11-xcb1-debuginfo-1.6.2-11.1
      libX11-xcb1-debuginfo-32bit-1.6.2-11.1

   - SUSE Linux Enterprise Desktop 12-SP1 (noarch):

      libX11-data-1.6.2-11.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      libX11-6-1.6.2-11.1 libX11-6-32bit-1.6.2-11.1 libX11-6-debuginfo-1.6.2-11.1
      libX11-6-debuginfo-32bit-1.6.2-11.1 libX11-debugsource-1.6.2-11.1
      libX11-xcb1-1.6.2-11.1 libX11-xcb1-32bit-1.6.2-11.1 libX11-xcb1-debuginfo-1.6.2-11.1
      libX11-xcb1-debuginfo-32bit-1.6.2-11.1

References:

   https://www.suse.com/security/cve/CVE-2016-7942.html
   https://bugzilla.suse.com/1002991


From sle-security-updates at lists.suse.com Mon Dec 5 10:07:45 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 5 Dec 2016 18:07:45 +0100 (CET)
Subject: SUSE-SU-2016:3010-1: important: Security update for java-1_6_0-ibm
Message-ID: <20161205170745.333EAFFC5@maintenance.suse.de>

   SUSE Security Update: Security update for java-1_6_0-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3010-1
Rating:             important
References:         #1009280
Cross-References:   CVE-2016-5542 CVE-2016-5554 CVE-2016-5556 CVE-2016-5568
                    CVE-2016-5573 CVE-2016-5597
Affected Products:
                    SUSE Linux Enterprise Module for Legacy Software 12
______________________________________________________________________________

   An update that fixes 6 vulnerabilities is now available.

Description:

   This update for java-1_6_0-ibm fixes the following issues:

   - Version update to 6.0-16.35 (bsc#1009280) fixing the following CVEs:
     CVE-2016-5568, CVE-2016-5556, CVE-2016-5573, CVE-2016-5597,
     CVE-2016-5554, CVE-2016-5542

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Legacy Software 12:

      zypper in -t patch SUSE-SLE-Module-Legacy-12-2016-1752=1

   To bring your system up-to-date, use "zypper patch".
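The "Package List" sections of these advisories give the fixed name-version-release of every package, and confirming that a host really carries those builds means comparing versions the way rpm does rather than lexically (release 9.3 is older than 11.1). The following is an added example, not code from SUSE or from any advisory: it implements rpm's segment-wise version comparison in Python, parses a Package List excerpt, and reports installed packages that are still below the fixed build. The excerpt is copied from the libX11 advisory (SUSE-SU-2016:3001-1) above, the installed inventory is constructed, package epochs are ignored, and rpm's newer '^' separator is not handled.

```python
# Added example, not from the SUSE advisory: check an rpm inventory against the
# fixed builds listed in an advisory "Package List". Assumed: package epochs are
# ignored (none appear on this page) and rpm's newer '^' separator is not handled.
import re
_NUM = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")


def rpmvercmp(a, b):
    """Compare two version/release strings with rpm's rules: -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # Separators ('.', '-', '_') are skipped; only segments are compared.
        while i < la and not a[i].isalnum() and a[i] != "~":
            i += 1
        while j < lb and not b[j].isalnum() and b[j] != "~":
            j += 1
        # '~' sorts before everything, even end of string: 1.0~rc1 < 1.0.
        tilde_a = i < la and a[i] == "~"
        tilde_b = j < lb and b[j] == "~"
        if tilde_a or tilde_b:
            if not tilde_a:
                return 1
            if not tilde_b:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= la or j >= lb:
            break
        # Take a maximal all-digit or all-letter segment, typed by a's char.
        pattern, isnum = (_NUM, True) if a[i].isdigit() else (_ALPHA, False)
        seg_a = pattern.match(a, i).group(0)
        match_b = pattern.match(b, j)
        if match_b is None:
            return 1 if isnum else -1  # a numeric segment beats an alphabetic one
        seg_b = match_b.group(0)
        i, j = i + len(seg_a), j + len(seg_b)
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # the number with more digits wins
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1  # leftover segments make a string newer


def compare_vr(a, b):
    """Compare (version, release) pairs; the release only breaks ties."""
    return rpmvercmp(a[0], b[0]) or rpmvercmp(a[1], b[1])


def parse_package_list(text):
    """Map package name -> highest fixed (version, release) in the section."""
    fixed = {}
    for line in text.splitlines():
        line = line.strip()
        # Product lines ('- SUSE Linux Enterprise ... (x86_64):') end with ':'.
        if not line or line.endswith(":"):
            continue
        for nvr in line.split():
            name, version, release = nvr.rsplit("-", 2)
            if name not in fixed or compare_vr((version, release), fixed[name]) > 0:
                fixed[name] = (version, release)
    return fixed


def outdated_packages(advisory, installed):
    """Installed NVRs (name-version-release) older than the advisory's build."""
    fixed = parse_package_list(advisory)
    stale = []
    for nvr in installed:
        name, version, release = nvr.rsplit("-", 2)
        if name in fixed and compare_vr((version, release), fixed[name]) < 0:
            stale.append(nvr)
    return sorted(stale)


# Constructed excerpt of the Package List from SUSE-SU-2016:3001-1 (libX11).
ADVISORY_EXCERPT = """
Package List:
- SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):
   libX11-6-1.6.2-11.1 libX11-6-debuginfo-1.6.2-11.1 libX11-debugsource-1.6.2-11.1
   libX11-xcb1-1.6.2-11.1 libX11-xcb1-debuginfo-1.6.2-11.1
- SUSE Linux Enterprise Server 12-SP2 (noarch):
   libX11-data-1.6.2-11.1
"""

# Constructed inventory, shaped like: rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
INSTALLED = [
    "libX11-6-1.6.2-10.1",            # older release: still affected
    "libX11-data-1.6.2-11.1",         # exactly the fixed build
    "libX11-xcb1-1.6.2-9.3",          # older release: still affected
    "libX11-6-debuginfo-1.6.2-12.2",  # newer than the advisory: fine
    "bash-4.3-83.6",                  # not covered by this advisory
]
```

Calling `outdated_packages(ADVISORY_EXCERPT, INSTALLED)` returns the two libX11 builds that are still below 1.6.2-11.1; a real inventory would come from the `rpm -qa` query format shown in the comment.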
Package List:

   - SUSE Linux Enterprise Module for Legacy Software 12 (s390x x86_64):

      java-1_6_0-ibm-1.6.0_sr16.35-43.2 java-1_6_0-ibm-fonts-1.6.0_sr16.35-43.2
      java-1_6_0-ibm-jdbc-1.6.0_sr16.35-43.2

   - SUSE Linux Enterprise Module for Legacy Software 12 (x86_64):

      java-1_6_0-ibm-plugin-1.6.0_sr16.35-43.2

References:

   https://www.suse.com/security/cve/CVE-2016-5542.html
   https://www.suse.com/security/cve/CVE-2016-5554.html
   https://www.suse.com/security/cve/CVE-2016-5556.html
   https://www.suse.com/security/cve/CVE-2016-5568.html
   https://www.suse.com/security/cve/CVE-2016-5573.html
   https://www.suse.com/security/cve/CVE-2016-5597.html
   https://bugzilla.suse.com/1009280


From sle-security-updates at lists.suse.com Mon Dec 5 13:07:09 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 5 Dec 2016 21:07:09 +0100 (CET)
Subject: SUSE-SU-2016:3014-1: important: Security update for MozillaFirefox, mozilla-nss
Message-ID: <20161205200709.BD140FFCE@maintenance.suse.de>

   SUSE Security Update: Security update for MozillaFirefox, mozilla-nss
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3014-1
Rating:             important
References:         #1009026 #1010395 #1010401 #1010402 #1010404 #1010410
                    #1010422 #1010427 #1010517 #992549
Cross-References:   CVE-2016-5285 CVE-2016-5290 CVE-2016-5291 CVE-2016-5296
                    CVE-2016-5297 CVE-2016-9064 CVE-2016-9066 CVE-2016-9074
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server for SAP 12
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Server 12-LTSS
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that solves 8 vulnerabilities and has two fixes is now available.

Description:

   This update for MozillaFirefox, mozilla-nss fixes security issues and bugs.

   The following vulnerabilities were fixed in Firefox ESR 45.5 (bsc#1009026):

   - CVE-2016-5297: Incorrect argument length checking in JavaScript (bsc#1010401)
   - CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler (bsc#1010404)
   - CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 (bsc#1010395)
   - CVE-2016-9064: Addons update must verify IDs match between current and new versions (bsc#1010402)
   - CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5 (bsc#1010427)
   - CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file (bsc#1010410)

   The following vulnerabilities were fixed in mozilla-nss 3.21.3:

   - CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler (bsc#1010422)
   - CVE-2016-5285: Missing NULL check in PK11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime causes server crash (bsc#1010517)

   The following bugs were fixed:

   - Firefox would fail to go into fullscreen mode with some window managers (bsc#992549)

   The Mozilla Firefox changelog was amended to document patches dropped in a previous update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP2:

      zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1754=1

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1754=1

   - SUSE Linux Enterprise Server for SAP 12:

      zypper in -t patch SUSE-SLE-SAP-12-2016-1754=1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1754=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1754=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1754=1

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-1754=1

   - SUSE Linux Enterprise Desktop 12-SP2:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1754=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1754=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-debuginfo-45.5.0esr-88.1 MozillaFirefox-debugsource-45.5.0esr-88.1
      MozillaFirefox-devel-45.5.0esr-88.1 mozilla-nss-debuginfo-3.21.3-50.1
      mozilla-nss-debugsource-3.21.3-50.1 mozilla-nss-devel-3.21.3-50.1

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      MozillaFirefox-debuginfo-45.5.0esr-88.1 MozillaFirefox-debugsource-45.5.0esr-88.1
      MozillaFirefox-devel-45.5.0esr-88.1 mozilla-nss-debuginfo-3.21.3-50.1
      mozilla-nss-debugsource-3.21.3-50.1 mozilla-nss-devel-3.21.3-50.1

   - SUSE Linux Enterprise Server for SAP 12 (x86_64):

      MozillaFirefox-45.5.0esr-88.1 MozillaFirefox-debuginfo-45.5.0esr-88.1
      MozillaFirefox-debugsource-45.5.0esr-88.1 MozillaFirefox-translations-45.5.0esr-88.1
      libfreebl3-3.21.3-50.1 libfreebl3-32bit-3.21.3-50.1 libfreebl3-debuginfo-3.21.3-50.1
      libfreebl3-debuginfo-32bit-3.21.3-50.1 libfreebl3-hmac-3.21.3-50.1
      libfreebl3-hmac-32bit-3.21.3-50.1 libsoftokn3-3.21.3-50.1 libsoftokn3-32bit-3.21.3-50.1
      libsoftokn3-debuginfo-3.21.3-50.1 libsoftokn3-debuginfo-32bit-3.21.3-50.1
      libsoftokn3-hmac-3.21.3-50.1 libsoftokn3-hmac-32bit-3.21.3-50.1 mozilla-nss-3.21.3-50.1
      mozilla-nss-32bit-3.21.3-50.1 mozilla-nss-certs-3.21.3-50.1 mozilla-nss-certs-32bit-3.21.3-50.1
      mozilla-nss-certs-debuginfo-3.21.3-50.1 mozilla-nss-certs-debuginfo-32bit-3.21.3-50.1
      mozilla-nss-debuginfo-3.21.3-50.1 mozilla-nss-debuginfo-32bit-3.21.3-50.1
      mozilla-nss-debugsource-3.21.3-50.1 mozilla-nss-sysinit-3.21.3-50.1
      mozilla-nss-sysinit-32bit-3.21.3-50.1 mozilla-nss-sysinit-debuginfo-3.21.3-50.1
      mozilla-nss-sysinit-debuginfo-32bit-3.21.3-50.1 mozilla-nss-tools-3.21.3-50.1
      mozilla-nss-tools-debuginfo-3.21.3-50.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

      MozillaFirefox-45.5.0esr-88.1 MozillaFirefox-debuginfo-45.5.0esr-88.1
      MozillaFirefox-debugsource-45.5.0esr-88.1 MozillaFirefox-translations-45.5.0esr-88.1
      libfreebl3-3.21.3-50.1 libfreebl3-debuginfo-3.21.3-50.1 libfreebl3-hmac-3.21.3-50.1
      libsoftokn3-3.21.3-50.1 libsoftokn3-debuginfo-3.21.3-50.1 libsoftokn3-hmac-3.21.3-50.1
      mozilla-nss-3.21.3-50.1 mozilla-nss-certs-3.21.3-50.1 mozilla-nss-certs-debuginfo-3.21.3-50.1
      mozilla-nss-debuginfo-3.21.3-50.1 mozilla-nss-debugsource-3.21.3-50.1
      mozilla-nss-sysinit-3.21.3-50.1 mozilla-nss-sysinit-debuginfo-3.21.3-50.1
      mozilla-nss-tools-3.21.3-50.1 mozilla-nss-tools-debuginfo-3.21.3-50.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):

      MozillaFirefox-45.5.0esr-88.1 MozillaFirefox-debuginfo-45.5.0esr-88.1
      MozillaFirefox-debugsource-45.5.0esr-88.1 MozillaFirefox-translations-45.5.0esr-88.1
      libfreebl3-3.21.3-50.1 libfreebl3-debuginfo-3.21.3-50.1 libfreebl3-hmac-3.21.3-50.1
      libsoftokn3-3.21.3-50.1 libsoftokn3-debuginfo-3.21.3-50.1 libsoftokn3-hmac-3.21.3-50.1
      mozilla-nss-3.21.3-50.1 mozilla-nss-certs-3.21.3-50.1 mozilla-nss-certs-debuginfo-3.21.3-50.1
      mozilla-nss-debuginfo-3.21.3-50.1 mozilla-nss-debugsource-3.21.3-50.1
      mozilla-nss-sysinit-3.21.3-50.1 mozilla-nss-sysinit-debuginfo-3.21.3-50.1
      mozilla-nss-tools-3.21.3-50.1 mozilla-nss-tools-debuginfo-3.21.3-50.1

   - SUSE Linux Enterprise Server 12-SP2 (x86_64):

      libfreebl3-32bit-3.21.3-50.1 libfreebl3-debuginfo-32bit-3.21.3-50.1
      libfreebl3-hmac-32bit-3.21.3-50.1 libsoftokn3-32bit-3.21.3-50.1
      libsoftokn3-debuginfo-32bit-3.21.3-50.1 libsoftokn3-hmac-32bit-3.21.3-50.1
      mozilla-nss-32bit-3.21.3-50.1 mozilla-nss-certs-32bit-3.21.3-50.1
      mozilla-nss-certs-debuginfo-32bit-3.21.3-50.1 mozilla-nss-debuginfo-32bit-3.21.3-50.1
      mozilla-nss-sysinit-32bit-3.21.3-50.1 mozilla-nss-sysinit-debuginfo-32bit-3.21.3-50.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      MozillaFirefox-45.5.0esr-88.1 MozillaFirefox-debuginfo-45.5.0esr-88.1
      MozillaFirefox-debugsource-45.5.0esr-88.1 MozillaFirefox-translations-45.5.0esr-88.1
      libfreebl3-3.21.3-50.1 libfreebl3-debuginfo-3.21.3-50.1 libfreebl3-hmac-3.21.3-50.1
      libsoftokn3-3.21.3-50.1 libsoftokn3-debuginfo-3.21.3-50.1 libsoftokn3-hmac-3.21.3-50.1
      mozilla-nss-3.21.3-50.1 mozilla-nss-certs-3.21.3-50.1 mozilla-nss-certs-debuginfo-3.21.3-50.1
      mozilla-nss-debuginfo-3.21.3-50.1 mozilla-nss-debugsource-3.21.3-50.1
      mozilla-nss-sysinit-3.21.3-50.1 mozilla-nss-sysinit-debuginfo-3.21.3-50.1
      mozilla-nss-tools-3.21.3-50.1 mozilla-nss-tools-debuginfo-3.21.3-50.1

   - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):

      libfreebl3-32bit-3.21.3-50.1 libfreebl3-debuginfo-32bit-3.21.3-50.1
      libfreebl3-hmac-32bit-3.21.3-50.1 libsoftokn3-32bit-3.21.3-50.1
      libsoftokn3-debuginfo-32bit-3.21.3-50.1 libsoftokn3-hmac-32bit-3.21.3-50.1
      mozilla-nss-32bit-3.21.3-50.1 mozilla-nss-certs-32bit-3.21.3-50.1
      mozilla-nss-certs-debuginfo-32bit-3.21.3-50.1 mozilla-nss-debuginfo-32bit-3.21.3-50.1
      mozilla-nss-sysinit-32bit-3.21.3-50.1 mozilla-nss-sysinit-debuginfo-32bit-3.21.3-50.1

   - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

      MozillaFirefox-45.5.0esr-88.1 MozillaFirefox-debuginfo-45.5.0esr-88.1
      MozillaFirefox-debugsource-45.5.0esr-88.1 MozillaFirefox-translations-45.5.0esr-88.1
      libfreebl3-3.21.3-50.1 libfreebl3-debuginfo-3.21.3-50.1 libfreebl3-hmac-3.21.3-50.1
      libsoftokn3-3.21.3-50.1 libsoftokn3-debuginfo-3.21.3-50.1 libsoftokn3-hmac-3.21.3-50.1
      mozilla-nss-3.21.3-50.1 mozilla-nss-certs-3.21.3-50.1 mozilla-nss-certs-debuginfo-3.21.3-50.1
      mozilla-nss-debuginfo-3.21.3-50.1 mozilla-nss-debugsource-3.21.3-50.1
      mozilla-nss-sysinit-3.21.3-50.1 mozilla-nss-sysinit-debuginfo-3.21.3-50.1
      mozilla-nss-tools-3.21.3-50.1 mozilla-nss-tools-debuginfo-3.21.3-50.1

   - SUSE Linux Enterprise Server 12-LTSS (s390x x86_64):

      libfreebl3-32bit-3.21.3-50.1 libfreebl3-debuginfo-32bit-3.21.3-50.1
      libfreebl3-hmac-32bit-3.21.3-50.1 libsoftokn3-32bit-3.21.3-50.1
      libsoftokn3-debuginfo-32bit-3.21.3-50.1 libsoftokn3-hmac-32bit-3.21.3-50.1
      mozilla-nss-32bit-3.21.3-50.1 mozilla-nss-certs-32bit-3.21.3-50.1
      mozilla-nss-certs-debuginfo-32bit-3.21.3-50.1 mozilla-nss-debuginfo-32bit-3.21.3-50.1
      mozilla-nss-sysinit-32bit-3.21.3-50.1 mozilla-nss-sysinit-debuginfo-32bit-3.21.3-50.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

      MozillaFirefox-45.5.0esr-88.1 MozillaFirefox-debuginfo-45.5.0esr-88.1
      MozillaFirefox-debugsource-45.5.0esr-88.1 MozillaFirefox-translations-45.5.0esr-88.1
      libfreebl3-3.21.3-50.1 libfreebl3-32bit-3.21.3-50.1 libfreebl3-debuginfo-3.21.3-50.1
      libfreebl3-debuginfo-32bit-3.21.3-50.1 libsoftokn3-3.21.3-50.1 libsoftokn3-32bit-3.21.3-50.1
      libsoftokn3-debuginfo-3.21.3-50.1 libsoftokn3-debuginfo-32bit-3.21.3-50.1
      mozilla-nss-3.21.3-50.1 mozilla-nss-32bit-3.21.3-50.1 mozilla-nss-certs-3.21.3-50.1
      mozilla-nss-certs-32bit-3.21.3-50.1 mozilla-nss-certs-debuginfo-3.21.3-50.1
      mozilla-nss-certs-debuginfo-32bit-3.21.3-50.1 mozilla-nss-debuginfo-3.21.3-50.1
      mozilla-nss-debuginfo-32bit-3.21.3-50.1 mozilla-nss-debugsource-3.21.3-50.1
      mozilla-nss-sysinit-3.21.3-50.1 mozilla-nss-sysinit-32bit-3.21.3-50.1
      mozilla-nss-sysinit-debuginfo-3.21.3-50.1 mozilla-nss-sysinit-debuginfo-32bit-3.21.3-50.1
      mozilla-nss-tools-3.21.3-50.1 mozilla-nss-tools-debuginfo-3.21.3-50.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      MozillaFirefox-45.5.0esr-88.1 MozillaFirefox-debuginfo-45.5.0esr-88.1
      MozillaFirefox-debugsource-45.5.0esr-88.1 MozillaFirefox-translations-45.5.0esr-88.1
      libfreebl3-3.21.3-50.1 libfreebl3-32bit-3.21.3-50.1 libfreebl3-debuginfo-3.21.3-50.1
      libfreebl3-debuginfo-32bit-3.21.3-50.1 libsoftokn3-3.21.3-50.1 libsoftokn3-32bit-3.21.3-50.1
      libsoftokn3-debuginfo-3.21.3-50.1 libsoftokn3-debuginfo-32bit-3.21.3-50.1
      mozilla-nss-3.21.3-50.1 mozilla-nss-32bit-3.21.3-50.1 mozilla-nss-certs-3.21.3-50.1
      mozilla-nss-certs-32bit-3.21.3-50.1 mozilla-nss-certs-debuginfo-3.21.3-50.1
      mozilla-nss-certs-debuginfo-32bit-3.21.3-50.1 mozilla-nss-debuginfo-3.21.3-50.1
      mozilla-nss-debuginfo-32bit-3.21.3-50.1 mozilla-nss-debugsource-3.21.3-50.1
      mozilla-nss-sysinit-3.21.3-50.1 mozilla-nss-sysinit-32bit-3.21.3-50.1
      mozilla-nss-sysinit-debuginfo-3.21.3-50.1 mozilla-nss-sysinit-debuginfo-32bit-3.21.3-50.1
      mozilla-nss-tools-3.21.3-50.1 mozilla-nss-tools-debuginfo-3.21.3-50.1

References:

   https://www.suse.com/security/cve/CVE-2016-5285.html
   https://www.suse.com/security/cve/CVE-2016-5290.html
   https://www.suse.com/security/cve/CVE-2016-5291.html
   https://www.suse.com/security/cve/CVE-2016-5296.html
   https://www.suse.com/security/cve/CVE-2016-5297.html
   https://www.suse.com/security/cve/CVE-2016-9064.html
   https://www.suse.com/security/cve/CVE-2016-9066.html
   https://www.suse.com/security/cve/CVE-2016-9074.html
   https://bugzilla.suse.com/1009026
   https://bugzilla.suse.com/1010395
   https://bugzilla.suse.com/1010401
   https://bugzilla.suse.com/1010402
   https://bugzilla.suse.com/1010404
   https://bugzilla.suse.com/1010410
   https://bugzilla.suse.com/1010422
   https://bugzilla.suse.com/1010427
   https://bugzilla.suse.com/1010517
   https://bugzilla.suse.com/992549


From sle-security-updates at lists.suse.com Wed Dec 7 09:08:31 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 7 Dec 2016 17:08:31 +0100 (CET)
Subject: SUSE-SU-2016:3039-1: important: Security update for the Linux Kernel
Message-ID: <20161207160831.559FBFFD6@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3039-1
Rating:             important
References:         #1008831 #1011685 #1012754
Cross-References:   CVE-2016-8632 CVE-2016-8655 CVE-2016-9555
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP1
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Module for Public Cloud 12
                    SUSE Linux Enterprise Live Patching 12
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   The SUSE Linux Enterprise 12 SP1 kernel was updated to receive various
   critical security fixes.

   The following security bugs were fixed:

   - CVE-2016-8655: A race condition in the af_packet packet_set_ring function
     could be used by local attackers to crash the kernel or gain privileges
     (bsc#1012754).
   - CVE-2016-8632: The tipc_msg_build function in net/tipc/msg.c in the Linux
     kernel did not validate the relationship between the minimum fragment
     length and the maximum packet size, which allowed local users to gain
     privileges or cause a denial of service (heap-based buffer overflow) by
     leveraging the CAP_NET_ADMIN capability (bnc#1008831).
   - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the
     Linux kernel lacks chunk-length checking for the first chunk, which
     allowed remote attackers to cause a denial of service (out-of-bounds slab
     access) or possibly have unspecified other impact via crafted SCTP data
     (bnc#1011685).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP1:

      zypper in -t patch SUSE-SLE-WE-12-SP1-2016-1762=1

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1762=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1762=1

   - SUSE Linux Enterprise Module for Public Cloud 12:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2016-1762=1

   - SUSE Linux Enterprise Live Patching 12:

      zypper in -t patch SUSE-SLE-Live-Patching-12-2016-1762=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1762=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP1 (x86_64):

      kernel-default-debuginfo-3.12.67-60.64.21.1 kernel-default-debugsource-3.12.67-60.64.21.1
      kernel-default-extra-3.12.67-60.64.21.1 kernel-default-extra-debuginfo-3.12.67-60.64.21.1

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      kernel-obs-build-3.12.67-60.64.21.1 kernel-obs-build-debugsource-3.12.67-60.64.21.1

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (noarch):

      kernel-docs-3.12.67-60.64.21.3

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      kernel-default-3.12.67-60.64.21.1 kernel-default-base-3.12.67-60.64.21.1
      kernel-default-base-debuginfo-3.12.67-60.64.21.1 kernel-default-debuginfo-3.12.67-60.64.21.1
      kernel-default-debugsource-3.12.67-60.64.21.1 kernel-default-devel-3.12.67-60.64.21.1
      kernel-syms-3.12.67-60.64.21.1

   - SUSE Linux Enterprise Server 12-SP1 (x86_64):

      kernel-xen-3.12.67-60.64.21.1 kernel-xen-base-3.12.67-60.64.21.1
      kernel-xen-base-debuginfo-3.12.67-60.64.21.1 kernel-xen-debuginfo-3.12.67-60.64.21.1
      kernel-xen-debugsource-3.12.67-60.64.21.1 kernel-xen-devel-3.12.67-60.64.21.1

   - SUSE Linux Enterprise Server 12-SP1 (noarch):

      kernel-devel-3.12.67-60.64.21.1 kernel-macros-3.12.67-60.64.21.1
      kernel-source-3.12.67-60.64.21.1

   - SUSE Linux Enterprise Server 12-SP1 (s390x):

      kernel-default-man-3.12.67-60.64.21.1

   - SUSE Linux Enterprise Module for Public Cloud 12 (x86_64):

      kernel-ec2-3.12.67-60.64.21.1 kernel-ec2-debuginfo-3.12.67-60.64.21.1
      kernel-ec2-debugsource-3.12.67-60.64.21.1 kernel-ec2-devel-3.12.67-60.64.21.1
      kernel-ec2-extra-3.12.67-60.64.21.1 kernel-ec2-extra-debuginfo-3.12.67-60.64.21.1

   - SUSE Linux Enterprise Live Patching 12 (x86_64):

      kgraft-patch-3_12_67-60_64_21-default-1-2.1 kgraft-patch-3_12_67-60_64_21-xen-1-2.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      kernel-default-3.12.67-60.64.21.1 kernel-default-debuginfo-3.12.67-60.64.21.1
      kernel-default-debugsource-3.12.67-60.64.21.1 kernel-default-devel-3.12.67-60.64.21.1
      kernel-default-extra-3.12.67-60.64.21.1 kernel-default-extra-debuginfo-3.12.67-60.64.21.1
      kernel-syms-3.12.67-60.64.21.1 kernel-xen-3.12.67-60.64.21.1
      kernel-xen-debuginfo-3.12.67-60.64.21.1 kernel-xen-debugsource-3.12.67-60.64.21.1
      kernel-xen-devel-3.12.67-60.64.21.1

   - SUSE Linux Enterprise Desktop 12-SP1 (noarch):

      kernel-devel-3.12.67-60.64.21.1 kernel-macros-3.12.67-60.64.21.1
      kernel-source-3.12.67-60.64.21.1

References:

   https://www.suse.com/security/cve/CVE-2016-8632.html
   https://www.suse.com/security/cve/CVE-2016-8655.html
   https://www.suse.com/security/cve/CVE-2016-9555.html
   https://bugzilla.suse.com/1008831
   https://bugzilla.suse.com/1011685
   https://bugzilla.suse.com/1012754


From sle-security-updates at lists.suse.com Wed Dec 7 10:07:55 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 7 Dec 2016 18:07:55 +0100 (CET)
Subject: SUSE-SU-2016:3040-1: important: Security update for java-1_6_0-ibm
Message-ID: <20161207170755.D0FE6FFD6@maintenance.suse.de>

   SUSE Security Update: Security update for java-1_6_0-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3040-1
Rating:             important
References:         #1009280
Cross-References:   CVE-2016-5542 CVE-2016-5554 CVE-2016-5556 CVE-2016-5568
                    CVE-2016-5573 CVE-2016-5597
Affected Products:
                    SUSE OpenStack Cloud 5
                    SUSE Manager Proxy 2.1
                    SUSE Manager 2.1
                    SUSE Linux Enterprise Server 11-SP3-LTSS
                    SUSE Linux Enterprise Server 11-SP2-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
______________________________________________________________________________

   An update that fixes 6 vulnerabilities is now available.

Description:

   This update for java-1_6_0-ibm fixes the following issues:

   - Version update to 6.0-16.35 (bsc#1009280) fixing the following CVEs:
     CVE-2016-5568, CVE-2016-5556, CVE-2016-5573, CVE-2016-5597,
     CVE-2016-5554, CVE-2016-5542

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 5:

      zypper in -t patch sleclo50sp3-java-1_6_0-ibm-12872=1

   - SUSE Manager Proxy 2.1:

      zypper in -t patch slemap21-java-1_6_0-ibm-12872=1

   - SUSE Manager 2.1:

      zypper in -t patch sleman21-java-1_6_0-ibm-12872=1

   - SUSE Linux Enterprise Server 11-SP3-LTSS:

      zypper in -t patch slessp3-java-1_6_0-ibm-12872=1

   - SUSE Linux Enterprise Server 11-SP2-LTSS:

      zypper in -t patch slessp2-java-1_6_0-ibm-12872=1

   - SUSE Linux Enterprise Point of Sale 11-SP3:

      zypper in -t patch sleposp3-java-1_6_0-ibm-12872=1

   To bring your system up-to-date, use "zypper patch".
Package List: - SUSE OpenStack Cloud 5 (x86_64): java-1_6_0-ibm-1.6.0_sr16.35-78.2 java-1_6_0-ibm-devel-1.6.0_sr16.35-78.2 java-1_6_0-ibm-fonts-1.6.0_sr16.35-78.2 java-1_6_0-ibm-jdbc-1.6.0_sr16.35-78.2 java-1_6_0-ibm-plugin-1.6.0_sr16.35-78.2 - SUSE Manager Proxy 2.1 (x86_64): java-1_6_0-ibm-1.6.0_sr16.35-78.2 java-1_6_0-ibm-devel-1.6.0_sr16.35-78.2 java-1_6_0-ibm-fonts-1.6.0_sr16.35-78.2 java-1_6_0-ibm-jdbc-1.6.0_sr16.35-78.2 java-1_6_0-ibm-plugin-1.6.0_sr16.35-78.2 - SUSE Manager 2.1 (s390x x86_64): java-1_6_0-ibm-1.6.0_sr16.35-78.2 java-1_6_0-ibm-devel-1.6.0_sr16.35-78.2 java-1_6_0-ibm-fonts-1.6.0_sr16.35-78.2 java-1_6_0-ibm-jdbc-1.6.0_sr16.35-78.2 - SUSE Manager 2.1 (x86_64): java-1_6_0-ibm-plugin-1.6.0_sr16.35-78.2 - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64): java-1_6_0-ibm-1.6.0_sr16.35-78.2 java-1_6_0-ibm-devel-1.6.0_sr16.35-78.2 java-1_6_0-ibm-fonts-1.6.0_sr16.35-78.2 java-1_6_0-ibm-jdbc-1.6.0_sr16.35-78.2 - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 x86_64): java-1_6_0-ibm-plugin-1.6.0_sr16.35-78.2 - SUSE Linux Enterprise Server 11-SP3-LTSS (i586): java-1_6_0-ibm-alsa-1.6.0_sr16.35-78.2 - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64): java-1_6_0-ibm-1.6.0_sr16.35-78.2 java-1_6_0-ibm-devel-1.6.0_sr16.35-78.2 java-1_6_0-ibm-fonts-1.6.0_sr16.35-78.2 java-1_6_0-ibm-jdbc-1.6.0_sr16.35-78.2 - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 x86_64): java-1_6_0-ibm-plugin-1.6.0_sr16.35-78.2 - SUSE Linux Enterprise Server 11-SP2-LTSS (i586): java-1_6_0-ibm-alsa-1.6.0_sr16.35-78.2 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): java-1_6_0-ibm-1.6.0_sr16.35-78.2 java-1_6_0-ibm-alsa-1.6.0_sr16.35-78.2 java-1_6_0-ibm-devel-1.6.0_sr16.35-78.2 java-1_6_0-ibm-fonts-1.6.0_sr16.35-78.2 java-1_6_0-ibm-jdbc-1.6.0_sr16.35-78.2 java-1_6_0-ibm-plugin-1.6.0_sr16.35-78.2 References: https://www.suse.com/security/cve/CVE-2016-5542.html https://www.suse.com/security/cve/CVE-2016-5554.html https://www.suse.com/security/cve/CVE-2016-5556.html 
https://www.suse.com/security/cve/CVE-2016-5568.html https://www.suse.com/security/cve/CVE-2016-5573.html https://www.suse.com/security/cve/CVE-2016-5597.html https://bugzilla.suse.com/1009280

From sle-security-updates at lists.suse.com Wed Dec 7 10:08:22 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 7 Dec 2016 18:08:22 +0100 (CET)
Subject: SUSE-SU-2016:3041-1: important: Security update for java-1_7_1-ibm
Message-ID: <20161207170822.31671FFD6@maintenance.suse.de>

SUSE Security Update: Security update for java-1_7_1-ibm
______________________________________________________________________________
Announcement ID: SUSE-SU-2016:3041-1
Rating: important
References: #1009280
Cross-References: CVE-2016-5542 CVE-2016-5554 CVE-2016-5556 CVE-2016-5568 CVE-2016-5573 CVE-2016-5597
Affected Products:
 SUSE Linux Enterprise Software Development Kit 11-SP4
 SUSE Linux Enterprise Server 11-SP4
______________________________________________________________________________

An update that fixes 6 vulnerabilities is now available.

Description:
This update for java-1_7_1-ibm fixes the following issues:
- Version update to 7.1-3.60 (bsc#1009280) fixing the following CVEs: CVE-2016-5568, CVE-2016-5556, CVE-2016-5573, CVE-2016-5597, CVE-2016-5554, CVE-2016-5542

Patch Instructions:
To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-java-1_7_1-ibm-12873=1
- SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-java-1_7_1-ibm-12873=1
To bring your system up-to-date, use "zypper patch".
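The patch instructions above install a named patch, but a practitioner also wants to confirm afterwards that every package the advisory lists for a given product and architecture is at the fixed version, and to spot a host that only partially applied the update. The script below is an added example and not SUSE's tooling: it parses an advisory's Package List in the flattened form shown on this page, compares it against an rpm inventory using a simplified rpm version comparison (epoch, tilde and caret handling are omitted on the assumption that none of the versions on this page use them), and classifies each listed package. The advisory text and the `rpm -qa` output embedded in it are constructed from the java-1_7_1-ibm advisory above.

```python
import re

# Constructed sample input: the java-1_7_1-ibm advisory above, flattened the way this
# archive renders it (header lines, then "Package List:", then "References:").
ADVISORY = """SUSE Security Update: Security update for java-1_7_1-ibm
Announcement ID: SUSE-SU-2016:3041-1 Rating: important References: #1009280
Cross-References: CVE-2016-5542 CVE-2016-5554 CVE-2016-5556 CVE-2016-5568 CVE-2016-5573 CVE-2016-5597
Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ppc64 s390x x86_64): java-1_7_1-ibm-devel-1.7.1_sr3.60-19.2 - SUSE Linux Enterprise Server 11-SP4 (i586 ppc64 s390x x86_64): java-1_7_1-ibm-1.7.1_sr3.60-19.2 java-1_7_1-ibm-jdbc-1.7.1_sr3.60-19.2 - SUSE Linux Enterprise Server 11-SP4 (i586 x86_64): java-1_7_1-ibm-alsa-1.7.1_sr3.60-19.2 java-1_7_1-ibm-plugin-1.7.1_sr3.60-19.2 References: https://www.suse.com/security/cve/CVE-2016-5542.html
"""

# Constructed stand-in for `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` on a
# SLES 11-SP4 x86_64 host on which the update was only partially applied.
RPM_QA = """java-1_7_1-ibm-1.7.1_sr3.50-17.1
java-1_7_1-ibm-jdbc-1.7.1_sr3.60-19.2
java-1_7_1-ibm-alsa-1.7.1_sr3.60-19.2
glibc-2.11.3-17.95.2
"""


def split_nvr(nvr):
    """Split an rpm NAME-VERSION-RELEASE string at its last two dashes."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def rpmvercmp(a, b):
    """Simplified rpmvercmp: tokenise into digit runs and letter runs, compare
    numeric segments numerically and alpha segments lexically, numeric beats
    alpha, and a version with segments left over wins. Assumption: no epoch,
    '~' or '^' in the versions compared (true for this page)."""
    if a == b:
        return 0
    sa, sb = re.findall(r"\d+|[a-zA-Z]+", a), re.findall(r"\d+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1


def compare_vr(v1, r1, v2, r2):
    """Order (version, release) pairs the way rpm does: version first, then release."""
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def parse_header(text):
    """Return the announcement ID and the sorted set of CVEs named anywhere in the mail."""
    announcement = re.search(r"Announcement ID:\s*(\S+)", text).group(1)
    return announcement, sorted(set(re.findall(r"CVE-\d{4}-\d{4,}", text)))


def parse_package_list(text):
    """Return [(product, [archs], [package NVRs])] from the 'Package List:' section.
    Entries are separated by ' - '; package NVRs never contain that sequence."""
    body = text.split("Package List:", 1)[1].split("References:", 1)[0]
    entries = []
    for chunk in re.split(r"(?:^|\s)-\s+", body.strip()):
        m = re.match(r"(.+?)\s*\(([^)]+)\):\s*(.*)", chunk, re.S)
        if m:
            entries.append((m.group(1).strip(), m.group(2).split(), m.group(3).split()))
    return entries


def parse_rpm_qa(output):
    """Map package name -> (version, release) from rpm -qa style lines."""
    installed = {}
    for line in output.split():
        name, version, release = split_nvr(line)
        installed[name] = (version, release)
    return installed


def check_product(advisory, rpm_qa, product, arch):
    """Classify every package the advisory lists for (product, arch) as
    'ok', 'outdated' or 'not installed' against the host's rpm inventory."""
    installed = parse_rpm_qa(rpm_qa)
    status = {}
    for prod, archs, pkgs in parse_package_list(advisory):
        if prod != product or arch not in archs:
            continue
        for nvr in pkgs:
            name, version, release = split_nvr(nvr)
            if name not in installed:
                status[name] = "not installed"
            elif compare_vr(*installed[name], version, release) < 0:
                status[name] = "outdated"
            else:
                status[name] = "ok"
    return status


if __name__ == "__main__":
    announcement, cves = parse_header(ADVISORY)
    print(f"{announcement}: {len(cves)} CVEs")
    result = check_product(ADVISORY, RPM_QA, "SUSE Linux Enterprise Server 11-SP4", "x86_64")
    for name, state in sorted(result.items()):
        print(f"  {name:28} {state}")
```

On a real host, replace RPM_QA with the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` and ADVISORY with the mail text. A "not installed" result is normal for optional subpackages (the plugin or alsa packages, say); "outdated" is the finding that matters, and it usually means the patch was not applied or a package lock held that package back.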
Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ppc64 s390x x86_64): java-1_7_1-ibm-devel-1.7.1_sr3.60-19.2 - SUSE Linux Enterprise Server 11-SP4 (i586 ppc64 s390x x86_64): java-1_7_1-ibm-1.7.1_sr3.60-19.2 java-1_7_1-ibm-jdbc-1.7.1_sr3.60-19.2 - SUSE Linux Enterprise Server 11-SP4 (i586 x86_64): java-1_7_1-ibm-alsa-1.7.1_sr3.60-19.2 java-1_7_1-ibm-plugin-1.7.1_sr3.60-19.2 References: https://www.suse.com/security/cve/CVE-2016-5542.html https://www.suse.com/security/cve/CVE-2016-5554.html https://www.suse.com/security/cve/CVE-2016-5556.html https://www.suse.com/security/cve/CVE-2016-5568.html https://www.suse.com/security/cve/CVE-2016-5573.html https://www.suse.com/security/cve/CVE-2016-5597.html https://bugzilla.suse.com/1009280 From sle-security-updates at lists.suse.com Wed Dec 7 12:07:13 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 7 Dec 2016 20:07:13 +0100 (CET) Subject: SUSE-SU-2016:3043-1: important: Security update for java-1_7_1-ibm Message-ID: <20161207190713.BBC72FFD4@maintenance.suse.de> SUSE Security Update: Security update for java-1_7_1-ibm ______________________________________________________________________________ Announcement ID: SUSE-SU-2016:3043-1 Rating: important References: #1009280 Cross-References: CVE-2016-5542 CVE-2016-5554 CVE-2016-5556 CVE-2016-5568 CVE-2016-5573 CVE-2016-5597 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Software Development Kit 12-SP1 SUSE Linux Enterprise Server for SAP 12 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Server 12-SP1 SUSE Linux Enterprise Server 12-LTSS ______________________________________________________________________________ An update that fixes 6 vulnerabilities is now available. 
Description:
This update for java-1_7_1-ibm fixes the following issues:
- Version update to 7.1-3.60 (bsc#1009280) fixing the following CVEs: CVE-2016-5568, CVE-2016-5556, CVE-2016-5573, CVE-2016-5597, CVE-2016-5554, CVE-2016-5542

Patch Instructions:
To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1770=1
- SUSE Linux Enterprise Software Development Kit 12-SP1: zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1770=1
- SUSE Linux Enterprise Server for SAP 12: zypper in -t patch SUSE-SLE-SAP-12-2016-1770=1
- SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1770=1
- SUSE Linux Enterprise Server 12-SP1: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1770=1
- SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2016-1770=1
To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Linux Enterprise Software Development Kit 12-SP2 (ppc64le s390x x86_64): java-1_7_1-ibm-devel-1.7.1_sr3.60-31.2 - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64): java-1_7_1-ibm-devel-1.7.1_sr3.60-31.2 - SUSE Linux Enterprise Server for SAP 12 (x86_64): java-1_7_1-ibm-1.7.1_sr3.60-31.2 java-1_7_1-ibm-alsa-1.7.1_sr3.60-31.2 java-1_7_1-ibm-devel-1.7.1_sr3.60-31.2 java-1_7_1-ibm-jdbc-1.7.1_sr3.60-31.2 java-1_7_1-ibm-plugin-1.7.1_sr3.60-31.2 - SUSE Linux Enterprise Server 12-SP2 (ppc64le x86_64): java-1_7_1-ibm-1.7.1_sr3.60-31.2 java-1_7_1-ibm-jdbc-1.7.1_sr3.60-31.2 - SUSE Linux Enterprise Server 12-SP2 (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr3.60-31.2 java-1_7_1-ibm-plugin-1.7.1_sr3.60-31.2 - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64): java-1_7_1-ibm-1.7.1_sr3.60-31.2 java-1_7_1-ibm-jdbc-1.7.1_sr3.60-31.2 - SUSE Linux Enterprise Server 12-SP1 (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr3.60-31.2 java-1_7_1-ibm-plugin-1.7.1_sr3.60-31.2 - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64): java-1_7_1-ibm-1.7.1_sr3.60-31.2 java-1_7_1-ibm-devel-1.7.1_sr3.60-31.2 java-1_7_1-ibm-jdbc-1.7.1_sr3.60-31.2 - SUSE Linux Enterprise Server 12-LTSS (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr3.60-31.2 java-1_7_1-ibm-plugin-1.7.1_sr3.60-31.2 References: https://www.suse.com/security/cve/CVE-2016-5542.html https://www.suse.com/security/cve/CVE-2016-5554.html https://www.suse.com/security/cve/CVE-2016-5556.html https://www.suse.com/security/cve/CVE-2016-5568.html https://www.suse.com/security/cve/CVE-2016-5573.html https://www.suse.com/security/cve/CVE-2016-5597.html https://bugzilla.suse.com/1009280 From sle-security-updates at lists.suse.com Wed Dec 7 12:07:43 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 7 Dec 2016 20:07:43 +0100 (CET) Subject: SUSE-SU-2016:3044-1: important: Security update for xen Message-ID: <20161207190743.1F93BFFD4@maintenance.suse.de> SUSE 
Security Update: Security update for xen
______________________________________________________________________________
Announcement ID: SUSE-SU-2016:3044-1
Rating: important
References: #1000106 #1000893 #1003030 #1003032 #1005004 #1005005 #1007157 #1009100 #1009103 #1009107 #1009109 #1009111 #1011652 #990843
Cross-References: CVE-2016-6351 CVE-2016-7777 CVE-2016-7908 CVE-2016-7909 CVE-2016-8667 CVE-2016-8669 CVE-2016-8910 CVE-2016-9379 CVE-2016-9380 CVE-2016-9381 CVE-2016-9382 CVE-2016-9383 CVE-2016-9386 CVE-2016-9637
Affected Products:
 SUSE Linux Enterprise Server 11-SP2-LTSS
 SUSE Linux Enterprise Debuginfo 11-SP2
______________________________________________________________________________

An update that fixes 14 vulnerabilities is now available.

Description:
xen was updated to fix several security issues.

These security issues were fixed:
- CVE-2016-9637: ioport array overflow allowing a malicious guest administrator to escalate their privilege to that of the host (bsc#1011652).
- CVE-2016-9386: x86 null segments were not always treated as unusable, allowing an unprivileged guest user program to elevate its privilege to that of the guest operating system. Exploitation of this vulnerability is easy on Intel and more complicated on AMD (bsc#1009100).
- CVE-2016-9382: x86 task switch to VM86 mode was mis-handled, allowing an unprivileged guest process to escalate its privilege to that of the guest operating system on AMD hardware. On Intel hardware a malicious unprivileged guest process can crash the guest (bsc#1009103).
- CVE-2016-9383: The x86 64-bit bit test instruction emulation was broken, allowing a guest to modify arbitrary memory, leading to arbitrary code execution (bsc#1009107).
- CVE-2016-9381: Improper processing of shared rings allowed guest administrators to take over the qemu process, elevating their privilege to that of the qemu process (bsc#1009109).
- CVE-2016-9380: Delimiter injection vulnerabilities in pygrub allowed guest administrators to obtain the contents of sensitive host files or delete the files (bsc#1009111).
- CVE-2016-9379: Delimiter injection vulnerabilities in pygrub allowed guest administrators to obtain the contents of sensitive host files or delete the files (bsc#1009111).
- CVE-2016-7777: Xen did not properly honor CR0.TS and CR0.EM, which allowed local x86 HVM guest OS users to read or modify FPU, MMX, or XMM register state information belonging to arbitrary tasks on the guest by modifying an instruction while the hypervisor is preparing to emulate it (bsc#1000106).
- CVE-2016-8910: The rtl8139_cplus_transmit function in hw/net/rtl8139.c allowed local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count (bsc#1007157).
- CVE-2016-8667: The rc4030_write function in hw/dma/rc4030.c allowed local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via a large interval timer reload value (bsc#1005004).
- CVE-2016-8669: The serial_update_parameters function in hw/char/serial.c allowed local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base (bsc#1005005).
- CVE-2016-7908: The mcf_fec_do_tx function in hw/net/mcf_fec.c did not properly limit the buffer descriptor count when transmitting packets, which allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags (bsc#1003030).
- CVE-2016-7909: The pcnet_rdra_addr function in hw/net/pcnet.c allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0 (bsc#1003032).
- CVE-2016-6351: The esp_do_dma function in hw/scsi/esp.c, when built with ESP/NCR53C9x controller emulation support, allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or execute arbitrary code on the host via vectors involving DMA read into ESP command buffer (bsc#990843).

This non-security issue was fixed:
- bsc#1000893: virsh setmem did not allow setting the current guest memory to the maximum limit.

Patch Instructions:
To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 11-SP2-LTSS: zypper in -t patch slessp2-xen-12874=1
- SUSE Linux Enterprise Debuginfo 11-SP2: zypper in -t patch dbgsp2-xen-12874=1
To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 x86_64): xen-devel-4.1.6_08-32.1 xen-kmp-default-4.1.6_08_3.0.101_0.7.44-32.1 xen-kmp-trace-4.1.6_08_3.0.101_0.7.44-32.1 xen-libs-4.1.6_08-32.1 xen-tools-domU-4.1.6_08-32.1 - SUSE Linux Enterprise Server 11-SP2-LTSS (x86_64): xen-4.1.6_08-32.1 xen-doc-html-4.1.6_08-32.1 xen-doc-pdf-4.1.6_08-32.1 xen-libs-32bit-4.1.6_08-32.1 xen-tools-4.1.6_08-32.1 - SUSE Linux Enterprise Server 11-SP2-LTSS (i586): xen-kmp-pae-4.1.6_08_3.0.101_0.7.44-32.1 - SUSE Linux Enterprise Debuginfo 11-SP2 (i586 x86_64): xen-debuginfo-4.1.6_08-32.1 xen-debugsource-4.1.6_08-32.1 References: https://www.suse.com/security/cve/CVE-2016-6351.html https://www.suse.com/security/cve/CVE-2016-7777.html https://www.suse.com/security/cve/CVE-2016-7908.html https://www.suse.com/security/cve/CVE-2016-7909.html https://www.suse.com/security/cve/CVE-2016-8667.html https://www.suse.com/security/cve/CVE-2016-8669.html https://www.suse.com/security/cve/CVE-2016-8910.html https://www.suse.com/security/cve/CVE-2016-9379.html https://www.suse.com/security/cve/CVE-2016-9380.html https://www.suse.com/security/cve/CVE-2016-9381.html https://www.suse.com/security/cve/CVE-2016-9382.html https://www.suse.com/security/cve/CVE-2016-9383.html https://www.suse.com/security/cve/CVE-2016-9386.html https://www.suse.com/security/cve/CVE-2016-9637.html https://bugzilla.suse.com/1000106 https://bugzilla.suse.com/1000893 https://bugzilla.suse.com/1003030 https://bugzilla.suse.com/1003032 https://bugzilla.suse.com/1005004 https://bugzilla.suse.com/1005005 https://bugzilla.suse.com/1007157 https://bugzilla.suse.com/1009100 https://bugzilla.suse.com/1009103 https://bugzilla.suse.com/1009107 https://bugzilla.suse.com/1009109 https://bugzilla.suse.com/1009111 https://bugzilla.suse.com/1011652 https://bugzilla.suse.com/990843 From sle-security-updates at lists.suse.com Wed Dec 7 12:10:52 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at 
lists.suse.com) Date: Wed, 7 Dec 2016 20:10:52 +0100 (CET) Subject: SUSE-SU-2016:3046-1: moderate: Security update for w3m Message-ID: <20161207191052.757D6FFD2@maintenance.suse.de> SUSE Security Update: Security update for w3m ______________________________________________________________________________ Announcement ID: SUSE-SU-2016:3046-1 Rating: moderate References: #1011269 #1011270 #1011271 #1011272 #1011283 #1011284 #1011285 #1011286 #1011287 #1011288 #1011289 #1011290 #1011291 #1011292 #1011293 #1012020 #1012021 #1012022 #1012023 #1012024 #1012025 #1012026 #1012027 #1012028 #1012029 #1012030 #1012031 #1012032 Cross-References: CVE-2010-2074 CVE-2016-9422 CVE-2016-9423 CVE-2016-9424 CVE-2016-9425 CVE-2016-9434 CVE-2016-9435 CVE-2016-9436 CVE-2016-9437 CVE-2016-9438 CVE-2016-9439 CVE-2016-9440 CVE-2016-9441 CVE-2016-9442 CVE-2016-9443 CVE-2016-9621 CVE-2016-9622 CVE-2016-9623 CVE-2016-9624 CVE-2016-9625 CVE-2016-9626 CVE-2016-9627 CVE-2016-9628 CVE-2016-9629 CVE-2016-9630 CVE-2016-9631 CVE-2016-9632 CVE-2016-9633 Affected Products: SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes 28 vulnerabilities is now available. 
Description:
This update for w3m fixes the following issues:
- update to the Debian git version (bsc#1011293), which addressed the following security issues:
  CVE-2016-9621: w3m: global-buffer-overflow write (bsc#1012020)
  CVE-2016-9622: w3m: null deref (bsc#1012021)
  CVE-2016-9623: w3m: null deref (bsc#1012022)
  CVE-2016-9624: w3m: near-null deref (bsc#1012023)
  CVE-2016-9625: w3m: stack overflow (bsc#1012024)
  CVE-2016-9626: w3m: stack overflow (bsc#1012025)
  CVE-2016-9627: w3m: heap overflow read + deref (bsc#1012026)
  CVE-2016-9628: w3m: null deref (bsc#1012027)
  CVE-2016-9629: w3m: null deref (bsc#1012028)
  CVE-2016-9630: w3m: global-buffer-overflow read (bsc#1012029)
  CVE-2016-9631: w3m: null deref (bsc#1012030)
  CVE-2016-9632: w3m: global-buffer-overflow read (bsc#1012031)
  CVE-2016-9633: w3m: OOM (bsc#1012032)
  CVE-2016-9434: w3m: null deref (bsc#1011283)
  CVE-2016-9435: w3m: use of uninitialized value (bsc#1011284)
  CVE-2016-9436: w3m: use of uninitialized value (bsc#1011285)
  CVE-2016-9437: w3m: write to rodata (bsc#1011286)
  CVE-2016-9438: w3m: null deref (bsc#1011287)
  CVE-2016-9439: w3m: stack overflow (bsc#1011288)
  CVE-2016-9440: w3m: near-null deref (bsc#1011289)
  CVE-2016-9441: w3m: near-null deref (bsc#1011290)
  CVE-2016-9442: w3m: potential heap buffer corruption (bsc#1011291)
  CVE-2016-9443: w3m: null deref (bsc#1011292)

Patch Instructions:
To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-w3m-12875=1
- SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-w3m-12875=1
To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): w3m-0.5.3.git20161120-4.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): w3m-debuginfo-0.5.3.git20161120-4.1 w3m-debugsource-0.5.3.git20161120-4.1 References: https://www.suse.com/security/cve/CVE-2010-2074.html https://www.suse.com/security/cve/CVE-2016-9422.html https://www.suse.com/security/cve/CVE-2016-9423.html https://www.suse.com/security/cve/CVE-2016-9424.html https://www.suse.com/security/cve/CVE-2016-9425.html https://www.suse.com/security/cve/CVE-2016-9434.html https://www.suse.com/security/cve/CVE-2016-9435.html https://www.suse.com/security/cve/CVE-2016-9436.html https://www.suse.com/security/cve/CVE-2016-9437.html https://www.suse.com/security/cve/CVE-2016-9438.html https://www.suse.com/security/cve/CVE-2016-9439.html https://www.suse.com/security/cve/CVE-2016-9440.html https://www.suse.com/security/cve/CVE-2016-9441.html https://www.suse.com/security/cve/CVE-2016-9442.html https://www.suse.com/security/cve/CVE-2016-9443.html https://www.suse.com/security/cve/CVE-2016-9621.html https://www.suse.com/security/cve/CVE-2016-9622.html https://www.suse.com/security/cve/CVE-2016-9623.html https://www.suse.com/security/cve/CVE-2016-9624.html https://www.suse.com/security/cve/CVE-2016-9625.html https://www.suse.com/security/cve/CVE-2016-9626.html https://www.suse.com/security/cve/CVE-2016-9627.html https://www.suse.com/security/cve/CVE-2016-9628.html https://www.suse.com/security/cve/CVE-2016-9629.html https://www.suse.com/security/cve/CVE-2016-9630.html https://www.suse.com/security/cve/CVE-2016-9631.html https://www.suse.com/security/cve/CVE-2016-9632.html https://www.suse.com/security/cve/CVE-2016-9633.html https://bugzilla.suse.com/1011269 https://bugzilla.suse.com/1011270 https://bugzilla.suse.com/1011271 https://bugzilla.suse.com/1011272 https://bugzilla.suse.com/1011283 https://bugzilla.suse.com/1011284 https://bugzilla.suse.com/1011285 
https://bugzilla.suse.com/1011286 https://bugzilla.suse.com/1011287 https://bugzilla.suse.com/1011288 https://bugzilla.suse.com/1011289 https://bugzilla.suse.com/1011290 https://bugzilla.suse.com/1011291 https://bugzilla.suse.com/1011292 https://bugzilla.suse.com/1011293 https://bugzilla.suse.com/1012020 https://bugzilla.suse.com/1012021 https://bugzilla.suse.com/1012022 https://bugzilla.suse.com/1012023 https://bugzilla.suse.com/1012024 https://bugzilla.suse.com/1012025 https://bugzilla.suse.com/1012026 https://bugzilla.suse.com/1012027 https://bugzilla.suse.com/1012028 https://bugzilla.suse.com/1012029 https://bugzilla.suse.com/1012030 https://bugzilla.suse.com/1012031 https://bugzilla.suse.com/1012032

From sle-security-updates at lists.suse.com Wed Dec 7 12:15:30 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 7 Dec 2016 20:15:30 +0100 (CET)
Subject: SUSE-SU-2016:3047-1: moderate: Security update for libXi
Message-ID: <20161207191530.6E45CFFD4@maintenance.suse.de>

SUSE Security Update: Security update for libXi
______________________________________________________________________________
Announcement ID: SUSE-SU-2016:3047-1
Rating: moderate
References: #1002998
Cross-References: CVE-2016-7945 CVE-2016-7946
Affected Products:
 SUSE Linux Enterprise Software Development Kit 12-SP2
 SUSE Linux Enterprise Software Development Kit 12-SP1
 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
 SUSE Linux Enterprise Server 12-SP2
 SUSE Linux Enterprise Server 12-SP1
 SUSE Linux Enterprise Desktop 12-SP2
 SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:
libXi was updated to fix two security issues.

These security issues were fixed:
- CVE-2016-7945: Integer overflows in libXi can cause out-of-bounds memory access or endless loops (Denial of Service) (bsc#1002998).
- CVE-2016-7946: Insufficient validation of data in libXi can cause out-of-bounds memory access or endless loops (Denial of Service) (bsc#1002998).

Patch Instructions:
To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1767=1
- SUSE Linux Enterprise Software Development Kit 12-SP1: zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1767=1
- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1767=1
- SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1767=1
- SUSE Linux Enterprise Server 12-SP1: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1767=1
- SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1767=1
- SUSE Linux Enterprise Desktop 12-SP1: zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1767=1
To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): libXi-debugsource-1.7.4-17.1 libXi-devel-1.7.4-17.1 - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64): libXi-debugsource-1.7.4-17.1 libXi-devel-1.7.4-17.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): libXi-debugsource-1.7.4-17.1 libXi6-1.7.4-17.1 libXi6-debuginfo-1.7.4-17.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64): libXi-debugsource-1.7.4-17.1 libXi6-1.7.4-17.1 libXi6-debuginfo-1.7.4-17.1 - SUSE Linux Enterprise Server 12-SP2 (x86_64): libXi6-32bit-1.7.4-17.1 libXi6-debuginfo-32bit-1.7.4-17.1 - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64): libXi-debugsource-1.7.4-17.1 libXi6-1.7.4-17.1 libXi6-debuginfo-1.7.4-17.1 - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64): libXi6-32bit-1.7.4-17.1 libXi6-debuginfo-32bit-1.7.4-17.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): libXi-debugsource-1.7.4-17.1 libXi6-1.7.4-17.1 libXi6-32bit-1.7.4-17.1 libXi6-debuginfo-1.7.4-17.1 libXi6-debuginfo-32bit-1.7.4-17.1 - SUSE Linux Enterprise Desktop 12-SP1 (x86_64): libXi-debugsource-1.7.4-17.1 libXi6-1.7.4-17.1 libXi6-32bit-1.7.4-17.1 libXi6-debuginfo-1.7.4-17.1 libXi6-debuginfo-32bit-1.7.4-17.1 References: https://www.suse.com/security/cve/CVE-2016-7945.html https://www.suse.com/security/cve/CVE-2016-7946.html https://bugzilla.suse.com/1002998 From sle-security-updates at lists.suse.com Wed Dec 7 13:07:02 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 7 Dec 2016 21:07:02 +0100 (CET) Subject: SUSE-SU-2016:3048-1: important: Security update for MozillaFirefox Message-ID: <20161207200702.2B3A0F7B7@maintenance.suse.de> SUSE Security Update: Security update for MozillaFirefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2016:3048-1 Rating: important References: #1012964 Cross-References: 
CVE-2016-9079
Affected Products:
 SUSE Linux Enterprise Software Development Kit 12-SP2
 SUSE Linux Enterprise Software Development Kit 12-SP1
 SUSE Linux Enterprise Server for SAP 12
 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
 SUSE Linux Enterprise Server 12-SP2
 SUSE Linux Enterprise Server 12-SP1
 SUSE Linux Enterprise Server 12-LTSS
 SUSE Linux Enterprise Desktop 12-SP2
 SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:
This update for MozillaFirefox fixes security issues.

The following vulnerabilities were fixed in Firefox ESR 45.5.1 (bsc#1012964):
- CVE-2016-9079: Use-after-free in SVG Animation could be used for code execution (MFSA 2016-92 bsc#1012964)

Patch Instructions:
To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1771=1
- SUSE Linux Enterprise Software Development Kit 12-SP1: zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1771=1
- SUSE Linux Enterprise Server for SAP 12: zypper in -t patch SUSE-SLE-SAP-12-2016-1771=1
- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1771=1
- SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1771=1
- SUSE Linux Enterprise Server 12-SP1: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1771=1
- SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2016-1771=1
- SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1771=1
- SUSE Linux Enterprise Desktop 12-SP1: zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1771=1
To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): MozillaFirefox-debuginfo-45.5.1esr-93.1 MozillaFirefox-debugsource-45.5.1esr-93.1 MozillaFirefox-devel-45.5.1esr-93.1 - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64): MozillaFirefox-debuginfo-45.5.1esr-93.1 MozillaFirefox-debugsource-45.5.1esr-93.1 MozillaFirefox-devel-45.5.1esr-93.1 - SUSE Linux Enterprise Server for SAP 12 (x86_64): MozillaFirefox-45.5.1esr-93.1 MozillaFirefox-debuginfo-45.5.1esr-93.1 MozillaFirefox-debugsource-45.5.1esr-93.1 MozillaFirefox-translations-45.5.1esr-93.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): MozillaFirefox-45.5.1esr-93.1 MozillaFirefox-debuginfo-45.5.1esr-93.1 MozillaFirefox-debugsource-45.5.1esr-93.1 MozillaFirefox-translations-45.5.1esr-93.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64): MozillaFirefox-45.5.1esr-93.1 MozillaFirefox-debuginfo-45.5.1esr-93.1 MozillaFirefox-debugsource-45.5.1esr-93.1 MozillaFirefox-translations-45.5.1esr-93.1 - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64): MozillaFirefox-45.5.1esr-93.1 MozillaFirefox-debuginfo-45.5.1esr-93.1 MozillaFirefox-debugsource-45.5.1esr-93.1 MozillaFirefox-translations-45.5.1esr-93.1 - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64): MozillaFirefox-45.5.1esr-93.1 MozillaFirefox-debuginfo-45.5.1esr-93.1 MozillaFirefox-debugsource-45.5.1esr-93.1 MozillaFirefox-translations-45.5.1esr-93.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): MozillaFirefox-45.5.1esr-93.1 MozillaFirefox-debuginfo-45.5.1esr-93.1 MozillaFirefox-debugsource-45.5.1esr-93.1 MozillaFirefox-translations-45.5.1esr-93.1 - SUSE Linux Enterprise Desktop 12-SP1 (x86_64): MozillaFirefox-45.5.1esr-93.1 MozillaFirefox-debuginfo-45.5.1esr-93.1 MozillaFirefox-debugsource-45.5.1esr-93.1 MozillaFirefox-translations-45.5.1esr-93.1 References: https://www.suse.com/security/cve/CVE-2016-9079.html 
https://bugzilla.suse.com/1012964

From sle-security-updates at lists.suse.com Wed Dec 7 15:07:03 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 7 Dec 2016 23:07:03 +0100 (CET)
Subject: SUSE-SU-2016:3049-1: important: Security update for the Linux Kernel
Message-ID: <20161207220703.48FF5F7CA@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________
Announcement ID: SUSE-SU-2016:3049-1
Rating: important
References: #1008831 #1011685 #1012754
Cross-References: CVE-2016-8632 CVE-2016-8655 CVE-2016-9555
Affected Products:
 SUSE Linux Enterprise Workstation Extension 12-SP2
 SUSE Linux Enterprise Software Development Kit 12-SP2
 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
 SUSE Linux Enterprise Server 12-SP2
 SUSE Linux Enterprise Live Patching 12
 SUSE Linux Enterprise High Availability 12-SP2
 SUSE Linux Enterprise Desktop 12-SP2
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:
The SUSE Linux Enterprise 12 SP2 kernel was updated to receive critical security fixes.

The following security bugs were fixed:
- CVE-2016-8655: A race condition in the af_packet packet_set_ring function could be used by local attackers to crash the kernel or gain privileges (bsc#1012754).
- CVE-2016-8632: The tipc_msg_build function in net/tipc/msg.c in the Linux kernel did not validate the relationship between the minimum fragment length and the maximum packet size, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN capability (bnc#1008831).
- CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel lacks chunk-length checking for the first chunk, which allowed remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data (bnc#1011685).

Patch Instructions:
To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Workstation Extension 12-SP2: zypper in -t patch SUSE-SLE-WE-12-SP2-2016-1772=1
- SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1772=1
- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1772=1
- SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1772=1
- SUSE Linux Enterprise Live Patching 12: zypper in -t patch SUSE-SLE-Live-Patching-12-2016-1772=1
- SUSE Linux Enterprise High Availability 12-SP2: zypper in -t patch SUSE-SLE-HA-12-SP2-2016-1772=1
- SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1772=1
To bring your system up-to-date, use "zypper patch".
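A kernel update differs from the other advisories on this page in one practical respect: installing the fixed kernel-default package does not change the running kernel until the host is rebooted into it, and the Live Patching product listed above ships a separate kgraft-patch package for patching a running kernel in place. The script below is an added example, not SUSE's tooling, that classifies a host from its installed kernel packages and its `uname -r`. It assumes that a SUSE kernel package VERSION-RELEASE boots as VERSION-RELEASE-FLAVOR with the rebuild counter dropped (4.4.21-84.1 runs as 4.4.21-84-default, consistent with the kgraft-patch-4_4_21-84-default package name in this advisory) and that kgraft patch packages are named after that string with dots replaced by underscores; the package inventory and the uname output are constructed.

```python
# Constructed stand-in for
#   rpm -q kernel-default 'kgraft-patch-*' --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
# on a SLES 12-SP2 x86_64 host that installed the update but has not rebooted.
INSTALLED = """kernel-default-4.4.21-69.1
kernel-default-4.4.21-84.1
kgraft-patch-4_4_21-84-default-1-2.1
"""
RUNNING = "4.4.21-69-default"                 # constructed `uname -r` output
FIXED_KERNEL = "kernel-default-4.4.21-84.1"   # from the advisory's package list


def split_nvr(nvr):
    """Split an rpm NAME-VERSION-RELEASE string at its last two dashes."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def uname_release(kernel_nvr):
    """Map a kernel package NVR to the `uname -r` string it boots as.
    Assumption: SUSE's release string is VERSION-<release without the
    rebuild counter>-<flavor>, e.g. kernel-default-4.4.21-84.1 -> 4.4.21-84-default."""
    name, version, release = split_nvr(kernel_nvr)
    flavor = name.split("kernel-", 1)[1]
    return f"{version}-{release.split('.')[0]}-{flavor}"


def kgraft_patch_name(uname_r):
    """kgraft patch packages are named after the kernel they patch, dots -> underscores."""
    return "kgraft-patch-" + uname_r.replace(".", "_")


def kernel_status(installed_text, running, fixed_kernel):
    """Return (state, live_patch_present) where state is one of
    'fixed-running', 'reboot-required' or 'not-installed'. live_patch_present
    says whether a kgraft package for the *running* kernel is installed; whether
    that live patch covers this advisory's CVEs must be checked against the Live
    Patching advisory separately. A kernel newer than the fixed one would need a
    proper rpm version comparison and is reported as reboot-required/not-installed."""
    installed = [split_nvr(line) for line in installed_text.split()]
    wanted_patch = kgraft_patch_name(running)
    live_patch = any(name == wanted_patch for name, _, _ in installed)
    if running == uname_release(fixed_kernel):
        state = "fixed-running"
    elif split_nvr(fixed_kernel) in installed:
        state = "reboot-required"
    else:
        state = "not-installed"
    return state, live_patch


if __name__ == "__main__":
    state, live_patch = kernel_status(INSTALLED, RUNNING, FIXED_KERNEL)
    print(f"running {RUNNING}: {state}; kgraft patch for running kernel: {live_patch}")
```

On the constructed host the fixed kernel is installed but the older one is still running, and the kgraft package present belongs to the new kernel rather than the running one, so the honest answer is "reboot required" rather than "patched".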
Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP2 (x86_64):
      kernel-default-debuginfo-4.4.21-84.1
      kernel-default-debugsource-4.4.21-84.1
      kernel-default-extra-4.4.21-84.1
      kernel-default-extra-debuginfo-4.4.21-84.1

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):
      kernel-obs-build-4.4.21-84.1
      kernel-obs-build-debugsource-4.4.21-84.1

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (noarch):
      kernel-docs-4.4.21-84.3

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):
      kernel-default-4.4.21-84.1
      kernel-default-base-4.4.21-84.1
      kernel-default-base-debuginfo-4.4.21-84.1
      kernel-default-debuginfo-4.4.21-84.1
      kernel-default-debugsource-4.4.21-84.1
      kernel-default-devel-4.4.21-84.1
      kernel-syms-4.4.21-84.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (noarch):
      kernel-devel-4.4.21-84.1
      kernel-macros-4.4.21-84.1
      kernel-source-4.4.21-84.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):
      kernel-default-4.4.21-84.1
      kernel-default-base-4.4.21-84.1
      kernel-default-base-debuginfo-4.4.21-84.1
      kernel-default-debuginfo-4.4.21-84.1
      kernel-default-debugsource-4.4.21-84.1
      kernel-default-devel-4.4.21-84.1
      kernel-syms-4.4.21-84.1

   - SUSE Linux Enterprise Server 12-SP2 (noarch):
      kernel-devel-4.4.21-84.1
      kernel-macros-4.4.21-84.1
      kernel-source-4.4.21-84.1

   - SUSE Linux Enterprise Live Patching 12 (x86_64):
      kgraft-patch-4_4_21-84-default-1-2.1

   - SUSE Linux Enterprise High Availability 12-SP2 (ppc64le s390x x86_64):
      cluster-md-kmp-default-4.4.21-84.1
      cluster-md-kmp-default-debuginfo-4.4.21-84.1
      cluster-network-kmp-default-4.4.21-84.1
      cluster-network-kmp-default-debuginfo-4.4.21-84.1
      dlm-kmp-default-4.4.21-84.1
      dlm-kmp-default-debuginfo-4.4.21-84.1
      gfs2-kmp-default-4.4.21-84.1
      gfs2-kmp-default-debuginfo-4.4.21-84.1
      kernel-default-debuginfo-4.4.21-84.1
      kernel-default-debugsource-4.4.21-84.1
      ocfs2-kmp-default-4.4.21-84.1
      ocfs2-kmp-default-debuginfo-4.4.21-84.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):
      kernel-default-4.4.21-84.1
      kernel-default-debuginfo-4.4.21-84.1
      kernel-default-debugsource-4.4.21-84.1
      kernel-default-devel-4.4.21-84.1
      kernel-default-extra-4.4.21-84.1
      kernel-default-extra-debuginfo-4.4.21-84.1
      kernel-syms-4.4.21-84.1

   - SUSE Linux Enterprise Desktop 12-SP2 (noarch):
      kernel-devel-4.4.21-84.1
      kernel-macros-4.4.21-84.1
      kernel-source-4.4.21-84.1

References:

   https://www.suse.com/security/cve/CVE-2016-8632.html
   https://www.suse.com/security/cve/CVE-2016-8655.html
   https://www.suse.com/security/cve/CVE-2016-9555.html
   https://bugzilla.suse.com/1008831
   https://bugzilla.suse.com/1011685
   https://bugzilla.suse.com/1012754

From sle-security-updates at lists.suse.com Thu Dec 8 06:07:44 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 8 Dec 2016 14:07:44 +0100 (CET)
Subject: SUSE-SU-2016:3052-1: moderate: Security update for perl-SOAP-Lite
Message-ID: <20161208130744.4ED67F7CC@maintenance.suse.de>

   SUSE Security Update: Security update for perl-SOAP-Lite
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3052-1
Rating:             moderate
References:         #1011836
Cross-References:   CVE-2015-8978
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for perl-SOAP-Lite fixes the following issue:

   Security issue fixed:

   - CVE-2015-8978: XML exponential entity expansion denial-of-service (bsc#1011836)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:
      zypper in -t patch sdksp4-perl-SOAP-Lite-12876=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      perl-SOAP-Lite-0.710.08-3.1

References:

   https://www.suse.com/security/cve/CVE-2015-8978.html
   https://bugzilla.suse.com/1011836

From sle-security-updates at lists.suse.com Thu Dec 8 06:08:14 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 8 Dec 2016 14:08:14 +0100 (CET)
Subject: SUSE-SU-2016:3053-1: moderate: Security update for w3m
Message-ID: <20161208130814.E7436F7CC@maintenance.suse.de>

   SUSE Security Update: Security update for w3m
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3053-1
Rating:             moderate
References:         #1011283 #1011284 #1011285 #1011286 #1011287 #1011288
                    #1011289 #1011290 #1011291 #1011292 #1011293 #1012021
                    #1012022 #1012023 #1012024 #1012025 #1012026 #1012027
                    #1012028 #1012029 #1012030 #1012031 #1012032
Cross-References:   CVE-2016-9434 CVE-2016-9435 CVE-2016-9436 CVE-2016-9437
                    CVE-2016-9438 CVE-2016-9439 CVE-2016-9440 CVE-2016-9441
                    CVE-2016-9442 CVE-2016-9443 CVE-2016-9621 CVE-2016-9622
                    CVE-2016-9623 CVE-2016-9624 CVE-2016-9625 CVE-2016-9626
                    CVE-2016-9627 CVE-2016-9628 CVE-2016-9629 CVE-2016-9630
                    CVE-2016-9631 CVE-2016-9632 CVE-2016-9633
Affected Products:
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes 23 vulnerabilities is now available.
Description:

   This update for w3m fixes the following issues:

   - update to debian git version (bsc#1011293)

     addressed security issues:
     CVE-2016-9622: w3m: null deref (bsc#1012021)
     CVE-2016-9623: w3m: null deref (bsc#1012022)
     CVE-2016-9624: w3m: near-null deref (bsc#1012023)
     CVE-2016-9625: w3m: stack overflow (bsc#1012024)
     CVE-2016-9626: w3m: stack overflow (bsc#1012025)
     CVE-2016-9627: w3m: heap overflow read + deref (bsc#1012026)
     CVE-2016-9628: w3m: null deref (bsc#1012027)
     CVE-2016-9629: w3m: null deref (bsc#1012028)
     CVE-2016-9630: w3m: global-buffer-overflow read (bsc#1012029)
     CVE-2016-9631: w3m: null deref (bsc#1012030)
     CVE-2016-9632: w3m: global-buffer-overflow read (bsc#1012031)
     CVE-2016-9633: w3m: OOM (bsc#1012032)
     CVE-2016-9434: w3m: null deref (bsc#1011283)
     CVE-2016-9435: w3m: use uninit value (bsc#1011284)
     CVE-2016-9436: w3m: use uninit value (bsc#1011285)
     CVE-2016-9437: w3m: write to rodata (bsc#1011286)
     CVE-2016-9438: w3m: null deref (bsc#1011287)
     CVE-2016-9439: w3m: stack overflow (bsc#1011288)
     CVE-2016-9440: w3m: near-null deref (bsc#1011289)
     CVE-2016-9441: w3m: near-null deref (bsc#1011290)
     CVE-2016-9442: w3m: potential heap buffer corruption (bsc#1011291)
     CVE-2016-9443: w3m: null deref (bsc#1011292)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:
      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1774=1
   - SUSE Linux Enterprise Server 12-SP2:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1774=1
   - SUSE Linux Enterprise Server 12-SP1:
      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1774=1
   - SUSE Linux Enterprise Desktop 12-SP2:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1774=1
   - SUSE Linux Enterprise Desktop 12-SP1:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1774=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):
      w3m-0.5.3.git20161120-160.1
      w3m-debuginfo-0.5.3.git20161120-160.1
      w3m-debugsource-0.5.3.git20161120-160.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):
      w3m-0.5.3.git20161120-160.1
      w3m-debuginfo-0.5.3.git20161120-160.1
      w3m-debugsource-0.5.3.git20161120-160.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):
      w3m-0.5.3.git20161120-160.1
      w3m-debuginfo-0.5.3.git20161120-160.1
      w3m-debugsource-0.5.3.git20161120-160.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):
      w3m-0.5.3.git20161120-160.1
      w3m-debuginfo-0.5.3.git20161120-160.1
      w3m-debugsource-0.5.3.git20161120-160.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):
      w3m-0.5.3.git20161120-160.1
      w3m-debuginfo-0.5.3.git20161120-160.1
      w3m-debugsource-0.5.3.git20161120-160.1

References:

   https://www.suse.com/security/cve/CVE-2016-9434.html
   https://www.suse.com/security/cve/CVE-2016-9435.html
   https://www.suse.com/security/cve/CVE-2016-9436.html
   https://www.suse.com/security/cve/CVE-2016-9437.html
   https://www.suse.com/security/cve/CVE-2016-9438.html
   https://www.suse.com/security/cve/CVE-2016-9439.html
   https://www.suse.com/security/cve/CVE-2016-9440.html
   https://www.suse.com/security/cve/CVE-2016-9441.html
   https://www.suse.com/security/cve/CVE-2016-9442.html
   https://www.suse.com/security/cve/CVE-2016-9443.html
   https://www.suse.com/security/cve/CVE-2016-9621.html
   https://www.suse.com/security/cve/CVE-2016-9622.html
   https://www.suse.com/security/cve/CVE-2016-9623.html
   https://www.suse.com/security/cve/CVE-2016-9624.html
   https://www.suse.com/security/cve/CVE-2016-9625.html
   https://www.suse.com/security/cve/CVE-2016-9626.html
   https://www.suse.com/security/cve/CVE-2016-9627.html
   https://www.suse.com/security/cve/CVE-2016-9628.html
   https://www.suse.com/security/cve/CVE-2016-9629.html
   https://www.suse.com/security/cve/CVE-2016-9630.html
   https://www.suse.com/security/cve/CVE-2016-9631.html
   https://www.suse.com/security/cve/CVE-2016-9632.html
   https://www.suse.com/security/cve/CVE-2016-9633.html
   https://bugzilla.suse.com/1011283
   https://bugzilla.suse.com/1011284
   https://bugzilla.suse.com/1011285
   https://bugzilla.suse.com/1011286
   https://bugzilla.suse.com/1011287
   https://bugzilla.suse.com/1011288
   https://bugzilla.suse.com/1011289
   https://bugzilla.suse.com/1011290
   https://bugzilla.suse.com/1011291
   https://bugzilla.suse.com/1011292
   https://bugzilla.suse.com/1011293
   https://bugzilla.suse.com/1012021
   https://bugzilla.suse.com/1012022
   https://bugzilla.suse.com/1012023
   https://bugzilla.suse.com/1012024
   https://bugzilla.suse.com/1012025
   https://bugzilla.suse.com/1012026
   https://bugzilla.suse.com/1012027
   https://bugzilla.suse.com/1012028
   https://bugzilla.suse.com/1012029
   https://bugzilla.suse.com/1012030
   https://bugzilla.suse.com/1012031
   https://bugzilla.suse.com/1012032

From sle-security-updates at lists.suse.com Thu Dec 8 06:12:41 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 8 Dec 2016 14:12:41 +0100 (CET)
Subject: SUSE-SU-2016:3054-1: moderate: Security update for xorg-x11-libX11
Message-ID: <20161208131241.16E43F7CC@maintenance.suse.de>

   SUSE Security Update: Security update for xorg-x11-libX11
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3054-1
Rating:             moderate
References:         #1002991
Cross-References:   CVE-2016-7942
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.
Description:

   This update for xorg-x11-libX11 fixes the following issues:

   - plug a memory leak (bsc#1002991, CVE-2016-7942)
   - insufficient validation of data from the X server can cause out of boundary memory read (XGetImage()) or write (XListFonts()) (bsc#1002991, CVE-2016-7942)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:
      zypper in -t patch sdksp4-xorg-x11-libX11-12877=1
   - SUSE Linux Enterprise Server 11-SP4:
      zypper in -t patch slessp4-xorg-x11-libX11-12877=1
   - SUSE Linux Enterprise Debuginfo 11-SP4:
      zypper in -t patch dbgsp4-xorg-x11-libX11-12877=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      xorg-x11-libX11-devel-7.4-5.11.65.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64):
      xorg-x11-libX11-devel-32bit-7.4-5.11.65.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      xorg-x11-libX11-7.4-5.11.65.1

   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):
      xorg-x11-libX11-32bit-7.4-5.11.65.1

   - SUSE Linux Enterprise Server 11-SP4 (ia64):
      xorg-x11-libX11-x86-7.4-5.11.65.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      xorg-x11-libX11-debuginfo-7.4-5.11.65.1
      xorg-x11-libX11-debugsource-7.4-5.11.65.1

References:

   https://www.suse.com/security/cve/CVE-2016-7942.html
   https://bugzilla.suse.com/1002991

From sle-security-updates at lists.suse.com Thu Dec 8 06:15:18 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 8 Dec 2016 14:15:18 +0100 (CET)
Subject: SUSE-SU-2016:3056-1: Security update for crowbar-barclamp-trove
Message-ID: <20161208131518.88ABEF7CE@maintenance.suse.de>

   SUSE Security Update: Security update for crowbar-barclamp-trove
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3056-1
Rating:             low
References:         #991729
Cross-References:   CVE-2016-6829
Affected Products:
                    SUSE OpenStack Cloud 5
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for crowbar-barclamp-trove fixes the following issues:

   - Fix initial migration and schema revision.
   - Set the trove service password to random. (bsc#991729, CVE-2016-6829)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 5:
      zypper in -t patch sleclo50sp3-crowbar-barclamp-trove-12878=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE OpenStack Cloud 5 (noarch):
      crowbar-barclamp-trove-1.9+git.1473844105.932298f-9.1

References:

   https://www.suse.com/security/cve/CVE-2016-6829.html
   https://bugzilla.suse.com/991729

From sle-security-updates at lists.suse.com Thu Dec 8 06:16:00 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 8 Dec 2016 14:16:00 +0100 (CET)
Subject: SUSE-SU-2016:3057-1: moderate: Security update for gc
Message-ID: <20161208131600.54A10F7CA@maintenance.suse.de>

   SUSE Security Update: Security update for gc
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3057-1
Rating:             moderate
References:         #1011276
Cross-References:   CVE-2016-9427
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for gc fixes the following issues:

   - integer overflow in GC_MALLOC_ATOMIC() (CVE-2016-9427, bsc#1011276)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP2:
      zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1775=1
   - SUSE Linux Enterprise Software Development Kit 12-SP1:
      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1775=1
   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:
      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1775=1
   - SUSE Linux Enterprise Server 12-SP2:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1775=1
   - SUSE Linux Enterprise Server 12-SP1:
      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1775=1
   - SUSE Linux Enterprise Desktop 12-SP2:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1775=1
   - SUSE Linux Enterprise Desktop 12-SP1:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1775=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):
      gc-debugsource-7.2d-5.1
      gc-devel-7.2d-5.1

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):
      gc-debugsource-7.2d-5.1
      gc-devel-7.2d-5.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):
      gc-debugsource-7.2d-5.1
      libgc1-7.2d-5.1
      libgc1-debuginfo-7.2d-5.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):
      gc-debugsource-7.2d-5.1
      libgc1-7.2d-5.1
      libgc1-debuginfo-7.2d-5.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):
      gc-debugsource-7.2d-5.1
      libgc1-7.2d-5.1
      libgc1-debuginfo-7.2d-5.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):
      gc-debugsource-7.2d-5.1
      libgc1-7.2d-5.1
      libgc1-debuginfo-7.2d-5.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):
      gc-debugsource-7.2d-5.1
      libgc1-7.2d-5.1
      libgc1-debuginfo-7.2d-5.1

References:

   https://www.suse.com/security/cve/CVE-2016-9427.html
   https://bugzilla.suse.com/1011276

From sle-security-updates at lists.suse.com Fri Dec 9 05:07:11 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 9 Dec 2016 13:07:11 +0100 (CET)
Subject: SUSE-SU-2016:3063-1: important: Security update for the Linux Kernel
Message-ID: <20161209120711.5EDAEFF05@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3063-1
Rating:             important
References:         #1008831 #1011685 #1012754
Cross-References:   CVE-2016-8632 CVE-2016-8655 CVE-2016-9555
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12
                    SUSE Linux Enterprise Server 12-LTSS
                    SUSE Linux Enterprise Module for Public Cloud 12
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   The SUSE Linux Enterprise 12 kernel was updated to receive critical security fixes.
   The following security bugs were fixed:

   - CVE-2016-8655: A race condition in the af_packet packet_set_ring function could be used by local attackers to crash the kernel or gain privileges (bsc#1012754).
   - CVE-2016-8632: The tipc_msg_build function in net/tipc/msg.c in the Linux kernel did not validate the relationship between the minimum fragment length and the maximum packet size, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN capability (bnc#1008831).
   - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel lacks chunk-length checking for the first chunk, which allowed remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data (bnc#1011685).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12:
      zypper in -t patch SUSE-SLE-SAP-12-2016-1781=1
   - SUSE Linux Enterprise Server 12-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-2016-1781=1
   - SUSE Linux Enterprise Module for Public Cloud 12:
      zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2016-1781=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server for SAP 12 (noarch):
      kernel-devel-3.12.60-52.60.1
      kernel-macros-3.12.60-52.60.1
      kernel-source-3.12.60-52.60.1

   - SUSE Linux Enterprise Server for SAP 12 (x86_64):
      kernel-default-3.12.60-52.60.1
      kernel-default-base-3.12.60-52.60.1
      kernel-default-base-debuginfo-3.12.60-52.60.1
      kernel-default-debuginfo-3.12.60-52.60.1
      kernel-default-debugsource-3.12.60-52.60.1
      kernel-default-devel-3.12.60-52.60.1
      kernel-syms-3.12.60-52.60.1
      kernel-xen-3.12.60-52.60.1
      kernel-xen-base-3.12.60-52.60.1
      kernel-xen-base-debuginfo-3.12.60-52.60.1
      kernel-xen-debuginfo-3.12.60-52.60.1
      kernel-xen-debugsource-3.12.60-52.60.1
      kernel-xen-devel-3.12.60-52.60.1
      kgraft-patch-3_12_60-52_60-default-1-2.1
      kgraft-patch-3_12_60-52_60-xen-1-2.1

   - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):
      kernel-default-3.12.60-52.60.1
      kernel-default-base-3.12.60-52.60.1
      kernel-default-base-debuginfo-3.12.60-52.60.1
      kernel-default-debuginfo-3.12.60-52.60.1
      kernel-default-debugsource-3.12.60-52.60.1
      kernel-default-devel-3.12.60-52.60.1
      kernel-syms-3.12.60-52.60.1

   - SUSE Linux Enterprise Server 12-LTSS (noarch):
      kernel-devel-3.12.60-52.60.1
      kernel-macros-3.12.60-52.60.1
      kernel-source-3.12.60-52.60.1

   - SUSE Linux Enterprise Server 12-LTSS (x86_64):
      kernel-xen-3.12.60-52.60.1
      kernel-xen-base-3.12.60-52.60.1
      kernel-xen-base-debuginfo-3.12.60-52.60.1
      kernel-xen-debuginfo-3.12.60-52.60.1
      kernel-xen-debugsource-3.12.60-52.60.1
      kernel-xen-devel-3.12.60-52.60.1
      kgraft-patch-3_12_60-52_60-default-1-2.1
      kgraft-patch-3_12_60-52_60-xen-1-2.1

   - SUSE Linux Enterprise Server 12-LTSS (s390x):
      kernel-default-man-3.12.60-52.60.1

   - SUSE Linux Enterprise Module for Public Cloud 12 (x86_64):
      kernel-ec2-3.12.60-52.60.1
      kernel-ec2-debuginfo-3.12.60-52.60.1
      kernel-ec2-debugsource-3.12.60-52.60.1
      kernel-ec2-devel-3.12.60-52.60.1
      kernel-ec2-extra-3.12.60-52.60.1
      kernel-ec2-extra-debuginfo-3.12.60-52.60.1

References:

   https://www.suse.com/security/cve/CVE-2016-8632.html
   https://www.suse.com/security/cve/CVE-2016-8655.html
   https://www.suse.com/security/cve/CVE-2016-9555.html
   https://bugzilla.suse.com/1008831
   https://bugzilla.suse.com/1011685
   https://bugzilla.suse.com/1012754

From sle-security-updates at lists.suse.com Fri Dec 9 10:07:26 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 9 Dec 2016 18:07:26 +0100 (CET)
Subject: SUSE-SU-2016:3067-1: important: Security update for xen
Message-ID: <20161209170726.81725FF05@maintenance.suse.de>

   SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3067-1
Rating:             important
References:         #1000106 #1003030 #1003032 #1004981 #1005004 #1005005
                    #1007157 #1007941 #1009100 #1009103 #1009104 #1009105
                    #1009107 #1009108 #1009109 #1009111 #1011652
Cross-References:   CVE-2016-7777 CVE-2016-7908 CVE-2016-7909 CVE-2016-8667
                    CVE-2016-8669 CVE-2016-8910 CVE-2016-9377 CVE-2016-9378
                    CVE-2016-9379 CVE-2016-9380 CVE-2016-9381 CVE-2016-9382
                    CVE-2016-9383 CVE-2016-9384 CVE-2016-9385 CVE-2016-9386
                    CVE-2016-9637
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP2
______________________________________________________________________________

   An update that fixes 17 vulnerabilities is now available.

Description:

   xen was updated to version 4.7.1 to fix 17 security issues.

   These security issues were fixed:

   - CVE-2016-9637: ioport array overflow allowing a malicious guest administrator to escalate their privilege to that of the host (bsc#1011652).
   - CVE-2016-9386: x86 null segments were not always treated as unusable, allowing an unprivileged guest user program to elevate its privilege to that of the guest operating system. Exploit of this vulnerability is easy on Intel and more complicated on AMD (bsc#1009100).
   - CVE-2016-9382: x86 task switch to VM86 mode was mis-handled, allowing an unprivileged guest process to escalate its privilege to that of the guest operating system on AMD hardware. On Intel hardware a malicious unprivileged guest process can crash the guest (bsc#1009103).
   - CVE-2016-9385: x86 segment base write emulation lacked canonical address checks, allowing a malicious guest administrator to crash the host (bsc#1009104).
   - CVE-2016-9384: Guest 32-bit ELF symbol table load leaking host data to unprivileged guest users (bsc#1009105).
   - CVE-2016-9383: The x86 64-bit bit test instruction emulation was broken, allowing a guest to modify arbitrary memory leading to arbitrary code execution (bsc#1009107).
   - CVE-2016-9377: x86 software interrupt injection was mis-handled, allowing an unprivileged guest user to crash the guest (bsc#1009108).
   - CVE-2016-9378: x86 software interrupt injection was mis-handled, allowing an unprivileged guest user to crash the guest (bsc#1009108).
   - CVE-2016-9381: Improper processing of shared rings allowing guest administrators to take over the qemu process, elevating their privilege to that of the qemu process (bsc#1009109).
   - CVE-2016-9379: Delimiter injection vulnerabilities in pygrub allowed guest administrators to obtain the contents of sensitive host files or delete the files (bsc#1009111).
   - CVE-2016-9380: Delimiter injection vulnerabilities in pygrub allowed guest administrators to obtain the contents of sensitive host files or delete the files (bsc#1009111).
   - CVE-2016-7777: Xen did not properly honor CR0.TS and CR0.EM, which allowed local x86 HVM guest OS users to read or modify FPU, MMX, or XMM register state information belonging to arbitrary tasks on the guest by modifying an instruction while the hypervisor is preparing to emulate it (bsc#1000106).
   - CVE-2016-8910: The rtl8139_cplus_transmit function in hw/net/rtl8139.c allowed local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count (bsc#1007157).
   - CVE-2016-8667: The rc4030_write function in hw/dma/rc4030.c allowed local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via a large interval timer reload value (bsc#1005004).
   - CVE-2016-8669: The serial_update_parameters function in hw/char/serial.c allowed local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base (bsc#1005005).
   - CVE-2016-7908: The mcf_fec_do_tx function in hw/net/mcf_fec.c did not properly limit the buffer descriptor count when transmitting packets, which allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags (bsc#1003030).
   - CVE-2016-7909: The pcnet_rdra_addr function in hw/net/pcnet.c allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0 (bsc#1003032).

   These non-security issues were fixed:

   - bsc#1004981: Xen RPM didn't contain debug hypervisor for EFI systems
   - bsc#1007941: Xen tools limited the number of vcpus to 256

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP2:
      zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1785=1
   - SUSE Linux Enterprise Server 12-SP2:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1785=1
   - SUSE Linux Enterprise Desktop 12-SP2:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1785=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 x86_64):
      xen-debugsource-4.7.1_02-25.1
      xen-devel-4.7.1_02-25.1

   - SUSE Linux Enterprise Server 12-SP2 (x86_64):
      xen-4.7.1_02-25.1
      xen-debugsource-4.7.1_02-25.1
      xen-doc-html-4.7.1_02-25.1
      xen-libs-32bit-4.7.1_02-25.1
      xen-libs-4.7.1_02-25.1
      xen-libs-debuginfo-32bit-4.7.1_02-25.1
      xen-libs-debuginfo-4.7.1_02-25.1
      xen-tools-4.7.1_02-25.1
      xen-tools-debuginfo-4.7.1_02-25.1
      xen-tools-domU-4.7.1_02-25.1
      xen-tools-domU-debuginfo-4.7.1_02-25.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):
      xen-4.7.1_02-25.1
      xen-debugsource-4.7.1_02-25.1
      xen-libs-32bit-4.7.1_02-25.1
      xen-libs-4.7.1_02-25.1
      xen-libs-debuginfo-32bit-4.7.1_02-25.1
      xen-libs-debuginfo-4.7.1_02-25.1

References:

   https://www.suse.com/security/cve/CVE-2016-7777.html
   https://www.suse.com/security/cve/CVE-2016-7908.html
   https://www.suse.com/security/cve/CVE-2016-7909.html
   https://www.suse.com/security/cve/CVE-2016-8667.html
   https://www.suse.com/security/cve/CVE-2016-8669.html
   https://www.suse.com/security/cve/CVE-2016-8910.html
   https://www.suse.com/security/cve/CVE-2016-9377.html
   https://www.suse.com/security/cve/CVE-2016-9378.html
   https://www.suse.com/security/cve/CVE-2016-9379.html
   https://www.suse.com/security/cve/CVE-2016-9380.html
   https://www.suse.com/security/cve/CVE-2016-9381.html
   https://www.suse.com/security/cve/CVE-2016-9382.html
   https://www.suse.com/security/cve/CVE-2016-9383.html
   https://www.suse.com/security/cve/CVE-2016-9384.html
   https://www.suse.com/security/cve/CVE-2016-9385.html
   https://www.suse.com/security/cve/CVE-2016-9386.html
   https://www.suse.com/security/cve/CVE-2016-9637.html
   https://bugzilla.suse.com/1000106
   https://bugzilla.suse.com/1003030
   https://bugzilla.suse.com/1003032
   https://bugzilla.suse.com/1004981
   https://bugzilla.suse.com/1005004
   https://bugzilla.suse.com/1005005
   https://bugzilla.suse.com/1007157
   https://bugzilla.suse.com/1007941
   https://bugzilla.suse.com/1009100
   https://bugzilla.suse.com/1009103
   https://bugzilla.suse.com/1009104
   https://bugzilla.suse.com/1009105
   https://bugzilla.suse.com/1009107
   https://bugzilla.suse.com/1009108
   https://bugzilla.suse.com/1009109
   https://bugzilla.suse.com/1009111
   https://bugzilla.suse.com/1011652

From sle-security-updates at lists.suse.com Fri Dec 9 10:10:37 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 9 Dec 2016 18:10:37 +0100 (CET)
Subject: SUSE-SU-2016:3068-1: important: Security update for java-1_7_0-ibm
Message-ID: <20161209171037.4E096FF05@maintenance.suse.de>

   SUSE Security Update: Security update for java-1_7_0-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3068-1
Rating:             important
References:         #1009280 #992537
Cross-References:   CVE-2016-5542 CVE-2016-5554 CVE-2016-5556 CVE-2016-5568
                    CVE-2016-5573 CVE-2016-5597
Affected Products:
                    SUSE OpenStack Cloud 5
                    SUSE Manager Proxy 2.1
                    SUSE Manager 2.1
                    SUSE Linux Enterprise Server 11-SP3-LTSS
                    SUSE Linux Enterprise Server 11-SP2-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
______________________________________________________________________________

   An update that fixes 6 vulnerabilities is now available.
Description:

   This update for java-1_7_0-ibm fixes the following issues:

   - Version update to 7.0-9.60 (bsc#1009280, bsc#992537) fixing the following CVEs:
     CVE-2016-5568, CVE-2016-5556, CVE-2016-5573, CVE-2016-5597, CVE-2016-5554, CVE-2016-5542

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 5:
      zypper in -t patch sleclo50sp3-java-1_7_0-ibm-12879=1
   - SUSE Manager Proxy 2.1:
      zypper in -t patch slemap21-java-1_7_0-ibm-12879=1
   - SUSE Manager 2.1:
      zypper in -t patch sleman21-java-1_7_0-ibm-12879=1
   - SUSE Linux Enterprise Server 11-SP3-LTSS:
      zypper in -t patch slessp3-java-1_7_0-ibm-12879=1
   - SUSE Linux Enterprise Server 11-SP2-LTSS:
      zypper in -t patch slessp2-java-1_7_0-ibm-12879=1
   - SUSE Linux Enterprise Point of Sale 11-SP3:
      zypper in -t patch sleposp3-java-1_7_0-ibm-12879=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE OpenStack Cloud 5 (x86_64):
      java-1_7_0-ibm-1.7.0_sr9.60-58.2
      java-1_7_0-ibm-alsa-1.7.0_sr9.60-58.2
      java-1_7_0-ibm-devel-1.7.0_sr9.60-58.2
      java-1_7_0-ibm-jdbc-1.7.0_sr9.60-58.2
      java-1_7_0-ibm-plugin-1.7.0_sr9.60-58.2

   - SUSE Manager Proxy 2.1 (x86_64):
      java-1_7_0-ibm-1.7.0_sr9.60-58.2
      java-1_7_0-ibm-alsa-1.7.0_sr9.60-58.2
      java-1_7_0-ibm-devel-1.7.0_sr9.60-58.2
      java-1_7_0-ibm-jdbc-1.7.0_sr9.60-58.2
      java-1_7_0-ibm-plugin-1.7.0_sr9.60-58.2

   - SUSE Manager 2.1 (s390x x86_64):
      java-1_7_0-ibm-1.7.0_sr9.60-58.2
      java-1_7_0-ibm-devel-1.7.0_sr9.60-58.2
      java-1_7_0-ibm-jdbc-1.7.0_sr9.60-58.2

   - SUSE Manager 2.1 (x86_64):
      java-1_7_0-ibm-alsa-1.7.0_sr9.60-58.2
      java-1_7_0-ibm-plugin-1.7.0_sr9.60-58.2

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64):
      java-1_7_0-ibm-1.7.0_sr9.60-58.2
      java-1_7_0-ibm-devel-1.7.0_sr9.60-58.2
      java-1_7_0-ibm-jdbc-1.7.0_sr9.60-58.2

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 x86_64):
      java-1_7_0-ibm-alsa-1.7.0_sr9.60-58.2
      java-1_7_0-ibm-plugin-1.7.0_sr9.60-58.2

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):
      java-1_7_0-ibm-1.7.0_sr9.60-58.2
      java-1_7_0-ibm-devel-1.7.0_sr9.60-58.2
      java-1_7_0-ibm-jdbc-1.7.0_sr9.60-58.2

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 x86_64):
      java-1_7_0-ibm-alsa-1.7.0_sr9.60-58.2
      java-1_7_0-ibm-plugin-1.7.0_sr9.60-58.2

   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
      java-1_7_0-ibm-1.7.0_sr9.60-58.2
      java-1_7_0-ibm-alsa-1.7.0_sr9.60-58.2
      java-1_7_0-ibm-devel-1.7.0_sr9.60-58.2
      java-1_7_0-ibm-jdbc-1.7.0_sr9.60-58.2
      java-1_7_0-ibm-plugin-1.7.0_sr9.60-58.2

References:

   https://www.suse.com/security/cve/CVE-2016-5542.html
   https://www.suse.com/security/cve/CVE-2016-5554.html
   https://www.suse.com/security/cve/CVE-2016-5556.html
   https://www.suse.com/security/cve/CVE-2016-5568.html
   https://www.suse.com/security/cve/CVE-2016-5573.html
   https://www.suse.com/security/cve/CVE-2016-5597.html
   https://bugzilla.suse.com/1009280
   https://bugzilla.suse.com/992537

From sle-security-updates at lists.suse.com Fri Dec 9 10:11:18 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 9 Dec 2016 18:11:18 +0100 (CET)
Subject: SUSE-SU-2016:3069-1: important: Security update for the Linux Kernel
Message-ID: <20161209171118.EB4C1F7C8@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3069-1
Rating:             important
References:         #1000189 #1001419 #1002165 #1004418 #732582 #839104
                    #843236 #909994 #911687 #915183 #920016 #934760 #951392
                    #956514 #960689 #963655 #971975 #971989 #974620 #976867
                    #977687 #979514 #979595 #979681 #980371 #982218 #982783
                    #983535 #983619 #984102 #984194 #984992 #985206 #986362
                    #986365 #986445 #987565 #988440 #989152 #989261 #989779
                    #991608 #991665 #991923 #992566 #993127 #993890 #993891
                    #994296 #994436 #994618 #994759 #994926 #996329 #996664
                    #997708 #998399 #999584 #999600 #999932
Cross-References:   CVE-2013-4312 CVE-2015-7513
CVE-2016-0823 CVE-2016-3841 CVE-2016-4997 CVE-2016-4998 CVE-2016-5195 CVE-2016-5696 CVE-2016-6480 CVE-2016-6828 CVE-2016-7425 Affected Products: SUSE Linux Enterprise Real Time Extension 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that solves 11 vulnerabilities and has 49 fixes is now available. Description: The SUSE Linux Enterprise 11 SP4 RT kernel was updated to receive various security and bugfixes. This feature was added: - Support for the 2017 Intel Purley platform. The following security bugs were fixed: - CVE-2016-5195: A local privilege escalation using MAP_PRIVATE was fixed, which is reportedly exploited in the wild (bsc#1004418). - CVE-2016-0823: The pagemap_open function in fs/proc/task_mmu.c in the Linux kernel allowed local users to obtain sensitive physical-address information by reading a pagemap file, aka Android internal bug 25739721 (bnc#994759). - CVE-2016-3841: The IPv6 stack in the Linux kernel mishandled options data, which allowed local users to gain privileges or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call (bnc#992566). 
   - CVE-2016-6828: Use after free in tcp_xmit_retransmit_queue or other tcp_
     functions (bsc#994296).
   - CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel did not properly
     determine the rate of challenge ACK segments, which made it easier for
     man-in-the-middle attackers to hijack TCP sessions via a blind in-window
     attack (bnc#989152).
   - CVE-2016-6480: Race condition in the ioctl_send_fib function in
     drivers/scsi/aacraid/commctrl.c in the Linux kernel allowed local users
     to cause a denial of service (out-of-bounds access or system crash) by
     changing a certain size value, aka a "double fetch" vulnerability
     (bnc#991608).
   - CVE-2016-4997: The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE
     setsockopt implementations in the netfilter subsystem in the Linux kernel
     allowed local users to gain privileges or cause a denial of service
     (memory corruption) by leveraging in-container root access to provide a
     crafted offset value that triggers an unintended decrement (bnc#986362).
   - CVE-2015-7513: arch/x86/kvm/x86.c in the Linux kernel did not reset the
     PIT counter values during state restoration, which allowed guest OS users
     to cause a denial of service (divide-by-zero error and host OS crash) via
     a zero value, related to the kvm_vm_ioctl_set_pit and
     kvm_vm_ioctl_set_pit2 functions (bnc#960689).
   - CVE-2013-4312: The Linux kernel allowed local users to bypass
     file-descriptor limits and cause a denial of service (memory consumption)
     by sending each descriptor over a UNIX socket before closing it, related
     to net/unix/af_unix.c and net/unix/garbage.c (bnc#839104).
   - CVE-2016-7425: A buffer overflow in the Linux Kernel in
     arcmsr_iop_message_xfer() could have caused kernel heap corruption and
     arbitrary kernel code execution (bsc#999932).

   The following non-security bugs were fixed:

   - ahci: Order SATA device IDs for codename Lewisburg.
   - AHCI: Remove obsolete Intel Lewisburg SATA RAID device IDs.
   - ALSA: hda - Add Intel Lewisburg device IDs Audio.
   - avoid dentry crash triggered by NFS (bsc#984194).
   - blktap2: eliminate deadlock potential from shutdown path (bsc#909994).
   - blktap2: eliminate race from deferred work queue handling (bsc#911687).
   - bonding: always set recv_probe to bond_arp_rcv in arp monitor
     (bsc#977687).
   - bonding: fix bond_arp_rcv setting and arp validate desync state
     (bsc#977687).
   - btrfs: account for non-CoW'd blocks in btrfs_abort_transaction
     (bsc#983619).
   - btrfs: ensure that file descriptor used with subvol ioctls is a dir
     (bsc#999600).
   - cdc-acm: added sanity checking for probe() (bsc#993891).
   - cxgb4: Set VPD size so we can read both VPD structures (bsc#976867).
   - Delete patches.fixes/net-fix-crash-due-to-wrong-dev-in-calling.patch
     (bsc#979514).
   - fs/cifs: fix wrongly prefixed path to root (bsc#963655, bsc#979681).
   - fs/select: add vmalloc fallback for select(2) (bsc#1000189).
   - fs/select: introduce SIZE_MAX (bsc#1000189).
   - i2c: i801: add Intel Lewisburg device IDs.
   - include/linux/mmdebug.h: should include linux/bug.h (bnc#971975 VM
     performance -- git fixes).
   - increase CONFIG_NR_IRQS 512 -> 2048; a reported irq error with multiple
     nvme and tg3 devices in the same machine is resolved by increasing
     CONFIG_NR_IRQS (bsc#998399).
   - kabi, unix: properly account for FDs passed over unix sockets
     (bnc#839104).
   - kaweth: fix firmware download (bsc#993890).
   - kaweth: fix oops upon failed memory allocation (bsc#993890).
   - KVM: x86: SYSENTER emulation is broken (bsc#994618).
   - libfc: sanity check cpu number extracted from xid (bsc#988440).
   - lpfc: call lpfc_sli_validate_fcp_iocb() with the hbalock held
     (bsc#951392).
   - md: lockless I/O submission for RAID1 (bsc#982783).
   - mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED
     (VM Functionality, bnc#986445).
   - mpt2sas, mpt3sas: Fix panic when aer correct error occurred
     (bsc#997708).
   - net: add pfmemalloc check in sk_add_backlog() (bnc#920016).
   - netback: fix flipping mode (bsc#996664).
   - nfs: Do not drop directory dentry which is in use (bsc#993127).
   - nfs: Don't disconnect open-owner on NFS4ERR_BAD_SEQID (bsc#989261).
   - nfs: Don't write enable new pages while an invalidation is proceeding
     (bsc#999584).
   - nfs: Fix a regression in the read() syscall (bsc#999584).
   - nfs: Fix races in nfs_revalidate_mapping (bsc#999584).
   - nfs: fix the handling of NFS_INO_INVALID_DATA flag in
     nfs_revalidate_mapping (bsc#999584).
   - nfs: Fix writeback performance issue on cache invalidation
     (bsc#999584).
   - nfs: Refresh open-owner id when server says SEQID is bad (bsc#989261).
   - nfsv4: do not check MAY_WRITE access bit in OPEN (bsc#985206).
   - nfsv4: fix broken patch relating to v4 read delegations (bsc#956514,
     bsc#989261, bsc#979595).
   - nfsv4: Fix range checking in __nfs4_get_acl_uncached and
     __nfs4_proc_set_acl (bsc#982218).
   - pci: Add pci_set_vpd_size() to set VPD size (bsc#976867).
   - pciback: fix conf_space read/write overlap check.
   - powerpc: add kernel parameter iommu_alloc_quiet (bsc#994926).
   - ppp: defer netns reference release for ppp channel (bsc#980371).
   - random32: add prandom_u32_max (bsc#989152).
   - rpm/constraints.in: Bump x86 disk space requirement to 20GB; Clamav
     tends to run out of space nowadays.
   - s390/dasd: fix hanging device after clear subchannel (bnc#994436).
   - sata: Adding Intel Lewisburg device IDs for SATA.
   - sched/core: Fix an SMP ordering race in try_to_wake_up() vs. schedule()
     (bnc#1001419).
   - sched/core: Fix a race between try_to_wake_up() and a woken up task
     (bnc#1002165).
   - sched: Fix possible divide by zero in avg_atom() calculation
     (bsc#996329).
   - scsi_dh_rdac: retry inquiry for UNIT ATTENTION (bsc#934760).
   - scsi: do not print "reservation conflict" for TEST UNIT READY
     (bsc#984102).
   - scsi: ibmvfc: add FC Class 3 Error Recovery support (bsc#984992).
   - scsi: ibmvfc: Fix I/O hang when port is not mapped (bsc#971989).
   - scsi: ibmvfc: Set READ FCP_XFER_READY DISABLED bit in PRLI
     (bsc#984992).
   - scsi_scan: Send TEST UNIT READY to LUN0 before LUN scanning
     (bnc#843236, bsc#989779).
   - tmpfs: change final i_blocks BUG to WARNING (bsc#991923).
   - Update patches.drivers/fcoe-0102-fcoe-ensure-that-skb-placed-on-the-fip_recv_list-are.patch
     (add bsc#732582 reference).
   - USB: fix typo in wMaxPacketSize validation (bsc#991665).
   - USB: validate wMaxPacketValue entries in endpoint descriptors
     (bnc#991665).
   - vlan: don't deliver frames for unknown vlans to protocols (bsc#979514).
   - vlan: mask vlan prio bits (bsc#979514).
   - xenbus: inspect the correct type in xenbus_dev_request_and_reply().
   - xen: x86/mm/pat, /dev/mem: Remove superfluous error message
     (bsc#974620).
   - xfs: Avoid grabbing ilock when file size is not changed (bsc#983535).
   - xfs: Silence warnings in xfs_vm_releasepage() (bnc#915183 bsc#987565).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Real Time Extension 11-SP4:

      zypper in -t patch slertesp4-kernel-source-12880=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-kernel-source-12880=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Real Time Extension 11-SP4 (x86_64):

      kernel-rt-3.0.101.rt130-65.1
      kernel-rt-base-3.0.101.rt130-65.1
      kernel-rt-devel-3.0.101.rt130-65.1
      kernel-rt_trace-3.0.101.rt130-65.1
      kernel-rt_trace-base-3.0.101.rt130-65.1
      kernel-rt_trace-devel-3.0.101.rt130-65.1
      kernel-source-rt-3.0.101.rt130-65.1
      kernel-syms-rt-3.0.101.rt130-65.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (x86_64):

      kernel-rt-debuginfo-3.0.101.rt130-65.1
      kernel-rt-debugsource-3.0.101.rt130-65.1
      kernel-rt_debug-debuginfo-3.0.101.rt130-65.1
      kernel-rt_debug-debugsource-3.0.101.rt130-65.1
      kernel-rt_trace-debuginfo-3.0.101.rt130-65.1
      kernel-rt_trace-debugsource-3.0.101.rt130-65.1


References:

   https://www.suse.com/security/cve/CVE-2013-4312.html
   https://www.suse.com/security/cve/CVE-2015-7513.html
   https://www.suse.com/security/cve/CVE-2016-0823.html
   https://www.suse.com/security/cve/CVE-2016-3841.html
   https://www.suse.com/security/cve/CVE-2016-4997.html
   https://www.suse.com/security/cve/CVE-2016-4998.html
   https://www.suse.com/security/cve/CVE-2016-5195.html
   https://www.suse.com/security/cve/CVE-2016-5696.html
   https://www.suse.com/security/cve/CVE-2016-6480.html
   https://www.suse.com/security/cve/CVE-2016-6828.html
   https://www.suse.com/security/cve/CVE-2016-7425.html
   https://bugzilla.suse.com/1000189
   https://bugzilla.suse.com/1001419
   https://bugzilla.suse.com/1002165
   https://bugzilla.suse.com/1004418
   https://bugzilla.suse.com/732582
   https://bugzilla.suse.com/839104
   https://bugzilla.suse.com/843236
   https://bugzilla.suse.com/909994
   https://bugzilla.suse.com/911687
   https://bugzilla.suse.com/915183
   https://bugzilla.suse.com/920016
   https://bugzilla.suse.com/934760
   https://bugzilla.suse.com/951392
   https://bugzilla.suse.com/956514
   https://bugzilla.suse.com/960689
   https://bugzilla.suse.com/963655
   https://bugzilla.suse.com/971975
   https://bugzilla.suse.com/971989
   https://bugzilla.suse.com/974620
   https://bugzilla.suse.com/976867
   https://bugzilla.suse.com/977687
   https://bugzilla.suse.com/979514
   https://bugzilla.suse.com/979595
   https://bugzilla.suse.com/979681
   https://bugzilla.suse.com/980371
   https://bugzilla.suse.com/982218
   https://bugzilla.suse.com/982783
   https://bugzilla.suse.com/983535
   https://bugzilla.suse.com/983619
   https://bugzilla.suse.com/984102
   https://bugzilla.suse.com/984194
   https://bugzilla.suse.com/984992
   https://bugzilla.suse.com/985206
   https://bugzilla.suse.com/986362
   https://bugzilla.suse.com/986365
   https://bugzilla.suse.com/986445
   https://bugzilla.suse.com/987565
   https://bugzilla.suse.com/988440
   https://bugzilla.suse.com/989152
   https://bugzilla.suse.com/989261
   https://bugzilla.suse.com/989779
   https://bugzilla.suse.com/991608
   https://bugzilla.suse.com/991665
   https://bugzilla.suse.com/991923
   https://bugzilla.suse.com/992566
   https://bugzilla.suse.com/993127
   https://bugzilla.suse.com/993890
   https://bugzilla.suse.com/993891
   https://bugzilla.suse.com/994296
   https://bugzilla.suse.com/994436
   https://bugzilla.suse.com/994618
   https://bugzilla.suse.com/994759
   https://bugzilla.suse.com/994926
   https://bugzilla.suse.com/996329
   https://bugzilla.suse.com/996664
   https://bugzilla.suse.com/997708
   https://bugzilla.suse.com/998399
   https://bugzilla.suse.com/999584
   https://bugzilla.suse.com/999600
   https://bugzilla.suse.com/999932

From sle-security-updates at lists.suse.com Sat Dec 10 15:07:21 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 10 Dec 2016 23:07:21 +0100 (CET)
Subject: SUSE-SU-2016:3078-1: important: Security update for java-1_8_0-ibm
Message-ID: <20161210220721.43BD3FEB5@maintenance.suse.de>

   SUSE Security Update: Security update for java-1_8_0-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3078-1
Rating:             important
References:         #1009280
Cross-References:   CVE-2016-5542 CVE-2016-5554 CVE-2016-5556 CVE-2016-5568
                    CVE-2016-5573 CVE-2016-5597
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
______________________________________________________________________________

   An update that fixes 6 vulnerabilities is now available.

Description:

   This update for java-1_8_0-ibm fixes the following issues:

   - CVE-2016-5568: Unspecified vulnerability allowed remote attackers to
     affect confidentiality, integrity, and availability via vectors related
     to AWT
   - CVE-2016-5556: Unspecified vulnerability allowed remote attackers to
     affect confidentiality, integrity, and availability via vectors related
     to 2D
   - CVE-2016-5573: Unspecified vulnerability allowed remote attackers to
     affect confidentiality, integrity, and availability via vectors related
     to Hotspot
   - CVE-2016-5597: Unspecified vulnerability allowed remote attackers to
     affect confidentiality via vectors related to Networking
   - CVE-2016-5554: Unspecified vulnerability allowed remote attackers to
     affect integrity via vectors related to JMX
   - CVE-2016-5542: Unspecified vulnerability allowed remote attackers to
     affect integrity via vectors related to Libraries

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP2:

      zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1792=1

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1792=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1792=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1792=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (ppc64le s390x x86_64):

      java-1_8_0-ibm-devel-1.8.0_sr3.21-20.1

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      java-1_8_0-ibm-devel-1.8.0_sr3.21-20.1

   - SUSE Linux Enterprise Server 12-SP2 (ppc64le x86_64):

      java-1_8_0-ibm-1.8.0_sr3.21-20.1

   - SUSE Linux Enterprise Server 12-SP2 (x86_64):

      java-1_8_0-ibm-alsa-1.8.0_sr3.21-20.1
      java-1_8_0-ibm-plugin-1.8.0_sr3.21-20.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      java-1_8_0-ibm-1.8.0_sr3.21-20.1

   - SUSE Linux Enterprise Server 12-SP1 (x86_64):

      java-1_8_0-ibm-alsa-1.8.0_sr3.21-20.1
      java-1_8_0-ibm-plugin-1.8.0_sr3.21-20.1


References:

   https://www.suse.com/security/cve/CVE-2016-5542.html
   https://www.suse.com/security/cve/CVE-2016-5554.html
   https://www.suse.com/security/cve/CVE-2016-5556.html
   https://www.suse.com/security/cve/CVE-2016-5568.html
   https://www.suse.com/security/cve/CVE-2016-5573.html
   https://www.suse.com/security/cve/CVE-2016-5597.html
   https://bugzilla.suse.com/1009280

From sle-security-updates at lists.suse.com Sat Dec 10 15:07:49 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 10 Dec 2016 23:07:49 +0100 (CET)
Subject: SUSE-SU-2016:3079-1: important: Security update for tomcat
Message-ID: <20161210220749.2A04BF7CA@maintenance.suse.de>

   SUSE Security Update: Security update for tomcat
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3079-1
Rating:             important
References:         #1002639 #1004728 #1007853 #1007854 #1007855 #1007857
                    #1007858 #1010893 #1011805 #1011812 #974407
Cross-References:   CVE-2016-0762 CVE-2016-5018 CVE-2016-6794 CVE-2016-6796
                    CVE-2016-6797 CVE-2016-6816 CVE-2016-8735
Affected Products:
                    SUSE Linux Enterprise Server 12-SP1
______________________________________________________________________________

   An update that solves 7 vulnerabilities and has four fixes is now available.
Description:

   This update for Tomcat provides the following fixes:

   Feature changes:

   The embedded Apache Commons DBCP component was updated to version 2.0.
   (bsc#1010893 fate#321029)

   Security fixes:

   - CVE-2016-0762: Realm Timing Attack (bsc#1007854)
   - CVE-2016-5018: Security Manager Bypass (bsc#1007855)
   - CVE-2016-6794: System Property Disclosure (bsc#1007857)
   - CVE-2016-6796: Manager Bypass (bsc#1007858)
   - CVE-2016-6797: Unrestricted Access to Global Resources (bsc#1007853)
   - CVE-2016-8735: Remote code execution vulnerability in
     JmxRemoteLifecycleListener (bsc#1011805)
   - CVE-2016-6816: HTTP Request smuggling vulnerability due to permitting
     invalid character in HTTP requests (bsc#1011812)

   Bugs fixed:

   - Fixed StringIndexOutOfBoundsException in WebAppClassLoaderBase.filter().
     (bsc#974407)
   - Fixed a deployment error in the examples webapp by changing the
     context.xml format to the new one introduced by Tomcat 8. (bsc#1004728)
   - Enabled optional setenv.sh script. See section '(3.4) Using the "setenv"
     script' in http://tomcat.apache.org/tomcat-8.0-doc/RUNNING.txt.
     (bsc#1002639)
   - Fixed regression caused by CVE-2016-6816.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1791=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 12-SP1 (noarch):

      tomcat-8.0.32-10.13.2
      tomcat-admin-webapps-8.0.32-10.13.2
      tomcat-docs-webapp-8.0.32-10.13.2
      tomcat-el-3_0-api-8.0.32-10.13.2
      tomcat-javadoc-8.0.32-10.13.2
      tomcat-jsp-2_3-api-8.0.32-10.13.2
      tomcat-lib-8.0.32-10.13.2
      tomcat-servlet-3_1-api-8.0.32-10.13.2
      tomcat-webapps-8.0.32-10.13.2


References:

   https://www.suse.com/security/cve/CVE-2016-0762.html
   https://www.suse.com/security/cve/CVE-2016-5018.html
   https://www.suse.com/security/cve/CVE-2016-6794.html
   https://www.suse.com/security/cve/CVE-2016-6796.html
   https://www.suse.com/security/cve/CVE-2016-6797.html
   https://www.suse.com/security/cve/CVE-2016-6816.html
   https://www.suse.com/security/cve/CVE-2016-8735.html
   https://bugzilla.suse.com/1002639
   https://bugzilla.suse.com/1004728
   https://bugzilla.suse.com/1007853
   https://bugzilla.suse.com/1007854
   https://bugzilla.suse.com/1007855
   https://bugzilla.suse.com/1007857
   https://bugzilla.suse.com/1007858
   https://bugzilla.suse.com/1010893
   https://bugzilla.suse.com/1011805
   https://bugzilla.suse.com/1011812
   https://bugzilla.suse.com/974407

From sle-security-updates at lists.suse.com Sat Dec 10 15:09:48 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 10 Dec 2016 23:09:48 +0100 (CET)
Subject: SUSE-SU-2016:3080-1: important: Security update for MozillaFirefox, mozilla-nss
Message-ID: <20161210220948.CE72EFEB5@maintenance.suse.de>

   SUSE Security Update: Security update for MozillaFirefox, mozilla-nss
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3080-1
Rating:             important
References:         #1000751 #1009026 #1010395 #1010401 #1010402 #1010404
                    #1010410 #1010422 #1010427 #1010517 #1012964 #992549
Cross-References:   CVE-2016-5285 CVE-2016-5290 CVE-2016-5291 CVE-2016-5296
                    CVE-2016-5297 CVE-2016-9064 CVE-2016-9066 CVE-2016-9074
                    CVE-2016-9079
Affected Products:
                    SUSE OpenStack Cloud 5
                    SUSE Manager Proxy 2.1
                    SUSE Manager 2.1
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Server 11-SP3-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that solves 9 vulnerabilities and has three fixes is now available.

Description:

   This update for MozillaFirefox, mozilla-nss fixes security issues and bugs.

   The following vulnerabilities were fixed in Firefox ESR 45.5.1
   (bsc#1009026 bsc#1012964):

   - CVE-2016-9079: Use-after-free in SVG Animation (MFSA 2016-92
     bsc#1012964)
   - CVE-2016-5297: Incorrect argument length checking in Javascript
     (bsc#1010401)
   - CVE-2016-9066: Integer overflow leading to a buffer overflow in
     nsScriptLoadHandler (bsc#1010404)
   - CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
     (bsc#1010395)
   - CVE-2016-9064: Addons update must verify IDs match between current and
     new versions (bsc#1010402)
   - CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR
     45.5 (bsc#1010427)
   - CVE-2016-5291: Same-origin policy violation using local HTML file and
     saved shortcut file (bsc#1010410)

   The following vulnerabilities were fixed in mozilla-nss 3.21.3:

   - CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler
     (bsc#1010422)
   - CVE-2016-5285: Missing NULL check in PK11_SignWithSymKey /
     ssl3_ComputeRecordMACConstantTime causes server crash (bsc#1010517)

   The following bugs were fixed:

   - Firefox would fail to go into fullscreen mode with some window managers
     (bsc#992549)
   - font warning messages would flood console, now using fontconfig
     configuration from firefox-fontconfig instead of the system one
     (bsc#1000751)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 5:

      zypper in -t patch sleclo50sp3-mfsa2016-90-12882=1

   - SUSE Manager Proxy 2.1:

      zypper in -t patch slemap21-mfsa2016-90-12882=1

   - SUSE Manager 2.1:

      zypper in -t patch sleman21-mfsa2016-90-12882=1

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-mfsa2016-90-12882=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-mfsa2016-90-12882=1

   - SUSE Linux Enterprise Server 11-SP3-LTSS:

      zypper in -t patch slessp3-mfsa2016-90-12882=1

   - SUSE Linux Enterprise Point of Sale 11-SP3:

      zypper in -t patch sleposp3-mfsa2016-90-12882=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-mfsa2016-90-12882=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-mfsa2016-90-12882=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE OpenStack Cloud 5 (x86_64):

      MozillaFirefox-45.5.1esr-59.1
      MozillaFirefox-translations-45.5.1esr-59.1
      libfreebl3-3.21.3-39.1
      libfreebl3-32bit-3.21.3-39.1
      libsoftokn3-3.21.3-39.1
      libsoftokn3-32bit-3.21.3-39.1
      mozilla-nss-3.21.3-39.1
      mozilla-nss-32bit-3.21.3-39.1
      mozilla-nss-tools-3.21.3-39.1

   - SUSE Manager Proxy 2.1 (x86_64):

      MozillaFirefox-45.5.1esr-59.1
      MozillaFirefox-translations-45.5.1esr-59.1
      libfreebl3-3.21.3-39.1
      libfreebl3-32bit-3.21.3-39.1
      libsoftokn3-3.21.3-39.1
      libsoftokn3-32bit-3.21.3-39.1
      mozilla-nss-3.21.3-39.1
      mozilla-nss-32bit-3.21.3-39.1
      mozilla-nss-tools-3.21.3-39.1

   - SUSE Manager 2.1 (s390x x86_64):

      MozillaFirefox-45.5.1esr-59.1
      MozillaFirefox-translations-45.5.1esr-59.1
      libfreebl3-3.21.3-39.1
      libfreebl3-32bit-3.21.3-39.1
      libsoftokn3-3.21.3-39.1
      libsoftokn3-32bit-3.21.3-39.1
      mozilla-nss-3.21.3-39.1
      mozilla-nss-32bit-3.21.3-39.1
      mozilla-nss-tools-3.21.3-39.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      MozillaFirefox-devel-45.5.1esr-59.1
      mozilla-nss-devel-3.21.3-39.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      MozillaFirefox-45.5.1esr-59.1
      MozillaFirefox-translations-45.5.1esr-59.1
      libfreebl3-3.21.3-39.1
      libsoftokn3-3.21.3-39.1
      mozilla-nss-3.21.3-39.1
      mozilla-nss-tools-3.21.3-39.1

   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):

      libfreebl3-32bit-3.21.3-39.1
      libsoftokn3-32bit-3.21.3-39.1
      mozilla-nss-32bit-3.21.3-39.1

   - SUSE Linux Enterprise Server 11-SP4 (ia64):

      libfreebl3-x86-3.21.3-39.1
      libsoftokn3-x86-3.21.3-39.1
      mozilla-nss-x86-3.21.3-39.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64):

      MozillaFirefox-45.5.1esr-59.1
      MozillaFirefox-translations-45.5.1esr-59.1
      libfreebl3-3.21.3-39.1
      libsoftokn3-3.21.3-39.1
      mozilla-nss-3.21.3-39.1
      mozilla-nss-tools-3.21.3-39.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (s390x x86_64):

      libfreebl3-32bit-3.21.3-39.1
      libsoftokn3-32bit-3.21.3-39.1
      mozilla-nss-32bit-3.21.3-39.1

   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

      MozillaFirefox-45.5.1esr-59.1
      MozillaFirefox-translations-45.5.1esr-59.1
      libfreebl3-3.21.3-39.1
      libsoftokn3-3.21.3-39.1
      mozilla-nss-3.21.3-39.1
      mozilla-nss-tools-3.21.3-39.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      MozillaFirefox-debuginfo-45.5.1esr-59.1
      MozillaFirefox-debugsource-45.5.1esr-59.1
      mozilla-nss-debuginfo-3.21.3-39.1
      mozilla-nss-debugsource-3.21.3-39.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):

      MozillaFirefox-debuginfo-45.5.1esr-59.1
      MozillaFirefox-debugsource-45.5.1esr-59.1
      mozilla-nss-debuginfo-3.21.3-39.1
      mozilla-nss-debugsource-3.21.3-39.1


References:

   https://www.suse.com/security/cve/CVE-2016-5285.html
   https://www.suse.com/security/cve/CVE-2016-5290.html
   https://www.suse.com/security/cve/CVE-2016-5291.html
   https://www.suse.com/security/cve/CVE-2016-5296.html
   https://www.suse.com/security/cve/CVE-2016-5297.html
   https://www.suse.com/security/cve/CVE-2016-9064.html
   https://www.suse.com/security/cve/CVE-2016-9066.html
   https://www.suse.com/security/cve/CVE-2016-9074.html
   https://www.suse.com/security/cve/CVE-2016-9079.html
   https://bugzilla.suse.com/1000751
   https://bugzilla.suse.com/1009026
   https://bugzilla.suse.com/1010395
   https://bugzilla.suse.com/1010401
   https://bugzilla.suse.com/1010402
   https://bugzilla.suse.com/1010404
   https://bugzilla.suse.com/1010410
   https://bugzilla.suse.com/1010422
   https://bugzilla.suse.com/1010427
   https://bugzilla.suse.com/1010517
   https://bugzilla.suse.com/1012964
   https://bugzilla.suse.com/992549

From sle-security-updates at lists.suse.com Sat Dec 10 15:11:57 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 10 Dec 2016 23:11:57 +0100 (CET)
Subject: SUSE-SU-2016:3081-1: important: Security update for tomcat
Message-ID: <20161210221157.97085FEB5@maintenance.suse.de>

   SUSE Security Update: Security update for tomcat
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3081-1
Rating:             important
References:         #1002639 #1007853 #1007854 #1007855 #1007857 #1007858
                    #1010893 #1011805 #1011812
Cross-References:   CVE-2016-0762 CVE-2016-5018 CVE-2016-6794 CVE-2016-6796
                    CVE-2016-6797 CVE-2016-6816 CVE-2016-8735
Affected Products:
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
______________________________________________________________________________

   An update that solves 7 vulnerabilities and has two fixes is now available.

Description:

   This update for tomcat fixes the following issues:

   Feature changes:

   The embedded Apache Commons DBCP component was updated to version 2.0.
   (bsc#1010893 fate#321029)

   Security fixes:

   - CVE-2016-0762: Realm Timing Attack (bsc#1007854)
   - CVE-2016-5018: Security Manager Bypass (bsc#1007855)
   - CVE-2016-6794: System Property Disclosure (bsc#1007857)
   - CVE-2016-6796: Security Manager Bypass (bsc#1007858)
   - CVE-2016-6797: Unrestricted Access to Global Resources (bsc#1007853)
   - CVE-2016-8735: Remote code execution vulnerability in
     JmxRemoteLifecycleListener (bsc#1011805)
   - CVE-2016-6816: HTTP Request smuggling vulnerability due to permitting
     invalid character in HTTP requests (bsc#1011812)

   Bug fixes:

   - Enabled optional setenv.sh script. See section '(3.4) Using the "setenv"
     script' in http://tomcat.apache.org/tomcat-8.0-doc/RUNNING.txt.
     (bsc#1002639)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1790=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1790=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (noarch):

      tomcat-8.0.36-17.1
      tomcat-admin-webapps-8.0.36-17.1
      tomcat-docs-webapp-8.0.36-17.1
      tomcat-el-3_0-api-8.0.36-17.1
      tomcat-javadoc-8.0.36-17.1
      tomcat-jsp-2_3-api-8.0.36-17.1
      tomcat-lib-8.0.36-17.1
      tomcat-servlet-3_1-api-8.0.36-17.1
      tomcat-webapps-8.0.36-17.1

   - SUSE Linux Enterprise Server 12-SP2 (noarch):

      tomcat-8.0.36-17.1
      tomcat-admin-webapps-8.0.36-17.1
      tomcat-docs-webapp-8.0.36-17.1
      tomcat-el-3_0-api-8.0.36-17.1
      tomcat-javadoc-8.0.36-17.1
      tomcat-jsp-2_3-api-8.0.36-17.1
      tomcat-lib-8.0.36-17.1
      tomcat-servlet-3_1-api-8.0.36-17.1
      tomcat-webapps-8.0.36-17.1


References:

   https://www.suse.com/security/cve/CVE-2016-0762.html
   https://www.suse.com/security/cve/CVE-2016-5018.html
   https://www.suse.com/security/cve/CVE-2016-6794.html
   https://www.suse.com/security/cve/CVE-2016-6796.html
   https://www.suse.com/security/cve/CVE-2016-6797.html
   https://www.suse.com/security/cve/CVE-2016-6816.html
   https://www.suse.com/security/cve/CVE-2016-8735.html
   https://bugzilla.suse.com/1002639
   https://bugzilla.suse.com/1007853
   https://bugzilla.suse.com/1007854
   https://bugzilla.suse.com/1007855
   https://bugzilla.suse.com/1007857
   https://bugzilla.suse.com/1007858
   https://bugzilla.suse.com/1010893
   https://bugzilla.suse.com/1011805
   https://bugzilla.suse.com/1011812

From sle-security-updates at lists.suse.com Mon Dec 12 05:07:57 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 12 Dec 2016 13:07:57 +0100 (CET)
Subject: SUSE-SU-2016:3083-1: important: Security update for xen
Message-ID: <20161212120757.A6995FFAC@maintenance.suse.de>

   SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3083-1
Rating:             important
References:         #1000106 #1003030 #1003032 #1003870 #1004016 #1005004
                    #1005005 #1007157 #1007160 #1009100 #1009103 #1009104
                    #1009107 #1009108 #1009109 #1009111 #1011652
Cross-References:   CVE-2016-7777 CVE-2016-7908 CVE-2016-7909 CVE-2016-7995
                    CVE-2016-8576 CVE-2016-8667 CVE-2016-8669 CVE-2016-8909
                    CVE-2016-8910 CVE-2016-9377 CVE-2016-9378 CVE-2016-9379
                    CVE-2016-9380 CVE-2016-9381 CVE-2016-9382 CVE-2016-9383
                    CVE-2016-9385 CVE-2016-9386 CVE-2016-9637
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes 19 vulnerabilities is now available.

Description:

   This update for xen to version 4.5.5 fixes several issues.

   These security issues were fixed:

   - CVE-2016-9637: ioport array overflow allowing a malicious guest
     administrator to escalate their privilege to that of the host
     (bsc#1011652)
   - CVE-2016-9386: x86 null segments were not always treated as unusable,
     allowing an unprivileged guest user program to elevate its privilege to
     that of the guest operating system. Exploit of this vulnerability is
     easy on Intel and more complicated on AMD (bsc#1009100)
   - CVE-2016-9382: x86 task switch to VM86 mode was mis-handled, allowing an
     unprivileged guest process to escalate its privilege to that of the
     guest operating system on AMD hardware. On Intel hardware a malicious
     unprivileged guest process can crash the guest (bsc#1009103)
   - CVE-2016-9385: x86 segment base write emulation lacked canonical address
     checks, allowing a malicious guest administrator to crash the host
     (bsc#1009104)
   - CVE-2016-9383: The x86 64-bit bit test instruction emulation was broken,
     allowing a guest to modify arbitrary memory, leading to arbitrary code
     execution (bsc#1009107)
   - CVE-2016-9378: x86 software interrupt injection was mis-handled,
     allowing an unprivileged guest user to crash the guest (bsc#1009108)
   - CVE-2016-9377: x86 software interrupt injection was mis-handled,
     allowing an unprivileged guest user to crash the guest (bsc#1009108)
   - CVE-2016-9381: Improper processing of shared rings allowed guest
     administrators to take over the qemu process, elevating their privilege
     to that of the qemu process (bsc#1009109)
   - CVE-2016-9380: Delimiter injection vulnerabilities in pygrub allowed
     guest administrators to obtain the contents of sensitive host files or
     delete the files (bsc#1009111)
   - CVE-2016-9379: Delimiter injection vulnerabilities in pygrub allowed
     guest administrators to obtain the contents of sensitive host files or
     delete the files (bsc#1009111)
   - CVE-2016-7777: Xen did not properly honor CR0.TS and CR0.EM, which
     allowed local x86 HVM guest OS users to read or modify FPU, MMX, or XMM
     register state information belonging to arbitrary tasks on the guest by
     modifying an instruction while the hypervisor is preparing to emulate it
     (bsc#1000106)
   - CVE-2016-8910: The rtl8139_cplus_transmit function in hw/net/rtl8139.c
     allowed local guest OS administrators to cause a denial of service
     (infinite loop and CPU consumption) by leveraging failure to limit the
     ring descriptor count (bsc#1007157)
   - CVE-2016-8909: The intel_hda_xfer function in hw/audio/intel-hda.c
     allowed local guest OS administrators to cause a denial of service
     (infinite loop and CPU consumption) via an entry with the same value for
     buffer length and pointer position (bsc#1007160).
   - CVE-2016-8667: The rc4030_write function in hw/dma/rc4030.c allowed
     local guest OS administrators to cause a denial of service
     (divide-by-zero error and QEMU process crash) via a large interval timer
     reload value (bsc#1005004)
   - CVE-2016-8669: The serial_update_parameters function in hw/char/serial.c
     allowed local guest OS administrators to cause a denial of service
     (divide-by-zero error and QEMU process crash) via vectors involving a
     value of divider greater than baud base (bsc#1005005)
   - CVE-2016-7995: A memory leak in ehci_process_itd allowed a privileged
     user inside a guest to DoS the host (bsc#1003870).
   - CVE-2016-8576: The xhci_ring_fetch function in hw/usb/hcd-xhci.c allowed
     local guest OS administrators to cause a denial of service (infinite
     loop and QEMU process crash) by leveraging failure to limit the number
     of link Transfer Request Blocks (TRB) to process (bsc#1004016).
   - CVE-2016-7908: The mcf_fec_do_tx function in hw/net/mcf_fec.c did not
     properly limit the buffer descriptor count when transmitting packets,
     which allowed local guest OS administrators to cause a denial of service
     (infinite loop and QEMU process crash) via vectors involving a buffer
     descriptor with a length of 0 and crafted values in bd.flags
     (bsc#1003030)
   - CVE-2016-7909: The pcnet_rdra_addr function in hw/net/pcnet.c allowed
     local guest OS administrators to cause a denial of service (infinite
     loop and QEMU process crash) by setting the (1) receive or (2) transmit
     descriptor ring length to 0 (bsc#1003032)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP1:
  zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1795=1
- SUSE Linux Enterprise Server 12-SP1:
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1795=1
- SUSE Linux Enterprise Desktop 12-SP1:
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1795=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP1 (x86_64):
  xen-debugsource-4.5.5_02-22.3.1
  xen-devel-4.5.5_02-22.3.1
- SUSE Linux Enterprise Server 12-SP1 (x86_64):
  xen-4.5.5_02-22.3.1
  xen-debugsource-4.5.5_02-22.3.1
  xen-doc-html-4.5.5_02-22.3.1
  xen-kmp-default-4.5.5_02_k3.12.67_60.64.18-22.3.1
  xen-kmp-default-debuginfo-4.5.5_02_k3.12.67_60.64.18-22.3.1
  xen-libs-32bit-4.5.5_02-22.3.1
  xen-libs-4.5.5_02-22.3.1
  xen-libs-debuginfo-32bit-4.5.5_02-22.3.1
  xen-libs-debuginfo-4.5.5_02-22.3.1
  xen-tools-4.5.5_02-22.3.1
  xen-tools-debuginfo-4.5.5_02-22.3.1
  xen-tools-domU-4.5.5_02-22.3.1
  xen-tools-domU-debuginfo-4.5.5_02-22.3.1
- SUSE Linux Enterprise Desktop 12-SP1 (x86_64):
  xen-4.5.5_02-22.3.1
  xen-debugsource-4.5.5_02-22.3.1
  xen-kmp-default-4.5.5_02_k3.12.67_60.64.18-22.3.1
  xen-kmp-default-debuginfo-4.5.5_02_k3.12.67_60.64.18-22.3.1
  xen-libs-32bit-4.5.5_02-22.3.1
  xen-libs-4.5.5_02-22.3.1
  xen-libs-debuginfo-32bit-4.5.5_02-22.3.1
  xen-libs-debuginfo-4.5.5_02-22.3.1

References:

https://www.suse.com/security/cve/CVE-2016-7777.html
https://www.suse.com/security/cve/CVE-2016-7908.html
https://www.suse.com/security/cve/CVE-2016-7909.html
https://www.suse.com/security/cve/CVE-2016-7995.html
https://www.suse.com/security/cve/CVE-2016-8576.html
https://www.suse.com/security/cve/CVE-2016-8667.html
https://www.suse.com/security/cve/CVE-2016-8669.html
https://www.suse.com/security/cve/CVE-2016-8909.html
https://www.suse.com/security/cve/CVE-2016-8910.html
https://www.suse.com/security/cve/CVE-2016-9377.html
https://www.suse.com/security/cve/CVE-2016-9378.html
https://www.suse.com/security/cve/CVE-2016-9379.html
https://www.suse.com/security/cve/CVE-2016-9380.html
https://www.suse.com/security/cve/CVE-2016-9381.html
https://www.suse.com/security/cve/CVE-2016-9382.html
https://www.suse.com/security/cve/CVE-2016-9383.html
https://www.suse.com/security/cve/CVE-2016-9385.html
https://www.suse.com/security/cve/CVE-2016-9386.html
https://www.suse.com/security/cve/CVE-2016-9637.html
https://bugzilla.suse.com/1000106
https://bugzilla.suse.com/1003030
https://bugzilla.suse.com/1003032
https://bugzilla.suse.com/1003870
https://bugzilla.suse.com/1004016
https://bugzilla.suse.com/1005004
https://bugzilla.suse.com/1005005
https://bugzilla.suse.com/1007157
https://bugzilla.suse.com/1007160
https://bugzilla.suse.com/1009100
https://bugzilla.suse.com/1009103
https://bugzilla.suse.com/1009104
https://bugzilla.suse.com/1009107
https://bugzilla.suse.com/1009108
https://bugzilla.suse.com/1009109
https://bugzilla.suse.com/1009111
https://bugzilla.suse.com/1011652


From sle-security-updates at lists.suse.com Mon Dec 12 05:11:09 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 12 Dec 2016 13:11:09 +0100 (CET)
Subject: SUSE-SU-2016:3084-1: moderate: Security update for Docker and dependencies
Message-ID: <20161212121109.4314FFFAC@maintenance.suse.de>

SUSE Security Update: Security update for Docker and dependencies
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3084-1
Rating:             moderate
References:         #1004490 #1006368 #1007249 #1009961 #974208 #978260
                    #983015 #987198 #988408 #989566 #995058 #995102 #995620
                    #996015 #999582
Cross-References:   CVE-2016-8867
Affected Products:
                    SUSE OpenStack Cloud 6
                    SUSE Linux Enterprise Module for Containers 12
______________________________________________________________________________

An update that solves one vulnerability and has 14 fixes is now available.
Description:

This update for Docker and its dependencies fixes the following issues:

- fix runc and containerd revisions (bsc#1009961)

docker:

- Updates version 1.11.2 to 1.12.3 (bsc#1004490, bsc#996015, bsc#995058)
- Fix ambient capability usage in containers (bsc#1007249, CVE-2016-8867)
- Change the internal mountpoint name to not use ":" as that character can be considered a special character by other tools. (bsc#999582)
- Add dockerd(8) man page.
- Package docker-proxy (which was split out of the docker binary in 1.12). (bsc#995620)
- Docker "migrator" prevents installing "docker" if docker 1.9 was installed before but there were no images. (bsc#995102)
- Specify an "OCI" runtime for our runc package explicitly. (bsc#978260)
- Use gcc6-go instead of gcc5-go (bsc#988408)

For a detailed description of all fixes and improvements, please refer to:

https://github.com/docker/docker/releases/tag/v1.12.3
https://github.com/docker/docker/blob/v1.12.2/CHANGELOG.md
https://github.com/docker/docker/releases/tag/v1.12.1
https://github.com/docker/docker/releases/tag/v1.12.0

containerd:

- Update to the current version required by Docker 1.12.3.
- Add missing Requires(post): %fillup_prereq. (bsc#1006368)
- Use gcc6-go instead of gcc5-go. (bsc#988408)

runc:

- Update to the current version required by Docker 1.12.3.
- Use gcc6-go instead of gcc5-go. (bsc#988408)

rubygem-excon:

- Updates version from 0.39.6 to 0.52.0. For a detailed description of all fixes and improvements, please refer to the installed changelog.txt.

rubygem-docker-api:

- Updated version from 1.17.0 to 1.31.0.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud 6:
  zypper in -t patch SUSE-OpenStack-Cloud-6-2016-1794=1
- SUSE Linux Enterprise Module for Containers 12:
  zypper in -t patch SUSE-SLE-Module-Containers-12-2016-1794=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE OpenStack Cloud 6 (x86_64):
  containerd-0.2.4+gitr565_0366d7e-9.1
  containerd-debuginfo-0.2.4+gitr565_0366d7e-9.1
  containerd-debugsource-0.2.4+gitr565_0366d7e-9.1
  docker-1.12.3-81.2
  docker-debuginfo-1.12.3-81.2
  docker-debugsource-1.12.3-81.2
  runc-0.1.1+gitr2816_02f8fa7-9.1
  runc-debuginfo-0.1.1+gitr2816_02f8fa7-9.1
  runc-debugsource-0.1.1+gitr2816_02f8fa7-9.1
- SUSE Linux Enterprise Module for Containers 12 (ppc64le s390x x86_64):
  containerd-0.2.4+gitr565_0366d7e-9.1
  containerd-debuginfo-0.2.4+gitr565_0366d7e-9.1
  containerd-debugsource-0.2.4+gitr565_0366d7e-9.1
  docker-1.12.3-81.2
  docker-debuginfo-1.12.3-81.2
  docker-debugsource-1.12.3-81.2
  ruby2.1-rubygem-docker-api-1.31.0-11.2
  ruby2.1-rubygem-excon-0.52.0-9.1
  runc-0.1.1+gitr2816_02f8fa7-9.1
  runc-debuginfo-0.1.1+gitr2816_02f8fa7-9.1
  runc-debugsource-0.1.1+gitr2816_02f8fa7-9.1

References:

https://www.suse.com/security/cve/CVE-2016-8867.html
https://bugzilla.suse.com/1004490
https://bugzilla.suse.com/1006368
https://bugzilla.suse.com/1007249
https://bugzilla.suse.com/1009961
https://bugzilla.suse.com/974208
https://bugzilla.suse.com/978260
https://bugzilla.suse.com/983015
https://bugzilla.suse.com/987198
https://bugzilla.suse.com/988408
https://bugzilla.suse.com/989566
https://bugzilla.suse.com/995058
https://bugzilla.suse.com/995102
https://bugzilla.suse.com/995620
https://bugzilla.suse.com/996015
https://bugzilla.suse.com/999582


From sle-security-updates at lists.suse.com Mon Dec 12 11:07:33 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 12 Dec 2016 19:07:33 +0100 (CET)
Subject: SUSE-SU-2016:3093-1: important: Security update for Linux Kernel Live Patch 2 for SLE 12 SP1
Message-ID: <20161212180733.4625AFFAC@maintenance.suse.de>

SUSE Security Update: Security update for Linux Kernel Live Patch 2 for SLE 12 SP1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3093-1
Rating:             important
References:         #1003253 #1012183 #1012759
Cross-References:   CVE-2016-7117 CVE-2016-8655 CVE-2016-9555
Affected Products:
                    SUSE Linux Enterprise Live Patching 12
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for the Linux Kernel 3.12.51-60_25 fixes several issues.

The following security bugs were fixed:

- CVE-2016-8655: A race condition in the af_packet packet_set_ring function could be used by local attackers to crash the kernel or gain privileges (bsc#1012759).
- CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel lacks chunk-length checking for the first chunk, which allowed remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data (bsc#1012183).
- CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bsc#1003253).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Live Patching 12:
  zypper in -t patch SUSE-SLE-Live-Patching-12-2016-1799=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Live Patching 12 (x86_64):
  kgraft-patch-3_12_51-60_25-default-7-2.1
  kgraft-patch-3_12_51-60_25-xen-7-2.1

References:

https://www.suse.com/security/cve/CVE-2016-7117.html
https://www.suse.com/security/cve/CVE-2016-8655.html
https://www.suse.com/security/cve/CVE-2016-9555.html
https://bugzilla.suse.com/1003253
https://bugzilla.suse.com/1012183
https://bugzilla.suse.com/1012759


From sle-security-updates at lists.suse.com Mon Dec 12 11:08:21 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 12 Dec 2016 19:08:21 +0100 (CET)
Subject: SUSE-SU-2016:3094-1: important: Security update for Linux Kernel Live Patch 0 for SLE 12 SP1
Message-ID: <20161212180821.A4F0FFF6E@maintenance.suse.de>

SUSE Security Update: Security update for Linux Kernel Live Patch 0 for SLE 12 SP1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3094-1
Rating:             important
References:         #1003253 #1012183 #1012759
Cross-References:   CVE-2016-7117 CVE-2016-8655 CVE-2016-9555
Affected Products:
                    SUSE Linux Enterprise Live Patching 12
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for the Linux Kernel 3.12.49-11 fixes several issues.

The following security bugs were fixed:

- CVE-2016-8655: A race condition in the af_packet packet_set_ring function could be used by local attackers to crash the kernel or gain privileges (bsc#1012759).
- CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel lacks chunk-length checking for the first chunk, which allowed remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data (bsc#1012183).
- CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bsc#1003253).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Live Patching 12:
  zypper in -t patch SUSE-SLE-Live-Patching-12-2016-1797=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Live Patching 12 (x86_64):
  kgraft-patch-3_12_49-11-default-8-23.2
  kgraft-patch-3_12_49-11-xen-8-23.2

References:

https://www.suse.com/security/cve/CVE-2016-7117.html
https://www.suse.com/security/cve/CVE-2016-8655.html
https://www.suse.com/security/cve/CVE-2016-9555.html
https://bugzilla.suse.com/1003253
https://bugzilla.suse.com/1012183
https://bugzilla.suse.com/1012759


From sle-security-updates at lists.suse.com Mon Dec 12 11:09:40 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 12 Dec 2016 19:09:40 +0100 (CET)
Subject: SUSE-SU-2016:3096-1: important: Security update for Linux Kernel Live Patch 6 for SLE 12 SP1
Message-ID: <20161212180940.81F76FF6E@maintenance.suse.de>

SUSE Security Update: Security update for Linux Kernel Live Patch 6 for SLE 12 SP1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3096-1
Rating:             important
References:         #1012183 #1012759
Cross-References:   CVE-2016-8655 CVE-2016-9555
Affected Products:
                    SUSE Linux Enterprise Live Patching 12
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for the Linux Kernel 3.12.59-60_45 fixes several issues.

The following security bugs were fixed:

- CVE-2016-8655: A race condition in the af_packet packet_set_ring function could be used by local attackers to crash the kernel or gain privileges (bsc#1012759).
- CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel lacks chunk-length checking for the first chunk, which allowed remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data (bsc#1012183).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Live Patching 12:
  zypper in -t patch SUSE-SLE-Live-Patching-12-2016-1802=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Live Patching 12 (x86_64):
  kgraft-patch-3_12_59-60_45-default-5-2.1
  kgraft-patch-3_12_59-60_45-xen-5-2.1

References:

https://www.suse.com/security/cve/CVE-2016-8655.html
https://www.suse.com/security/cve/CVE-2016-9555.html
https://bugzilla.suse.com/1012183
https://bugzilla.suse.com/1012759


From sle-security-updates at lists.suse.com Mon Dec 12 11:10:39 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 12 Dec 2016 19:10:39 +0100 (CET)
Subject: SUSE-SU-2016:3098-1: important: Security update for Linux Kernel Live Patch 3 for SLE 12 SP1
Message-ID: <20161212181039.CF4EDFFAC@maintenance.suse.de>

SUSE Security Update: Security update for Linux Kernel Live Patch 3 for SLE 12 SP1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3098-1
Rating:             important
References:         #1003253 #1012183 #1012759
Cross-References:   CVE-2016-7117 CVE-2016-8655 CVE-2016-9555
Affected Products:
                    SUSE Linux Enterprise Live Patching 12
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for the Linux Kernel 3.12.53-60_30 fixes several issues.

The following security bugs were fixed:

- CVE-2016-8655: A race condition in the af_packet packet_set_ring function could be used by local attackers to crash the kernel or gain privileges (bsc#1012759).
- CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel lacks chunk-length checking for the first chunk, which allowed remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data (bsc#1012183).
- CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bsc#1003253).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Live Patching 12:
  zypper in -t patch SUSE-SLE-Live-Patching-12-2016-1800=1

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Live Patching 12 (x86_64):
  kgraft-patch-3_12_53-60_30-default-6-2.1
  kgraft-patch-3_12_53-60_30-xen-6-2.1

References:

https://www.suse.com/security/cve/CVE-2016-7117.html
https://www.suse.com/security/cve/CVE-2016-8655.html
https://www.suse.com/security/cve/CVE-2016-9555.html
https://bugzilla.suse.com/1003253
https://bugzilla.suse.com/1012183
https://bugzilla.suse.com/1012759


From sle-security-updates at lists.suse.com Mon Dec 12 11:14:11 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 12 Dec 2016 19:14:11 +0100 (CET)
Subject: SUSE-SU-2016:3100-1: important: Security update for Linux Kernel Live Patch 1 for SLE 12 SP1
Message-ID: <20161212181411.E838CFFAC@maintenance.suse.de>

SUSE Security Update: Security update for Linux Kernel Live Patch 1 for SLE 12 SP1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3100-1
Rating:             important
References:         #1003253 #1012183 #1012759
Cross-References:   CVE-2016-7117 CVE-2016-8655 CVE-2016-9555
Affected Products:
                    SUSE Linux Enterprise Live Patching 12
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for the Linux Kernel 3.12.51-60_20 fixes several issues.

The following security bugs were fixed:

- CVE-2016-8655: A race condition in the af_packet packet_set_ring function could be used by local attackers to crash the kernel or gain privileges (bsc#1012759).
- CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel lacks chunk-length checking for the first chunk, which allowed remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data (bsc#1012183).
- CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bsc#1003253).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Live Patching 12:
  zypper in -t patch SUSE-SLE-Live-Patching-12-2016-1798=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Live Patching 12 (x86_64):
  kgraft-patch-3_12_51-60_20-default-8-2.1
  kgraft-patch-3_12_51-60_20-xen-8-2.1

References:

https://www.suse.com/security/cve/CVE-2016-7117.html
https://www.suse.com/security/cve/CVE-2016-8655.html
https://www.suse.com/security/cve/CVE-2016-9555.html
https://bugzilla.suse.com/1003253
https://bugzilla.suse.com/1012183
https://bugzilla.suse.com/1012759


From sle-security-updates at lists.suse.com Mon Dec 12 11:22:19 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 12 Dec 2016 19:22:19 +0100 (CET)
Subject: SUSE-SU-2016:3104-1: important: Security update for Linux Kernel Live Patch 4 for SLE 12 SP1
Message-ID: <20161212182219.D7CBAFFAC@maintenance.suse.de>

SUSE Security Update: Security update for Linux Kernel Live Patch 4 for SLE 12 SP1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3104-1
Rating:             important
References:         #1003253 #1012183 #1012759
Cross-References:   CVE-2016-7117 CVE-2016-8655 CVE-2016-9555
Affected Products:
                    SUSE Linux Enterprise Live Patching 12
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for the Linux Kernel 3.12.57-60_35 fixes several issues.
The following security bugs were fixed:

- CVE-2016-8655: A race condition in the af_packet packet_set_ring function could be used by local attackers to crash the kernel or gain privileges (bsc#1012759).
- CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel lacks chunk-length checking for the first chunk, which allowed remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data (bsc#1012183).
- CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bsc#1003253).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Live Patching 12:
  zypper in -t patch SUSE-SLE-Live-Patching-12-2016-1801=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Live Patching 12 (x86_64):
  kgraft-patch-3_12_57-60_35-default-5-2.1
  kgraft-patch-3_12_57-60_35-xen-5-2.1

References:

https://www.suse.com/security/cve/CVE-2016-7117.html
https://www.suse.com/security/cve/CVE-2016-8655.html
https://www.suse.com/security/cve/CVE-2016-9555.html
https://bugzilla.suse.com/1003253
https://bugzilla.suse.com/1012183
https://bugzilla.suse.com/1012759


From sle-security-updates at lists.suse.com Tue Dec 13 05:07:49 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 13 Dec 2016 13:07:49 +0100 (CET)
Subject: SUSE-SU-2016:3105-1: important: Security update for MozillaFirefox, mozilla-nss
Message-ID: <20161213120749.8BC1EFF6E@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox, mozilla-nss
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3105-1
Rating:             important
References:         #1000751 #1009026 #1010395 #1010401 #1010402 #1010404
                    #1010410 #1010422 #1010427 #1010517 #1012964 #992549
Cross-References:   CVE-2016-5285 CVE-2016-5290 CVE-2016-5291 CVE-2016-5296
                    CVE-2016-5297 CVE-2016-9064 CVE-2016-9066 CVE-2016-9074
                    CVE-2016-9079
Affected Products:
                    SUSE Linux Enterprise Server 11-SP2-LTSS
                    SUSE Linux Enterprise Debuginfo 11-SP2
______________________________________________________________________________

An update that solves 9 vulnerabilities and has three fixes is now available.

Description:

This update for MozillaFirefox, mozilla-nss fixes security issues and bugs.
The following vulnerabilities were fixed in Firefox ESR 45.5.1 (bsc#1009026):

- CVE-2016-9079: Use-after-free in SVG Animation (bsc#1012964 MFSA 2016-92)
- CVE-2016-5297: Incorrect argument length checking in Javascript (bsc#1010401)
- CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler (bsc#1010404)
- CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 (bsc#1010395)
- CVE-2016-9064: Addons update must verify IDs match between current and new versions (bsc#1010402)
- CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5 (bsc#1010427)
- CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file (bsc#1010410)

The following vulnerabilities were fixed in mozilla-nss 3.21.3:

- CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler (bsc#1010422)
- CVE-2016-5285: Missing NULL check in PK11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime causes server crash (bsc#1010517)

The following bugs were fixed:

- Firefox would fail to go into fullscreen mode with some window managers (bsc#992549)
- Font warning messages would flood the console; the fontconfig configuration from firefox-fontconfig is now used instead of the system one (bsc#1000751)

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP2-LTSS:
  zypper in -t patch slessp2-mfs2016-90-12883=1
- SUSE Linux Enterprise Debuginfo 11-SP2:
  zypper in -t patch dbgsp2-mfs2016-90-12883=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):
  MozillaFirefox-45.5.1esr-63.1
  MozillaFirefox-translations-45.5.1esr-63.1
  libfreebl3-3.21.3-30.1
  mozilla-nss-3.21.3-30.1
  mozilla-nss-devel-3.21.3-30.1
  mozilla-nss-tools-3.21.3-30.1
- SUSE Linux Enterprise Server 11-SP2-LTSS (s390x x86_64):
  libfreebl3-32bit-3.21.3-30.1
  mozilla-nss-32bit-3.21.3-30.1
- SUSE Linux Enterprise Debuginfo 11-SP2 (i586 s390x x86_64):
  MozillaFirefox-debuginfo-45.5.1esr-63.1
  MozillaFirefox-debugsource-45.5.1esr-63.1
  mozilla-nss-debuginfo-3.21.3-30.1
  mozilla-nss-debugsource-3.21.3-30.1
- SUSE Linux Enterprise Debuginfo 11-SP2 (s390x x86_64):
  mozilla-nss-debuginfo-32bit-3.21.3-30.1

References:

https://www.suse.com/security/cve/CVE-2016-5285.html
https://www.suse.com/security/cve/CVE-2016-5290.html
https://www.suse.com/security/cve/CVE-2016-5291.html
https://www.suse.com/security/cve/CVE-2016-5296.html
https://www.suse.com/security/cve/CVE-2016-5297.html
https://www.suse.com/security/cve/CVE-2016-9064.html
https://www.suse.com/security/cve/CVE-2016-9066.html
https://www.suse.com/security/cve/CVE-2016-9074.html
https://www.suse.com/security/cve/CVE-2016-9079.html
https://bugzilla.suse.com/1000751
https://bugzilla.suse.com/1009026
https://bugzilla.suse.com/1010395
https://bugzilla.suse.com/1010401
https://bugzilla.suse.com/1010402
https://bugzilla.suse.com/1010404
https://bugzilla.suse.com/1010410
https://bugzilla.suse.com/1010422
https://bugzilla.suse.com/1010427
https://bugzilla.suse.com/1010517
https://bugzilla.suse.com/1012964
https://bugzilla.suse.com/992549


From sle-security-updates at lists.suse.com Tue Dec 13 05:10:11 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 13 Dec 2016 13:10:11 +0100 (CET)
Subject: SUSE-SU-2016:3107-1: moderate: Security update for libass
Message-ID: <20161213121011.41CBEFF6E@maintenance.suse.de>

SUSE Security Update: Security update for libass
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3107-1
Rating:             moderate
References:         #1002982
Cross-References:   CVE-2016-7969 CVE-2016-7970 CVE-2016-7971 CVE-2016-7972
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for libass fixes the following issues:

- CVE-2016-7969, CVE-2016-7970, CVE-2016-7971, CVE-2016-7972: Fixed multiple memory allocation issues found by fuzzing (bsc#1002982).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP2:
  zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1804=1
- SUSE Linux Enterprise Software Development Kit 12-SP1:
  zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1804=1
- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:
  zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1804=1
- SUSE Linux Enterprise Server 12-SP2:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1804=1
- SUSE Linux Enterprise Server 12-SP1:
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1804=1
- SUSE Linux Enterprise Desktop 12-SP2:
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1804=1
- SUSE Linux Enterprise Desktop 12-SP1:
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1804=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):
  libass-debugsource-0.10.2-3.1
  libass-devel-0.10.2-3.1
- SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):
  libass-debugsource-0.10.2-3.1
  libass-devel-0.10.2-3.1
- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):
  libass-debugsource-0.10.2-3.1
  libass5-0.10.2-3.1
  libass5-debuginfo-0.10.2-3.1
- SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):
  libass-debugsource-0.10.2-3.1
  libass5-0.10.2-3.1
  libass5-debuginfo-0.10.2-3.1
- SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):
  libass-debugsource-0.10.2-3.1
  libass5-0.10.2-3.1
  libass5-debuginfo-0.10.2-3.1
- SUSE Linux Enterprise Desktop 12-SP2 (x86_64):
  libass-debugsource-0.10.2-3.1
  libass5-0.10.2-3.1
  libass5-debuginfo-0.10.2-3.1
- SUSE Linux Enterprise Desktop 12-SP1 (x86_64):
  libass-debugsource-0.10.2-3.1
  libass5-0.10.2-3.1
  libass5-debuginfo-0.10.2-3.1

References:

https://www.suse.com/security/cve/CVE-2016-7969.html
https://www.suse.com/security/cve/CVE-2016-7970.html
https://www.suse.com/security/cve/CVE-2016-7971.html
https://www.suse.com/security/cve/CVE-2016-7972.html
https://bugzilla.suse.com/1002982


From sle-security-updates at lists.suse.com Tue Dec 13 08:07:17 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 13 Dec 2016 16:07:17 +0100 (CET)
Subject: SUSE-SU-2016:3109-1: important: Security update for Linux Kernel Live Patch 13 for SLE 12
Message-ID: <20161213150717.427D2FF6E@maintenance.suse.de>

SUSE Security Update: Security update for Linux Kernel Live Patch 13 for SLE 12
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3109-1
Rating:             important
References:         #1003253 #1012183 #1012759
Cross-References:   CVE-2016-7117 CVE-2016-8655 CVE-2016-9555
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12
                    SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for the Linux Kernel 3.12.55-52_45 fixes several issues.

The following security bugs were fixed:

- CVE-2016-8655: A race condition in the af_packet packet_set_ring function could be used by local attackers to crash the kernel or gain privileges (bsc#1012759).
- CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel lacks chunk-length checking for the first chunk, which allowed remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data (bsc#1012183).
- CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bsc#1003253).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 12:
  zypper in -t patch SUSE-SLE-SAP-12-2016-1809=1
- SUSE Linux Enterprise Server 12-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-2016-1809=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Server for SAP 12 (x86_64):
  kgraft-patch-3_12_55-52_45-default-4-2.1
  kgraft-patch-3_12_55-52_45-xen-4-2.1
- SUSE Linux Enterprise Server 12-LTSS (x86_64):
  kgraft-patch-3_12_55-52_45-default-4-2.1
  kgraft-patch-3_12_55-52_45-xen-4-2.1

References:

https://www.suse.com/security/cve/CVE-2016-7117.html
https://www.suse.com/security/cve/CVE-2016-8655.html
https://www.suse.com/security/cve/CVE-2016-9555.html
https://bugzilla.suse.com/1003253
https://bugzilla.suse.com/1012183
https://bugzilla.suse.com/1012759


From sle-security-updates at lists.suse.com Tue Dec 13 08:08:09 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 13 Dec 2016 16:08:09 +0100 (CET)
Subject: SUSE-SU-2016:3110-1: moderate: Security update for xorg-x11-libXv
Message-ID: <20161213150809.54E8DFF0F@maintenance.suse.de>

SUSE Security Update: Security update for xorg-x11-libXv
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3110-1
Rating:             moderate
References:         #1003017
Cross-References:   CVE-2016-5407
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for xorg-x11-libXv fixes the following issues:

- Insufficient validation of data from the X server can cause memory corruption (bsc#1003017, CVE-2016-5407)

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11-SP4:
  zypper in -t patch sdksp4-xorg-x11-libXv-12884=1
- SUSE Linux Enterprise Server 11-SP4:
  zypper in -t patch slessp4-xorg-x11-libXv-12884=1
- SUSE Linux Enterprise Debuginfo 11-SP4:
  zypper in -t patch dbgsp4-xorg-x11-libXv-12884=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):
  xorg-x11-libXv-devel-7.4-1.20.1
- SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64):
  xorg-x11-libXv-devel-32bit-7.4-1.20.1
- SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):
  xorg-x11-libXv-7.4-1.20.1
- SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):
  xorg-x11-libXv-32bit-7.4-1.20.1
- SUSE Linux Enterprise Server 11-SP4 (ia64):
  xorg-x11-libXv-x86-7.4-1.20.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
  xorg-x11-libXv-debuginfo-7.4-1.20.1
  xorg-x11-libXv-debugsource-7.4-1.20.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64 s390x x86_64):
  xorg-x11-libXv-debuginfo-32bit-7.4-1.20.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (ia64):
  xorg-x11-libXv-debuginfo-x86-7.4-1.20.1

References:

https://www.suse.com/security/cve/CVE-2016-5407.html
https://bugzilla.suse.com/1003017


From sle-security-updates at lists.suse.com Tue Dec 13 08:08:42 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 13 Dec 2016 16:08:42 +0100 (CET)
Subject: SUSE-SU-2016:3111-1: important: Security update for Linux Kernel Live Patch 9 for SLE 12
Message-ID: <20161213150842.5F03EFF6E@maintenance.suse.de>

SUSE Security Update: Security update for Linux Kernel Live Patch 9 for SLE 12
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3111-1
Rating:             important
References:         #1003253 #1012183 #1012759
Cross-References:   CVE-2016-7117
CVE-2016-8655 CVE-2016-9555 Affected Products: SUSE Linux Enterprise Server for SAP 12 SUSE Linux Enterprise Server 12-LTSS ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for the Linux Kernel 3.12.51-52_31 fixes several issues. The following security bugs were fixed: - CVE-2016-8655: A race condition in the af_packet packet_set_ring function could be used by local attackers to crash the kernel or gain privileges (bsc#1012759). - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel lacks chunk-length checking for the first chunk, which allowed remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data (bsc#1012183). - CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bsc#1003253). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12: zypper in -t patch SUSE-SLE-SAP-12-2016-1806=1 - SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2016-1806=1 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Server for SAP 12 (x86_64): kgraft-patch-3_12_51-52_31-default-7-2.1 kgraft-patch-3_12_51-52_31-xen-7-2.1 - SUSE Linux Enterprise Server 12-LTSS (x86_64): kgraft-patch-3_12_51-52_31-default-7-2.1 kgraft-patch-3_12_51-52_31-xen-7-2.1 References: https://www.suse.com/security/cve/CVE-2016-7117.html https://www.suse.com/security/cve/CVE-2016-8655.html https://www.suse.com/security/cve/CVE-2016-9555.html https://bugzilla.suse.com/1003253 https://bugzilla.suse.com/1012183 https://bugzilla.suse.com/1012759 From sle-security-updates at lists.suse.com Tue Dec 13 08:09:23 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 13 Dec 2016 16:09:23 +0100 (CET) Subject: SUSE-SU-2016:3112-1: important: Security update for Linux Kernel Live Patch 12 for SLE 12 Message-ID: <20161213150923.DCF3CFF0F@maintenance.suse.de> SUSE Security Update: Security update for Linux Kernel Live Patch 12 for SLE 12 ______________________________________________________________________________ Announcement ID: SUSE-SU-2016:3112-1 Rating: important References: #1003253 #1012183 #1012759 Cross-References: CVE-2016-7117 CVE-2016-8655 CVE-2016-9555 Affected Products: SUSE Linux Enterprise Server for SAP 12 SUSE Linux Enterprise Server 12-LTSS ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for the Linux Kernel 3.12.55-52_42 fixes several issues. The following security bugs were fixed: - CVE-2016-8655: A race condition in the af_packet packet_set_ring function could be used by local attackers to crash the kernel or gain privileges (bsc#1012759). 
- CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel lacks chunk-length checking for the first chunk, which allowed remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data (bsc#1012183). - CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bsc#1003253). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12: zypper in -t patch SUSE-SLE-SAP-12-2016-1807=1 - SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2016-1807=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server for SAP 12 (x86_64): kgraft-patch-3_12_55-52_42-default-4-2.1 kgraft-patch-3_12_55-52_42-xen-4-2.1 - SUSE Linux Enterprise Server 12-LTSS (x86_64): kgraft-patch-3_12_55-52_42-default-4-2.1 kgraft-patch-3_12_55-52_42-xen-4-2.1 References: https://www.suse.com/security/cve/CVE-2016-7117.html https://www.suse.com/security/cve/CVE-2016-8655.html https://www.suse.com/security/cve/CVE-2016-9555.html https://bugzilla.suse.com/1003253 https://bugzilla.suse.com/1012183 https://bugzilla.suse.com/1012759 From sle-security-updates at lists.suse.com Tue Dec 13 08:10:10 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 13 Dec 2016 16:10:10 +0100 (CET) Subject: SUSE-SU-2016:3113-1: important: Security update for Linux Kernel Live Patch 14 for SLE 12 Message-ID: <20161213151011.034E0FF0F@maintenance.suse.de> SUSE Security Update: Security update for Linux Kernel Live Patch 14 for SLE 12 
______________________________________________________________________________ Announcement ID: SUSE-SU-2016:3113-1 Rating: important References: #1012183 #1012759 Cross-References: CVE-2016-8655 CVE-2016-9555 Affected Products: SUSE Linux Enterprise Server for SAP 12 SUSE Linux Enterprise Server 12-LTSS ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for the Linux Kernel 3.12.60-52_49 fixes several issues. The following security bugs were fixed: - CVE-2016-8655: A race condition in the af_packet packet_set_ring function could be used by local attackers to crash the kernel or gain privileges (bsc#1012759). - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel lacks chunk-length checking for the first chunk, which allowed remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data (bsc#1012183). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12: zypper in -t patch SUSE-SLE-SAP-12-2016-1808=1 - SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2016-1808=1 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Server for SAP 12 (x86_64): kgraft-patch-3_12_60-52_49-default-4-2.1 kgraft-patch-3_12_60-52_49-xen-4-2.1 - SUSE Linux Enterprise Server 12-LTSS (x86_64): kgraft-patch-3_12_60-52_49-default-4-2.1 kgraft-patch-3_12_60-52_49-xen-4-2.1 References: https://www.suse.com/security/cve/CVE-2016-8655.html https://www.suse.com/security/cve/CVE-2016-9555.html https://bugzilla.suse.com/1012183 https://bugzilla.suse.com/1012759 From sle-security-updates at lists.suse.com Tue Dec 13 08:11:21 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 13 Dec 2016 16:11:21 +0100 (CET) Subject: SUSE-SU-2016:3115-1: moderate: Security update for xorg-x11-libXrender Message-ID: <20161213151121.F4211FF0F@maintenance.suse.de> SUSE Security Update: Security update for xorg-x11-libXrender ______________________________________________________________________________ Announcement ID: SUSE-SU-2016:3115-1 Rating: moderate References: #1003002 Cross-References: CVE-2016-7949 CVE-2016-7950 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for xorg-x11-libXrender fixes the following issues: - insufficient validation of data from the X server can cause out of boundary memory writes (bsc#1003002, CVE-2016-7949, CVE-2016-7950) Patch Instructions: To install this SUSE Security Update use YaST online_update. 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-xorg-x11-libXrender-12885=1 - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-xorg-x11-libXrender-12885=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-xorg-x11-libXrender-12885=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): xorg-x11-libXrender-devel-7.4-1.20.1 - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64): xorg-x11-libXrender-devel-32bit-7.4-1.20.1 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): xorg-x11-libXrender-7.4-1.20.1 - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64): xorg-x11-libXrender-32bit-7.4-1.20.1 - SUSE Linux Enterprise Server 11-SP4 (ia64): xorg-x11-libXrender-x86-7.4-1.20.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): xorg-x11-libXrender-debuginfo-7.4-1.20.1 xorg-x11-libXrender-debugsource-7.4-1.20.1 References: https://www.suse.com/security/cve/CVE-2016-7949.html https://www.suse.com/security/cve/CVE-2016-7950.html https://bugzilla.suse.com/1003002 From sle-security-updates at lists.suse.com Tue Dec 13 09:07:11 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 13 Dec 2016 17:07:11 +0100 (CET) Subject: SUSE-SU-2016:3116-1: important: Security update for Linux Kernel Live Patch 8 for SLE 12 SP1 Message-ID: <20161213160711.5BCC4FF6E@maintenance.suse.de> SUSE Security Update: Security update for Linux Kernel Live Patch 8 for SLE 12 SP1 ______________________________________________________________________________ Announcement ID: SUSE-SU-2016:3116-1 Rating: important References: #1012183 #1012759 Cross-References: CVE-2016-8655 CVE-2016-9555 Affected Products: SUSE Linux Enterprise Live Patching 12 
______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for the Linux Kernel 3.12.62-60_64_8 fixes several issues. The following security bugs were fixed: - CVE-2016-8655: A race condition in the af_packet packet_set_ring function could be used by local attackers to crash the kernel or gain privileges (bsc#1012759). - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel lacks chunk-length checking for the first chunk, which allowed remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data (bsc#1012183). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12: zypper in -t patch SUSE-SLE-Live-Patching-12-2016-1813=1 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Live Patching 12 (x86_64): kgraft-patch-3_12_62-60_64_8-default-3-2.1 kgraft-patch-3_12_62-60_64_8-xen-3-2.1 References: https://www.suse.com/security/cve/CVE-2016-8655.html https://www.suse.com/security/cve/CVE-2016-9555.html https://bugzilla.suse.com/1012183 https://bugzilla.suse.com/1012759 From sle-security-updates at lists.suse.com Tue Dec 13 09:07:45 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 13 Dec 2016 17:07:45 +0100 (CET) Subject: SUSE-SU-2016:3117-1: important: Security update for Linux Kernel Live Patch 5 for SLE 12 SP1 Message-ID: <20161213160745.14FCBFF0F@maintenance.suse.de> SUSE Security Update: Security update for Linux Kernel Live Patch 5 for SLE 12 SP1 ______________________________________________________________________________ Announcement ID: SUSE-SU-2016:3117-1 Rating: important References: #1012183 #1012759 Cross-References: CVE-2016-8655 CVE-2016-9555 Affected Products: SUSE Linux Enterprise Live Patching 12 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for the Linux Kernel 3.12.59-60_41 fixes several issues. The following security bugs were fixed: - CVE-2016-8655: A race condition in the af_packet packet_set_ring function could be used by local attackers to crash the kernel or gain privileges (bsc#1012759). - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel lacks chunk-length checking for the first chunk, which allowed remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data (bsc#1012183). Patch Instructions: To install this SUSE Security Update use YaST online_update. 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12: zypper in -t patch SUSE-SLE-Live-Patching-12-2016-1812=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Live Patching 12 (x86_64): kgraft-patch-3_12_59-60_41-default-5-2.1 kgraft-patch-3_12_59-60_41-xen-5-2.1 References: https://www.suse.com/security/cve/CVE-2016-8655.html https://www.suse.com/security/cve/CVE-2016-9555.html https://bugzilla.suse.com/1012183 https://bugzilla.suse.com/1012759 From sle-security-updates at lists.suse.com Tue Dec 13 10:07:51 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 13 Dec 2016 18:07:51 +0100 (CET) Subject: SUSE-SU-2016:3119-1: important: Security update for Linux Kernel Live Patch 11 for SLE 12 Message-ID: <20161213170751.4AEDDFF6E@maintenance.suse.de> SUSE Security Update: Security update for Linux Kernel Live Patch 11 for SLE 12 ______________________________________________________________________________ Announcement ID: SUSE-SU-2016:3119-1 Rating: important References: #1003253 #1012183 #1012759 Cross-References: CVE-2016-7117 CVE-2016-8655 CVE-2016-9555 Affected Products: SUSE Linux Enterprise Server for SAP 12 SUSE Linux Enterprise Server 12-LTSS ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for the Linux Kernel 3.12.51-52_39 fixes several issues. The following security bugs were fixed: - CVE-2016-8655: A race condition in the af_packet packet_set_ring function could be used by local attackers to crash the kernel or gain privileges (bsc#1012759). 
- CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel lacks chunk-length checking for the first chunk, which allowed remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data (bsc#1012183). - CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bsc#1003253). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12: zypper in -t patch SUSE-SLE-SAP-12-2016-1814=1 - SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2016-1814=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server for SAP 12 (x86_64): kgraft-patch-3_12_51-52_39-default-6-2.1 kgraft-patch-3_12_51-52_39-xen-6-2.1 - SUSE Linux Enterprise Server 12-LTSS (x86_64): kgraft-patch-3_12_51-52_39-default-6-2.1 kgraft-patch-3_12_51-52_39-xen-6-2.1 References: https://www.suse.com/security/cve/CVE-2016-7117.html https://www.suse.com/security/cve/CVE-2016-8655.html https://www.suse.com/security/cve/CVE-2016-9555.html https://bugzilla.suse.com/1003253 https://bugzilla.suse.com/1012183 https://bugzilla.suse.com/1012759 From sle-security-updates at lists.suse.com Tue Dec 13 18:07:06 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 14 Dec 2016 02:07:06 +0100 (CET) Subject: SUSE-SU-2016:3146-1: important: Security update for the Linux Kernel Message-ID: <20161214010706.A1547FF0F@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: 
SUSE-SU-2016:3146-1 Rating: important References: #1013533 #1013604 Cross-References: CVE-2016-9576 CVE-2016-9794 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP2 SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Live Patching 12 SUSE Linux Enterprise High Availability 12-SP2 SUSE Linux Enterprise Desktop 12-SP2 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: The SUSE Linux Enterprise 12 SP 2 kernel was updated to fix two security issues. The following security bugs were fixed: - CVE-2016-9576: A use-after-free vulnerability in the SCSI generic driver allows users with write access to /dev/sg* or /dev/bsg* to elevate their privileges (bsc#1013604). - CVE-2016-9794: A use-after-free vulnerability in the ALSA pcm layer allowed local users to cause a denial of service, memory corruption or possibly even to elevate their privileges (bsc#1013533). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP2: zypper in -t patch SUSE-SLE-WE-12-SP2-2016-1815=1 - SUSE Linux Enterprise Software Development Kit 12-SP2: zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1815=1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1815=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1815=1 - SUSE Linux Enterprise Live Patching 12: zypper in -t patch SUSE-SLE-Live-Patching-12-2016-1815=1 - SUSE Linux Enterprise High Availability 12-SP2: zypper in -t patch SUSE-SLE-HA-12-SP2-2016-1815=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1815=1 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Workstation Extension 12-SP2 (x86_64): kernel-default-debuginfo-4.4.21-90.1 kernel-default-debugsource-4.4.21-90.1 kernel-default-extra-4.4.21-90.1 kernel-default-extra-debuginfo-4.4.21-90.1 - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): kernel-obs-build-4.4.21-90.1 kernel-obs-build-debugsource-4.4.21-90.1 - SUSE Linux Enterprise Software Development Kit 12-SP2 (noarch): kernel-docs-4.4.21-90.3 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): kernel-default-4.4.21-90.1 kernel-default-base-4.4.21-90.1 kernel-default-base-debuginfo-4.4.21-90.1 kernel-default-debuginfo-4.4.21-90.1 kernel-default-debugsource-4.4.21-90.1 kernel-default-devel-4.4.21-90.1 kernel-syms-4.4.21-90.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (noarch): kernel-devel-4.4.21-90.1 kernel-macros-4.4.21-90.1 kernel-source-4.4.21-90.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64): kernel-default-4.4.21-90.1 kernel-default-base-4.4.21-90.1 kernel-default-base-debuginfo-4.4.21-90.1 kernel-default-debuginfo-4.4.21-90.1 kernel-default-debugsource-4.4.21-90.1 kernel-default-devel-4.4.21-90.1 kernel-syms-4.4.21-90.1 - SUSE Linux Enterprise Server 12-SP2 (noarch): kernel-devel-4.4.21-90.1 kernel-macros-4.4.21-90.1 kernel-source-4.4.21-90.1 - SUSE Linux Enterprise Live Patching 12 (x86_64): kgraft-patch-4_4_21-90-default-1-2.3 - SUSE Linux Enterprise High Availability 12-SP2 (ppc64le s390x x86_64): cluster-md-kmp-default-4.4.21-90.1 cluster-md-kmp-default-debuginfo-4.4.21-90.1 cluster-network-kmp-default-4.4.21-90.1 cluster-network-kmp-default-debuginfo-4.4.21-90.1 dlm-kmp-default-4.4.21-90.1 dlm-kmp-default-debuginfo-4.4.21-90.1 gfs2-kmp-default-4.4.21-90.1 gfs2-kmp-default-debuginfo-4.4.21-90.1 kernel-default-debuginfo-4.4.21-90.1 kernel-default-debugsource-4.4.21-90.1 ocfs2-kmp-default-4.4.21-90.1 ocfs2-kmp-default-debuginfo-4.4.21-90.1 - SUSE Linux Enterprise Desktop 12-SP2 
(x86_64): kernel-default-4.4.21-90.1 kernel-default-debuginfo-4.4.21-90.1 kernel-default-debugsource-4.4.21-90.1 kernel-default-devel-4.4.21-90.1 kernel-default-extra-4.4.21-90.1 kernel-default-extra-debuginfo-4.4.21-90.1 kernel-syms-4.4.21-90.1 - SUSE Linux Enterprise Desktop 12-SP2 (noarch): kernel-devel-4.4.21-90.1 kernel-macros-4.4.21-90.1 kernel-source-4.4.21-90.1 References: https://www.suse.com/security/cve/CVE-2016-9576.html https://www.suse.com/security/cve/CVE-2016-9794.html https://bugzilla.suse.com/1013533 https://bugzilla.suse.com/1013604 From sle-security-updates at lists.suse.com Wed Dec 14 07:07:39 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 14 Dec 2016 15:07:39 +0100 (CET) Subject: SUSE-SU-2016:3148-1: critical: Security update for flash-player Message-ID: <20161214140739.2D429FF0F@maintenance.suse.de> SUSE Security Update: Security update for flash-player ______________________________________________________________________________ Announcement ID: SUSE-SU-2016:3148-1 Rating: critical References: #1015379 Cross-References: CVE-2016-7867 CVE-2016-7868 CVE-2016-7869 CVE-2016-7870 CVE-2016-7871 CVE-2016-7872 CVE-2016-7873 CVE-2016-7874 CVE-2016-7875 CVE-2016-7876 CVE-2016-7877 CVE-2016-7878 CVE-2016-7879 CVE-2016-7880 CVE-2016-7881 CVE-2016-7890 CVE-2016-7892 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP1 SUSE Linux Enterprise Desktop 12-SP1 ______________________________________________________________________________ An update that fixes 17 vulnerabilities is now available. Description: This update for flash-player fixes the following issues: - Security update to 24.0.0.186 (bsc#1015379) APSB16-39: * These updates resolve use-after-free vulnerabilities that could have lead to code execution (CVE-2016-7872, CVE-2016-7877, CVE-2016-7878, CVE-2016-7879, CVE-2016-7880, CVE-2016-7881, CVE-2016-7892). 
* These updates resolve buffer overflow vulnerabilities that could have lead to code execution (CVE-2016-7867, CVE-2016-7868, CVE-2016-7869, CVE-2016-7870). * These updates resolve memory corruption vulnerabilities that could have lead to code execution (CVE-2016-7871, CVE-2016-7873, CVE-2016-7874, CVE-2016-7875, CVE-2016-7876). * These updates resolve a security bypass vulnerability (CVE-2016-7890). - Keep standalone flashplayer at version 11, no newer version exists (INSECURE!). - Update EULA to version 24.0. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP1: zypper in -t patch SUSE-SLE-WE-12-SP1-2016-1816=1 - SUSE Linux Enterprise Desktop 12-SP1: zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1816=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Workstation Extension 12-SP1 (x86_64): flash-player-24.0.0.186-152.1 flash-player-gnome-24.0.0.186-152.1 - SUSE Linux Enterprise Desktop 12-SP1 (x86_64): flash-player-24.0.0.186-152.1 flash-player-gnome-24.0.0.186-152.1 References: https://www.suse.com/security/cve/CVE-2016-7867.html https://www.suse.com/security/cve/CVE-2016-7868.html https://www.suse.com/security/cve/CVE-2016-7869.html https://www.suse.com/security/cve/CVE-2016-7870.html https://www.suse.com/security/cve/CVE-2016-7871.html https://www.suse.com/security/cve/CVE-2016-7872.html https://www.suse.com/security/cve/CVE-2016-7873.html https://www.suse.com/security/cve/CVE-2016-7874.html https://www.suse.com/security/cve/CVE-2016-7875.html https://www.suse.com/security/cve/CVE-2016-7876.html https://www.suse.com/security/cve/CVE-2016-7877.html https://www.suse.com/security/cve/CVE-2016-7878.html https://www.suse.com/security/cve/CVE-2016-7879.html https://www.suse.com/security/cve/CVE-2016-7880.html https://www.suse.com/security/cve/CVE-2016-7881.html 
   https://www.suse.com/security/cve/CVE-2016-7890.html
   https://www.suse.com/security/cve/CVE-2016-7892.html
   https://bugzilla.suse.com/1015379

From sle-security-updates at lists.suse.com Wed Dec 14 10:07:53 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 14 Dec 2016 18:07:53 +0100 (CET)
Subject: SUSE-SU-2016:3156-1: important: Security update for xen
Message-ID: <20161214170753.D33ADFF0F@maintenance.suse.de>

   SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3156-1
Rating:             important
References:         #1000106 #1003030 #1003032 #1004016 #1005004 #1005005
                    #1007157 #1007160 #1009100 #1009103 #1009104 #1009107
                    #1009109 #1009111 #1011652 #953518
Cross-References:   CVE-2016-7777 CVE-2016-7908 CVE-2016-7909 CVE-2016-8576
                    CVE-2016-8667 CVE-2016-8669 CVE-2016-8909 CVE-2016-8910
                    CVE-2016-9379 CVE-2016-9380 CVE-2016-9381 CVE-2016-9382
                    CVE-2016-9383 CVE-2016-9385 CVE-2016-9386 CVE-2016-9637
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12
                    SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

   An update that fixes 16 vulnerabilities is now available.

Description:

   This update for xen fixes several issues.

   These security issues were fixed:
   - CVE-2016-9637: ioport array overflow allowing a malicious guest administrator to escalate their privilege to that of the host (bsc#1011652)
   - CVE-2016-9386: x86 null segments were not always treated as unusable, allowing an unprivileged guest user program to elevate its privilege to that of the guest operating system. Exploit of this vulnerability is easy on Intel and more complicated on AMD (bsc#1009100)
   - CVE-2016-9382: x86 task switch to VM86 mode was mis-handled, allowing an unprivileged guest process to escalate its privilege to that of the guest operating system on AMD hardware. On Intel hardware a malicious unprivileged guest process can crash the guest (bsc#1009103)
   - CVE-2016-9385: x86 segment base write emulation lacked canonical address checks, allowing a malicious guest administrator to crash the host (bsc#1009104)
   - CVE-2016-9383: The x86 64-bit bit test instruction emulation was broken, allowing a guest to modify arbitrary memory, leading to arbitrary code execution (bsc#1009107)
   - CVE-2016-9381: Improper processing of shared rings allowed guest administrators to take over the qemu process, elevating their privilege to that of the qemu process (bsc#1009109)
   - CVE-2016-9380: Delimiter injection vulnerabilities in pygrub allowed guest administrators to obtain the contents of sensitive host files or delete the files (bsc#1009111)
   - CVE-2016-9379: Delimiter injection vulnerabilities in pygrub allowed guest administrators to obtain the contents of sensitive host files or delete the files (bsc#1009111)
   - CVE-2016-7777: Xen did not properly honor CR0.TS and CR0.EM, which allowed local x86 HVM guest OS users to read or modify FPU, MMX, or XMM register state information belonging to arbitrary tasks on the guest by modifying an instruction while the hypervisor is preparing to emulate it (bsc#1000106)
   - CVE-2016-8910: The rtl8139_cplus_transmit function in hw/net/rtl8139.c allowed local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count (bsc#1007157)
   - CVE-2016-8909: The intel_hda_xfer function in hw/audio/intel-hda.c allowed local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via an entry with the same value for buffer length and pointer position (bsc#1007160)
   - CVE-2016-8667: The rc4030_write function in hw/dma/rc4030.c allowed local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via a large interval timer reload value (bsc#1005004)
   - CVE-2016-8669: The serial_update_parameters function in hw/char/serial.c allowed local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base (bsc#1005005)
   - CVE-2016-8576: The xhci_ring_fetch function in hw/usb/hcd-xhci.c allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit the number of link Transfer Request Blocks (TRB) to process (bsc#1004016)
   - CVE-2016-7908: The mcf_fec_do_tx function in hw/net/mcf_fec.c did not properly limit the buffer descriptor count when transmitting packets, which allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags (bsc#1003030)
   - CVE-2016-7909: The pcnet_rdra_addr function in hw/net/pcnet.c allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0 (bsc#1003032)

   These non-security issues were fixed:
   - bsc#953518: Unplug also SCSI disks in qemu-xen-traditional for upstream unplug protocol
   - bsc#953518: Unplug also SCSI disks in qemu-xen

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12:

      zypper in -t patch SUSE-SLE-SAP-12-2016-1825=1

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-1825=1

   To bring your system up-to-date, use "zypper patch".
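   After running the patch command, the practical check is whether every package named in the Package List below is installed at the fixed version-release or newer. The script that follows is an added example, not SUSE tooling: it reimplements rpm's segment-wise version comparison (the rpmvercmp rules: digit runs compare numerically, a number beats letters, "~" marks a pre-release) in Python and compares a constructed `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` inventory against fixed versions copied from this advisory's SLES 12-LTSS list. It ignores epochs, which is an assumption that holds here because the list carries none.

```python
"""Check an installed rpm inventory against an advisory's package list.

Added example, not SUSE tooling.  Reimplements enough of rpm's rpmvercmp()
to decide whether an installed name-version-release is older than the fixed
one.  Epochs are ignored (assumption: the advisory's package list has none).
"""
import re

# A version string is compared segment by segment: runs of digits, runs of
# letters, and the '~' pre-release marker.  Separators ('.', '_', '-') only
# delimit segments and never take part in the comparison.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":          # '~' sorts before anything else
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x.isdigit() and y.isdigit():   # numeric segments compare as integers
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
            continue
        if x.isdigit() != y.isdigit():    # a number is always newer than letters
            return 1 if x.isdigit() else -1
        if x != y:                        # two alphabetic segments: string order
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    # All shared segments are equal; the longer string wins unless its next
    # segment is '~' (a pre-release suffix), which makes it the older one.
    longer_is_a = len(sa) > len(sb)
    nxt = (sa if longer_is_a else sb)[min(len(sa), len(sb))]
    if nxt == "~":
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1


def split_nvr(nvr: str):
    """'xen-kmp-default-4.4.4_05_k3.12.60_52.57-22.25.1' -> (name, version, release).
    rpm versions and releases cannot contain '-', so the last two dashes delimit them."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def evr_cmp(vr_a, vr_b) -> int:
    """Compare (version, release) tuples: version first, release only on a tie."""
    return rpmvercmp(vr_a[0], vr_b[0]) or rpmvercmp(vr_a[1], vr_b[1])


def outdated_packages(advisory_nvrs, installed_nvrs):
    """Return [(name, installed_vr, fixed_vr)] for every installed package that
    the advisory lists and whose installed version-release is older than the
    fixed one.  Packages the advisory does not mention, or that are not
    installed at all, are skipped."""
    fixed = {n: (v, r) for n, v, r in map(split_nvr, advisory_nvrs)}
    result = []
    for n, v, r in map(split_nvr, installed_nvrs):
        if n in fixed and evr_cmp((v, r), fixed[n]) < 0:
            result.append((n, f"{v}-{r}", "-".join(fixed[n])))
    return result


# Fixed versions copied from the SLES 12-LTSS package list of this advisory.
ADVISORY = [
    "xen-4.4.4_05-22.25.1",
    "xen-libs-4.4.4_05-22.25.1",
    "xen-tools-4.4.4_05-22.25.1",
    "xen-kmp-default-4.4.4_05_k3.12.60_52.57-22.25.1",
]

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`
# output from a host that has only partially taken the update.
INSTALLED = [
    "xen-4.4.4_02-22.19.1",
    "xen-libs-4.4.4_05-22.25.1",
    "xen-tools-4.4.4_05-22.25.1",
    "xen-kmp-default-4.4.4_05_k3.12.60_52.57-22.25.1",
    "bash-4.3-82.1",
]

if __name__ == "__main__":
    for name, have, want in outdated_packages(ADVISORY, INSTALLED):
        print(f"{name}: installed {have}, advisory requires {want}")
```

   On the constructed inventory only the xen package itself is reported as still below the fixed version; the kmp package is compared with its full kernel-flavoured version string, which is why the comparison is done per segment rather than by string prefix.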
Package List:

   - SUSE Linux Enterprise Server for SAP 12 (x86_64):

      xen-4.4.4_05-22.25.1
      xen-debugsource-4.4.4_05-22.25.1
      xen-doc-html-4.4.4_05-22.25.1
      xen-kmp-default-4.4.4_05_k3.12.60_52.57-22.25.1
      xen-kmp-default-debuginfo-4.4.4_05_k3.12.60_52.57-22.25.1
      xen-libs-32bit-4.4.4_05-22.25.1
      xen-libs-4.4.4_05-22.25.1
      xen-libs-debuginfo-32bit-4.4.4_05-22.25.1
      xen-libs-debuginfo-4.4.4_05-22.25.1
      xen-tools-4.4.4_05-22.25.1
      xen-tools-debuginfo-4.4.4_05-22.25.1
      xen-tools-domU-4.4.4_05-22.25.1
      xen-tools-domU-debuginfo-4.4.4_05-22.25.1

   - SUSE Linux Enterprise Server 12-LTSS (x86_64):

      xen-4.4.4_05-22.25.1
      xen-debugsource-4.4.4_05-22.25.1
      xen-doc-html-4.4.4_05-22.25.1
      xen-kmp-default-4.4.4_05_k3.12.60_52.57-22.25.1
      xen-kmp-default-debuginfo-4.4.4_05_k3.12.60_52.57-22.25.1
      xen-libs-32bit-4.4.4_05-22.25.1
      xen-libs-4.4.4_05-22.25.1
      xen-libs-debuginfo-32bit-4.4.4_05-22.25.1
      xen-libs-debuginfo-4.4.4_05-22.25.1
      xen-tools-4.4.4_05-22.25.1
      xen-tools-debuginfo-4.4.4_05-22.25.1
      xen-tools-domU-4.4.4_05-22.25.1
      xen-tools-domU-debuginfo-4.4.4_05-22.25.1

References:

   https://www.suse.com/security/cve/CVE-2016-7777.html
   https://www.suse.com/security/cve/CVE-2016-7908.html
   https://www.suse.com/security/cve/CVE-2016-7909.html
   https://www.suse.com/security/cve/CVE-2016-8576.html
   https://www.suse.com/security/cve/CVE-2016-8667.html
   https://www.suse.com/security/cve/CVE-2016-8669.html
   https://www.suse.com/security/cve/CVE-2016-8909.html
   https://www.suse.com/security/cve/CVE-2016-8910.html
   https://www.suse.com/security/cve/CVE-2016-9379.html
   https://www.suse.com/security/cve/CVE-2016-9380.html
   https://www.suse.com/security/cve/CVE-2016-9381.html
   https://www.suse.com/security/cve/CVE-2016-9382.html
   https://www.suse.com/security/cve/CVE-2016-9383.html
   https://www.suse.com/security/cve/CVE-2016-9385.html
   https://www.suse.com/security/cve/CVE-2016-9386.html
   https://www.suse.com/security/cve/CVE-2016-9637.html
   https://bugzilla.suse.com/1000106
   https://bugzilla.suse.com/1003030
   https://bugzilla.suse.com/1003032
   https://bugzilla.suse.com/1004016
   https://bugzilla.suse.com/1005004
   https://bugzilla.suse.com/1005005
   https://bugzilla.suse.com/1007157
   https://bugzilla.suse.com/1007160
   https://bugzilla.suse.com/1009100
   https://bugzilla.suse.com/1009103
   https://bugzilla.suse.com/1009104
   https://bugzilla.suse.com/1009107
   https://bugzilla.suse.com/1009109
   https://bugzilla.suse.com/1009111
   https://bugzilla.suse.com/1011652
   https://bugzilla.suse.com/953518

From sle-security-updates at lists.suse.com Thu Dec 15 08:07:23 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 15 Dec 2016 16:07:23 +0100 (CET)
Subject: SUSE-SU-2016:3161-1: moderate: Security update for pcre
Message-ID: <20161215150723.EC2FEFF0F@maintenance.suse.de>

   SUSE Security Update: Security update for pcre
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3161-1
Rating:             moderate
References:         #906574 #924960 #933288 #933878 #936227 #942865 #957566
                    #957567 #957598 #957600 #960837 #971741 #972127
Cross-References:   CVE-2014-8964 CVE-2015-2325 CVE-2015-2327 CVE-2015-2328
                    CVE-2015-3210 CVE-2015-3217 CVE-2015-5073 CVE-2015-8380
                    CVE-2015-8381 CVE-2015-8382 CVE-2015-8383 CVE-2015-8384
                    CVE-2015-8385 CVE-2015-8386 CVE-2015-8387 CVE-2015-8388
                    CVE-2015-8389 CVE-2015-8390 CVE-2015-8391 CVE-2015-8392
                    CVE-2015-8393 CVE-2015-8394 CVE-2015-8395 CVE-2016-1283
                    CVE-2016-3191
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP2
                    SUSE Linux Enterprise Workstation Extension 12-SP1
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server for SAP 12
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Server 12-LTSS
                    SUSE Linux Enterprise High Availability 12-SP2
                    SUSE Linux Enterprise High Availability 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes 25 vulnerabilities is now available.

Description:

   This update for pcre to version 8.39 (bsc#972127) fixes several issues.

   If you use pcre extensively, please be aware that this is an update to a
   new version. Please make sure that your software works with the updated
   version.

   This version fixes a number of vulnerabilities that affect pcre and
   applications using the library when accepting untrusted input as regular
   expressions or as part thereof. Remote attackers could have caused the
   application to crash, disclose information or potentially execute
   arbitrary code.

   These security issues were fixed:
   - CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
   - CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
   - CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288).
   - CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878).
   - CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
   - bsc#942865: heap overflow in compile_regex()
   - CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
   - CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
   - bsc#957598: Various security issues
   - CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598).
   - CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547) (bsc#957598).
   - CVE-2015-8383: Buffer overflow caused by repeated conditional group (bsc#957598).
   - CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group (bsc#957598).
   - CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group (bsc#957598).
   - CVE-2015-8386: Buffer overflow caused by lookbehind assertion (bsc#957598).
   - CVE-2015-8387: Integer overflow in subroutine calls (bsc#957598).
   - CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis (bsc#957598).
   - CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns (bsc#957598).
   - CVE-2015-8390: Reading from uninitialized memory when processing certain patterns (bsc#957598).
   - CVE-2015-8391: Some pathological patterns cause pcre_compile() to run for a very long time (bsc#957598).
   - CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups (bsc#957598).
   - CVE-2015-8393: Information leak when running pcregrep -q on a crafted binary (bsc#957598).
   - CVE-2015-8394: Integer overflow caused by missing check for certain conditions (bsc#957598).
   - CVE-2015-8395: Buffer overflow caused by certain references (bsc#957598).
   - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600).
   - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837).
   - CVE-2016-3191: The compile_branch function in pcre_compile.c and pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741).

   These non-security issues were fixed:
   - JIT compiler improvements
   - performance improvements
   - The Unicode data tables have been updated to Unicode 7.0.0.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP2:

      zypper in -t patch SUSE-SLE-WE-12-SP2-2016-1827=1

   - SUSE Linux Enterprise Workstation Extension 12-SP1:

      zypper in -t patch SUSE-SLE-WE-12-SP1-2016-1827=1

   - SUSE Linux Enterprise Software Development Kit 12-SP2:

      zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1827=1

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1827=1

   - SUSE Linux Enterprise Server for SAP 12:

      zypper in -t patch SUSE-SLE-SAP-12-2016-1827=1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1827=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1827=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1827=1

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-1827=1

   - SUSE Linux Enterprise High Availability 12-SP2:

      zypper in -t patch SUSE-SLE-HA-12-SP2-2016-1827=1

   - SUSE Linux Enterprise High Availability 12-SP1:

      zypper in -t patch SUSE-SLE-HA-12-SP1-2016-1827=1

   - SUSE Linux Enterprise Desktop 12-SP2:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1827=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1827=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP2 (x86_64):

      libpcrecpp0-32bit-8.39-7.1
      libpcrecpp0-8.39-7.1
      libpcrecpp0-debuginfo-32bit-8.39-7.1
      libpcrecpp0-debuginfo-8.39-7.1
      pcre-debugsource-8.39-7.1

   - SUSE Linux Enterprise Workstation Extension 12-SP1 (x86_64):

      libpcrecpp0-32bit-8.39-7.1
      libpcrecpp0-8.39-7.1
      libpcrecpp0-debuginfo-32bit-8.39-7.1
      libpcrecpp0-debuginfo-8.39-7.1
      pcre-debugsource-8.39-7.1

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):

      libpcrecpp0-8.39-7.1
      libpcrecpp0-debuginfo-8.39-7.1
      libpcreposix0-8.39-7.1
      libpcreposix0-debuginfo-8.39-7.1
      pcre-debugsource-8.39-7.1
      pcre-devel-8.39-7.1
      pcre-devel-static-8.39-7.1
      pcre-tools-8.39-7.1
      pcre-tools-debuginfo-8.39-7.1

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      libpcrecpp0-8.39-7.1
      libpcrecpp0-debuginfo-8.39-7.1
      libpcreposix0-8.39-7.1
      libpcreposix0-debuginfo-8.39-7.1
      pcre-debugsource-8.39-7.1
      pcre-devel-8.39-7.1
      pcre-devel-static-8.39-7.1
      pcre-tools-8.39-7.1
      pcre-tools-debuginfo-8.39-7.1

   - SUSE Linux Enterprise Server for SAP 12 (x86_64):

      libpcre1-32bit-8.39-7.1
      libpcre1-8.39-7.1
      libpcre1-debuginfo-32bit-8.39-7.1
      libpcre1-debuginfo-8.39-7.1
      libpcre16-0-8.39-7.1
      libpcre16-0-debuginfo-8.39-7.1
      pcre-debugsource-8.39-7.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

      libpcre1-8.39-7.1
      libpcre1-debuginfo-8.39-7.1
      libpcre16-0-8.39-7.1
      libpcre16-0-debuginfo-8.39-7.1
      pcre-debugsource-8.39-7.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):

      libpcre1-8.39-7.1
      libpcre1-debuginfo-8.39-7.1
      libpcre16-0-8.39-7.1
      libpcre16-0-debuginfo-8.39-7.1
      pcre-debugsource-8.39-7.1

   - SUSE Linux Enterprise Server 12-SP2 (x86_64):

      libpcre1-32bit-8.39-7.1
      libpcre1-debuginfo-32bit-8.39-7.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      libpcre1-8.39-7.1
      libpcre1-debuginfo-8.39-7.1
      libpcre16-0-8.39-7.1
      libpcre16-0-debuginfo-8.39-7.1
      pcre-debugsource-8.39-7.1

   - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):

      libpcre1-32bit-8.39-7.1
      libpcre1-debuginfo-32bit-8.39-7.1

   - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

      libpcre1-8.39-7.1
      libpcre1-debuginfo-8.39-7.1
      libpcre16-0-8.39-7.1
      libpcre16-0-debuginfo-8.39-7.1
      pcre-debugsource-8.39-7.1

   - SUSE Linux Enterprise Server 12-LTSS (s390x x86_64):

      libpcre1-32bit-8.39-7.1
      libpcre1-debuginfo-32bit-8.39-7.1

   - SUSE Linux Enterprise High Availability 12-SP2 (ppc64le s390x x86_64):

      libpcreposix0-8.39-7.1
      libpcreposix0-debuginfo-8.39-7.1
      pcre-debugsource-8.39-7.1

   - SUSE Linux Enterprise High Availability 12-SP1 (ppc64le s390x x86_64):

      libpcreposix0-8.39-7.1
      libpcreposix0-debuginfo-8.39-7.1
      pcre-debugsource-8.39-7.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

      libpcre1-32bit-8.39-7.1
      libpcre1-8.39-7.1
      libpcre1-debuginfo-32bit-8.39-7.1
      libpcre1-debuginfo-8.39-7.1
      libpcre16-0-8.39-7.1
      libpcre16-0-debuginfo-8.39-7.1
      libpcrecpp0-32bit-8.39-7.1
      libpcrecpp0-8.39-7.1
      libpcrecpp0-debuginfo-32bit-8.39-7.1
      libpcrecpp0-debuginfo-8.39-7.1
      pcre-debugsource-8.39-7.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      libpcre1-32bit-8.39-7.1
      libpcre1-8.39-7.1
      libpcre1-debuginfo-32bit-8.39-7.1
      libpcre1-debuginfo-8.39-7.1
      libpcre16-0-8.39-7.1
      libpcre16-0-debuginfo-8.39-7.1
      libpcrecpp0-32bit-8.39-7.1
      libpcrecpp0-8.39-7.1
      libpcrecpp0-debuginfo-32bit-8.39-7.1
      libpcrecpp0-debuginfo-8.39-7.1
      pcre-debugsource-8.39-7.1

References:

   https://www.suse.com/security/cve/CVE-2014-8964.html
   https://www.suse.com/security/cve/CVE-2015-2325.html
   https://www.suse.com/security/cve/CVE-2015-2327.html
   https://www.suse.com/security/cve/CVE-2015-2328.html
   https://www.suse.com/security/cve/CVE-2015-3210.html
   https://www.suse.com/security/cve/CVE-2015-3217.html
   https://www.suse.com/security/cve/CVE-2015-5073.html
   https://www.suse.com/security/cve/CVE-2015-8380.html
   https://www.suse.com/security/cve/CVE-2015-8381.html
   https://www.suse.com/security/cve/CVE-2015-8382.html
   https://www.suse.com/security/cve/CVE-2015-8383.html
   https://www.suse.com/security/cve/CVE-2015-8384.html
   https://www.suse.com/security/cve/CVE-2015-8385.html
   https://www.suse.com/security/cve/CVE-2015-8386.html
   https://www.suse.com/security/cve/CVE-2015-8387.html
   https://www.suse.com/security/cve/CVE-2015-8388.html
   https://www.suse.com/security/cve/CVE-2015-8389.html
   https://www.suse.com/security/cve/CVE-2015-8390.html
   https://www.suse.com/security/cve/CVE-2015-8391.html
   https://www.suse.com/security/cve/CVE-2015-8392.html
   https://www.suse.com/security/cve/CVE-2015-8393.html
   https://www.suse.com/security/cve/CVE-2015-8394.html
   https://www.suse.com/security/cve/CVE-2015-8395.html
   https://www.suse.com/security/cve/CVE-2016-1283.html
   https://www.suse.com/security/cve/CVE-2016-3191.html
   https://bugzilla.suse.com/906574
   https://bugzilla.suse.com/924960
   https://bugzilla.suse.com/933288
   https://bugzilla.suse.com/933878
   https://bugzilla.suse.com/936227
   https://bugzilla.suse.com/942865
   https://bugzilla.suse.com/957566
   https://bugzilla.suse.com/957567
   https://bugzilla.suse.com/957598
   https://bugzilla.suse.com/957600
   https://bugzilla.suse.com/960837
   https://bugzilla.suse.com/971741
   https://bugzilla.suse.com/972127

From sle-security-updates at lists.suse.com Thu Dec 15 10:08:18 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 15 Dec 2016 18:08:18 +0100 (CET)
Subject: SUSE-SU-2016:3162-1: moderate: Security update for pacemaker
Message-ID: <20161215170818.DBA42FFAC@maintenance.suse.de>

   SUSE Security Update: Security update for pacemaker
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3162-1
Rating:             moderate
References:         #1000743 #1002767 #1003565 #1007433 #1009076 #953192
                    #970733 #971129 #972187 #974108 #975079 #976271 #976865
                    #977258 #977675 #977800 #981489 #981731 #986056 #986201
                    #986265 #986644 #986676 #986931 #987348
Cross-References:   CVE-2016-7035 CVE-2016-7797
Affected Products:
                    SUSE Linux Enterprise High Availability Extension 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that solves two vulnerabilities and has 23 fixes is now available.

Description:

   This update for pacemaker fixes one security issue and several non-security issues.

   The following security issue has been fixed:
   - libcrmcommon: Fix improper IPC guarding. (bsc#1007433, CVE-2016-7035)

   The following non-security issues have been fixed:
   - Add logrotate to reqs of pacemaker-cli.
   - Add $remote_fs dependencies to the init scripts.
   - all: Clarify licensing and copyrights.
   - attrd,ipc: Prevent possible segfault on exit. (bsc#986056)
   - attrd, libcrmcommon: Validate attrd requests better.
   - attrd_updater: Fix usage of HAVE_ATOMIC_ATTRD.
   - cib/fencing: Set status callback before connecting to cluster. (bsc#974108)
   - ClusterMon: Fix to avoid matching other process with the same PID.
   - crmd: Acknowledge cancellation operations for remote connection resources. (bsc#976865)
   - crmd: Avoid timeout on older peers when cancelling a resource operation.
   - crmd: Record pending operations in the CIB before they are performed. (bsc#1003565)
   - crmd: Clear remote node operation history only when it comes up.
   - crmd: Clear remote node transient attributes on disconnect. (bsc#981489)
   - crmd: Don't abort transitions for CIB comment changes.
   - crmd: Ensure the R_SHUTDOWN is set whenever we ask the DC to shut us down.
   - crmd: Get full action information earlier. (bsc#981731)
   - crmd: Graceful proxy shutdown is now tested. (bsc#981489)
   - crmd: Keep a state of LRMD in the DC node latest.
   - crmd,lrmd,liblrmd: Use defined constants for lrmd IPC operations. (bsc#981489)
   - crmd: Mention that graceful remote shutdowns may cause connection failures. (bsc#981489)
   - crmd/pengine: Handle on-fail=ignore properly. (bsc#981731)
   - crmd/pengine: Implement on-fail=ignore without allow-fail. (bsc#981731)
   - crmd: Remove dead code.
     (bsc#981731)
   - crmd: Rename action number variable in process_graph_event(). (bsc#981731)
   - crmd: Resend the shutdown request if the DC forgets.
   - crmd: Respect start-failure-is-fatal even for artificially injected events. (bsc#981731)
   - crmd: Set remote flag when gracefully shutting down remote nodes. (bsc#981489)
   - crmd: Set the shutdown transient attribute in response to LRMD_IPC_OP_SHUTDOWN_REQ from remote nodes. (bsc#981489)
   - crmd: Support graceful pacemaker_remote stops. (bsc#981489)
   - crmd: Take start-delay into account for the timeout of the action timer. (bsc#977258)
   - crmd: Use defined constant for magic "direct nack" RC. (bsc#981731)
   - crmd: Use proper resource agent name when caching metadata.
   - crmd: When node load was reduced, crmd carries out a feasible action.
   - crm_mon: Avoid logging errors for any CIB changes that we don't care about. (bsc#986931)
   - crm_mon: Consistently print ms resource state.
   - crm_mon: Do not call setenv with null value.
   - crm_mon: Do not log errors for the known CIB changes that should be ignored. (bsc#986931)
   - crm_mon: Fix time formatting on x32.
   - cts: Avoid kill usage error if DummySD stop called when already stopped.
   - CTS: Get Reattach test working again and up-to-date. (bsc#953192)
   - cts: Simulate pacemaker_remote failure with kill. (bsc#981489)
   - fencing/fence_legacy: Search capable devices by querying them through "list" action for cluster-glue stonith agents. (bsc#986265)
   - fencing: Record the last known names of nodes to make sure fencing requested with nodeid works. (bsc#974108)
   - libais,libcluster,libcrmcommon,liblrmd: Don't use %z specifier.
   - libcib,libfencing,libtransition: Handle memory allocation errors without CRM_CHECK().
   - lib: Correction of the deletion of the notice registration.
   - libcrmcommon: Correct directory name in log message.
   - libcrmcommon: Ensure crm_time_t structure is fully initialized by API calls.
   - libcrmcommon: Log XML comments correctly.
   - libcrmcommon: Properly handle XML comments when comparing v2 patchset diffs.
   - libcrmcommon: Really ensure crm_time_t structure is fully initialized by API calls.
   - libcrmcommon: Remove extraneous format specifier from log message.
   - libcrmcommon: Report errors consistently when waiting for data on connection. (bsc#986644)
   - libfencing: Report added node ID correctly.
   - liblrmd: Avoid memory leak when closing or deleting lrmd connections.
   - libpengine: Allow pe_order_same_node option for constraints.
   - libpengine: Log message when stonith disabled, not enabled.
   - libpengine: Only log startup-fencing warning once.
   - libtransition: Potential memory leak if unpacking action fails.
   - lrmd: Handle shutdown a little more cleanly. (bsc#981489)
   - lrmd,libcluster: Ensure g_hash_table_foreach() is never passed a null table.
   - lrmd,liblrmd: Add lrmd IPC operations for requesting and acknowledging shutdown. (bsc#981489)
   - lrmd: Make proxied IPC providers/clients opaque. (bsc#981489)
   - mcp: Improve comments for sysconfig options.
   - pacemaker_remote: Set LSB Provides header to the service name.
   - pacemaker_remote: Support graceful stops. (bsc#981489)
   - PE: Correctly update the dependent actions of un-runnable clones.
   - PE: Honor the shutdown transient attributes for remote nodes. (bsc#981489)
   - pengine: Avoid memory leak when invalid constraint involves set.
   - pengine: Avoid null dereference in new same-node ordering option.
   - pengine: Avoid transition loop for start-then-stop + unfencing.
   - pengine: Avoid use-after-free with location constraint + sets + templates.
   - pengine: Better error handling when unpacking sets in location constraints.
   - pengine: Consider resource failed if any of the configured monitor operations failed. (bsc#972187)
   - pengine: Correction of the record judgment of the failed information.
   - pengine: Do not fence a maintenance node if it shuts down cleanly. (bsc#1000743)
   - pengine: Correctly set the environment variable "OCF_RESKEY_CRM_meta_timeout" when "start-delay" is configured. (bsc#977258)
   - pengine: Only set unfencing constraints once.
   - pengine: Organize order of actions for master resources in anti-colocations. (bsc#977800)
   - pengine: Organize order of actions for slave resources in anti-colocations. (bsc#977800)
   - pengine: Properly order stop actions relative to stonith.
   - pengine: Respect asymmetrical ordering when trying to move resources. (bsc#977675)
   - pengine: Set OCF_RESKEY_CRM_meta_notify_active_* for multistate resources.
   - pengine,tools: Display pending resource state by default when it's available. (bsc#986201)
   - ping: Avoid temp files in fping_check. (bsc#987348)
   - ping: Avoid temporary files for fping check. (bsc#987348)
   - ping: Log sensible error when /tmp is full. (bsc#987348)
   - ping resource: Use fping6 for IPv6 hosts. (bsc#976271)
   - RA/SysInfo: Reset the node attribute "#health_disk" to "green" when there's sufficient free disk. (bsc#975079)
   - remote: Allow cluster and remote LRM API versions to diverge. (bsc#1009076)
   - remote: Correctly calculate the remaining timeouts when receiving messages. (bsc#986644)
   - resources: Use OCF version tagging correctly.
   - services: Correctly clean up service actions for non-dbus case.
   - spec: fence_pcmk only eligible for Pacemaker+CMAN.
   - stonithd: Correction of the wrong connection process name.
   - sysconfig: Minor tweaks (typo, wording).
   - tools: Avoid memory leaks in crm_resource --restart.
   - tools: Avoid memory leak when crm_mon unpacks constraints.
   - tools: Correctly count starting resources when doing crm_resource --restart.
   - tools: crm_resource -T option should not be hidden anymore.
   - tools: crm_standby --version/--help should work without cluster.
   - tools: Do not send command lines to syslog. (bsc#986676)
   - tools: Do not assume all resources restart on same node with crm_resource --restart.
   - tools: Don't require node to be known to crm_resource when deleting attribute.
   - tools: Properly handle crm_resource --restart with a resource in a group.
   - tools: Remember any existing target-role when doing crm_resource --restart.
   - various: Issues discovered via valgrind and coverity.

   Additionally, the following references have been added to the changelog:
   bsc#970733, fate#318381, bsc#1002767, CVE-2016-7797, bsc#971129

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise High Availability Extension 11-SP4:

      zypper in -t patch slehasp4-pacemaker-12889=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-pacemaker-12889=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise High Availability Extension 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      libpacemaker-devel-1.1.12-18.1
      libpacemaker3-1.1.12-18.1
      pacemaker-1.1.12-18.1
      pacemaker-cli-1.1.12-18.1
      pacemaker-remote-1.1.12-18.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      pacemaker-debuginfo-1.1.12-18.1
      pacemaker-debugsource-1.1.12-18.1

References:

   https://www.suse.com/security/cve/CVE-2016-7035.html
   https://www.suse.com/security/cve/CVE-2016-7797.html
   https://bugzilla.suse.com/1000743
   https://bugzilla.suse.com/1002767
   https://bugzilla.suse.com/1003565
   https://bugzilla.suse.com/1007433
   https://bugzilla.suse.com/1009076
   https://bugzilla.suse.com/953192
   https://bugzilla.suse.com/970733
   https://bugzilla.suse.com/971129
   https://bugzilla.suse.com/972187
   https://bugzilla.suse.com/974108
   https://bugzilla.suse.com/975079
   https://bugzilla.suse.com/976271
   https://bugzilla.suse.com/976865
   https://bugzilla.suse.com/977258
   https://bugzilla.suse.com/977675
   https://bugzilla.suse.com/977800
   https://bugzilla.suse.com/981489
   https://bugzilla.suse.com/981731
   https://bugzilla.suse.com/986056
   https://bugzilla.suse.com/986201
   https://bugzilla.suse.com/986265
   https://bugzilla.suse.com/986644
   https://bugzilla.suse.com/986676
   https://bugzilla.suse.com/986931
   https://bugzilla.suse.com/987348

From sle-security-updates at lists.suse.com Thu Dec 15 19:06:53 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 16 Dec 2016 03:06:53 +0100 (CET)
Subject: SUSE-SU-2016:3169-1: important: Security update for Linux Kernel Live Patch 0 for SLE 12 SP2
Message-ID: <20161216020653.D9794FF6E@maintenance.suse.de>

   SUSE Security Update: Security update for Linux Kernel Live Patch 0 for SLE 12 SP2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3169-1
Rating:             important
References:         #1008284 #1012183 #1012759
Cross-References:   CVE-2016-8655 CVE-2016-9555
Affected Products:
                    SUSE Linux Enterprise Live Patching 12
______________________________________________________________________________

   An update that solves two vulnerabilities and has one errata is now available.

Description:

   This update for the Linux Kernel 4.4.21-69 fixes several issues.

   The following security bugs were fixed:
   - CVE-2016-8655: A race condition in the af_packet packet_set_ring function could be used by local attackers to crash the kernel or gain privileges (bsc#1012759).
   - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel lacks chunk-length checking for the first chunk, which allowed remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data (bsc#1012183).
   - A stability issue in the btrfs module was fixed (bsc#1008284).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Live Patching 12:

      zypper in -t patch SUSE-SLE-Live-Patching-12-2016-1834=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Live Patching 12 (x86_64):

      kgraft-patch-4_4_21-69-default-2-5.1

References:

   https://www.suse.com/security/cve/CVE-2016-8655.html
   https://www.suse.com/security/cve/CVE-2016-9555.html
   https://bugzilla.suse.com/1008284
   https://bugzilla.suse.com/1012183
   https://bugzilla.suse.com/1012759

From sle-security-updates at lists.suse.com Fri Dec 16 06:09:13 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 16 Dec 2016 14:09:13 +0100 (CET)
Subject: SUSE-SU-2016:3172-1: moderate: Security update for xorg-x11-libXfixes
Message-ID: <20161216130913.E4D48FF0F@maintenance.suse.de>

   SUSE Security Update: Security update for xorg-x11-libXfixes
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3172-1
Rating:             moderate
References:         #1002995
Cross-References:   CVE-2016-7944
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for xorg-x11-libXfixes fixes the following issues:
   - insufficient validation of data from the X server can cause an integer overflow on 32 bit architectures (bsc#1002995, CVE-2016-7944)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-xorg-x11-libXfixes-12891=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-xorg-x11-libXfixes-12891=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-xorg-x11-libXfixes-12891=1

   To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): xorg-x11-libXfixes-devel-7.4-1.20.1 - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64): xorg-x11-libXfixes-devel-32bit-7.4-1.20.1 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): xorg-x11-libXfixes-7.4-1.20.1 - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64): xorg-x11-libXfixes-32bit-7.4-1.20.1 - SUSE Linux Enterprise Server 11-SP4 (ia64): xorg-x11-libXfixes-x86-7.4-1.20.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): xorg-x11-libXfixes-debuginfo-7.4-1.20.1 xorg-x11-libXfixes-debugsource-7.4-1.20.1 References: https://www.suse.com/security/cve/CVE-2016-7944.html https://bugzilla.suse.com/1002995 From sle-security-updates at lists.suse.com Fri Dec 16 08:07:42 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 16 Dec 2016 16:07:42 +0100 (CET) Subject: SUSE-SU-2016:3174-1: important: Security update for xen Message-ID: <20161216150742.9D012FF6E@maintenance.suse.de> SUSE Security Update: Security update for xen ______________________________________________________________________________ Announcement ID: SUSE-SU-2016:3174-1 Rating: important References: #1000106 #1000893 #1003030 #1003032 #1004016 #1005004 #1005005 #1007157 #1007160 #1009100 #1009103 #1009104 #1009107 #1009109 #1009111 #1011652 Cross-References: CVE-2016-7777 CVE-2016-7908 CVE-2016-7909 CVE-2016-8576 CVE-2016-8667 CVE-2016-8669 CVE-2016-8909 CVE-2016-8910 CVE-2016-9379 CVE-2016-9380 CVE-2016-9381 CVE-2016-9382 CVE-2016-9383 CVE-2016-9385 CVE-2016-9386 CVE-2016-9637 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes 16 vulnerabilities is now available. 
Description:

   This update for xen fixes several issues.

   These security issues were fixed:

   - CVE-2016-9637: ioport array overflow allowing a malicious guest administrator to escalate their privilege to that of the host (bsc#1011652)
   - CVE-2016-9386: x86 null segments were not always treated as unusable, allowing an unprivileged guest user program to elevate its privilege to that of the guest operating system. Exploit of this vulnerability is easy on Intel and more complicated on AMD (bsc#1009100)
   - CVE-2016-9382: x86 task switch to VM86 mode was mis-handled, allowing an unprivileged guest process to escalate its privilege to that of the guest operating system on AMD hardware. On Intel hardware a malicious unprivileged guest process can crash the guest (bsc#1009103)
   - CVE-2016-9385: x86 segment base write emulation lacked canonical address checks, allowing a malicious guest administrator to crash the host (bsc#1009104)
   - CVE-2016-9383: The x86 64-bit bit test instruction emulation was broken, allowing a guest to modify arbitrary memory, leading to arbitrary code execution (bsc#1009107)
   - CVE-2016-9381: Improper processing of shared rings allowing guest administrators to take over the qemu process, elevating their privilege to that of the qemu process (bsc#1009109)
   - CVE-2016-9380: Delimiter injection vulnerabilities in pygrub allowed guest administrators to obtain the contents of sensitive host files or delete the files (bsc#1009111)
   - CVE-2016-9379: Delimiter injection vulnerabilities in pygrub allowed guest administrators to obtain the contents of sensitive host files or delete the files (bsc#1009111)
   - CVE-2016-7777: Xen did not properly honor CR0.TS and CR0.EM, which allowed local x86 HVM guest OS users to read or modify FPU, MMX, or XMM register state information belonging to arbitrary tasks on the guest by modifying an instruction while the hypervisor is preparing to emulate it (bsc#1000106)
   - CVE-2016-8910: The rtl8139_cplus_transmit function in hw/net/rtl8139.c allowed local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count (bsc#1007157)
   - CVE-2016-8909: The intel_hda_xfer function in hw/audio/intel-hda.c allowed local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via an entry with the same value for buffer length and pointer position (bsc#1007160)
   - CVE-2016-8667: The rc4030_write function in hw/dma/rc4030.c allowed local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via a large interval timer reload value (bsc#1005004)
   - CVE-2016-8669: The serial_update_parameters function in hw/char/serial.c allowed local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base (bsc#1005005)
   - CVE-2016-8576: The xhci_ring_fetch function in hw/usb/hcd-xhci.c allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit the number of link Transfer Request Blocks (TRB) to process (bsc#1004016)
   - CVE-2016-7908: The mcf_fec_do_tx function in hw/net/mcf_fec.c did not properly limit the buffer descriptor count when transmitting packets, which allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags (bsc#1003030)
   - CVE-2016-7909: The pcnet_rdra_addr function in hw/net/pcnet.c allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0 (bsc#1003032)

   This non-security issue was fixed:

   - bsc#1000893: virsh setmem did not allow setting the current guest memory to the max limit

   This update also delivers man-pages-supplement since some of the man-pages in there are now contained in the xen package itself.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-xen-12892=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-xen-12892=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-xen-12892=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 x86_64):

      xen-devel-4.4.4_10-43.5

   - SUSE Linux Enterprise Server 11-SP4 (i586 x86_64):

      xen-kmp-default-4.4.4_10_3.0.101_88-43.5
      xen-libs-4.4.4_10-43.5
      xen-tools-domU-4.4.4_10-43.5

   - SUSE Linux Enterprise Server 11-SP4 (x86_64):

      xen-4.4.4_10-43.5
      xen-doc-html-4.4.4_10-43.5
      xen-libs-32bit-4.4.4_10-43.5
      xen-tools-4.4.4_10-43.5

   - SUSE Linux Enterprise Server 11-SP4 (i586):

      xen-kmp-pae-4.4.4_10_3.0.101_88-43.5

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 x86_64):

      xen-debuginfo-4.4.4_10-43.5
      xen-debugsource-4.4.4_10-43.5

References:

   https://www.suse.com/security/cve/CVE-2016-7777.html
   https://www.suse.com/security/cve/CVE-2016-7908.html
   https://www.suse.com/security/cve/CVE-2016-7909.html
   https://www.suse.com/security/cve/CVE-2016-8576.html
   https://www.suse.com/security/cve/CVE-2016-8667.html
   https://www.suse.com/security/cve/CVE-2016-8669.html
   https://www.suse.com/security/cve/CVE-2016-8909.html
   https://www.suse.com/security/cve/CVE-2016-8910.html
   https://www.suse.com/security/cve/CVE-2016-9379.html
   https://www.suse.com/security/cve/CVE-2016-9380.html
   https://www.suse.com/security/cve/CVE-2016-9381.html
   https://www.suse.com/security/cve/CVE-2016-9382.html
   https://www.suse.com/security/cve/CVE-2016-9383.html
   https://www.suse.com/security/cve/CVE-2016-9385.html
   https://www.suse.com/security/cve/CVE-2016-9386.html
   https://www.suse.com/security/cve/CVE-2016-9637.html
   https://bugzilla.suse.com/1000106
   https://bugzilla.suse.com/1000893
   https://bugzilla.suse.com/1003030
   https://bugzilla.suse.com/1003032
   https://bugzilla.suse.com/1004016
   https://bugzilla.suse.com/1005004
   https://bugzilla.suse.com/1005005
   https://bugzilla.suse.com/1007157
   https://bugzilla.suse.com/1007160
   https://bugzilla.suse.com/1009100
   https://bugzilla.suse.com/1009103
   https://bugzilla.suse.com/1009104
   https://bugzilla.suse.com/1009107
   https://bugzilla.suse.com/1009109
   https://bugzilla.suse.com/1009111
   https://bugzilla.suse.com/1011652


From sle-security-updates at lists.suse.com  Fri Dec 16 11:08:28 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 16 Dec 2016 19:08:28 +0100 (CET)
Subject: SUSE-SU-2016:3183-1: important: Security update for Linux Kernel Live Patch 7 for SLE 12 SP1
Message-ID: <20161216180828.D7038FF0F@maintenance.suse.de>

SUSE Security Update: Security update for Linux Kernel Live Patch 7 for SLE 12 SP1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3183-1
Rating:             important
References:         #1012183 #1012759
Cross-References:   CVE-2016-8655 CVE-2016-9555
Affected Products:
                    SUSE Linux Enterprise Live Patching 12
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for the Linux Kernel 3.12.62-60_62 fixes several issues.

   The following security bugs were fixed:

   - CVE-2016-8655: A race condition in the af_packet packet_set_ring function could be used by local attackers to crash the kernel or gain privileges (bsc#1012759).
   - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel lacks chunk-length checking for the first chunk, which allowed remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data (bsc#1012183).
Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Live Patching 12:

      zypper in -t patch SUSE-SLE-Live-Patching-12-2016-1842=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Live Patching 12 (x86_64):

      kgraft-patch-3_12_62-60_62-default-4-2.1
      kgraft-patch-3_12_62-60_62-xen-4-2.1

References:

   https://www.suse.com/security/cve/CVE-2016-8655.html
   https://www.suse.com/security/cve/CVE-2016-9555.html
   https://bugzilla.suse.com/1012183
   https://bugzilla.suse.com/1012759


From sle-security-updates at lists.suse.com  Fri Dec 16 12:10:18 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 16 Dec 2016 20:10:18 +0100 (CET)
Subject: SUSE-SU-2016:3188-1: important: Security update for the Linux Kernel
Message-ID: <20161216191018.F04E7FFAC@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3188-1
Rating:             important
References:         #1013533 #1013604
Cross-References:   CVE-2016-9576 CVE-2016-9794
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP1
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Module for Public Cloud 12
                    SUSE Linux Enterprise Live Patching 12
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   The SUSE Linux Enterprise 12 SP 2 kernel was updated to fix two security issues.

   The following security bugs were fixed:

   - CVE-2016-9576: A use-after-free vulnerability in the SCSI generic driver allows users with write access to /dev/sg* or /dev/bsg* to elevate their privileges (bsc#1013604).
   - CVE-2016-9794: A use-after-free vulnerability in the ALSA pcm layer allowed local users to cause a denial of service, memory corruption or possibly even to elevate their privileges (bsc#1013533).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP1:

      zypper in -t patch SUSE-SLE-WE-12-SP1-2016-1845=1

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1845=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1845=1

   - SUSE Linux Enterprise Module for Public Cloud 12:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2016-1845=1

   - SUSE Linux Enterprise Live Patching 12:

      zypper in -t patch SUSE-SLE-Live-Patching-12-2016-1845=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1845=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP1 (x86_64):

      kernel-default-debuginfo-3.12.67-60.64.24.1
      kernel-default-debugsource-3.12.67-60.64.24.1
      kernel-default-extra-3.12.67-60.64.24.1
      kernel-default-extra-debuginfo-3.12.67-60.64.24.1

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      kernel-obs-build-3.12.67-60.64.24.1
      kernel-obs-build-debugsource-3.12.67-60.64.24.1

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (noarch):

      kernel-docs-3.12.67-60.64.24.3

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      kernel-default-3.12.67-60.64.24.1
      kernel-default-base-3.12.67-60.64.24.1
      kernel-default-base-debuginfo-3.12.67-60.64.24.1
      kernel-default-debuginfo-3.12.67-60.64.24.1
      kernel-default-debugsource-3.12.67-60.64.24.1
      kernel-default-devel-3.12.67-60.64.24.1
      kernel-syms-3.12.67-60.64.24.1

   - SUSE Linux Enterprise Server 12-SP1 (x86_64):

      kernel-xen-3.12.67-60.64.24.1
      kernel-xen-base-3.12.67-60.64.24.1
      kernel-xen-base-debuginfo-3.12.67-60.64.24.1
      kernel-xen-debuginfo-3.12.67-60.64.24.1
      kernel-xen-debugsource-3.12.67-60.64.24.1
      kernel-xen-devel-3.12.67-60.64.24.1

   - SUSE Linux Enterprise Server 12-SP1 (noarch):

      kernel-devel-3.12.67-60.64.24.1
      kernel-macros-3.12.67-60.64.24.1
      kernel-source-3.12.67-60.64.24.1

   - SUSE Linux Enterprise Server 12-SP1 (s390x):

      kernel-default-man-3.12.67-60.64.24.1

   - SUSE Linux Enterprise Module for Public Cloud 12 (x86_64):

      kernel-ec2-3.12.67-60.64.24.1
      kernel-ec2-debuginfo-3.12.67-60.64.24.1
      kernel-ec2-debugsource-3.12.67-60.64.24.1
      kernel-ec2-devel-3.12.67-60.64.24.1
      kernel-ec2-extra-3.12.67-60.64.24.1
      kernel-ec2-extra-debuginfo-3.12.67-60.64.24.1

   - SUSE Linux Enterprise Live Patching 12 (x86_64):

      kgraft-patch-3_12_67-60_64_24-default-1-2.1
      kgraft-patch-3_12_67-60_64_24-xen-1-2.1

   - SUSE Linux Enterprise Desktop 12-SP1 (noarch):

      kernel-devel-3.12.67-60.64.24.1
      kernel-macros-3.12.67-60.64.24.1
      kernel-source-3.12.67-60.64.24.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      kernel-default-3.12.67-60.64.24.1
      kernel-default-debuginfo-3.12.67-60.64.24.1
      kernel-default-debugsource-3.12.67-60.64.24.1
      kernel-default-devel-3.12.67-60.64.24.1
      kernel-default-extra-3.12.67-60.64.24.1
      kernel-default-extra-debuginfo-3.12.67-60.64.24.1
      kernel-syms-3.12.67-60.64.24.1
      kernel-xen-3.12.67-60.64.24.1
      kernel-xen-debuginfo-3.12.67-60.64.24.1
      kernel-xen-debugsource-3.12.67-60.64.24.1
      kernel-xen-devel-3.12.67-60.64.24.1

References:

   https://www.suse.com/security/cve/CVE-2016-9576.html
   https://www.suse.com/security/cve/CVE-2016-9794.html
   https://bugzilla.suse.com/1013533
   https://bugzilla.suse.com/1013604


From sle-security-updates at lists.suse.com  Fri Dec 16 14:07:13 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 16 Dec 2016 22:07:13 +0100 (CET)
Subject: SUSE-SU-2016:3189-1: moderate: Security update for xorg-x11-libs
Message-ID: <20161216210713.D14E0FFAC@maintenance.suse.de>

SUSE Security Update: Security update for xorg-x11-libs
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3189-1
Rating:             moderate
References:         #1002998 #1003000 #1003012 #1003023
Cross-References:   CVE-2016-7945 CVE-2016-7946 CVE-2016-7947 CVE-2016-7948
                    CVE-2016-7951 CVE-2016-7952 CVE-2016-7953
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes 7 vulnerabilities is now available.
Description:

   This update for xorg-x11-libs fixes the following issues:

   - insufficient validation of data from the X server can cause a one byte buffer read underrun (bsc#1003023, CVE-2016-7953)
   - insufficient validation of data from the X server can cause out of boundary memory access or endless loops (Denial of Service) (bsc#1003012, CVE-2016-7951, CVE-2016-7952)
   - insufficient validation of data from the X server can cause out of boundary memory writes (bsc#1003000, CVE-2016-7947, CVE-2016-7948)
   - insufficient validation of data from the X server can cause out of boundary memory access or endless loops (Denial of Service) (bsc#1002998, CVE-2016-7945, CVE-2016-7946)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-xorg-x11-libs-12894=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-xorg-x11-libs-12894=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-xorg-x11-libs-12894=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      xorg-x11-devel-7.4-8.26.49.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64):

      xorg-x11-devel-32bit-7.4-8.26.49.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      xorg-x11-libs-7.4-8.26.49.1

   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):

      xorg-x11-libs-32bit-7.4-8.26.49.1

   - SUSE Linux Enterprise Server 11-SP4 (ia64):

      xorg-x11-libs-x86-7.4-8.26.49.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      xorg-x11-libs-debuginfo-7.4-8.26.49.1
      xorg-x11-libs-debugsource-7.4-8.26.49.1

References:

   https://www.suse.com/security/cve/CVE-2016-7945.html
   https://www.suse.com/security/cve/CVE-2016-7946.html
   https://www.suse.com/security/cve/CVE-2016-7947.html
   https://www.suse.com/security/cve/CVE-2016-7948.html
   https://www.suse.com/security/cve/CVE-2016-7951.html
   https://www.suse.com/security/cve/CVE-2016-7952.html
   https://www.suse.com/security/cve/CVE-2016-7953.html
   https://bugzilla.suse.com/1002998
   https://bugzilla.suse.com/1003000
   https://bugzilla.suse.com/1003012
   https://bugzilla.suse.com/1003023


From sle-security-updates at lists.suse.com  Mon Dec 19 13:07:22 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 19 Dec 2016 21:07:22 +0100 (CET)
Subject: SUSE-SU-2016:3193-1: moderate: Security update for ntp
Message-ID: <20161219200722.0D3BDFF91@maintenance.suse.de>

SUSE Security Update: Security update for ntp
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3193-1
Rating:             moderate
References:         #1009434 #1011377 #1011390 #1011395 #1011398 #1011404
                    #1011406 #1011411 #1011417 #943216 #956365 #981252
                    #988028 #992038 #992606
Cross-References:   CVE-2015-5219 CVE-2015-8139 CVE-2015-8140 CVE-2016-7426
                    CVE-2016-7427 CVE-2016-7428 CVE-2016-7429 CVE-2016-7431
                    CVE-2016-7433 CVE-2016-7434 CVE-2016-9310 CVE-2016-9311
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that solves 12 vulnerabilities and has three fixes is now available.

Description:

   This update for ntp fixes the following issues:

   - Simplify ntpd's search for its own executable to prevent AppArmor warnings (bsc#956365).

   Security issues fixed (update to 4.2.8p9):

   - CVE-2016-9311, CVE-2016-9310, bsc#1011377: Mode 6 unauthenticated trap information disclosure and DDoS vector.
   - CVE-2016-7427, bsc#1011390: Broadcast Mode Replay Prevention DoS.
   - CVE-2016-7428, bsc#1011417: Broadcast Mode Poll Interval Enforcement DoS.
   - CVE-2016-7431, bsc#1011395: Regression: 010-origin: Zero Origin Timestamp Bypass.
   - CVE-2016-7434, bsc#1011398: Null pointer dereference in _IO_str_init_static_internal().
   - CVE-2016-7429, bsc#1011404: Interface selection attack.
   - CVE-2016-7426, bsc#1011406: Client rate limiting and server responses.
   - CVE-2016-7433, bsc#1011411: Reboot sync calculation problem.
   - CVE-2015-5219: An endless loop due to incorrect precision to double conversion (bsc#943216).
   - CVE-2015-8140: ntpq vulnerable to replay attacks.
   - CVE-2015-8139: Origin Leak: ntpq and ntpdc disclose origin.

   Non-security issues fixed:

   - Fix a spurious error message.
   - Other bugfixes, see /usr/share/doc/packages/ntp/ChangeLog.
   - Fix a regression in "trap" (bsc#981252).
   - Reduce the number of netlink groups to listen on for changes to the local network setup (bsc#992606).
   - Fix segfault in "sntp -a" (bsc#1009434).
   - Silence an OpenSSL version warning (bsc#992038).
   - Make the resolver task change user and group IDs to the same values as the main task (bsc#988028).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-ntp-12895=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-ntp-12895=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      ntp-4.2.8p9-57.2
      ntp-doc-4.2.8p9-57.2

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      ntp-debuginfo-4.2.8p9-57.2
      ntp-debugsource-4.2.8p9-57.2

References:

   https://www.suse.com/security/cve/CVE-2015-5219.html
   https://www.suse.com/security/cve/CVE-2015-8139.html
   https://www.suse.com/security/cve/CVE-2015-8140.html
   https://www.suse.com/security/cve/CVE-2016-7426.html
   https://www.suse.com/security/cve/CVE-2016-7427.html
   https://www.suse.com/security/cve/CVE-2016-7428.html
   https://www.suse.com/security/cve/CVE-2016-7429.html
   https://www.suse.com/security/cve/CVE-2016-7431.html
   https://www.suse.com/security/cve/CVE-2016-7433.html
   https://www.suse.com/security/cve/CVE-2016-7434.html
   https://www.suse.com/security/cve/CVE-2016-9310.html
   https://www.suse.com/security/cve/CVE-2016-9311.html
   https://bugzilla.suse.com/1009434
   https://bugzilla.suse.com/1011377
   https://bugzilla.suse.com/1011390
   https://bugzilla.suse.com/1011395
   https://bugzilla.suse.com/1011398
   https://bugzilla.suse.com/1011404
   https://bugzilla.suse.com/1011406
   https://bugzilla.suse.com/1011411
   https://bugzilla.suse.com/1011417
   https://bugzilla.suse.com/943216
   https://bugzilla.suse.com/956365
   https://bugzilla.suse.com/981252
   https://bugzilla.suse.com/988028
   https://bugzilla.suse.com/992038
   https://bugzilla.suse.com/992606


From sle-security-updates at lists.suse.com  Mon Dec 19 13:10:34 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 19 Dec 2016 21:10:34 +0100 (CET)
Subject: SUSE-SU-2016:3195-1: moderate: Security update for ntp
Message-ID: <20161219201034.A8126FF6E@maintenance.suse.de>
SUSE Security Update: Security update for ntp
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3195-1
Rating:             moderate
References:         #1009434 #1011377 #1011390 #1011395 #1011398 #1011404
                    #1011406 #1011411 #1011417 #943216 #956365 #981252
                    #988028 #992038 #992606
Cross-References:   CVE-2015-5219 CVE-2016-7426 CVE-2016-7427 CVE-2016-7428
                    CVE-2016-7429 CVE-2016-7431 CVE-2016-7433 CVE-2016-7434
                    CVE-2016-9310 CVE-2016-9311
Affected Products:
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that solves 10 vulnerabilities and has 5 fixes is now available.

Description:

   This update for ntp fixes the following issues:

   ntp was updated to 4.2.8p9.

   Security issues fixed:

   - CVE-2016-9311, CVE-2016-9310, bsc#1011377: Mode 6 unauthenticated trap information disclosure and DDoS vector.
   - CVE-2016-7427, bsc#1011390: Broadcast Mode Replay Prevention DoS.
   - CVE-2016-7428, bsc#1011417: Broadcast Mode Poll Interval Enforcement DoS.
   - CVE-2016-7431, bsc#1011395: Regression: 010-origin: Zero Origin Timestamp Bypass.
   - CVE-2016-7434, bsc#1011398: Null pointer dereference in _IO_str_init_static_internal().
   - CVE-2016-7429, bsc#1011404: Interface selection attack.
   - CVE-2016-7426, bsc#1011406: Client rate limiting and server responses.
   - CVE-2016-7433, bsc#1011411: Reboot sync calculation problem.
   - CVE-2015-5219: An endless loop due to incorrect precision to double conversion (bsc#943216).

   Non-security issues fixed:

   - Fix a spurious error message.
   - Other bugfixes, see /usr/share/doc/packages/ntp/ChangeLog.
   - Fix a regression in "trap" (bsc#981252).
   - Reduce the number of netlink groups to listen on for changes to the local network setup (bsc#992606).
   - Fix segfault in "sntp -a" (bsc#1009434).
   - Silence an OpenSSL version warning (bsc#992038).
   - Make the resolver task change user and group IDs to the same values as the main task (bsc#988028).
   - Simplify ntpd's search for its own executable to prevent AppArmor warnings (bsc#956365).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1853=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1853=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1853=1

   - SUSE Linux Enterprise Desktop 12-SP2:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1853=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1853=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

      ntp-4.2.8p9-55.1
      ntp-debuginfo-4.2.8p9-55.1
      ntp-debugsource-4.2.8p9-55.1
      ntp-doc-4.2.8p9-55.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):

      ntp-4.2.8p9-55.1
      ntp-debuginfo-4.2.8p9-55.1
      ntp-debugsource-4.2.8p9-55.1
      ntp-doc-4.2.8p9-55.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      ntp-4.2.8p9-55.1
      ntp-debuginfo-4.2.8p9-55.1
      ntp-debugsource-4.2.8p9-55.1
      ntp-doc-4.2.8p9-55.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

      ntp-4.2.8p9-55.1
      ntp-debuginfo-4.2.8p9-55.1
      ntp-debugsource-4.2.8p9-55.1
      ntp-doc-4.2.8p9-55.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      ntp-4.2.8p9-55.1
      ntp-debuginfo-4.2.8p9-55.1
      ntp-debugsource-4.2.8p9-55.1
      ntp-doc-4.2.8p9-55.1

References:

   https://www.suse.com/security/cve/CVE-2015-5219.html
   https://www.suse.com/security/cve/CVE-2016-7426.html
   https://www.suse.com/security/cve/CVE-2016-7427.html
   https://www.suse.com/security/cve/CVE-2016-7428.html
   https://www.suse.com/security/cve/CVE-2016-7429.html
   https://www.suse.com/security/cve/CVE-2016-7431.html
   https://www.suse.com/security/cve/CVE-2016-7433.html
   https://www.suse.com/security/cve/CVE-2016-7434.html
   https://www.suse.com/security/cve/CVE-2016-9310.html
   https://www.suse.com/security/cve/CVE-2016-9311.html
   https://bugzilla.suse.com/1009434
   https://bugzilla.suse.com/1011377
   https://bugzilla.suse.com/1011390
   https://bugzilla.suse.com/1011395
   https://bugzilla.suse.com/1011398
   https://bugzilla.suse.com/1011404
   https://bugzilla.suse.com/1011406
   https://bugzilla.suse.com/1011411
   https://bugzilla.suse.com/1011417
   https://bugzilla.suse.com/943216
   https://bugzilla.suse.com/956365
   https://bugzilla.suse.com/981252
   https://bugzilla.suse.com/988028
   https://bugzilla.suse.com/992038
   https://bugzilla.suse.com/992606


From sle-security-updates at lists.suse.com  Mon Dec 19 13:13:10 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 19 Dec 2016 21:13:10 +0100 (CET)
Subject: SUSE-SU-2016:3196-1: moderate: Security update for ntp
Message-ID: <20161219201310.EED11FF91@maintenance.suse.de>

SUSE Security Update: Security update for ntp
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3196-1
Rating:             moderate
References:         #1009434 #1011377 #1011390 #1011395 #1011398 #1011404
                    #1011406 #1011411 #1011417 #943216 #956365 #981252
                    #988028 #992038 #992606
Cross-References:   CVE-2015-5219 CVE-2016-7426 CVE-2016-7427 CVE-2016-7428
                    CVE-2016-7429 CVE-2016-7431 CVE-2016-7433 CVE-2016-7434
                    CVE-2016-9310 CVE-2016-9311
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12
                    SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

   An update that solves 10 vulnerabilities and has 5 fixes is now available.

Description:

   This update for ntp fixes the following issues:

   ntp was updated to 4.2.8p9.
   Security issues fixed:

   - CVE-2016-9311, CVE-2016-9310, bsc#1011377: Mode 6 unauthenticated trap information disclosure and DDoS vector.
   - CVE-2016-7427, bsc#1011390: Broadcast Mode Replay Prevention DoS.
   - CVE-2016-7428, bsc#1011417: Broadcast Mode Poll Interval Enforcement DoS.
   - CVE-2016-7431, bsc#1011395: Regression: 010-origin: Zero Origin Timestamp Bypass.
   - CVE-2016-7434, bsc#1011398: Null pointer dereference in _IO_str_init_static_internal().
   - CVE-2016-7429, bsc#1011404: Interface selection attack.
   - CVE-2016-7426, bsc#1011406: Client rate limiting and server responses.
   - CVE-2016-7433, bsc#1011411: Reboot sync calculation problem.
   - CVE-2015-5219: An endless loop due to incorrect precision to double conversion (bsc#943216).

   Non-security issues fixed:

   - Fix a spurious error message.
   - Other bugfixes, see /usr/share/doc/packages/ntp/ChangeLog.
   - Fix a regression in "trap" (bsc#981252).
   - Reduce the number of netlink groups to listen on for changes to the local network setup (bsc#992606).
   - Fix segfault in "sntp -a" (bsc#1009434).
   - Silence an OpenSSL version warning (bsc#992038).
   - Make the resolver task change user and group IDs to the same values as the main task (bsc#988028).
   - Simplify ntpd's search for its own executable to prevent AppArmor warnings (bsc#956365).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12:

      zypper in -t patch SUSE-SLE-SAP-12-2016-1852=1

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-1852=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server for SAP 12 (x86_64):

      ntp-4.2.8p9-46.18.1
      ntp-debuginfo-4.2.8p9-46.18.1
      ntp-debugsource-4.2.8p9-46.18.1
      ntp-doc-4.2.8p9-46.18.1

   - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

      ntp-4.2.8p9-46.18.1
      ntp-debuginfo-4.2.8p9-46.18.1
      ntp-debugsource-4.2.8p9-46.18.1
      ntp-doc-4.2.8p9-46.18.1

References:

   https://www.suse.com/security/cve/CVE-2015-5219.html
   https://www.suse.com/security/cve/CVE-2016-7426.html
   https://www.suse.com/security/cve/CVE-2016-7427.html
   https://www.suse.com/security/cve/CVE-2016-7428.html
   https://www.suse.com/security/cve/CVE-2016-7429.html
   https://www.suse.com/security/cve/CVE-2016-7431.html
   https://www.suse.com/security/cve/CVE-2016-7433.html
   https://www.suse.com/security/cve/CVE-2016-7434.html
   https://www.suse.com/security/cve/CVE-2016-9310.html
   https://www.suse.com/security/cve/CVE-2016-9311.html
   https://bugzilla.suse.com/1009434
   https://bugzilla.suse.com/1011377
   https://bugzilla.suse.com/1011390
   https://bugzilla.suse.com/1011395
   https://bugzilla.suse.com/1011398
   https://bugzilla.suse.com/1011404
   https://bugzilla.suse.com/1011406
   https://bugzilla.suse.com/1011411
   https://bugzilla.suse.com/1011417
   https://bugzilla.suse.com/943216
   https://bugzilla.suse.com/956365
   https://bugzilla.suse.com/981252
   https://bugzilla.suse.com/988028
   https://bugzilla.suse.com/992038
   https://bugzilla.suse.com/992606


From sle-security-updates at lists.suse.com  Tue Dec 20 08:07:35 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 20 Dec 2016 16:07:35 +0100 (CET)
Subject: SUSE-SU-2016:3197-1: important: Security update for Linux Kernel Live Patch 15 for SLE 12
Message-ID: <20161220150735.8EA46FF91@maintenance.suse.de>

SUSE Security Update: Security update for Linux Kernel Live Patch 15 for SLE 12
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3197-1
Rating:             important
References:         #1012183 #1012759
Cross-References:   CVE-2016-8655 CVE-2016-9555
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12
                    SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for the Linux Kernel 3.12.60-52_54 fixes several issues.

   The following security bugs were fixed:

   - CVE-2016-8655: A race condition in the af_packet packet_set_ring function could be used by local attackers to crash the kernel or gain privileges (bsc#1012759).
   - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel lacks chunk-length checking for the first chunk, which allowed remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data (bsc#1012183).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12:

      zypper in -t patch SUSE-SLE-SAP-12-2016-1855=1

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-1855=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server for SAP 12 (x86_64):

      kgraft-patch-3_12_60-52_54-default-4-2.1
      kgraft-patch-3_12_60-52_54-xen-4-2.1

   - SUSE Linux Enterprise Server 12-LTSS (x86_64):

      kgraft-patch-3_12_60-52_54-default-4-2.1
      kgraft-patch-3_12_60-52_54-xen-4-2.1

References:

   https://www.suse.com/security/cve/CVE-2016-8655.html
   https://www.suse.com/security/cve/CVE-2016-9555.html
   https://bugzilla.suse.com/1012183
   https://bugzilla.suse.com/1012759

From sle-security-updates at lists.suse.com  Tue Dec 20 09:07:47 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 20 Dec 2016 17:07:47 +0100 (CET)
Subject: SUSE-SU-2016:3199-1: important: Security update for dnsmasq
Message-ID: <20161220160747.1C0EFFF6E@maintenance.suse.de>

SUSE Security Update: Security update for dnsmasq
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3199-1
Rating:             important
References:         #983273
Cross-References:   CVE-2015-8899
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for dnsmasq fixes the following issues:

   - CVE-2015-8899: Denial of service between local and remote DNS entries
     (bsc#983273)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-dnsmasq-12899=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-dnsmasq-12899=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      dnsmasq-2.71-0.16.3

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      dnsmasq-debuginfo-2.71-0.16.3
      dnsmasq-debugsource-2.71-0.16.3

References:

   https://www.suse.com/security/cve/CVE-2015-8899.html
   https://bugzilla.suse.com/983273

From sle-security-updates at lists.suse.com  Tue Dec 20 14:07:09 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 20 Dec 2016 22:07:09 +0100 (CET)
Subject: SUSE-SU-2016:3203-1: important: Security update for the Linux Kernel
Message-ID: <20161220210709.C58AAFF73@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3203-1
Rating:             important
References:         #1013533 #1013604
Cross-References:   CVE-2016-9576 CVE-2016-9794
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Server 11-EXTRA
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   The SUSE Linux Enterprise 11 SP4 kernel was updated to fix two security
   issues.

   The following security bugs were fixed:

   - CVE-2016-9576: A use-after-free vulnerability in the SCSI generic driver
     allows users with write access to /dev/sg* or /dev/bsg* to elevate their
     privileges (bsc#1013604).

   - CVE-2016-9794: A use-after-free vulnerability in the ALSA pcm layer
     allowed local users to cause a denial of service, memory corruption or
     possibly even to elevate their privileges (bsc#1013533).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-linux-kernel-12901=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-linux-kernel-12901=1

   - SUSE Linux Enterprise Server 11-EXTRA:

      zypper in -t patch slexsp3-linux-kernel-12901=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-linux-kernel-12901=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (noarch):

      kernel-docs-3.0.101-91.2

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      kernel-default-3.0.101-91.1
      kernel-default-base-3.0.101-91.1
      kernel-default-devel-3.0.101-91.1
      kernel-source-3.0.101-91.1
      kernel-syms-3.0.101-91.1
      kernel-trace-3.0.101-91.1
      kernel-trace-base-3.0.101-91.1
      kernel-trace-devel-3.0.101-91.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 x86_64):

      kernel-ec2-3.0.101-91.1
      kernel-ec2-base-3.0.101-91.1
      kernel-ec2-devel-3.0.101-91.1
      kernel-xen-3.0.101-91.1
      kernel-xen-base-3.0.101-91.1
      kernel-xen-devel-3.0.101-91.1

   - SUSE Linux Enterprise Server 11-SP4 (s390x):

      kernel-default-man-3.0.101-91.1

   - SUSE Linux Enterprise Server 11-SP4 (ppc64):

      kernel-bigmem-3.0.101-91.1
      kernel-bigmem-base-3.0.101-91.1
      kernel-bigmem-devel-3.0.101-91.1
      kernel-ppc64-3.0.101-91.1
      kernel-ppc64-base-3.0.101-91.1
      kernel-ppc64-devel-3.0.101-91.1

   - SUSE Linux Enterprise Server 11-SP4 (i586):

      kernel-pae-3.0.101-91.1
      kernel-pae-base-3.0.101-91.1
      kernel-pae-devel-3.0.101-91.1

   - SUSE Linux Enterprise Server 11-EXTRA (i586 ia64 ppc64 s390x x86_64):

      kernel-default-extra-3.0.101-91.1

   - SUSE Linux Enterprise Server 11-EXTRA (i586 x86_64):

      kernel-xen-extra-3.0.101-91.1

   - SUSE Linux Enterprise Server 11-EXTRA (x86_64):

      kernel-trace-extra-3.0.101-91.1

   - SUSE Linux Enterprise Server 11-EXTRA (ppc64):

      kernel-ppc64-extra-3.0.101-91.1

   - SUSE Linux Enterprise Server 11-EXTRA (i586):

      kernel-pae-extra-3.0.101-91.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      kernel-default-debuginfo-3.0.101-91.1
      kernel-default-debugsource-3.0.101-91.1
      kernel-trace-debuginfo-3.0.101-91.1
      kernel-trace-debugsource-3.0.101-91.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 s390x x86_64):

      kernel-default-devel-debuginfo-3.0.101-91.1
      kernel-trace-devel-debuginfo-3.0.101-91.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 x86_64):

      kernel-ec2-debuginfo-3.0.101-91.1
      kernel-ec2-debugsource-3.0.101-91.1
      kernel-xen-debuginfo-3.0.101-91.1
      kernel-xen-debugsource-3.0.101-91.1
      kernel-xen-devel-debuginfo-3.0.101-91.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64):

      kernel-bigmem-debuginfo-3.0.101-91.1
      kernel-bigmem-debugsource-3.0.101-91.1
      kernel-ppc64-debuginfo-3.0.101-91.1
      kernel-ppc64-debugsource-3.0.101-91.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586):

      kernel-pae-debuginfo-3.0.101-91.1
      kernel-pae-debugsource-3.0.101-91.1
      kernel-pae-devel-debuginfo-3.0.101-91.1

References:

   https://www.suse.com/security/cve/CVE-2016-9576.html
   https://www.suse.com/security/cve/CVE-2016-9794.html
   https://bugzilla.suse.com/1013533
   https://bugzilla.suse.com/1013604

From sle-security-updates at lists.suse.com  Wed Dec 21 09:07:25 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 21 Dec 2016 17:07:25 +0100 (CET)
Subject: SUSE-SU-2016:3205-1: important: Security update for Linux Kernel Live Patch 9 for SLE 12 SP1
Message-ID: <20161221160725.25477F7BF@maintenance.suse.de>

SUSE Security Update: Security update for Linux Kernel Live Patch 9 for SLE 12 SP1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3205-1
Rating:             important
References:         #1012183 #1012759
Cross-References:   CVE-2016-8655 CVE-2016-9555
Affected Products:
                    SUSE Linux Enterprise Live Patching 12
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.
Description:

   This update for the Linux Kernel 3.12.67-60_64_18 fixes several issues.

   The following security bugs were fixed:

   - CVE-2016-8655: A race condition in the af_packet packet_set_ring function
     could be used by local attackers to crash the kernel or gain privileges
     (bsc#1012759).

   - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the
     Linux kernel lacks chunk-length checking for the first chunk, which allowed
     remote attackers to cause a denial of service (out-of-bounds slab access)
     or possibly have unspecified other impact via crafted SCTP data
     (bsc#1012183).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Live Patching 12:

      zypper in -t patch SUSE-SLE-Live-Patching-12-2016-1865=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Live Patching 12 (x86_64):

      kgraft-patch-3_12_67-60_64_18-default-2-2.1
      kgraft-patch-3_12_67-60_64_18-xen-2-2.1

References:

   https://www.suse.com/security/cve/CVE-2016-8655.html
   https://www.suse.com/security/cve/CVE-2016-9555.html
   https://bugzilla.suse.com/1012183
   https://bugzilla.suse.com/1012759

From sle-security-updates at lists.suse.com  Wed Dec 21 09:08:05 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 21 Dec 2016 17:08:05 +0100 (CET)
Subject: SUSE-SU-2016:3206-1: important: Security update for Linux Kernel Live Patch 1 for SLE 12 SP2
Message-ID: <20161221160805.1908AFF73@maintenance.suse.de>

SUSE Security Update: Security update for Linux Kernel Live Patch 1 for SLE 12 SP2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3206-1
Rating:             important
References:         #1012183 #1012759
Cross-References:   CVE-2016-8655 CVE-2016-9555
Affected Products:
                    SUSE Linux Enterprise Live Patching 12
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for the Linux Kernel 4.4.21-81 fixes several issues.

   The following security bugs were fixed:

   - CVE-2016-8655: A race condition in the af_packet packet_set_ring function
     could be used by local attackers to crash the kernel or gain privileges
     (bsc#1012759).

   - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the
     Linux kernel lacks chunk-length checking for the first chunk, which allowed
     remote attackers to cause a denial of service (out-of-bounds slab access)
     or possibly have unspecified other impact via crafted SCTP data
     (bsc#1012183).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Live Patching 12:

      zypper in -t patch SUSE-SLE-Live-Patching-12-2016-1864=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Live Patching 12 (x86_64):

      kgraft-patch-4_4_21-81-default-2-2.1

References:

   https://www.suse.com/security/cve/CVE-2016-8655.html
   https://www.suse.com/security/cve/CVE-2016-9555.html
   https://bugzilla.suse.com/1012183
   https://bugzilla.suse.com/1012759

From sle-security-updates at lists.suse.com  Wed Dec 21 11:08:17 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 21 Dec 2016 19:08:17 +0100 (CET)
Subject: SUSE-SU-2016:3207-1: important: Security update for xen
Message-ID: <20161221180817.2F590FF73@maintenance.suse.de>

SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3207-1
Rating:             important
References:         #1012651 #1014298 #1016340
Cross-References:   CVE-2016-10013 CVE-2016-10024 CVE-2016-9932
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for xen fixes the following issues:

   - Mishandling of SYSCALL singlestep during emulation, which could have led
     to privilege escalation. (XSA-204, bsc#1016340, CVE-2016-10013)

   - CMPXCHG8B emulation failed to ignore the operand size override, which
     could have led to information disclosure. (XSA-200, bsc#1012651,
     CVE-2016-9932)

   - PV guests may have been able to mask interrupts, causing a Denial of
     Service. (XSA-202, bsc#1014298, CVE-2016-10024)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1867=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1867=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1867=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (x86_64):

      xen-debugsource-4.5.5_04-22.6.1
      xen-devel-4.5.5_04-22.6.1

   - SUSE Linux Enterprise Server 12-SP1 (x86_64):

      xen-4.5.5_04-22.6.1
      xen-debugsource-4.5.5_04-22.6.1
      xen-doc-html-4.5.5_04-22.6.1
      xen-kmp-default-4.5.5_04_k3.12.67_60.64.24-22.6.1
      xen-kmp-default-debuginfo-4.5.5_04_k3.12.67_60.64.24-22.6.1
      xen-libs-32bit-4.5.5_04-22.6.1
      xen-libs-4.5.5_04-22.6.1
      xen-libs-debuginfo-32bit-4.5.5_04-22.6.1
      xen-libs-debuginfo-4.5.5_04-22.6.1
      xen-tools-4.5.5_04-22.6.1
      xen-tools-debuginfo-4.5.5_04-22.6.1
      xen-tools-domU-4.5.5_04-22.6.1
      xen-tools-domU-debuginfo-4.5.5_04-22.6.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      xen-4.5.5_04-22.6.1
      xen-debugsource-4.5.5_04-22.6.1
      xen-kmp-default-4.5.5_04_k3.12.67_60.64.24-22.6.1
      xen-kmp-default-debuginfo-4.5.5_04_k3.12.67_60.64.24-22.6.1
      xen-libs-32bit-4.5.5_04-22.6.1
      xen-libs-4.5.5_04-22.6.1
      xen-libs-debuginfo-32bit-4.5.5_04-22.6.1
      xen-libs-debuginfo-4.5.5_04-22.6.1

References:

   https://www.suse.com/security/cve/CVE-2016-10013.html
   https://www.suse.com/security/cve/CVE-2016-10024.html
   https://www.suse.com/security/cve/CVE-2016-9932.html
   https://bugzilla.suse.com/1012651
   https://bugzilla.suse.com/1014298
   https://bugzilla.suse.com/1016340

From sle-security-updates at lists.suse.com  Wed Dec 21 11:09:05 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 21 Dec 2016 19:09:05 +0100 (CET)
Subject: SUSE-SU-2016:3208-1: important: Security update for xen
Message-ID: <20161221180905.0328AFF73@maintenance.suse.de>
SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3208-1
Rating:             important
References:         #1012651 #1014298 #1014300 #1016340
Cross-References:   CVE-2016-10013 CVE-2016-10024 CVE-2016-10025 CVE-2016-9932
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP2
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update for xen fixes the following issues:

   - Mishandling of SYSCALL singlestep during emulation, which could have led
     to privilege escalation. (XSA-204, bsc#1016340, CVE-2016-10013)

   - CMPXCHG8B emulation failed to ignore the operand size override, which
     could have led to information disclosure. (XSA-200, bsc#1012651,
     CVE-2016-9932)

   - PV guests may have been able to mask interrupts, causing a Denial of
     Service. (XSA-202, bsc#1014298, CVE-2016-10024)

   - A missing NULL pointer check in VMFUNC emulation could lead to a
     hypervisor crash, resulting in a Denial of Service. (XSA-203, bsc#1014300,
     CVE-2016-10025)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP2:

      zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1866=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1866=1

   - SUSE Linux Enterprise Desktop 12-SP2:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1866=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 x86_64):

      xen-debugsource-4.7.1_04-28.1
      xen-devel-4.7.1_04-28.1

   - SUSE Linux Enterprise Server 12-SP2 (x86_64):

      xen-4.7.1_04-28.1
      xen-debugsource-4.7.1_04-28.1
      xen-doc-html-4.7.1_04-28.1
      xen-libs-32bit-4.7.1_04-28.1
      xen-libs-4.7.1_04-28.1
      xen-libs-debuginfo-32bit-4.7.1_04-28.1
      xen-libs-debuginfo-4.7.1_04-28.1
      xen-tools-4.7.1_04-28.1
      xen-tools-debuginfo-4.7.1_04-28.1
      xen-tools-domU-4.7.1_04-28.1
      xen-tools-domU-debuginfo-4.7.1_04-28.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

      xen-4.7.1_04-28.1
      xen-debugsource-4.7.1_04-28.1
      xen-libs-32bit-4.7.1_04-28.1
      xen-libs-4.7.1_04-28.1
      xen-libs-debuginfo-32bit-4.7.1_04-28.1
      xen-libs-debuginfo-4.7.1_04-28.1

References:

   https://www.suse.com/security/cve/CVE-2016-10013.html
   https://www.suse.com/security/cve/CVE-2016-10024.html
   https://www.suse.com/security/cve/CVE-2016-10025.html
   https://www.suse.com/security/cve/CVE-2016-9932.html
   https://bugzilla.suse.com/1012651
   https://bugzilla.suse.com/1014298
   https://bugzilla.suse.com/1014300
   https://bugzilla.suse.com/1016340

From sle-security-updates at lists.suse.com  Wed Dec 21 12:07:19 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 21 Dec 2016 20:07:19 +0100 (CET)
Subject: SUSE-SU-2016:3209-1: moderate: Security update for zlib
Message-ID: <20161221190719.5D3E7FF36@maintenance.suse.de>

SUSE Security Update: Security update for zlib
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3209-1
Rating:             moderate
References:         #1003577 #1003579 #1003580 #1013882
Cross-References:   CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update for zlib fixes the following issues:

   * Incompatible declarations for external linkage function deflate
     (bnc#1003577)
   * CVE-2016-9842: Undefined Left Shift of Negative Number (bnc#1003580)
   * CVE-2016-9840 CVE-2016-9841: Out-of-bounds pointer arithmetic in
     inftrees.c (bnc#1003579)
   * CVE-2016-9843: Big-endian out-of-bounds pointer

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-zlib-12902=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-zlib-12902=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-zlib-12902=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      zlib-devel-1.2.7-0.14.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64):

      zlib-devel-32bit-1.2.7-0.14.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      zlib-1.2.7-0.14.1

   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):

      zlib-32bit-1.2.7-0.14.1

   - SUSE Linux Enterprise Server 11-SP4 (ia64):

      zlib-x86-1.2.7-0.14.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      zlib-debuginfo-1.2.7-0.14.1
      zlib-debugsource-1.2.7-0.14.1

References:

   https://www.suse.com/security/cve/CVE-2016-9840.html
   https://www.suse.com/security/cve/CVE-2016-9841.html
   https://www.suse.com/security/cve/CVE-2016-9842.html
   https://www.suse.com/security/cve/CVE-2016-9843.html
   https://bugzilla.suse.com/1003577
   https://bugzilla.suse.com/1003579
   https://bugzilla.suse.com/1003580
   https://bugzilla.suse.com/1013882

From sle-security-updates at lists.suse.com  Wed Dec 21 12:08:22 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 21 Dec 2016 20:08:22 +0100 (CET)
Subject: SUSE-SU-2016:3210-1: important: Security update for MozillaFirefox
Message-ID: <20161221190822.91D93FF36@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3210-1
Rating:             important
References:         #1000751 #1015422
Cross-References:   CVE-2016-9893 CVE-2016-9895 CVE-2016-9897 CVE-2016-9898
                    CVE-2016-9899 CVE-2016-9900 CVE-2016-9901 CVE-2016-9902
                    CVE-2016-9904 CVE-2016-9905
Affected Products:
                    SUSE OpenStack Cloud 5
                    SUSE Manager Proxy 2.1
                    SUSE Manager 2.1
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Server 11-SP3-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that fixes 10 vulnerabilities is now available.

Description:

   MozillaFirefox 45 ESR was updated to 45.6 to fix the following issues:

   * MFSA 2016-95/CVE-2016-9897: Memory corruption in libGLES
   * MFSA 2016-95/CVE-2016-9901: Data from Pocket server improperly sanitized
     before execution
   * MFSA 2016-95/CVE-2016-9898: Use-after-free in Editor while manipulating
     DOM subtrees
   * MFSA 2016-95/CVE-2016-9899: Use-after-free while manipulating DOM events
     and audio elements
   * MFSA 2016-95/CVE-2016-9904: Cross-origin information leak in shared atoms
   * MFSA 2016-95/CVE-2016-9905: Crash in EnumerateSubDocuments
   * MFSA 2016-95/CVE-2016-9895: CSP bypass using marquee tag
   * MFSA 2016-95/CVE-2016-9900: Restricted external resources can be loaded
     by SVG images through data URLs
   * MFSA 2016-95/CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and
     Firefox ESR 45.6
   * MFSA 2016-95/CVE-2016-9902: Pocket extension does not validate the origin
     of events

   Please see https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/
   for more information.
   Also the following bug was fixed:

   - Fix fontconfig issue (bsc#1000751) on 32bit systems as well.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 5:

      zypper in -t patch sleclo50sp3-MozillaFirefox-12903=1

   - SUSE Manager Proxy 2.1:

      zypper in -t patch slemap21-MozillaFirefox-12903=1

   - SUSE Manager 2.1:

      zypper in -t patch sleman21-MozillaFirefox-12903=1

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-MozillaFirefox-12903=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-MozillaFirefox-12903=1

   - SUSE Linux Enterprise Server 11-SP3-LTSS:

      zypper in -t patch slessp3-MozillaFirefox-12903=1

   - SUSE Linux Enterprise Point of Sale 11-SP3:

      zypper in -t patch sleposp3-MozillaFirefox-12903=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-MozillaFirefox-12903=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-MozillaFirefox-12903=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE OpenStack Cloud 5 (x86_64):

      MozillaFirefox-45.6.0esr-62.1
      MozillaFirefox-translations-45.6.0esr-62.1

   - SUSE Manager Proxy 2.1 (x86_64):

      MozillaFirefox-45.6.0esr-62.1
      MozillaFirefox-translations-45.6.0esr-62.1

   - SUSE Manager 2.1 (s390x x86_64):

      MozillaFirefox-45.6.0esr-62.1
      MozillaFirefox-translations-45.6.0esr-62.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      MozillaFirefox-devel-45.6.0esr-62.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      MozillaFirefox-45.6.0esr-62.1
      MozillaFirefox-translations-45.6.0esr-62.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64):

      MozillaFirefox-45.6.0esr-62.1
      MozillaFirefox-translations-45.6.0esr-62.1

   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

      MozillaFirefox-45.6.0esr-62.1
      MozillaFirefox-translations-45.6.0esr-62.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      MozillaFirefox-debuginfo-45.6.0esr-62.1
      MozillaFirefox-debugsource-45.6.0esr-62.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):

      MozillaFirefox-debuginfo-45.6.0esr-62.1
      MozillaFirefox-debugsource-45.6.0esr-62.1

References:

   https://www.suse.com/security/cve/CVE-2016-9893.html
   https://www.suse.com/security/cve/CVE-2016-9895.html
   https://www.suse.com/security/cve/CVE-2016-9897.html
   https://www.suse.com/security/cve/CVE-2016-9898.html
   https://www.suse.com/security/cve/CVE-2016-9899.html
   https://www.suse.com/security/cve/CVE-2016-9900.html
   https://www.suse.com/security/cve/CVE-2016-9901.html
   https://www.suse.com/security/cve/CVE-2016-9902.html
   https://www.suse.com/security/cve/CVE-2016-9904.html
   https://www.suse.com/security/cve/CVE-2016-9905.html
   https://bugzilla.suse.com/1000751
   https://bugzilla.suse.com/1015422

From sle-security-updates at lists.suse.com  Wed Dec 21 12:09:04 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 21 Dec 2016 20:09:04 +0100 (CET)
Subject: SUSE-SU-2016:3211-1: moderate: Security update for gd
Message-ID: <20161221190904.31583FF36@maintenance.suse.de>

SUSE Security Update: Security update for gd
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3211-1
Rating:             moderate
References:         #1015187
Cross-References:   CVE-2016-9933
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP2
                    SUSE Linux Enterprise Workstation Extension 12-SP1
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for gd fixes the following issues:

   * CVE-2016-9933: possible stack overflow on malicious truecolor images
     [bsc#1015187]

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP2:

      zypper in -t patch SUSE-SLE-WE-12-SP2-2016-1868=1

   - SUSE Linux Enterprise Workstation Extension 12-SP1:

      zypper in -t patch SUSE-SLE-WE-12-SP1-2016-1868=1

   - SUSE Linux Enterprise Software Development Kit 12-SP2:

      zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1868=1

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1868=1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1868=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1868=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1868=1

   - SUSE Linux Enterprise Desktop 12-SP2:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1868=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1868=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP2 (x86_64):

      gd-32bit-2.1.0-20.1
      gd-debuginfo-32bit-2.1.0-20.1
      gd-debugsource-2.1.0-20.1

   - SUSE Linux Enterprise Workstation Extension 12-SP1 (x86_64):

      gd-32bit-2.1.0-20.1
      gd-debuginfo-32bit-2.1.0-20.1
      gd-debugsource-2.1.0-20.1

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):

      gd-debuginfo-2.1.0-20.1
      gd-debugsource-2.1.0-20.1
      gd-devel-2.1.0-20.1

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      gd-debuginfo-2.1.0-20.1
      gd-debugsource-2.1.0-20.1
      gd-devel-2.1.0-20.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

      gd-2.1.0-20.1
      gd-debuginfo-2.1.0-20.1
      gd-debugsource-2.1.0-20.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):

      gd-2.1.0-20.1
      gd-debuginfo-2.1.0-20.1
      gd-debugsource-2.1.0-20.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      gd-2.1.0-20.1
      gd-debuginfo-2.1.0-20.1
      gd-debugsource-2.1.0-20.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

      gd-2.1.0-20.1
      gd-32bit-2.1.0-20.1
      gd-debuginfo-2.1.0-20.1
      gd-debuginfo-32bit-2.1.0-20.1
      gd-debugsource-2.1.0-20.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      gd-2.1.0-20.1
      gd-32bit-2.1.0-20.1
      gd-debuginfo-2.1.0-20.1
      gd-debuginfo-32bit-2.1.0-20.1
      gd-debugsource-2.1.0-20.1

References:

   https://www.suse.com/security/cve/CVE-2016-9933.html
   https://bugzilla.suse.com/1015187

From sle-security-updates at lists.suse.com  Wed Dec 21 13:09:49 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 21 Dec 2016 21:09:49 +0100 (CET)
Subject: SUSE-SU-2016:3217-1: important: Security update for the Linux Kernel
Message-ID: <20161221200949.A48BCFF36@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3217-1
Rating:             important
References:         #1013533 #1013604
Cross-References:   CVE-2016-9576 CVE-2016-9794
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12
                    SUSE Linux Enterprise Server 12-LTSS
                    SUSE Linux Enterprise Module for Public Cloud 12
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   The SUSE Linux Enterprise 12 kernel was updated to receive two security
   fixes.

   The following security bugs were fixed:

   - CVE-2016-9576: A use-after-free vulnerability in the SCSI generic driver
     allows users with write access to /dev/sg* or /dev/bsg* to elevate their
     privileges (bsc#1013604).

   - CVE-2016-9794: A use-after-free vulnerability in the ALSA pcm layer
     allowed local users to cause a denial of service, memory corruption or
     possibly even to elevate their privileges (bsc#1013533).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12:

      zypper in -t patch SUSE-SLE-SAP-12-2016-1876=1

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-1876=1

   - SUSE Linux Enterprise Module for Public Cloud 12:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2016-1876=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server for SAP 12 (x86_64):

      kernel-default-3.12.60-52.63.1
      kernel-default-base-3.12.60-52.63.1
      kernel-default-base-debuginfo-3.12.60-52.63.1
      kernel-default-debuginfo-3.12.60-52.63.1
      kernel-default-debugsource-3.12.60-52.63.1
      kernel-default-devel-3.12.60-52.63.1
      kernel-syms-3.12.60-52.63.1
      kernel-xen-3.12.60-52.63.1
      kernel-xen-base-3.12.60-52.63.1
      kernel-xen-base-debuginfo-3.12.60-52.63.1
      kernel-xen-debuginfo-3.12.60-52.63.1
      kernel-xen-debugsource-3.12.60-52.63.1
      kernel-xen-devel-3.12.60-52.63.1
      kgraft-patch-3_12_60-52_63-default-1-2.1
      kgraft-patch-3_12_60-52_63-xen-1-2.1

   - SUSE Linux Enterprise Server for SAP 12 (noarch):

      kernel-devel-3.12.60-52.63.1
      kernel-macros-3.12.60-52.63.1
      kernel-source-3.12.60-52.63.1

   - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

      kernel-default-3.12.60-52.63.1
      kernel-default-base-3.12.60-52.63.1
      kernel-default-base-debuginfo-3.12.60-52.63.1
      kernel-default-debuginfo-3.12.60-52.63.1
      kernel-default-debugsource-3.12.60-52.63.1
      kernel-default-devel-3.12.60-52.63.1
      kernel-syms-3.12.60-52.63.1

   - SUSE Linux Enterprise Server 12-LTSS (noarch):

      kernel-devel-3.12.60-52.63.1
      kernel-macros-3.12.60-52.63.1
      kernel-source-3.12.60-52.63.1

   - SUSE Linux Enterprise Server 12-LTSS (x86_64):

      kernel-xen-3.12.60-52.63.1
      kernel-xen-base-3.12.60-52.63.1
      kernel-xen-base-debuginfo-3.12.60-52.63.1
      kernel-xen-debuginfo-3.12.60-52.63.1
      kernel-xen-debugsource-3.12.60-52.63.1
      kernel-xen-devel-3.12.60-52.63.1
      kgraft-patch-3_12_60-52_63-default-1-2.1
      kgraft-patch-3_12_60-52_63-xen-1-2.1

   - SUSE Linux Enterprise Server 12-LTSS (s390x):

      kernel-default-man-3.12.60-52.63.1

   - SUSE Linux Enterprise Module for Public Cloud 12 (x86_64):

      kernel-ec2-3.12.60-52.63.1
      kernel-ec2-debuginfo-3.12.60-52.63.1
      kernel-ec2-debugsource-3.12.60-52.63.1
      kernel-ec2-devel-3.12.60-52.63.1
      kernel-ec2-extra-3.12.60-52.63.1
      kernel-ec2-extra-debuginfo-3.12.60-52.63.1

References:

   https://www.suse.com/security/cve/CVE-2016-9576.html
   https://www.suse.com/security/cve/CVE-2016-9794.html
   https://bugzilla.suse.com/1013533
   https://bugzilla.suse.com/1013604

From sle-security-updates at lists.suse.com  Wed Dec 21 17:08:45 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 22 Dec 2016 01:08:45 +0100 (CET)
Subject: SUSE-SU-2016:3221-1: important: Security update for xen
Message-ID: <20161222000845.9ECC2FF36@maintenance.suse.de>

SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3221-1
Rating:             important
References:         #1012651 #1014298 #1016340
Cross-References:   CVE-2016-10013 CVE-2016-10024 CVE-2016-9932
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for xen fixes the following issues:

   - Mishandling of SYSCALL singlestep during emulation, which could have led
     to privilege escalation. (XSA-204, bsc#1016340, CVE-2016-10013)

   - CMPXCHG8B emulation failed to ignore the operand size override, which
     could have led to information disclosure. (XSA-200, bsc#1012651,
     CVE-2016-9932)

   - PV guests may have been able to mask interrupts, causing a Denial of
     Service. (XSA-202, bsc#1014298, CVE-2016-10024)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-xen-12905=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-xen-12905=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-xen-12905=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 x86_64):

      xen-devel-4.4.4_12-46.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 x86_64):

      xen-kmp-default-4.4.4_12_3.0.101_91-46.1
      xen-libs-4.4.4_12-46.1
      xen-tools-domU-4.4.4_12-46.1

   - SUSE Linux Enterprise Server 11-SP4 (x86_64):

      xen-4.4.4_12-46.1
      xen-doc-html-4.4.4_12-46.1
      xen-libs-32bit-4.4.4_12-46.1
      xen-tools-4.4.4_12-46.1

   - SUSE Linux Enterprise Server 11-SP4 (i586):

      xen-kmp-pae-4.4.4_12_3.0.101_91-46.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 x86_64):

      xen-debuginfo-4.4.4_12-46.1
      xen-debugsource-4.4.4_12-46.1

References:

   https://www.suse.com/security/cve/CVE-2016-10013.html
   https://www.suse.com/security/cve/CVE-2016-10024.html
   https://www.suse.com/security/cve/CVE-2016-9932.html
   https://bugzilla.suse.com/1012651
   https://bugzilla.suse.com/1014298
   https://bugzilla.suse.com/1016340

From sle-security-updates at lists.suse.com Wed Dec 21 18:08:15 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 22 Dec 2016 02:08:15 +0100 (CET)
Subject: SUSE-SU-2016:3222-1: important: Security update for MozillaFirefox
Message-ID: <20161222010815.53A41FF36@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3222-1
Rating:             important
References:         #1015422
Cross-References:   CVE-2016-9893 CVE-2016-9895 CVE-2016-9897 CVE-2016-9898
                    CVE-2016-9899 CVE-2016-9900 CVE-2016-9901 CVE-2016-9902
                    CVE-2016-9904 CVE-2016-9905
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server for SAP 12
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Server 12-LTSS
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes 10 vulnerabilities is now available.

Description:

   MozillaFirefox 45 ESR was updated to 45.6 to fix the following issues:

   * MFSA 2016-95/CVE-2016-9897: Memory corruption in libGLES
   * MFSA 2016-95/CVE-2016-9901: Data from Pocket server improperly sanitized
     before execution
   * MFSA 2016-95/CVE-2016-9898: Use-after-free in Editor while manipulating
     DOM subtrees
   * MFSA 2016-95/CVE-2016-9899: Use-after-free while manipulating DOM events
     and audio elements
   * MFSA 2016-95/CVE-2016-9904: Cross-origin information leak in shared atoms
   * MFSA 2016-95/CVE-2016-9905: Crash in EnumerateSubDocuments
   * MFSA 2016-95/CVE-2016-9895: CSP bypass using marquee tag
   * MFSA 2016-95/CVE-2016-9900: Restricted external resources can be loaded
     by SVG images through data URLs
   * MFSA 2016-95/CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and
     Firefox ESR 45.6
   * MFSA 2016-95/CVE-2016-9902: Pocket extension does not validate the origin
     of events

   Please see https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/
   for more information.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP2:

      zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1880=1

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1880=1

   - SUSE Linux Enterprise Server for SAP 12:

      zypper in -t patch SUSE-SLE-SAP-12-2016-1880=1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1880=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1880=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1880=1

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-1880=1

   - SUSE Linux Enterprise Desktop 12-SP2:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1880=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1880=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-debuginfo-45.6.0esr-96.1
      MozillaFirefox-debugsource-45.6.0esr-96.1
      MozillaFirefox-devel-45.6.0esr-96.1

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      MozillaFirefox-debuginfo-45.6.0esr-96.1
      MozillaFirefox-debugsource-45.6.0esr-96.1
      MozillaFirefox-devel-45.6.0esr-96.1

   - SUSE Linux Enterprise Server for SAP 12 (x86_64):

      MozillaFirefox-45.6.0esr-96.1
      MozillaFirefox-debuginfo-45.6.0esr-96.1
      MozillaFirefox-debugsource-45.6.0esr-96.1
      MozillaFirefox-translations-45.6.0esr-96.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

      MozillaFirefox-45.6.0esr-96.1
      MozillaFirefox-debuginfo-45.6.0esr-96.1
      MozillaFirefox-debugsource-45.6.0esr-96.1
      MozillaFirefox-translations-45.6.0esr-96.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):

      MozillaFirefox-45.6.0esr-96.1
      MozillaFirefox-debuginfo-45.6.0esr-96.1
      MozillaFirefox-debugsource-45.6.0esr-96.1
      MozillaFirefox-translations-45.6.0esr-96.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      MozillaFirefox-45.6.0esr-96.1
      MozillaFirefox-debuginfo-45.6.0esr-96.1
      MozillaFirefox-debugsource-45.6.0esr-96.1
      MozillaFirefox-translations-45.6.0esr-96.1

   - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

      MozillaFirefox-45.6.0esr-96.1
      MozillaFirefox-debuginfo-45.6.0esr-96.1
      MozillaFirefox-debugsource-45.6.0esr-96.1
      MozillaFirefox-translations-45.6.0esr-96.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

      MozillaFirefox-45.6.0esr-96.1
      MozillaFirefox-debuginfo-45.6.0esr-96.1
      MozillaFirefox-debugsource-45.6.0esr-96.1
      MozillaFirefox-translations-45.6.0esr-96.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      MozillaFirefox-45.6.0esr-96.1
      MozillaFirefox-debuginfo-45.6.0esr-96.1
      MozillaFirefox-debugsource-45.6.0esr-96.1
      MozillaFirefox-translations-45.6.0esr-96.1

References:

   https://www.suse.com/security/cve/CVE-2016-9893.html
   https://www.suse.com/security/cve/CVE-2016-9895.html
   https://www.suse.com/security/cve/CVE-2016-9897.html
   https://www.suse.com/security/cve/CVE-2016-9898.html
   https://www.suse.com/security/cve/CVE-2016-9899.html
   https://www.suse.com/security/cve/CVE-2016-9900.html
   https://www.suse.com/security/cve/CVE-2016-9901.html
   https://www.suse.com/security/cve/CVE-2016-9902.html
   https://www.suse.com/security/cve/CVE-2016-9904.html
   https://www.suse.com/security/cve/CVE-2016-9905.html
   https://bugzilla.suse.com/1015422

From sle-security-updates at lists.suse.com Wed Dec 21 18:08:43 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 22 Dec 2016 02:08:43 +0100 (CET)
Subject: SUSE-SU-2016:3223-1: important: Security update for MozillaFirefox
Message-ID: <20161222010843.0BB96FF36@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3223-1
Rating:             important
References:         #1000751 #1015422
Cross-References:   CVE-2016-9893 CVE-2016-9895 CVE-2016-9897 CVE-2016-9898
                    CVE-2016-9899 CVE-2016-9900 CVE-2016-9901 CVE-2016-9902
                    CVE-2016-9904 CVE-2016-9905
Affected Products:
                    SUSE Linux Enterprise Server 11-SP2-LTSS
                    SUSE Linux Enterprise Debuginfo 11-SP2
______________________________________________________________________________

   An update that fixes 10 vulnerabilities is now available.

Description:

   MozillaFirefox 45 ESR was updated to 45.6 to fix the following issues:

   * MFSA 2016-95/CVE-2016-9897: Memory corruption in libGLES
   * MFSA 2016-95/CVE-2016-9901: Data from Pocket server improperly sanitized
     before execution
   * MFSA 2016-95/CVE-2016-9898: Use-after-free in Editor while manipulating
     DOM subtrees
   * MFSA 2016-95/CVE-2016-9899: Use-after-free while manipulating DOM events
     and audio elements
   * MFSA 2016-95/CVE-2016-9904: Cross-origin information leak in shared atoms
   * MFSA 2016-95/CVE-2016-9905: Crash in EnumerateSubDocuments
   * MFSA 2016-95/CVE-2016-9895: CSP bypass using marquee tag
   * MFSA 2016-95/CVE-2016-9900: Restricted external resources can be loaded
     by SVG images through data URLs
   * MFSA 2016-95/CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and
     Firefox ESR 45.6
   * MFSA 2016-95/CVE-2016-9902: Pocket extension does not validate the origin
     of events

   Please see https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/
   for more information.

   - Fix fontconfig issue (bsc#1000751) on 32bit systems as well.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP2-LTSS:

      zypper in -t patch slessp2-MozillaFirefox-12907=1

   - SUSE Linux Enterprise Debuginfo 11-SP2:

      zypper in -t patch dbgsp2-MozillaFirefox-12907=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):

      MozillaFirefox-45.6.0esr-66.1
      MozillaFirefox-translations-45.6.0esr-66.1

   - SUSE Linux Enterprise Debuginfo 11-SP2 (i586 s390x x86_64):

      MozillaFirefox-debuginfo-45.6.0esr-66.1
      MozillaFirefox-debugsource-45.6.0esr-66.1

References:

   https://www.suse.com/security/cve/CVE-2016-9893.html
   https://www.suse.com/security/cve/CVE-2016-9895.html
   https://www.suse.com/security/cve/CVE-2016-9897.html
   https://www.suse.com/security/cve/CVE-2016-9898.html
   https://www.suse.com/security/cve/CVE-2016-9899.html
   https://www.suse.com/security/cve/CVE-2016-9900.html
   https://www.suse.com/security/cve/CVE-2016-9901.html
   https://www.suse.com/security/cve/CVE-2016-9902.html
   https://www.suse.com/security/cve/CVE-2016-9904.html
   https://www.suse.com/security/cve/CVE-2016-9905.html
   https://bugzilla.suse.com/1000751
   https://bugzilla.suse.com/1015422

From sle-security-updates at lists.suse.com Thu Dec 22 08:07:35 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 22 Dec 2016 16:07:35 +0100 (CET)
Subject: SUSE-SU-2016:3241-1: important: Security update for xen
Message-ID: <20161222150735.7765BFF36@maintenance.suse.de>

SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3241-1
Rating:             important
References:         #1012651 #1014298 #1016340
Cross-References:   CVE-2016-10013 CVE-2016-10024 CVE-2016-9932
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12
                    SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for xen fixes the following issues:

   - Mishandling of SYSCALL singlestep during emulation, which could have
     led to privilege escalation. (XSA-204, bsc#1016340, CVE-2016-10013)

   - CMPXCHG8B emulation failed to ignore the operand size override, which
     could have led to information disclosure. (XSA-200, bsc#1012651,
     CVE-2016-9932)

   - PV guests may have been able to mask interrupts, causing a Denial of
     Service. (XSA-202, bsc#1014298, CVE-2016-10024)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12:

      zypper in -t patch SUSE-SLE-SAP-12-2016-1885=1

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-1885=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server for SAP 12 (x86_64):

      xen-4.4.4_05-22.28.2
      xen-debugsource-4.4.4_05-22.28.2
      xen-doc-html-4.4.4_05-22.28.2
      xen-kmp-default-4.4.4_05_k3.12.60_52.63-22.28.2
      xen-kmp-default-debuginfo-4.4.4_05_k3.12.60_52.63-22.28.2
      xen-libs-32bit-4.4.4_05-22.28.2
      xen-libs-4.4.4_05-22.28.2
      xen-libs-debuginfo-32bit-4.4.4_05-22.28.2
      xen-libs-debuginfo-4.4.4_05-22.28.2
      xen-tools-4.4.4_05-22.28.2
      xen-tools-debuginfo-4.4.4_05-22.28.2
      xen-tools-domU-4.4.4_05-22.28.2
      xen-tools-domU-debuginfo-4.4.4_05-22.28.2

   - SUSE Linux Enterprise Server 12-LTSS (x86_64):

      xen-4.4.4_05-22.28.2
      xen-debugsource-4.4.4_05-22.28.2
      xen-doc-html-4.4.4_05-22.28.2
      xen-kmp-default-4.4.4_05_k3.12.60_52.63-22.28.2
      xen-kmp-default-debuginfo-4.4.4_05_k3.12.60_52.63-22.28.2
      xen-libs-32bit-4.4.4_05-22.28.2
      xen-libs-4.4.4_05-22.28.2
      xen-libs-debuginfo-32bit-4.4.4_05-22.28.2
      xen-libs-debuginfo-4.4.4_05-22.28.2
      xen-tools-4.4.4_05-22.28.2
      xen-tools-debuginfo-4.4.4_05-22.28.2
      xen-tools-domU-4.4.4_05-22.28.2
      xen-tools-domU-debuginfo-4.4.4_05-22.28.2

References:

   https://www.suse.com/security/cve/CVE-2016-10013.html
   https://www.suse.com/security/cve/CVE-2016-10024.html
   https://www.suse.com/security/cve/CVE-2016-9932.html
   https://bugzilla.suse.com/1012651
   https://bugzilla.suse.com/1014298
   https://bugzilla.suse.com/1016340
From sle-security-updates at lists.suse.com Thu Dec 22 10:08:35 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 22 Dec 2016 18:08:35 +0100 (CET)
Subject: SUSE-SU-2016:3247-1: important: Security update for Linux Kernel Live Patch 16 for SLE 12
Message-ID: <20161222170835.02674FF36@maintenance.suse.de>

SUSE Security Update: Security update for Linux Kernel Live Patch 16 for SLE 12
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3247-1
Rating:             important
References:         #1012183 #1012759
Cross-References:   CVE-2016-8655 CVE-2016-9555
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12
                    SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for the Linux Kernel 3.12.60-52_57 fixes several issues.

   The following security bugs were fixed:

   - CVE-2016-8655: A race condition in the af_packet packet_set_ring function
     could be used by local attackers to crash the kernel or gain privileges
     (bsc#1012759).

   - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in
     the Linux kernel lacks chunk-length checking for the first chunk, which
     allowed remote attackers to cause a denial of service (out-of-bounds slab
     access) or possibly have unspecified other impact via crafted SCTP data
     (bsc#1012183).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12:

      zypper in -t patch SUSE-SLE-SAP-12-2016-1892=1

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-1892=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server for SAP 12 (x86_64):

      kgraft-patch-3_12_60-52_57-default-2-2.1
      kgraft-patch-3_12_60-52_57-xen-2-2.1

   - SUSE Linux Enterprise Server 12-LTSS (x86_64):

      kgraft-patch-3_12_60-52_57-default-2-2.1
      kgraft-patch-3_12_60-52_57-xen-2-2.1

References:

   https://www.suse.com/security/cve/CVE-2016-8655.html
   https://www.suse.com/security/cve/CVE-2016-9555.html
   https://bugzilla.suse.com/1012183
   https://bugzilla.suse.com/1012759

From sle-security-updates at lists.suse.com Thu Dec 22 10:09:10 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 22 Dec 2016 18:09:10 +0100 (CET)
Subject: SUSE-SU-2016:3248-1: important: Security update for the Linux Kernel
Message-ID: <20161222170910.C7834FF36@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3248-1
Rating:             important
References:         #1013533 #1013604
Cross-References:   CVE-2016-9576 CVE-2016-9794
Affected Products:
                    SUSE OpenStack Cloud 5
                    SUSE Manager Proxy 2.1
                    SUSE Manager 2.1
                    SUSE Linux Enterprise Server 11-SP3-LTSS
                    SUSE Linux Enterprise Server 11-EXTRA
                    SUSE Linux Enterprise Point of Sale 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   The SUSE Linux Enterprise 11 SP 3 kernel was updated to fix two security
   issues.

   The following security bugs were fixed:

   - CVE-2016-9576: A use-after-free vulnerability in the SCSI generic driver
     allows users with write access to /dev/sg* or /dev/bsg* to elevate their
     privileges (bsc#1013604).

   - CVE-2016-9794: A use-after-free vulnerability in the ALSA pcm layer
     allowed local users to cause a denial of service, memory corruption or
     possibly even to elevate their privileges (bsc#1013533).
Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 5:

      zypper in -t patch sleclo50sp3-kernel-12909=1

   - SUSE Manager Proxy 2.1:

      zypper in -t patch slemap21-kernel-12909=1

   - SUSE Manager 2.1:

      zypper in -t patch sleman21-kernel-12909=1

   - SUSE Linux Enterprise Server 11-SP3-LTSS:

      zypper in -t patch slessp3-kernel-12909=1

   - SUSE Linux Enterprise Server 11-EXTRA:

      zypper in -t patch slexsp3-kernel-12909=1

   - SUSE Linux Enterprise Point of Sale 11-SP3:

      zypper in -t patch sleposp3-kernel-12909=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-kernel-12909=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE OpenStack Cloud 5 (x86_64):

      kernel-bigsmp-3.0.101-0.47.93.1
      kernel-bigsmp-base-3.0.101-0.47.93.1
      kernel-bigsmp-devel-3.0.101-0.47.93.1
      kernel-default-3.0.101-0.47.93.1
      kernel-default-base-3.0.101-0.47.93.1
      kernel-default-devel-3.0.101-0.47.93.1
      kernel-ec2-3.0.101-0.47.93.1
      kernel-ec2-base-3.0.101-0.47.93.1
      kernel-ec2-devel-3.0.101-0.47.93.1
      kernel-source-3.0.101-0.47.93.1
      kernel-syms-3.0.101-0.47.93.1
      kernel-trace-3.0.101-0.47.93.1
      kernel-trace-base-3.0.101-0.47.93.1
      kernel-trace-devel-3.0.101-0.47.93.1
      kernel-xen-3.0.101-0.47.93.1
      kernel-xen-base-3.0.101-0.47.93.1
      kernel-xen-devel-3.0.101-0.47.93.1

   - SUSE Manager Proxy 2.1 (x86_64):

      kernel-bigsmp-3.0.101-0.47.93.1
      kernel-bigsmp-base-3.0.101-0.47.93.1
      kernel-bigsmp-devel-3.0.101-0.47.93.1
      kernel-default-3.0.101-0.47.93.1
      kernel-default-base-3.0.101-0.47.93.1
      kernel-default-devel-3.0.101-0.47.93.1
      kernel-ec2-3.0.101-0.47.93.1
      kernel-ec2-base-3.0.101-0.47.93.1
      kernel-ec2-devel-3.0.101-0.47.93.1
      kernel-source-3.0.101-0.47.93.1
      kernel-syms-3.0.101-0.47.93.1
      kernel-trace-3.0.101-0.47.93.1
      kernel-trace-base-3.0.101-0.47.93.1
      kernel-trace-devel-3.0.101-0.47.93.1
      kernel-xen-3.0.101-0.47.93.1
      kernel-xen-base-3.0.101-0.47.93.1
      kernel-xen-devel-3.0.101-0.47.93.1

   - SUSE Manager 2.1 (s390x x86_64):

      kernel-default-3.0.101-0.47.93.1
      kernel-default-base-3.0.101-0.47.93.1
      kernel-default-devel-3.0.101-0.47.93.1
      kernel-source-3.0.101-0.47.93.1
      kernel-syms-3.0.101-0.47.93.1
      kernel-trace-3.0.101-0.47.93.1
      kernel-trace-base-3.0.101-0.47.93.1
      kernel-trace-devel-3.0.101-0.47.93.1

   - SUSE Manager 2.1 (x86_64):

      kernel-bigsmp-3.0.101-0.47.93.1
      kernel-bigsmp-base-3.0.101-0.47.93.1
      kernel-bigsmp-devel-3.0.101-0.47.93.1
      kernel-ec2-3.0.101-0.47.93.1
      kernel-ec2-base-3.0.101-0.47.93.1
      kernel-ec2-devel-3.0.101-0.47.93.1
      kernel-xen-3.0.101-0.47.93.1
      kernel-xen-base-3.0.101-0.47.93.1
      kernel-xen-devel-3.0.101-0.47.93.1

   - SUSE Manager 2.1 (s390x):

      kernel-default-man-3.0.101-0.47.93.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64):

      kernel-default-3.0.101-0.47.93.1
      kernel-default-base-3.0.101-0.47.93.1
      kernel-default-devel-3.0.101-0.47.93.1
      kernel-source-3.0.101-0.47.93.1
      kernel-syms-3.0.101-0.47.93.1
      kernel-trace-3.0.101-0.47.93.1
      kernel-trace-base-3.0.101-0.47.93.1
      kernel-trace-devel-3.0.101-0.47.93.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 x86_64):

      kernel-ec2-3.0.101-0.47.93.1
      kernel-ec2-base-3.0.101-0.47.93.1
      kernel-ec2-devel-3.0.101-0.47.93.1
      kernel-xen-3.0.101-0.47.93.1
      kernel-xen-base-3.0.101-0.47.93.1
      kernel-xen-devel-3.0.101-0.47.93.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (x86_64):

      kernel-bigsmp-3.0.101-0.47.93.1
      kernel-bigsmp-base-3.0.101-0.47.93.1
      kernel-bigsmp-devel-3.0.101-0.47.93.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (s390x):

      kernel-default-man-3.0.101-0.47.93.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586):

      kernel-pae-3.0.101-0.47.93.1
      kernel-pae-base-3.0.101-0.47.93.1
      kernel-pae-devel-3.0.101-0.47.93.1

   - SUSE Linux Enterprise Server 11-EXTRA (i586 ia64 ppc64 s390x x86_64):

      kernel-default-extra-3.0.101-0.47.93.1

   - SUSE Linux Enterprise Server 11-EXTRA (i586 x86_64):

      kernel-xen-extra-3.0.101-0.47.93.1

   - SUSE Linux Enterprise Server 11-EXTRA (x86_64):

      kernel-bigsmp-extra-3.0.101-0.47.93.1
      kernel-trace-extra-3.0.101-0.47.93.1

   - SUSE Linux Enterprise Server 11-EXTRA (ppc64):

      kernel-ppc64-extra-3.0.101-0.47.93.1

   - SUSE Linux Enterprise Server 11-EXTRA (i586):

      kernel-pae-extra-3.0.101-0.47.93.1

   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

      kernel-default-3.0.101-0.47.93.1
      kernel-default-base-3.0.101-0.47.93.1
      kernel-default-devel-3.0.101-0.47.93.1
      kernel-ec2-3.0.101-0.47.93.1
      kernel-ec2-base-3.0.101-0.47.93.1
      kernel-ec2-devel-3.0.101-0.47.93.1
      kernel-pae-3.0.101-0.47.93.1
      kernel-pae-base-3.0.101-0.47.93.1
      kernel-pae-devel-3.0.101-0.47.93.1
      kernel-source-3.0.101-0.47.93.1
      kernel-syms-3.0.101-0.47.93.1
      kernel-trace-3.0.101-0.47.93.1
      kernel-trace-base-3.0.101-0.47.93.1
      kernel-trace-devel-3.0.101-0.47.93.1
      kernel-xen-3.0.101-0.47.93.1
      kernel-xen-base-3.0.101-0.47.93.1
      kernel-xen-devel-3.0.101-0.47.93.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):

      kernel-default-debuginfo-3.0.101-0.47.93.1
      kernel-default-debugsource-3.0.101-0.47.93.1
      kernel-trace-debuginfo-3.0.101-0.47.93.1
      kernel-trace-debugsource-3.0.101-0.47.93.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 x86_64):

      kernel-ec2-debuginfo-3.0.101-0.47.93.1
      kernel-ec2-debugsource-3.0.101-0.47.93.1
      kernel-xen-debuginfo-3.0.101-0.47.93.1
      kernel-xen-debugsource-3.0.101-0.47.93.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (x86_64):

      kernel-bigsmp-debuginfo-3.0.101-0.47.93.1
      kernel-bigsmp-debugsource-3.0.101-0.47.93.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586):

      kernel-pae-debuginfo-3.0.101-0.47.93.1
      kernel-pae-debugsource-3.0.101-0.47.93.1

References:

   https://www.suse.com/security/cve/CVE-2016-9576.html
   https://www.suse.com/security/cve/CVE-2016-9794.html
   https://bugzilla.suse.com/1013533
   https://bugzilla.suse.com/1013604

From sle-security-updates at lists.suse.com Thu Dec 22 11:08:16 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 22 Dec 2016 19:08:16 +0100 (CET)
Subject: SUSE-SU-2016:3249-1: important: Security update for Linux Kernel Live Patch 10 for SLE 12
Message-ID: <20161222180816.0DE86FF36@maintenance.suse.de>

SUSE Security Update: Security update for Linux Kernel Live Patch 10 for SLE 12
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3249-1
Rating:             important
References:         #1003253 #1012183 #1012759
Cross-References:   CVE-2016-7117 CVE-2016-8655 CVE-2016-9555
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12
                    SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for the Linux Kernel 3.12.51-52_34 fixes several issues.

   The following security bugs were fixed:

   - CVE-2016-8655: A race condition in the af_packet packet_set_ring function
     could be used by local attackers to crash the kernel or gain privileges
     (bsc#1012759).

   - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in
     the Linux kernel lacks chunk-length checking for the first chunk, which
     allowed remote attackers to cause a denial of service (out-of-bounds slab
     access) or possibly have unspecified other impact via crafted SCTP data
     (bsc#1012183).

   - CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg
     function in net/socket.c in the Linux kernel allowed remote attackers to
     execute arbitrary code via vectors involving a recvmmsg system call that
     is mishandled during error processing (bsc#1003253).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12:

      zypper in -t patch SUSE-SLE-SAP-12-2016-1895=1

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-1895=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server for SAP 12 (x86_64):

      kgraft-patch-3_12_51-52_34-default-7-2.1
      kgraft-patch-3_12_51-52_34-xen-7-2.1

   - SUSE Linux Enterprise Server 12-LTSS (x86_64):

      kgraft-patch-3_12_51-52_34-default-7-2.1
      kgraft-patch-3_12_51-52_34-xen-7-2.1

References:

   https://www.suse.com/security/cve/CVE-2016-7117.html
   https://www.suse.com/security/cve/CVE-2016-8655.html
   https://www.suse.com/security/cve/CVE-2016-9555.html
   https://bugzilla.suse.com/1003253
   https://bugzilla.suse.com/1012183
   https://bugzilla.suse.com/1012759

From sle-security-updates at lists.suse.com Thu Dec 22 12:07:22 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 22 Dec 2016 20:07:22 +0100 (CET)
Subject: SUSE-SU-2016:3250-1: important: Security update for libgme
Message-ID: <20161222190722.A7FA7FF36@maintenance.suse.de>

SUSE Security Update: Security update for libgme
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3250-1
Rating:             important
References:         #1015941
Cross-References:   CVE-2016-9957 CVE-2016-9958 CVE-2016-9959 CVE-2016-9960
                    CVE-2016-9961
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.

Description:

   This update for libgme fixes the following issues:

   - CVE-2016-9957, CVE-2016-9958, CVE-2016-9959, CVE-2016-9960,
     CVE-2016-9961: Various issues were fixed in the handling of SPC music
     files that could have been exploited for gaining privileges of desktop
     users. [bsc#1015941]

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP2:

      zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1898=1

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1898=1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1898=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1898=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1898=1

   - SUSE Linux Enterprise Desktop 12-SP2:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1898=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1898=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):

      libgme-debugsource-0.6.0-5.1
      libgme-devel-0.6.0-5.1

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      libgme-debugsource-0.6.0-5.1
      libgme-devel-0.6.0-5.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

      libgme-debugsource-0.6.0-5.1
      libgme0-0.6.0-5.1
      libgme0-debuginfo-0.6.0-5.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):

      libgme-debugsource-0.6.0-5.1
      libgme0-0.6.0-5.1
      libgme0-debuginfo-0.6.0-5.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      libgme-debugsource-0.6.0-5.1
      libgme0-0.6.0-5.1
      libgme0-debuginfo-0.6.0-5.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

      libgme-debugsource-0.6.0-5.1
      libgme0-0.6.0-5.1
      libgme0-debuginfo-0.6.0-5.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      libgme-debugsource-0.6.0-5.1
      libgme0-0.6.0-5.1
      libgme0-debuginfo-0.6.0-5.1

References:

   https://www.suse.com/security/cve/CVE-2016-9957.html
   https://www.suse.com/security/cve/CVE-2016-9958.html
   https://www.suse.com/security/cve/CVE-2016-9959.html
   https://www.suse.com/security/cve/CVE-2016-9960.html
   https://www.suse.com/security/cve/CVE-2016-9961.html
   https://bugzilla.suse.com/1015941

From sle-security-updates at lists.suse.com Thu Dec 22 12:07:51 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 22 Dec 2016 20:07:51 +0100 (CET)
Subject: SUSE-SU-2016:3251-1: moderate: Security update for gd
Message-ID: <20161222190751.A58F5F7BF@maintenance.suse.de>

SUSE Security Update: Security update for gd
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3251-1
Rating:             moderate
References:         #1015187
Cross-References:   CVE-2016-9933
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for gd fixes the following issues:

   * CVE-2016-9933: possible stack overflow on malicious truecolor images
     [bsc#1015187]

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-gd-12914=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-gd-12914=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-gd-12914=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      gd-devel-2.0.36.RC1-52.29.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      gd-2.0.36.RC1-52.29.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      gd-debuginfo-2.0.36.RC1-52.29.1
      gd-debugsource-2.0.36.RC1-52.29.1


References:

   https://www.suse.com/security/cve/CVE-2016-9933.html
   https://bugzilla.suse.com/1015187


From sle-security-updates at lists.suse.com Thu Dec 22 12:08:18 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 22 Dec 2016 20:08:18 +0100 (CET)
Subject: SUSE-SU-2016:3252-1: important: Security update for the Linux Kernel
Message-ID: <20161222190818.9D6FAF7BF@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3252-1
Rating:             important
References:         #1013533 #1013604
Cross-References:   CVE-2016-9576 CVE-2016-9794
Affected Products:
                    SUSE Linux Enterprise Server 11-SP2-LTSS
                    SUSE Linux Enterprise Debuginfo 11-SP2
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   The SUSE Linux Enterprise 11 SP 2 kernel was updated to fix two security
   issues.

   The following security bugs were fixed:

   - CVE-2016-9576: A use-after-free vulnerability in the SCSI generic driver
     allows users with write access to /dev/sg* or /dev/bsg* to elevate their
     privileges (bsc#1013604).

   - CVE-2016-9794: A use-after-free vulnerability in the ALSA pcm layer
     allowed local users to cause a denial of service, memory corruption or
     possibly even to elevate their privileges (bsc#1013533).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP2-LTSS:
      zypper in -t patch slessp2-kernel-12915=1

   - SUSE Linux Enterprise Debuginfo 11-SP2:
      zypper in -t patch dbgsp2-kernel-12915=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):
      kernel-default-3.0.101-0.7.47.1
      kernel-default-base-3.0.101-0.7.47.1
      kernel-default-devel-3.0.101-0.7.47.1
      kernel-source-3.0.101-0.7.47.1
      kernel-syms-3.0.101-0.7.47.1
      kernel-trace-3.0.101-0.7.47.1
      kernel-trace-base-3.0.101-0.7.47.1
      kernel-trace-devel-3.0.101-0.7.47.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 x86_64):
      kernel-ec2-3.0.101-0.7.47.1
      kernel-ec2-base-3.0.101-0.7.47.1
      kernel-ec2-devel-3.0.101-0.7.47.1
      kernel-xen-3.0.101-0.7.47.1
      kernel-xen-base-3.0.101-0.7.47.1
      kernel-xen-devel-3.0.101-0.7.47.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (s390x):
      kernel-default-man-3.0.101-0.7.47.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586):
      kernel-pae-3.0.101-0.7.47.1
      kernel-pae-base-3.0.101-0.7.47.1
      kernel-pae-devel-3.0.101-0.7.47.1

   - SUSE Linux Enterprise Debuginfo 11-SP2 (i586 s390x x86_64):
      kernel-default-debuginfo-3.0.101-0.7.47.1
      kernel-default-debugsource-3.0.101-0.7.47.1
      kernel-default-devel-debuginfo-3.0.101-0.7.47.1
      kernel-trace-debuginfo-3.0.101-0.7.47.1
      kernel-trace-debugsource-3.0.101-0.7.47.1
      kernel-trace-devel-debuginfo-3.0.101-0.7.47.1

   - SUSE Linux Enterprise Debuginfo 11-SP2 (i586 x86_64):
      kernel-ec2-debuginfo-3.0.101-0.7.47.1
      kernel-ec2-debugsource-3.0.101-0.7.47.1
      kernel-xen-debuginfo-3.0.101-0.7.47.1
      kernel-xen-debugsource-3.0.101-0.7.47.1
      kernel-xen-devel-debuginfo-3.0.101-0.7.47.1

   - SUSE Linux Enterprise Debuginfo 11-SP2 (i586):
      kernel-pae-debuginfo-3.0.101-0.7.47.1
      kernel-pae-debugsource-3.0.101-0.7.47.1
      kernel-pae-devel-debuginfo-3.0.101-0.7.47.1


References:

   https://www.suse.com/security/cve/CVE-2016-9576.html
   https://www.suse.com/security/cve/CVE-2016-9794.html
   https://bugzilla.suse.com/1013533
   https://bugzilla.suse.com/1013604


From sle-security-updates at lists.suse.com Fri Dec 23 08:07:50 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 23 Dec 2016 16:07:50 +0100 (CET)
Subject: SUSE-SU-2016:3256-1: moderate: Security update for ImageMagick
Message-ID: <20161223150750.550D5FF36@maintenance.suse.de>

   SUSE Security Update: Security update for ImageMagick
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3256-1
Rating:             moderate
References:         #1009318 #1011130 #1011136 #1013376 #1014159
Cross-References:   CVE-2016-7530 CVE-2016-8707 CVE-2016-8866 CVE-2016-9556
                    CVE-2016-9559 CVE-2016-9773
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes 6 vulnerabilities is now available.

Description:

   This update for ImageMagick fixes the following issues:

   * CVE-2016-9556: Possible Heap-overflow found by fuzzing [bsc#1011130]
   * CVE-2016-9559: Possible Null pointer access found by fuzzing [bsc#1011136]
   * CVE-2016-8707: Possible code execution in the tiff deflate convert code
     [bsc#1014159]
   * CVE-2016-9773: Possible Heap overflow in IsPixelGray [bsc#1013376]
   * CVE-2016-8866: Possible memory allocation failure in AcquireMagickMemory
     [bsc#1009318]

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:
      zypper in -t patch sdksp4-ImageMagick-12917=1

   - SUSE Linux Enterprise Server 11-SP4:
      zypper in -t patch slessp4-ImageMagick-12917=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:
      zypper in -t patch dbgsp4-ImageMagick-12917=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      ImageMagick-6.4.3.6-7.60.1
      ImageMagick-devel-6.4.3.6-7.60.1
      libMagick++-devel-6.4.3.6-7.60.1
      libMagick++1-6.4.3.6-7.60.1
      libMagickWand1-6.4.3.6-7.60.1
      perl-PerlMagick-6.4.3.6-7.60.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64):
      libMagickWand1-32bit-6.4.3.6-7.60.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      libMagickCore1-6.4.3.6-7.60.1

   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):
      libMagickCore1-32bit-6.4.3.6-7.60.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      ImageMagick-debuginfo-6.4.3.6-7.60.1
      ImageMagick-debugsource-6.4.3.6-7.60.1


References:

   https://www.suse.com/security/cve/CVE-2016-7530.html
   https://www.suse.com/security/cve/CVE-2016-8707.html
   https://www.suse.com/security/cve/CVE-2016-8866.html
   https://www.suse.com/security/cve/CVE-2016-9556.html
   https://www.suse.com/security/cve/CVE-2016-9559.html
   https://www.suse.com/security/cve/CVE-2016-9773.html
   https://bugzilla.suse.com/1009318
   https://bugzilla.suse.com/1011130
   https://bugzilla.suse.com/1011136
   https://bugzilla.suse.com/1013376
   https://bugzilla.suse.com/1014159


From sle-security-updates at lists.suse.com Fri Dec 23 08:09:03 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 23 Dec 2016 16:09:03 +0100 (CET)
Subject: SUSE-SU-2016:3257-1: important: Security update for dnsmasq
Message-ID: <20161223150903.1359BF7BF@maintenance.suse.de>

   SUSE Security Update: Security update for dnsmasq
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3257-1
Rating:             important
References:         #983273
Cross-References:   CVE-2015-8899
Affected Products:
                    SUSE OpenStack Cloud Compute 5
______________________________________________________________________________

   An update that fixes one vulnerability is now available.
Description:

   This update for dnsmasq fixes the following issues:

   - CVE-2015-8899: Denial of service between local and remote dns entries
     (bsc#983273)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Compute 5:
      zypper in -t patch SUSE-SLE12-CLOUD-5-2016-1906=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE OpenStack Cloud Compute 5 (x86_64):
      dnsmasq-debuginfo-2.71-6.3.1
      dnsmasq-debugsource-2.71-6.3.1
      dnsmasq-utils-2.71-6.3.1
      dnsmasq-utils-debuginfo-2.71-6.3.1


References:

   https://www.suse.com/security/cve/CVE-2015-8899.html
   https://bugzilla.suse.com/983273


From sle-security-updates at lists.suse.com Fri Dec 23 08:09:34 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 23 Dec 2016 16:09:34 +0100 (CET)
Subject: SUSE-SU-2016:3258-1: important: Security update for ImageMagick
Message-ID: <20161223150934.08FFDFF36@maintenance.suse.de>

   SUSE Security Update: Security update for ImageMagick
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3258-1
Rating:             important
References:         #1009318 #1011130 #1011136 #1013376 #1014159
Cross-References:   CVE-2014-9848 CVE-2016-8707 CVE-2016-8866 CVE-2016-9556
                    CVE-2016-9559 CVE-2016-9773
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP2
                    SUSE Linux Enterprise Workstation Extension 12-SP1
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes 6 vulnerabilities is now available.

Description:

   This update for ImageMagick fixes the following issues:

   * CVE-2016-9556: Possible Heap-overflow found by fuzzing [bsc#1011130]
   * CVE-2016-9559: Possible Null pointer access found by fuzzing [bsc#1011136]
   * CVE-2016-8707: Possible code execution in Tiff convert utility
     [bsc#1014159]
   * CVE-2016-8866: Memory allocation failure in AcquireMagickMemory could
     lead to Heap overflow [bsc#1009318]
   * CVE-2016-9559: Possible Null pointer access found by fuzzing [bsc#1011136]

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP2:
      zypper in -t patch SUSE-SLE-WE-12-SP2-2016-1905=1

   - SUSE Linux Enterprise Workstation Extension 12-SP1:
      zypper in -t patch SUSE-SLE-WE-12-SP1-2016-1905=1

   - SUSE Linux Enterprise Software Development Kit 12-SP2:
      zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1905=1

   - SUSE Linux Enterprise Software Development Kit 12-SP1:
      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1905=1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:
      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1905=1

   - SUSE Linux Enterprise Server 12-SP2:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1905=1

   - SUSE Linux Enterprise Server 12-SP1:
      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1905=1

   - SUSE Linux Enterprise Desktop 12-SP2:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1905=1

   - SUSE Linux Enterprise Desktop 12-SP1:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1905=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP2 (x86_64):
      ImageMagick-6.8.8.1-54.1
      ImageMagick-debuginfo-6.8.8.1-54.1
      ImageMagick-debugsource-6.8.8.1-54.1
      libMagick++-6_Q16-3-6.8.8.1-54.1
      libMagick++-6_Q16-3-debuginfo-6.8.8.1-54.1
      libMagickCore-6_Q16-1-32bit-6.8.8.1-54.1
      libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-54.1

   - SUSE Linux Enterprise Workstation Extension 12-SP1 (x86_64):
      ImageMagick-6.8.8.1-54.1
      ImageMagick-debuginfo-6.8.8.1-54.1
      ImageMagick-debugsource-6.8.8.1-54.1
      libMagick++-6_Q16-3-6.8.8.1-54.1
      libMagick++-6_Q16-3-debuginfo-6.8.8.1-54.1
      libMagickCore-6_Q16-1-32bit-6.8.8.1-54.1
      libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-54.1

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):
      ImageMagick-6.8.8.1-54.1
      ImageMagick-debuginfo-6.8.8.1-54.1
      ImageMagick-debugsource-6.8.8.1-54.1
      ImageMagick-devel-6.8.8.1-54.1
      libMagick++-6_Q16-3-6.8.8.1-54.1
      libMagick++-6_Q16-3-debuginfo-6.8.8.1-54.1
      libMagick++-devel-6.8.8.1-54.1
      perl-PerlMagick-6.8.8.1-54.1
      perl-PerlMagick-debuginfo-6.8.8.1-54.1

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):
      ImageMagick-6.8.8.1-54.1
      ImageMagick-debuginfo-6.8.8.1-54.1
      ImageMagick-debugsource-6.8.8.1-54.1
      ImageMagick-devel-6.8.8.1-54.1
      libMagick++-6_Q16-3-6.8.8.1-54.1
      libMagick++-6_Q16-3-debuginfo-6.8.8.1-54.1
      libMagick++-devel-6.8.8.1-54.1
      perl-PerlMagick-6.8.8.1-54.1
      perl-PerlMagick-debuginfo-6.8.8.1-54.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):
      ImageMagick-debuginfo-6.8.8.1-54.1
      ImageMagick-debugsource-6.8.8.1-54.1
      libMagickCore-6_Q16-1-6.8.8.1-54.1
      libMagickCore-6_Q16-1-debuginfo-6.8.8.1-54.1
      libMagickWand-6_Q16-1-6.8.8.1-54.1
      libMagickWand-6_Q16-1-debuginfo-6.8.8.1-54.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):
      ImageMagick-debuginfo-6.8.8.1-54.1
      ImageMagick-debugsource-6.8.8.1-54.1
      libMagickCore-6_Q16-1-6.8.8.1-54.1
      libMagickCore-6_Q16-1-debuginfo-6.8.8.1-54.1
      libMagickWand-6_Q16-1-6.8.8.1-54.1
      libMagickWand-6_Q16-1-debuginfo-6.8.8.1-54.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):
      ImageMagick-debuginfo-6.8.8.1-54.1
      ImageMagick-debugsource-6.8.8.1-54.1
      libMagickCore-6_Q16-1-6.8.8.1-54.1
      libMagickCore-6_Q16-1-debuginfo-6.8.8.1-54.1
      libMagickWand-6_Q16-1-6.8.8.1-54.1
      libMagickWand-6_Q16-1-debuginfo-6.8.8.1-54.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):
      ImageMagick-6.8.8.1-54.1
      ImageMagick-debuginfo-6.8.8.1-54.1
      ImageMagick-debugsource-6.8.8.1-54.1
      libMagick++-6_Q16-3-6.8.8.1-54.1
      libMagick++-6_Q16-3-debuginfo-6.8.8.1-54.1
      libMagickCore-6_Q16-1-32bit-6.8.8.1-54.1
      libMagickCore-6_Q16-1-6.8.8.1-54.1
      libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-54.1
      libMagickCore-6_Q16-1-debuginfo-6.8.8.1-54.1
      libMagickWand-6_Q16-1-6.8.8.1-54.1
      libMagickWand-6_Q16-1-debuginfo-6.8.8.1-54.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):
      ImageMagick-6.8.8.1-54.1
      ImageMagick-debuginfo-6.8.8.1-54.1
      ImageMagick-debugsource-6.8.8.1-54.1
      libMagick++-6_Q16-3-6.8.8.1-54.1
      libMagick++-6_Q16-3-debuginfo-6.8.8.1-54.1
      libMagickCore-6_Q16-1-32bit-6.8.8.1-54.1
      libMagickCore-6_Q16-1-6.8.8.1-54.1
      libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-54.1
      libMagickCore-6_Q16-1-debuginfo-6.8.8.1-54.1
      libMagickWand-6_Q16-1-6.8.8.1-54.1
      libMagickWand-6_Q16-1-debuginfo-6.8.8.1-54.1


References:

   https://www.suse.com/security/cve/CVE-2014-9848.html
   https://www.suse.com/security/cve/CVE-2016-8707.html
   https://www.suse.com/security/cve/CVE-2016-8866.html
   https://www.suse.com/security/cve/CVE-2016-9556.html
   https://www.suse.com/security/cve/CVE-2016-9559.html
   https://www.suse.com/security/cve/CVE-2016-9773.html
   https://bugzilla.suse.com/1009318
   https://bugzilla.suse.com/1011130
   https://bugzilla.suse.com/1011136
   https://bugzilla.suse.com/1013376
   https://bugzilla.suse.com/1014159


From sle-security-updates at lists.suse.com Fri Dec 23 13:07:18 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 23 Dec 2016 21:07:18 +0100 (CET)
Subject: SUSE-SU-2016:3268-1: moderate: Security update for wget
Message-ID: <20161223200718.1BEF6FF36@maintenance.suse.de>

   SUSE Security Update: Security update for wget
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3268-1
Rating:             moderate
References:         #1005091 #1012677 #995964
Cross-References:   CVE-2016-7098
Affected Products:
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that solves one vulnerability and has two fixes is now available.

Description:

   This update for wget fixes the following issues:

   Security issues fixed:

   - CVE-2016-7098: Fixed a potential race condition by creating files with
     .tmp ext and making them accessible to the current user only.
     (bsc#995964)

   Non security issues fixed:

   - bsc#1005091: Don't call xfree() on string returned by usr_error()
   - bsc#1012677: Add support for enforcing TLSv1.1 and TLSv1.2 (TLS 1.2
     support was already present, but it was not enforceable).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:
      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1911=1

   - SUSE Linux Enterprise Server 12-SP2:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1911=1

   - SUSE Linux Enterprise Server 12-SP1:
      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1911=1

   - SUSE Linux Enterprise Desktop 12-SP2:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1911=1

   - SUSE Linux Enterprise Desktop 12-SP1:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1911=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):
      wget-1.14-17.1
      wget-debuginfo-1.14-17.1
      wget-debugsource-1.14-17.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):
      wget-1.14-17.1
      wget-debuginfo-1.14-17.1
      wget-debugsource-1.14-17.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):
      wget-1.14-17.1
      wget-debuginfo-1.14-17.1
      wget-debugsource-1.14-17.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):
      wget-1.14-17.1
      wget-debuginfo-1.14-17.1
      wget-debugsource-1.14-17.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):
      wget-1.14-17.1
      wget-debuginfo-1.14-17.1
      wget-debugsource-1.14-17.1


References:

   https://www.suse.com/security/cve/CVE-2016-7098.html
   https://bugzilla.suse.com/1005091
   https://bugzilla.suse.com/1012677
   https://bugzilla.suse.com/995964


From sle-security-updates at lists.suse.com Fri Dec 23 13:08:07 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 23 Dec 2016 21:08:07 +0100 (CET)
Subject: SUSE-SU-2016:3269-1: important: Security update for dnsmasq
Message-ID: <20161223200807.B4819F7BF@maintenance.suse.de>

   SUSE Security Update: Security update for dnsmasq
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3269-1
Rating:             important
References:         #983273
Cross-References:   CVE-2015-8899
Affected Products:
                    SUSE OpenStack Cloud 6
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for dnsmasq fixes the following issues:

   - CVE-2015-8899: Denial of service between local and remote dns entries
     (bsc#983273)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 6:
      zypper in -t patch SUSE-OpenStack-Cloud-6-2016-1912=1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:
      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1912=1

   - SUSE Linux Enterprise Server 12-SP2:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1912=1

   - SUSE Linux Enterprise Server 12-SP1:
      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1912=1

   - SUSE Linux Enterprise Desktop 12-SP2:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1912=1

   - SUSE Linux Enterprise Desktop 12-SP1:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1912=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE OpenStack Cloud 6 (x86_64):
      dnsmasq-debuginfo-2.71-13.1
      dnsmasq-debugsource-2.71-13.1
      dnsmasq-utils-2.71-13.1
      dnsmasq-utils-debuginfo-2.71-13.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):
      dnsmasq-2.71-13.1
      dnsmasq-debuginfo-2.71-13.1
      dnsmasq-debugsource-2.71-13.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):
      dnsmasq-2.71-13.1
      dnsmasq-debuginfo-2.71-13.1
      dnsmasq-debugsource-2.71-13.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):
      dnsmasq-2.71-13.1
      dnsmasq-debuginfo-2.71-13.1
      dnsmasq-debugsource-2.71-13.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):
      dnsmasq-2.71-13.1
      dnsmasq-debuginfo-2.71-13.1
      dnsmasq-debugsource-2.71-13.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):
      dnsmasq-2.71-13.1
      dnsmasq-debuginfo-2.71-13.1
      dnsmasq-debugsource-2.71-13.1


References:

   https://www.suse.com/security/cve/CVE-2015-8899.html
   https://bugzilla.suse.com/983273


From sle-security-updates at lists.suse.com Tue Dec 27 07:07:08 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 27 Dec 2016 15:07:08 +0100 (CET)
Subject: SUSE-SU-2016:3270-1: important: Security update for openjpeg2
Message-ID: <20161227140708.1FCEDFF36@maintenance.suse.de>

   SUSE Security Update: Security update for openjpeg2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3270-1
Rating:             important
References:         #1002414 #1007739 #1007740 #1007741 #1007742 #1007743
                    #1007744 #1007747 #1014543 #1014975 #999817
Cross-References:   CVE-2016-7445 CVE-2016-8332 CVE-2016-9112 CVE-2016-9113
                    CVE-2016-9114 CVE-2016-9115 CVE-2016-9116 CVE-2016-9117
                    CVE-2016-9118 CVE-2016-9572 CVE-2016-9573 CVE-2016-9580
                    CVE-2016-9581
Affected Products:
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP2
______________________________________________________________________________

   An update that fixes 13 vulnerabilities is now available.

Description:

   This update for openjpeg2 fixes the following issues:

   * CVE-2016-9114: NULL Pointer Access in function imagetopnm of
     convert.c:1943(jp2) could lead to crash [bsc#1007740]
   * CVE-2016-9115: Heap Buffer Overflow in function imagetotga of
     convert.c(jp2) [bsc#1007741]
   * CVE-2016-9580, CVE-2016-9581: Possible Heap buffer overflow via integer
     overflow and infinite loop [bsc#1014975]
   * CVE-2016-9117: NULL Pointer Access in function imagetopnm of
     convert.c(jp2):1289 [bsc#1007743]
   * CVE-2016-9118: Heap Buffer Overflow in function pnmtoimage of convert.c
     [bsc#1007744]
   * CVE-2016-9112: FPE (Floating Point Exception) in lib/openjp2/pi.c:523
     [bsc#1007747]
   * CVE-2016-9116: NULL Pointer Access in function imagetopnm of
     convert.c:2226(jp2) [bsc#1007742]
   * CVE-2016-9113: NULL pointer dereference in function imagetobmp of
     convertbmp.c could lead to crash [bsc#1007739]
   * CVE-2016-9572, CVE-2016-9573: Insufficient check in imagetopnm() could
     lead to heap buffer overflow [bsc#1014543]
   * CVE-2016-8332: Malicious file in OpenJPEG JPEG2000 format could lead to
     code execution [bsc#1002414]
   * CVE-2016-7445: Null pointer dereference in convert.c could lead to crash
     [bsc#999817]

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:
      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1914=1

   - SUSE Linux Enterprise Server 12-SP2:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1914=1

   - SUSE Linux Enterprise Desktop 12-SP2:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1914=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):
      libopenjp2-7-2.1.0-3.1
      libopenjp2-7-debuginfo-2.1.0-3.1
      openjpeg2-debuginfo-2.1.0-3.1
      openjpeg2-debugsource-2.1.0-3.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):
      libopenjp2-7-2.1.0-3.1
      libopenjp2-7-debuginfo-2.1.0-3.1
      openjpeg2-debuginfo-2.1.0-3.1
      openjpeg2-debugsource-2.1.0-3.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):
      libopenjp2-7-2.1.0-3.1
      libopenjp2-7-debuginfo-2.1.0-3.1
      openjpeg2-debuginfo-2.1.0-3.1
      openjpeg2-debugsource-2.1.0-3.1


References:

   https://www.suse.com/security/cve/CVE-2016-7445.html
   https://www.suse.com/security/cve/CVE-2016-8332.html
   https://www.suse.com/security/cve/CVE-2016-9112.html
   https://www.suse.com/security/cve/CVE-2016-9113.html
   https://www.suse.com/security/cve/CVE-2016-9114.html
   https://www.suse.com/security/cve/CVE-2016-9115.html
   https://www.suse.com/security/cve/CVE-2016-9116.html
   https://www.suse.com/security/cve/CVE-2016-9117.html
   https://www.suse.com/security/cve/CVE-2016-9118.html
   https://www.suse.com/security/cve/CVE-2016-9572.html
   https://www.suse.com/security/cve/CVE-2016-9573.html
   https://www.suse.com/security/cve/CVE-2016-9580.html
   https://www.suse.com/security/cve/CVE-2016-9581.html
   https://bugzilla.suse.com/1002414
   https://bugzilla.suse.com/1007739
   https://bugzilla.suse.com/1007740
   https://bugzilla.suse.com/1007741
   https://bugzilla.suse.com/1007742
   https://bugzilla.suse.com/1007743
   https://bugzilla.suse.com/1007744
   https://bugzilla.suse.com/1007747
   https://bugzilla.suse.com/1014543
   https://bugzilla.suse.com/1014975
   https://bugzilla.suse.com/999817


From sle-security-updates at lists.suse.com Tue Dec 27 09:07:33 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 27 Dec 2016 17:07:33 +0100 (CET)
Subject: SUSE-SU-2016:3271-1: moderate: Security update for samba
Message-ID: <20161227160733.45DD0F7CB@maintenance.suse.de>

   SUSE Security Update: Security update for samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3271-1
Rating:             moderate
References:         #1009085 #1014437 #1014441 #1014442
Cross-References:   CVE-2016-2123 CVE-2016-2125 CVE-2016-2126
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise High Availability 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP2
______________________________________________________________________________

   An update that solves three vulnerabilities and has one errata is now
   available.

Description:

   This update for samba fixes the following issues:

   Security issues fixed:

   - CVE-2016-2125: Don't send delegated credentials to all servers.
     (bsc#1014441).
   - CVE-2016-2126: Denial of service due to a client triggered crash in the
     winbindd parent process. (bsc#1014442).
   - CVE-2016-2123: Heap-based Buffer Overflow Remote Code Execution
     Vulnerability. (bsc#1014437). This component is not built into our
     packages, so we are not affected.

   Non security issues fixed:

   - s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT
     port; (bsc#1009085)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP2:
      zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1916=1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:
      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1916=1

   - SUSE Linux Enterprise Server 12-SP2:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1916=1

   - SUSE Linux Enterprise High Availability 12-SP2:
      zypper in -t patch SUSE-SLE-HA-12-SP2-2016-1916=1

   - SUSE Linux Enterprise Desktop 12-SP2:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1916=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):
      libsmbclient-devel-4.4.2-31.1
      libwbclient-devel-4.4.2-31.1
      samba-debuginfo-4.4.2-31.1
      samba-debugsource-4.4.2-31.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):
      libdcerpc-binding0-4.4.2-31.1
      libdcerpc-binding0-debuginfo-4.4.2-31.1
      libdcerpc0-4.4.2-31.1
      libdcerpc0-debuginfo-4.4.2-31.1
      libndr-krb5pac0-4.4.2-31.1
      libndr-krb5pac0-debuginfo-4.4.2-31.1
      libndr-nbt0-4.4.2-31.1
      libndr-nbt0-debuginfo-4.4.2-31.1
      libndr-standard0-4.4.2-31.1
      libndr-standard0-debuginfo-4.4.2-31.1
      libndr0-4.4.2-31.1
      libndr0-debuginfo-4.4.2-31.1
      libnetapi0-4.4.2-31.1
      libnetapi0-debuginfo-4.4.2-31.1
      libsamba-credentials0-4.4.2-31.1
      libsamba-credentials0-debuginfo-4.4.2-31.1
      libsamba-errors0-4.4.2-31.1
      libsamba-errors0-debuginfo-4.4.2-31.1
      libsamba-hostconfig0-4.4.2-31.1
      libsamba-hostconfig0-debuginfo-4.4.2-31.1
      libsamba-passdb0-4.4.2-31.1
      libsamba-passdb0-debuginfo-4.4.2-31.1
      libsamba-util0-4.4.2-31.1
      libsamba-util0-debuginfo-4.4.2-31.1
      libsamdb0-4.4.2-31.1
      libsamdb0-debuginfo-4.4.2-31.1
      libsmbclient0-4.4.2-31.1
      libsmbclient0-debuginfo-4.4.2-31.1
      libsmbconf0-4.4.2-31.1
      libsmbconf0-debuginfo-4.4.2-31.1
      libsmbldap0-4.4.2-31.1
      libsmbldap0-debuginfo-4.4.2-31.1
      libtevent-util0-4.4.2-31.1
      libtevent-util0-debuginfo-4.4.2-31.1
      libwbclient0-4.4.2-31.1
      libwbclient0-debuginfo-4.4.2-31.1
      samba-4.4.2-31.1
      samba-client-4.4.2-31.1
      samba-client-debuginfo-4.4.2-31.1
      samba-debuginfo-4.4.2-31.1
      samba-debugsource-4.4.2-31.1
      samba-libs-4.4.2-31.1
      samba-libs-debuginfo-4.4.2-31.1
      samba-winbind-4.4.2-31.1
      samba-winbind-debuginfo-4.4.2-31.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (noarch):
      samba-doc-4.4.2-31.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):
      libdcerpc-binding0-4.4.2-31.1
      libdcerpc-binding0-debuginfo-4.4.2-31.1
      libdcerpc0-4.4.2-31.1
      libdcerpc0-debuginfo-4.4.2-31.1
      libndr-krb5pac0-4.4.2-31.1
      libndr-krb5pac0-debuginfo-4.4.2-31.1
      libndr-nbt0-4.4.2-31.1
      libndr-nbt0-debuginfo-4.4.2-31.1
      libndr-standard0-4.4.2-31.1
      libndr-standard0-debuginfo-4.4.2-31.1
      libndr0-4.4.2-31.1
      libndr0-debuginfo-4.4.2-31.1
      libnetapi0-4.4.2-31.1
      libnetapi0-debuginfo-4.4.2-31.1
      libsamba-credentials0-4.4.2-31.1
      libsamba-credentials0-debuginfo-4.4.2-31.1
      libsamba-errors0-4.4.2-31.1
      libsamba-errors0-debuginfo-4.4.2-31.1
      libsamba-hostconfig0-4.4.2-31.1
      libsamba-hostconfig0-debuginfo-4.4.2-31.1
      libsamba-passdb0-4.4.2-31.1
      libsamba-passdb0-debuginfo-4.4.2-31.1
      libsamba-util0-4.4.2-31.1
      libsamba-util0-debuginfo-4.4.2-31.1
      libsamdb0-4.4.2-31.1
      libsamdb0-debuginfo-4.4.2-31.1
      libsmbclient0-4.4.2-31.1
      libsmbclient0-debuginfo-4.4.2-31.1
      libsmbconf0-4.4.2-31.1
      libsmbconf0-debuginfo-4.4.2-31.1
      libsmbldap0-4.4.2-31.1
      libsmbldap0-debuginfo-4.4.2-31.1
      libtevent-util0-4.4.2-31.1
      libtevent-util0-debuginfo-4.4.2-31.1
      libwbclient0-4.4.2-31.1
      libwbclient0-debuginfo-4.4.2-31.1
      samba-4.4.2-31.1
      samba-client-4.4.2-31.1
      samba-client-debuginfo-4.4.2-31.1
      samba-debuginfo-4.4.2-31.1
      samba-debugsource-4.4.2-31.1
      samba-libs-4.4.2-31.1
      samba-libs-debuginfo-4.4.2-31.1
      samba-winbind-4.4.2-31.1
      samba-winbind-debuginfo-4.4.2-31.1

   - SUSE Linux Enterprise Server 12-SP2 (noarch):
      samba-doc-4.4.2-31.1

   - SUSE Linux Enterprise Server 12-SP2 (x86_64):
      libdcerpc-binding0-32bit-4.4.2-31.1
      libdcerpc-binding0-debuginfo-32bit-4.4.2-31.1
      libdcerpc0-32bit-4.4.2-31.1
      libdcerpc0-debuginfo-32bit-4.4.2-31.1
      libndr-krb5pac0-32bit-4.4.2-31.1
      libndr-krb5pac0-debuginfo-32bit-4.4.2-31.1
      libndr-nbt0-32bit-4.4.2-31.1
      libndr-nbt0-debuginfo-32bit-4.4.2-31.1
      libndr-standard0-32bit-4.4.2-31.1
      libndr-standard0-debuginfo-32bit-4.4.2-31.1
      libndr0-32bit-4.4.2-31.1
      libndr0-debuginfo-32bit-4.4.2-31.1
      libnetapi0-32bit-4.4.2-31.1
      libnetapi0-debuginfo-32bit-4.4.2-31.1
      libsamba-credentials0-32bit-4.4.2-31.1
      libsamba-credentials0-debuginfo-32bit-4.4.2-31.1
      libsamba-errors0-32bit-4.4.2-31.1
      libsamba-errors0-debuginfo-32bit-4.4.2-31.1
      libsamba-hostconfig0-32bit-4.4.2-31.1
      libsamba-hostconfig0-debuginfo-32bit-4.4.2-31.1
      libsamba-passdb0-32bit-4.4.2-31.1
      libsamba-passdb0-debuginfo-32bit-4.4.2-31.1
      libsamba-util0-32bit-4.4.2-31.1
      libsamba-util0-debuginfo-32bit-4.4.2-31.1
      libsamdb0-32bit-4.4.2-31.1
      libsamdb0-debuginfo-32bit-4.4.2-31.1
      libsmbclient0-32bit-4.4.2-31.1
      libsmbclient0-debuginfo-32bit-4.4.2-31.1
      libsmbconf0-32bit-4.4.2-31.1
      libsmbconf0-debuginfo-32bit-4.4.2-31.1
      libsmbldap0-32bit-4.4.2-31.1
      libsmbldap0-debuginfo-32bit-4.4.2-31.1
      libtevent-util0-32bit-4.4.2-31.1
      libtevent-util0-debuginfo-32bit-4.4.2-31.1
      libwbclient0-32bit-4.4.2-31.1
      libwbclient0-debuginfo-32bit-4.4.2-31.1
      samba-client-32bit-4.4.2-31.1
      samba-client-debuginfo-32bit-4.4.2-31.1
      samba-libs-32bit-4.4.2-31.1
      samba-libs-debuginfo-32bit-4.4.2-31.1
      samba-winbind-32bit-4.4.2-31.1
      samba-winbind-debuginfo-32bit-4.4.2-31.1

   - SUSE Linux Enterprise High Availability 12-SP2 (ppc64le s390x x86_64):
      ctdb-4.4.2-31.1
      ctdb-debuginfo-4.4.2-31.1
      samba-debuginfo-4.4.2-31.1
      samba-debugsource-4.4.2-31.1

   - SUSE Linux Enterprise Desktop 12-SP2 (noarch):
      samba-doc-4.4.2-31.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):
      libdcerpc-binding0-32bit-4.4.2-31.1
      libdcerpc-binding0-4.4.2-31.1
      libdcerpc-binding0-debuginfo-32bit-4.4.2-31.1
      libdcerpc-binding0-debuginfo-4.4.2-31.1
      libdcerpc0-32bit-4.4.2-31.1
      libdcerpc0-4.4.2-31.1
      libdcerpc0-debuginfo-32bit-4.4.2-31.1
      libdcerpc0-debuginfo-4.4.2-31.1
      libndr-krb5pac0-32bit-4.4.2-31.1
      libndr-krb5pac0-4.4.2-31.1
      libndr-krb5pac0-debuginfo-32bit-4.4.2-31.1
      libndr-krb5pac0-debuginfo-4.4.2-31.1
      libndr-nbt0-32bit-4.4.2-31.1
      libndr-nbt0-4.4.2-31.1
      libndr-nbt0-debuginfo-32bit-4.4.2-31.1
      libndr-nbt0-debuginfo-4.4.2-31.1
      libndr-standard0-32bit-4.4.2-31.1
      libndr-standard0-4.4.2-31.1
      libndr-standard0-debuginfo-32bit-4.4.2-31.1
      libndr-standard0-debuginfo-4.4.2-31.1
      libndr0-32bit-4.4.2-31.1
      libndr0-4.4.2-31.1
      libndr0-debuginfo-32bit-4.4.2-31.1
      libndr0-debuginfo-4.4.2-31.1
      libnetapi0-32bit-4.4.2-31.1
      libnetapi0-4.4.2-31.1
      libnetapi0-debuginfo-32bit-4.4.2-31.1
      libnetapi0-debuginfo-4.4.2-31.1
      libsamba-credentials0-32bit-4.4.2-31.1
      libsamba-credentials0-4.4.2-31.1
      libsamba-credentials0-debuginfo-32bit-4.4.2-31.1
      libsamba-credentials0-debuginfo-4.4.2-31.1
      libsamba-errors0-32bit-4.4.2-31.1
      libsamba-errors0-4.4.2-31.1
      libsamba-errors0-debuginfo-32bit-4.4.2-31.1
      libsamba-errors0-debuginfo-4.4.2-31.1
      libsamba-hostconfig0-32bit-4.4.2-31.1
      libsamba-hostconfig0-4.4.2-31.1
      libsamba-hostconfig0-debuginfo-32bit-4.4.2-31.1
      libsamba-hostconfig0-debuginfo-4.4.2-31.1
      libsamba-passdb0-32bit-4.4.2-31.1
      libsamba-passdb0-4.4.2-31.1
      libsamba-passdb0-debuginfo-32bit-4.4.2-31.1
      libsamba-passdb0-debuginfo-4.4.2-31.1
      libsamba-util0-32bit-4.4.2-31.1
      libsamba-util0-4.4.2-31.1
      libsamba-util0-debuginfo-32bit-4.4.2-31.1
      libsamba-util0-debuginfo-4.4.2-31.1
      libsamdb0-32bit-4.4.2-31.1
      libsamdb0-4.4.2-31.1
      libsamdb0-debuginfo-32bit-4.4.2-31.1
      libsamdb0-debuginfo-4.4.2-31.1
      libsmbclient0-32bit-4.4.2-31.1
      libsmbclient0-4.4.2-31.1
      libsmbclient0-debuginfo-32bit-4.4.2-31.1
      libsmbclient0-debuginfo-4.4.2-31.1
      libsmbconf0-32bit-4.4.2-31.1
      libsmbconf0-4.4.2-31.1
      libsmbconf0-debuginfo-32bit-4.4.2-31.1
      libsmbconf0-debuginfo-4.4.2-31.1
      libsmbldap0-32bit-4.4.2-31.1
      libsmbldap0-4.4.2-31.1
      libsmbldap0-debuginfo-32bit-4.4.2-31.1
      libsmbldap0-debuginfo-4.4.2-31.1
      libtevent-util0-32bit-4.4.2-31.1
      libtevent-util0-4.4.2-31.1
      libtevent-util0-debuginfo-32bit-4.4.2-31.1
      libtevent-util0-debuginfo-4.4.2-31.1
      libwbclient0-32bit-4.4.2-31.1
      libwbclient0-4.4.2-31.1
      libwbclient0-debuginfo-32bit-4.4.2-31.1
      libwbclient0-debuginfo-4.4.2-31.1
      samba-4.4.2-31.1
      samba-client-32bit-4.4.2-31.1
      samba-client-4.4.2-31.1
      samba-client-debuginfo-32bit-4.4.2-31.1
      samba-client-debuginfo-4.4.2-31.1
      samba-debuginfo-4.4.2-31.1
      samba-debugsource-4.4.2-31.1
      samba-libs-32bit-4.4.2-31.1
      samba-libs-4.4.2-31.1
      samba-libs-debuginfo-32bit-4.4.2-31.1
      samba-libs-debuginfo-4.4.2-31.1
      samba-winbind-32bit-4.4.2-31.1
      samba-winbind-4.4.2-31.1
      samba-winbind-debuginfo-32bit-4.4.2-31.1
      samba-winbind-debuginfo-4.4.2-31.1


References:

   https://www.suse.com/security/cve/CVE-2016-2123.html
   https://www.suse.com/security/cve/CVE-2016-2125.html
   https://www.suse.com/security/cve/CVE-2016-2126.html
   https://bugzilla.suse.com/1009085
   https://bugzilla.suse.com/1014437
   https://bugzilla.suse.com/1014441
   https://bugzilla.suse.com/1014442


From sle-security-updates at lists.suse.com Tue Dec 27 09:08:43 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 27 Dec 2016 17:08:43 +0100 (CET)
Subject: SUSE-SU-2016:3272-1: moderate: Security update for samba
Message-ID: <20161227160843.087B1FF36@maintenance.suse.de>

   SUSE Security Update: Security update for samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3272-1
Rating:             moderate
References:         #1001203 #1009085 #1014437 #1014441 #1014442 #975299
                    #986675 #991564 #994500 #997833
Cross-References:   CVE-2016-2123 CVE-2016-2125 CVE-2016-2126
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise High Availability 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 
12-SP1 ______________________________________________________________________________ An update that solves three vulnerabilities and has 7 fixes is now available. Description: This update for samba fixes the following issues: Security issues fixed: - CVE-2016-2125: Don't send delegated credentials to all servers. (bsc#1014441). - CVE-2016-2126: Denial of service due to a client triggered crash in the winbindd parent process. (bsc#1014442). - CVE-2016-2123: Heap-based Buffer Overflow Remote Code Execution Vulnerability. (bsc#1014437). The component affected is not built in our packages. Non security issues fixed: - s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085) - Add doc changes for net ads --no-dns-updates switch; (bsc#991564) - Include vfstest in samba-test; (bsc#1001203). - s3/winbindd: using default domain with user at domain.com format fails (bsc#997833). - Fix illegal memory access after memory has been deleted (bsc#975299). - Fix bug in tevent poll backend causing winbind to loop tightly (bsc#994500). - Various fixes for spnego/ntlm (bsc#986675). Patch Instructions: To install this SUSE Security Update use YaST online_update. 
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP2:

  zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1917=1

- SUSE Linux Enterprise Software Development Kit 12-SP1:

  zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1917=1

- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

  zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1917=1

- SUSE Linux Enterprise Server 12-SP2:

  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1917=1

- SUSE Linux Enterprise Server 12-SP1:

  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1917=1

- SUSE Linux Enterprise High Availability 12-SP1:

  zypper in -t patch SUSE-SLE-HA-12-SP1-2016-1917=1

- SUSE Linux Enterprise Desktop 12-SP2:

  zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1917=1

- SUSE Linux Enterprise Desktop 12-SP1:

  zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1917=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):

  samba-test-devel-4.2.4-28.3.1

- SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

  ctdb-debuginfo-4.2.4-28.3.1 ctdb-devel-4.2.4-28.3.1
  libdcerpc-atsvc-devel-4.2.4-28.3.1 libdcerpc-atsvc0-4.2.4-28.3.1 libdcerpc-atsvc0-debuginfo-4.2.4-28.3.1
  libdcerpc-devel-4.2.4-28.3.1 libdcerpc-samr-devel-4.2.4-28.3.1
  libdcerpc-samr0-4.2.4-28.3.1 libdcerpc-samr0-debuginfo-4.2.4-28.3.1
  libgensec-devel-4.2.4-28.3.1 libndr-devel-4.2.4-28.3.1 libndr-krb5pac-devel-4.2.4-28.3.1
  libndr-nbt-devel-4.2.4-28.3.1 libndr-standard-devel-4.2.4-28.3.1 libnetapi-devel-4.2.4-28.3.1
  libregistry-devel-4.2.4-28.3.1 libsamba-credentials-devel-4.2.4-28.3.1
  libsamba-hostconfig-devel-4.2.4-28.3.1 libsamba-passdb-devel-4.2.4-28.3.1
  libsamba-policy-devel-4.2.4-28.3.1 libsamba-policy0-4.2.4-28.3.1 libsamba-policy0-debuginfo-4.2.4-28.3.1
  libsamba-util-devel-4.2.4-28.3.1 libsamdb-devel-4.2.4-28.3.1
  libsmbclient-devel-4.2.4-28.3.1 libsmbclient-raw-devel-4.2.4-28.3.1
  libsmbconf-devel-4.2.4-28.3.1 libsmbldap-devel-4.2.4-28.3.1
  libtevent-util-devel-4.2.4-28.3.1 libwbclient-devel-4.2.4-28.3.1
  samba-core-devel-4.2.4-28.3.1 samba-debuginfo-4.2.4-28.3.1
  samba-debugsource-4.2.4-28.3.1 samba-test-devel-4.2.4-28.3.1

- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

  libdcerpc-atsvc0-4.2.4-28.3.1 libdcerpc-atsvc0-debuginfo-4.2.4-28.3.1

- SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):

  libdcerpc-atsvc0-4.2.4-28.3.1 libdcerpc-atsvc0-debuginfo-4.2.4-28.3.1

- SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

  libdcerpc-binding0-4.2.4-28.3.1 libdcerpc-binding0-debuginfo-4.2.4-28.3.1
  libdcerpc0-4.2.4-28.3.1 libdcerpc0-debuginfo-4.2.4-28.3.1
  libgensec0-4.2.4-28.3.1 libgensec0-debuginfo-4.2.4-28.3.1
  libndr-krb5pac0-4.2.4-28.3.1 libndr-krb5pac0-debuginfo-4.2.4-28.3.1
  libndr-nbt0-4.2.4-28.3.1 libndr-nbt0-debuginfo-4.2.4-28.3.1
  libndr-standard0-4.2.4-28.3.1 libndr-standard0-debuginfo-4.2.4-28.3.1
  libndr0-4.2.4-28.3.1 libndr0-debuginfo-4.2.4-28.3.1
  libnetapi0-4.2.4-28.3.1 libnetapi0-debuginfo-4.2.4-28.3.1
  libregistry0-4.2.4-28.3.1 libregistry0-debuginfo-4.2.4-28.3.1
  libsamba-credentials0-4.2.4-28.3.1 libsamba-credentials0-debuginfo-4.2.4-28.3.1
  libsamba-hostconfig0-4.2.4-28.3.1 libsamba-hostconfig0-debuginfo-4.2.4-28.3.1
  libsamba-passdb0-4.2.4-28.3.1 libsamba-passdb0-debuginfo-4.2.4-28.3.1
  libsamba-util0-4.2.4-28.3.1 libsamba-util0-debuginfo-4.2.4-28.3.1
  libsamdb0-4.2.4-28.3.1 libsamdb0-debuginfo-4.2.4-28.3.1
  libsmbclient-raw0-4.2.4-28.3.1 libsmbclient-raw0-debuginfo-4.2.4-28.3.1
  libsmbclient0-4.2.4-28.3.1 libsmbclient0-debuginfo-4.2.4-28.3.1
  libsmbconf0-4.2.4-28.3.1 libsmbconf0-debuginfo-4.2.4-28.3.1
  libsmbldap0-4.2.4-28.3.1 libsmbldap0-debuginfo-4.2.4-28.3.1
  libtevent-util0-4.2.4-28.3.1 libtevent-util0-debuginfo-4.2.4-28.3.1
  libwbclient0-4.2.4-28.3.1 libwbclient0-debuginfo-4.2.4-28.3.1
  samba-4.2.4-28.3.1 samba-client-4.2.4-28.3.1 samba-client-debuginfo-4.2.4-28.3.1
  samba-debuginfo-4.2.4-28.3.1 samba-debugsource-4.2.4-28.3.1
  samba-libs-4.2.4-28.3.1 samba-libs-debuginfo-4.2.4-28.3.1
  samba-winbind-4.2.4-28.3.1 samba-winbind-debuginfo-4.2.4-28.3.1

- SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):

  libdcerpc-binding0-32bit-4.2.4-28.3.1 libdcerpc-binding0-debuginfo-32bit-4.2.4-28.3.1
  libdcerpc0-32bit-4.2.4-28.3.1 libdcerpc0-debuginfo-32bit-4.2.4-28.3.1
  libgensec0-32bit-4.2.4-28.3.1 libgensec0-debuginfo-32bit-4.2.4-28.3.1
  libndr-krb5pac0-32bit-4.2.4-28.3.1 libndr-krb5pac0-debuginfo-32bit-4.2.4-28.3.1
  libndr-nbt0-32bit-4.2.4-28.3.1 libndr-nbt0-debuginfo-32bit-4.2.4-28.3.1
  libndr-standard0-32bit-4.2.4-28.3.1 libndr-standard0-debuginfo-32bit-4.2.4-28.3.1
  libndr0-32bit-4.2.4-28.3.1 libndr0-debuginfo-32bit-4.2.4-28.3.1
  libnetapi0-32bit-4.2.4-28.3.1 libnetapi0-debuginfo-32bit-4.2.4-28.3.1
  libsamba-credentials0-32bit-4.2.4-28.3.1 libsamba-credentials0-debuginfo-32bit-4.2.4-28.3.1
  libsamba-hostconfig0-32bit-4.2.4-28.3.1 libsamba-hostconfig0-debuginfo-32bit-4.2.4-28.3.1
  libsamba-passdb0-32bit-4.2.4-28.3.1 libsamba-passdb0-debuginfo-32bit-4.2.4-28.3.1
  libsamba-util0-32bit-4.2.4-28.3.1 libsamba-util0-debuginfo-32bit-4.2.4-28.3.1
  libsamdb0-32bit-4.2.4-28.3.1 libsamdb0-debuginfo-32bit-4.2.4-28.3.1
  libsmbclient-raw0-32bit-4.2.4-28.3.1 libsmbclient-raw0-debuginfo-32bit-4.2.4-28.3.1
  libsmbclient0-32bit-4.2.4-28.3.1 libsmbclient0-debuginfo-32bit-4.2.4-28.3.1
  libsmbconf0-32bit-4.2.4-28.3.1 libsmbconf0-debuginfo-32bit-4.2.4-28.3.1
  libsmbldap0-32bit-4.2.4-28.3.1 libsmbldap0-debuginfo-32bit-4.2.4-28.3.1
  libtevent-util0-32bit-4.2.4-28.3.1 libtevent-util0-debuginfo-32bit-4.2.4-28.3.1
  libwbclient0-32bit-4.2.4-28.3.1 libwbclient0-debuginfo-32bit-4.2.4-28.3.1
  samba-32bit-4.2.4-28.3.1 samba-client-32bit-4.2.4-28.3.1 samba-client-debuginfo-32bit-4.2.4-28.3.1
  samba-debuginfo-32bit-4.2.4-28.3.1 samba-libs-32bit-4.2.4-28.3.1 samba-libs-debuginfo-32bit-4.2.4-28.3.1
  samba-winbind-32bit-4.2.4-28.3.1 samba-winbind-debuginfo-32bit-4.2.4-28.3.1

- SUSE Linux Enterprise Server 12-SP1 (noarch):

  samba-doc-4.2.4-28.3.1

- SUSE Linux Enterprise High Availability 12-SP1 (ppc64le s390x x86_64):

  ctdb-4.2.4-28.3.1 ctdb-debuginfo-4.2.4-28.3.1

- SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

  libdcerpc-atsvc0-4.2.4-28.3.1 libdcerpc-atsvc0-debuginfo-4.2.4-28.3.1

- SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

  libdcerpc-binding0-32bit-4.2.4-28.3.1 libdcerpc-binding0-4.2.4-28.3.1
  libdcerpc-binding0-debuginfo-32bit-4.2.4-28.3.1 libdcerpc-binding0-debuginfo-4.2.4-28.3.1
  libdcerpc0-32bit-4.2.4-28.3.1 libdcerpc0-4.2.4-28.3.1
  libdcerpc0-debuginfo-32bit-4.2.4-28.3.1 libdcerpc0-debuginfo-4.2.4-28.3.1
  libgensec0-32bit-4.2.4-28.3.1 libgensec0-4.2.4-28.3.1
  libgensec0-debuginfo-32bit-4.2.4-28.3.1 libgensec0-debuginfo-4.2.4-28.3.1
  libndr-krb5pac0-32bit-4.2.4-28.3.1 libndr-krb5pac0-4.2.4-28.3.1
  libndr-krb5pac0-debuginfo-32bit-4.2.4-28.3.1 libndr-krb5pac0-debuginfo-4.2.4-28.3.1
  libndr-nbt0-32bit-4.2.4-28.3.1 libndr-nbt0-4.2.4-28.3.1
  libndr-nbt0-debuginfo-32bit-4.2.4-28.3.1 libndr-nbt0-debuginfo-4.2.4-28.3.1
  libndr-standard0-32bit-4.2.4-28.3.1 libndr-standard0-4.2.4-28.3.1
  libndr-standard0-debuginfo-32bit-4.2.4-28.3.1 libndr-standard0-debuginfo-4.2.4-28.3.1
  libndr0-32bit-4.2.4-28.3.1 libndr0-4.2.4-28.3.1
  libndr0-debuginfo-32bit-4.2.4-28.3.1 libndr0-debuginfo-4.2.4-28.3.1
  libnetapi0-32bit-4.2.4-28.3.1 libnetapi0-4.2.4-28.3.1
  libnetapi0-debuginfo-32bit-4.2.4-28.3.1 libnetapi0-debuginfo-4.2.4-28.3.1
  libregistry0-4.2.4-28.3.1 libregistry0-debuginfo-4.2.4-28.3.1
  libsamba-credentials0-32bit-4.2.4-28.3.1 libsamba-credentials0-4.2.4-28.3.1
  libsamba-credentials0-debuginfo-32bit-4.2.4-28.3.1 libsamba-credentials0-debuginfo-4.2.4-28.3.1
  libsamba-hostconfig0-32bit-4.2.4-28.3.1 libsamba-hostconfig0-4.2.4-28.3.1
  libsamba-hostconfig0-debuginfo-32bit-4.2.4-28.3.1 libsamba-hostconfig0-debuginfo-4.2.4-28.3.1
  libsamba-passdb0-32bit-4.2.4-28.3.1 libsamba-passdb0-4.2.4-28.3.1
  libsamba-passdb0-debuginfo-32bit-4.2.4-28.3.1 libsamba-passdb0-debuginfo-4.2.4-28.3.1
  libsamba-util0-32bit-4.2.4-28.3.1 libsamba-util0-4.2.4-28.3.1
  libsamba-util0-debuginfo-32bit-4.2.4-28.3.1 libsamba-util0-debuginfo-4.2.4-28.3.1
  libsamdb0-32bit-4.2.4-28.3.1 libsamdb0-4.2.4-28.3.1
  libsamdb0-debuginfo-32bit-4.2.4-28.3.1 libsamdb0-debuginfo-4.2.4-28.3.1
  libsmbclient-raw0-32bit-4.2.4-28.3.1 libsmbclient-raw0-4.2.4-28.3.1
  libsmbclient-raw0-debuginfo-32bit-4.2.4-28.3.1 libsmbclient-raw0-debuginfo-4.2.4-28.3.1
  libsmbclient0-32bit-4.2.4-28.3.1 libsmbclient0-4.2.4-28.3.1
  libsmbclient0-debuginfo-32bit-4.2.4-28.3.1 libsmbclient0-debuginfo-4.2.4-28.3.1
  libsmbconf0-32bit-4.2.4-28.3.1 libsmbconf0-4.2.4-28.3.1
  libsmbconf0-debuginfo-32bit-4.2.4-28.3.1 libsmbconf0-debuginfo-4.2.4-28.3.1
  libsmbldap0-32bit-4.2.4-28.3.1 libsmbldap0-4.2.4-28.3.1
  libsmbldap0-debuginfo-32bit-4.2.4-28.3.1 libsmbldap0-debuginfo-4.2.4-28.3.1
  libtevent-util0-32bit-4.2.4-28.3.1 libtevent-util0-4.2.4-28.3.1
  libtevent-util0-debuginfo-32bit-4.2.4-28.3.1 libtevent-util0-debuginfo-4.2.4-28.3.1
  libwbclient0-32bit-4.2.4-28.3.1 libwbclient0-4.2.4-28.3.1
  libwbclient0-debuginfo-32bit-4.2.4-28.3.1 libwbclient0-debuginfo-4.2.4-28.3.1
  samba-32bit-4.2.4-28.3.1 samba-4.2.4-28.3.1
  samba-client-32bit-4.2.4-28.3.1 samba-client-4.2.4-28.3.1
  samba-client-debuginfo-32bit-4.2.4-28.3.1 samba-client-debuginfo-4.2.4-28.3.1
  samba-debuginfo-32bit-4.2.4-28.3.1 samba-debuginfo-4.2.4-28.3.1 samba-debugsource-4.2.4-28.3.1
  samba-libs-32bit-4.2.4-28.3.1 samba-libs-4.2.4-28.3.1
  samba-libs-debuginfo-32bit-4.2.4-28.3.1 samba-libs-debuginfo-4.2.4-28.3.1
  samba-winbind-32bit-4.2.4-28.3.1 samba-winbind-4.2.4-28.3.1
  samba-winbind-debuginfo-32bit-4.2.4-28.3.1 samba-winbind-debuginfo-4.2.4-28.3.1

- SUSE Linux Enterprise Desktop 12-SP1 (noarch):

  samba-doc-4.2.4-28.3.1

References:

https://www.suse.com/security/cve/CVE-2016-2123.html
https://www.suse.com/security/cve/CVE-2016-2125.html
https://www.suse.com/security/cve/CVE-2016-2126.html
https://bugzilla.suse.com/1001203
https://bugzilla.suse.com/1009085
https://bugzilla.suse.com/1014437
https://bugzilla.suse.com/1014441
https://bugzilla.suse.com/1014442
https://bugzilla.suse.com/975299
https://bugzilla.suse.com/986675
https://bugzilla.suse.com/991564
https://bugzilla.suse.com/994500
https://bugzilla.suse.com/997833

From sle-security-updates at lists.suse.com Tue Dec 27 09:11:00 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 27 Dec 2016 17:11:00 +0100 (CET)
Subject: SUSE-SU-2016:3273-1: important: Security update for xen
Message-ID: <20161227161100.22835FF36@maintenance.suse.de>

SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3273-1
Rating:             important
References:         #1000106 #1000893 #1003030 #1003032 #1005004 #1005005 #1007157 #1007160 #1009100 #1009103 #1009107 #1009109 #1009111 #1011652
Cross-References:   CVE-2016-7777 CVE-2016-7908 CVE-2016-7909 CVE-2016-8667 CVE-2016-8669 CVE-2016-8909 CVE-2016-8910 CVE-2016-9379 CVE-2016-9380 CVE-2016-9381 CVE-2016-9382 CVE-2016-9383 CVE-2016-9386 CVE-2016-9637
Affected Products:
                    SUSE OpenStack Cloud 5
                    SUSE Manager Proxy 2.1
                    SUSE Manager 2.1
                    SUSE Linux Enterprise Server 11-SP3-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

An update that fixes 14 vulnerabilities is now available.

Description:

This update for xen fixes several issues.

These security issues were fixed:

- CVE-2016-9637: ioport array overflow allowing a malicious guest administrator to escalate their privilege to that of the host (bsc#1011652)
- CVE-2016-9386: x86 null segments were not always treated as unusable, allowing an unprivileged guest user program to elevate its privilege to that of the guest operating system. Exploit of this vulnerability is easy on Intel and more complicated on AMD (bsc#1009100)
- CVE-2016-9382: x86 task switch to VM86 mode was mis-handled, allowing an unprivileged guest process to escalate its privilege to that of the guest operating system on AMD hardware. On Intel hardware a malicious unprivileged guest process can crash the guest (bsc#1009103)
- CVE-2016-9383: The x86 64-bit bit test instruction emulation was broken, allowing a guest to modify arbitrary memory, leading to arbitrary code execution (bsc#1009107)
- CVE-2016-9381: Improper processing of shared rings allowed guest administrators to take over the qemu process, elevating their privilege to that of the qemu process (bsc#1009109)
- CVE-2016-9380: Delimiter injection vulnerabilities in pygrub allowed guest administrators to obtain the contents of sensitive host files or delete the files (bsc#1009111)
- CVE-2016-9379: Delimiter injection vulnerabilities in pygrub allowed guest administrators to obtain the contents of sensitive host files or delete the files (bsc#1009111)
- CVE-2016-7777: Xen did not properly honor CR0.TS and CR0.EM, which allowed local x86 HVM guest OS users to read or modify FPU, MMX, or XMM register state information belonging to arbitrary tasks on the guest by modifying an instruction while the hypervisor is preparing to emulate it (bsc#1000106)
- CVE-2016-8910: The rtl8139_cplus_transmit function in hw/net/rtl8139.c allowed local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count (bsc#1007157)
- CVE-2016-8909: The intel_hda_xfer function in hw/audio/intel-hda.c allowed local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via an entry with the same value for buffer length and pointer position (bsc#1007160)
- CVE-2016-8667: The rc4030_write function in hw/dma/rc4030.c allowed local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via a large interval timer reload value (bsc#1005004)
- CVE-2016-8669: The serial_update_parameters function in hw/char/serial.c allowed local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base (bsc#1005005)
- CVE-2016-7908: The mcf_fec_do_tx function in hw/net/mcf_fec.c did not properly limit the buffer descriptor count when transmitting packets, which allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags (bsc#1003030)
- CVE-2016-7909: The pcnet_rdra_addr function in hw/net/pcnet.c allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0 (bsc#1003032)

This non-security issue was fixed:

- bsc#1000893: virsh setmem did not allow setting the current guest memory to the max limit

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud 5:

  zypper in -t patch sleclo50sp3-xen-12919=1

- SUSE Manager Proxy 2.1:

  zypper in -t patch slemap21-xen-12919=1

- SUSE Manager 2.1:

  zypper in -t patch sleman21-xen-12919=1

- SUSE Linux Enterprise Server 11-SP3-LTSS:

  zypper in -t patch slessp3-xen-12919=1

- SUSE Linux Enterprise Point of Sale 11-SP3:

  zypper in -t patch sleposp3-xen-12919=1

- SUSE Linux Enterprise Debuginfo 11-SP3:

  zypper in -t patch dbgsp3-xen-12919=1

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE OpenStack Cloud 5 (x86_64):

  xen-4.2.5_21-30.1 xen-doc-html-4.2.5_21-30.1 xen-doc-pdf-4.2.5_21-30.1
  xen-kmp-default-4.2.5_21_3.0.101_0.47.90-30.1
  xen-libs-32bit-4.2.5_21-30.1 xen-libs-4.2.5_21-30.1
  xen-tools-4.2.5_21-30.1 xen-tools-domU-4.2.5_21-30.1

- SUSE Manager Proxy 2.1 (x86_64):

  xen-4.2.5_21-30.1 xen-doc-html-4.2.5_21-30.1 xen-doc-pdf-4.2.5_21-30.1
  xen-kmp-default-4.2.5_21_3.0.101_0.47.90-30.1
  xen-libs-32bit-4.2.5_21-30.1 xen-libs-4.2.5_21-30.1
  xen-tools-4.2.5_21-30.1 xen-tools-domU-4.2.5_21-30.1

- SUSE Manager 2.1 (x86_64):

  xen-4.2.5_21-30.1 xen-doc-html-4.2.5_21-30.1 xen-doc-pdf-4.2.5_21-30.1
  xen-kmp-default-4.2.5_21_3.0.101_0.47.90-30.1
  xen-libs-32bit-4.2.5_21-30.1 xen-libs-4.2.5_21-30.1
  xen-tools-4.2.5_21-30.1 xen-tools-domU-4.2.5_21-30.1

- SUSE Linux Enterprise Server 11-SP3-LTSS (i586 x86_64):

  xen-kmp-default-4.2.5_21_3.0.101_0.47.90-30.1
  xen-libs-4.2.5_21-30.1 xen-tools-domU-4.2.5_21-30.1

- SUSE Linux Enterprise Server 11-SP3-LTSS (x86_64):

  xen-4.2.5_21-30.1 xen-doc-html-4.2.5_21-30.1 xen-doc-pdf-4.2.5_21-30.1
  xen-libs-32bit-4.2.5_21-30.1 xen-tools-4.2.5_21-30.1

- SUSE Linux Enterprise Server 11-SP3-LTSS (i586):

  xen-kmp-pae-4.2.5_21_3.0.101_0.47.90-30.1

- SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

  xen-kmp-default-4.2.5_21_3.0.101_0.47.90-30.1 xen-kmp-pae-4.2.5_21_3.0.101_0.47.90-30.1
  xen-libs-4.2.5_21-30.1 xen-tools-domU-4.2.5_21-30.1

- SUSE Linux Enterprise Debuginfo 11-SP3 (i586 x86_64):

  xen-debuginfo-4.2.5_21-30.1 xen-debugsource-4.2.5_21-30.1

References:

https://www.suse.com/security/cve/CVE-2016-7777.html
https://www.suse.com/security/cve/CVE-2016-7908.html
https://www.suse.com/security/cve/CVE-2016-7909.html
https://www.suse.com/security/cve/CVE-2016-8667.html
https://www.suse.com/security/cve/CVE-2016-8669.html
https://www.suse.com/security/cve/CVE-2016-8909.html
https://www.suse.com/security/cve/CVE-2016-8910.html
https://www.suse.com/security/cve/CVE-2016-9379.html
https://www.suse.com/security/cve/CVE-2016-9380.html
https://www.suse.com/security/cve/CVE-2016-9381.html
https://www.suse.com/security/cve/CVE-2016-9382.html
https://www.suse.com/security/cve/CVE-2016-9383.html
https://www.suse.com/security/cve/CVE-2016-9386.html
https://www.suse.com/security/cve/CVE-2016-9637.html
https://bugzilla.suse.com/1000106
https://bugzilla.suse.com/1000893
https://bugzilla.suse.com/1003030
https://bugzilla.suse.com/1003032
https://bugzilla.suse.com/1005004
https://bugzilla.suse.com/1005005
https://bugzilla.suse.com/1007157
https://bugzilla.suse.com/1007160
https://bugzilla.suse.com/1009100
https://bugzilla.suse.com/1009103
https://bugzilla.suse.com/1009107
https://bugzilla.suse.com/1009109
https://bugzilla.suse.com/1009111
https://bugzilla.suse.com/1011652

From sle-security-updates at lists.suse.com Thu Dec 29 05:07:41 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 29 Dec 2016 13:07:41 +0100 (CET)
Subject: SUSE-SU-2016:3286-1: Security update for libcares2
Message-ID: <20161229120741.CA314FF36@maintenance.suse.de>

SUSE Security Update: Security update for libcares2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3286-1
Rating:             low
References:         #1007728
Cross-References:   CVE-2016-5180
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP2
                    SUSE Linux Enterprise Workstation Extension 12-SP1
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

An update that fixes one vulnerability is now available.
Description:

This update for libcares2 fixes the following issues:

- Add patch to fix single byte out of buffer write (CVE-2016-5180, bsc#1007728)

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 12-SP2:

  zypper in -t patch SUSE-SLE-WE-12-SP2-2016-1924=1

- SUSE Linux Enterprise Workstation Extension 12-SP1:

  zypper in -t patch SUSE-SLE-WE-12-SP1-2016-1924=1

- SUSE Linux Enterprise Software Development Kit 12-SP2:

  zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1924=1

- SUSE Linux Enterprise Software Development Kit 12-SP1:

  zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1924=1

- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

  zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1924=1

- SUSE Linux Enterprise Server 12-SP2:

  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1924=1

- SUSE Linux Enterprise Server 12-SP1:

  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1924=1

- SUSE Linux Enterprise Desktop 12-SP2:

  zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1924=1

- SUSE Linux Enterprise Desktop 12-SP1:

  zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1924=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Workstation Extension 12-SP2 (x86_64):

  libcares2-32bit-1.9.1-5.1 libcares2-debuginfo-32bit-1.9.1-5.1

- SUSE Linux Enterprise Workstation Extension 12-SP1 (x86_64):

  libcares2-32bit-1.9.1-5.1 libcares2-debuginfo-32bit-1.9.1-5.1

- SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):

  libcares-devel-1.9.1-5.1 libcares2-debuginfo-1.9.1-5.1 libcares2-debugsource-1.9.1-5.1

- SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

  libcares-devel-1.9.1-5.1 libcares2-debuginfo-1.9.1-5.1 libcares2-debugsource-1.9.1-5.1

- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

  libcares2-1.9.1-5.1 libcares2-debuginfo-1.9.1-5.1 libcares2-debugsource-1.9.1-5.1

- SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):

  libcares2-1.9.1-5.1 libcares2-debuginfo-1.9.1-5.1 libcares2-debugsource-1.9.1-5.1

- SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

  libcares2-1.9.1-5.1 libcares2-debuginfo-1.9.1-5.1 libcares2-debugsource-1.9.1-5.1

- SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

  libcares2-1.9.1-5.1 libcares2-32bit-1.9.1-5.1 libcares2-debuginfo-1.9.1-5.1
  libcares2-debuginfo-32bit-1.9.1-5.1 libcares2-debugsource-1.9.1-5.1

- SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

  libcares2-1.9.1-5.1 libcares2-32bit-1.9.1-5.1 libcares2-debuginfo-1.9.1-5.1
  libcares2-debuginfo-32bit-1.9.1-5.1 libcares2-debugsource-1.9.1-5.1

References:

https://www.suse.com/security/cve/CVE-2016-5180.html
https://bugzilla.suse.com/1007728

From sle-security-updates at lists.suse.com Thu Dec 29 05:08:15 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 29 Dec 2016 13:08:15 +0100 (CET)
Subject: SUSE-SU-2016:3287-1: Security update for libcares2
Message-ID: <20161229120815.F1571F7BF@maintenance.suse.de>

SUSE Security Update: Security update for libcares2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3287-1
Rating:             low
References:         #1007728
Cross-References:   CVE-2016-5180
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for libcares2 fixes the following issues:

- Add patch to fix single byte out of buffer write (CVE-2016-5180, bsc#1007728)

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11-SP4:

  zypper in -t patch sdksp4-libcares2-12921=1

- SUSE Linux Enterprise Server 11-SP4:

  zypper in -t patch slessp4-libcares2-12921=1

- SUSE Linux Enterprise Debuginfo 11-SP4:

  zypper in -t patch dbgsp4-libcares2-12921=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

  libcares-devel-1.7.4-7.9.1

- SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

  libcares2-1.7.4-7.9.1

- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

  libcares2-debuginfo-1.7.4-7.9.1 libcares2-debugsource-1.7.4-7.9.1

- SUSE Linux Enterprise Debuginfo 11-SP4 (x86_64):

  libcares2-debuginfo-32bit-1.7.4-7.9.1

References:

https://www.suse.com/security/cve/CVE-2016-5180.html
https://bugzilla.suse.com/1007728

From sle-security-updates at lists.suse.com Thu Dec 29 05:08:42 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 29 Dec 2016 13:08:42 +0100 (CET)
Subject: SUSE-SU-2016:3288-1: important: Security update for gstreamer-plugins-good
Message-ID: <20161229120842.DEB42FF36@maintenance.suse.de>

SUSE Security Update: Security update for gstreamer-plugins-good
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3288-1
Rating:             important
References:         #1012102 #1012103 #1012104 #1013653 #1013655 #1013663
Cross-References:   CVE-2016-9634 CVE-2016-9635 CVE-2016-9636 CVE-2016-9807 CVE-2016-9808 CVE-2016-9810
Affected Products:
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

An update that fixes 6 vulnerabilities is now available.

Description:

This update for gstreamer-plugins-good fixes the following issues:

* CVE-2016-9807: flic decoder invalid read could lead to crash [bsc#1013655]
* CVE-2016-9634: flic out-of-bounds write could lead to code execution [bsc#1012102]
* CVE-2016-9635: flic out-of-bounds write could lead to code execution [bsc#1012103]
* CVE-2016-9635: flic out-of-bounds write could lead to code execution [bsc#1012104]
* CVE-2016-9808: A maliciously crafted flic file can still cause invalid memory accesses. [bsc#1013653]
* CVE-2016-9810: A maliciously crafted flic file can still cause invalid memory accesses [bsc#1013663]

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP1:

  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1922=1

- SUSE Linux Enterprise Desktop 12-SP1:

  zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1922=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

  gstreamer-plugins-good-1.2.4-2.3.1 gstreamer-plugins-good-debuginfo-1.2.4-2.3.1
  gstreamer-plugins-good-debugsource-1.2.4-2.3.1

- SUSE Linux Enterprise Server 12-SP1 (noarch):

  gstreamer-plugins-good-lang-1.2.4-2.3.1

- SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

  gstreamer-plugins-good-1.2.4-2.3.1 gstreamer-plugins-good-debuginfo-1.2.4-2.3.1
  gstreamer-plugins-good-debugsource-1.2.4-2.3.1

- SUSE Linux Enterprise Desktop 12-SP1 (noarch):

  gstreamer-plugins-good-lang-1.2.4-2.3.1

References:

https://www.suse.com/security/cve/CVE-2016-9634.html
https://www.suse.com/security/cve/CVE-2016-9635.html
https://www.suse.com/security/cve/CVE-2016-9636.html
https://www.suse.com/security/cve/CVE-2016-9807.html
https://www.suse.com/security/cve/CVE-2016-9808.html
https://www.suse.com/security/cve/CVE-2016-9810.html
https://bugzilla.suse.com/1012102
https://bugzilla.suse.com/1012103
https://bugzilla.suse.com/1012104
https://bugzilla.suse.com/1013653
https://bugzilla.suse.com/1013655
https://bugzilla.suse.com/1013663

From sle-security-updates at lists.suse.com Thu Dec 29 16:07:46 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 30 Dec 2016 00:07:46 +0100 (CET)
Subject: SUSE-SU-2016:3296-1: moderate: Security update for gstreamer-plugins-bad
Message-ID: <20161229230746.3EF3EFF36@maintenance.suse.de>

SUSE Security Update: Security update for gstreamer-plugins-bad
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3296-1
Rating:             moderate
References:         #1010829 #1013659 #1013678 #1013680
Cross-References:   CVE-2016-9445 CVE-2016-9446 CVE-2016-9809 CVE-2016-9812 CVE-2016-9813
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP2
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.

Description:

   This update for gstreamer-plugins-bad fixes the following security issues,
   which would allow attackers able to submit media files for indexing to
   cause code execution or crashes:

   - Check an integer overflow (CVE-2016-9445) and initialize a buffer
     (CVE-2016-9446) in vmncdec. (bsc#1010829)
   - CVE-2016-9809: Ensure codec_data has the right size when reading the
     number of SPS (bsc#1013659).
   - CVE-2016-9812: Add more section size checks (bsc#1013678).
   - CVE-2016-9813: Fix PAT parsing (bsc#1013680).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP2:

      zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1933=1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1933=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1933=1

   - SUSE Linux Enterprise Desktop 12-SP2:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1933=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):

      gstreamer-plugins-bad-debuginfo-1.8.3-14.1
      gstreamer-plugins-bad-debugsource-1.8.3-14.1
      gstreamer-plugins-bad-devel-1.8.3-14.1
      libgstinsertbin-1_0-0-1.8.3-14.1
      libgstinsertbin-1_0-0-debuginfo-1.8.3-14.1
      libgsturidownloader-1_0-0-1.8.3-14.1
      libgsturidownloader-1_0-0-debuginfo-1.8.3-14.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

      gstreamer-plugins-bad-1.8.3-14.1
      gstreamer-plugins-bad-debuginfo-1.8.3-14.1
      gstreamer-plugins-bad-debugsource-1.8.3-14.1
      libgstadaptivedemux-1_0-0-1.8.3-14.1
      libgstadaptivedemux-1_0-0-debuginfo-1.8.3-14.1
      libgstbadaudio-1_0-0-1.8.3-14.1
      libgstbadaudio-1_0-0-debuginfo-1.8.3-14.1
      libgstbadbase-1_0-0-1.8.3-14.1
      libgstbadbase-1_0-0-debuginfo-1.8.3-14.1
      libgstbadvideo-1_0-0-1.8.3-14.1
      libgstbadvideo-1_0-0-debuginfo-1.8.3-14.1
      libgstbasecamerabinsrc-1_0-0-1.8.3-14.1
      libgstbasecamerabinsrc-1_0-0-debuginfo-1.8.3-14.1
      libgstcodecparsers-1_0-0-1.8.3-14.1
      libgstcodecparsers-1_0-0-debuginfo-1.8.3-14.1
      libgstgl-1_0-0-1.8.3-14.1
      libgstgl-1_0-0-debuginfo-1.8.3-14.1
      libgstmpegts-1_0-0-1.8.3-14.1
      libgstmpegts-1_0-0-debuginfo-1.8.3-14.1
      libgstphotography-1_0-0-1.8.3-14.1
      libgstphotography-1_0-0-debuginfo-1.8.3-14.1
      libgsturidownloader-1_0-0-1.8.3-14.1
      libgsturidownloader-1_0-0-debuginfo-1.8.3-14.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (noarch):

      gstreamer-plugins-bad-lang-1.8.3-14.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):

      gstreamer-plugins-bad-1.8.3-14.1
      gstreamer-plugins-bad-debuginfo-1.8.3-14.1
      gstreamer-plugins-bad-debugsource-1.8.3-14.1
      libgstadaptivedemux-1_0-0-1.8.3-14.1
      libgstadaptivedemux-1_0-0-debuginfo-1.8.3-14.1
      libgstbadaudio-1_0-0-1.8.3-14.1
      libgstbadaudio-1_0-0-debuginfo-1.8.3-14.1
      libgstbadbase-1_0-0-1.8.3-14.1
      libgstbadbase-1_0-0-debuginfo-1.8.3-14.1
      libgstbadvideo-1_0-0-1.8.3-14.1
      libgstbadvideo-1_0-0-debuginfo-1.8.3-14.1
      libgstbasecamerabinsrc-1_0-0-1.8.3-14.1
      libgstbasecamerabinsrc-1_0-0-debuginfo-1.8.3-14.1
      libgstcodecparsers-1_0-0-1.8.3-14.1
      libgstcodecparsers-1_0-0-debuginfo-1.8.3-14.1
      libgstgl-1_0-0-1.8.3-14.1
      libgstgl-1_0-0-debuginfo-1.8.3-14.1
      libgstmpegts-1_0-0-1.8.3-14.1
      libgstmpegts-1_0-0-debuginfo-1.8.3-14.1
      libgstphotography-1_0-0-1.8.3-14.1
      libgstphotography-1_0-0-debuginfo-1.8.3-14.1
      libgsturidownloader-1_0-0-1.8.3-14.1
      libgsturidownloader-1_0-0-debuginfo-1.8.3-14.1

   - SUSE Linux Enterprise Server 12-SP2 (noarch):

      gstreamer-plugins-bad-lang-1.8.3-14.1

   - SUSE Linux Enterprise Desktop 12-SP2 (noarch):

      gstreamer-plugins-bad-lang-1.8.3-14.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

      gstreamer-plugins-bad-1.8.3-14.1
      gstreamer-plugins-bad-debuginfo-1.8.3-14.1
      gstreamer-plugins-bad-debugsource-1.8.3-14.1
      libgstadaptivedemux-1_0-0-1.8.3-14.1
      libgstadaptivedemux-1_0-0-debuginfo-1.8.3-14.1
      libgstbadaudio-1_0-0-1.8.3-14.1
      libgstbadaudio-1_0-0-debuginfo-1.8.3-14.1
      libgstbadbase-1_0-0-1.8.3-14.1
      libgstbadbase-1_0-0-debuginfo-1.8.3-14.1
      libgstbadvideo-1_0-0-1.8.3-14.1
      libgstbadvideo-1_0-0-debuginfo-1.8.3-14.1
      libgstbasecamerabinsrc-1_0-0-1.8.3-14.1
      libgstbasecamerabinsrc-1_0-0-debuginfo-1.8.3-14.1
      libgstcodecparsers-1_0-0-1.8.3-14.1
      libgstcodecparsers-1_0-0-debuginfo-1.8.3-14.1
      libgstgl-1_0-0-1.8.3-14.1
      libgstgl-1_0-0-debuginfo-1.8.3-14.1
      libgstmpegts-1_0-0-1.8.3-14.1
      libgstmpegts-1_0-0-debuginfo-1.8.3-14.1
      libgstphotography-1_0-0-1.8.3-14.1
      libgstphotography-1_0-0-debuginfo-1.8.3-14.1
      libgsturidownloader-1_0-0-1.8.3-14.1
      libgsturidownloader-1_0-0-debuginfo-1.8.3-14.1


References:

   https://www.suse.com/security/cve/CVE-2016-9445.html
   https://www.suse.com/security/cve/CVE-2016-9446.html
   https://www.suse.com/security/cve/CVE-2016-9809.html
   https://www.suse.com/security/cve/CVE-2016-9812.html
   https://www.suse.com/security/cve/CVE-2016-9813.html
   https://bugzilla.suse.com/1010829
   https://bugzilla.suse.com/1013659
   https://bugzilla.suse.com/1013678
   https://bugzilla.suse.com/1013680


From sle-security-updates at lists.suse.com Thu Dec 29 16:08:58 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 30 Dec 2016 00:08:58 +0100 (CET)
Subject: SUSE-SU-2016:3297-1: important: Security update for gstreamer-plugins-bad
Message-ID: <20161229230858.55F65F7BF@maintenance.suse.de>

   SUSE Security Update: Security update for gstreamer-plugins-bad
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3297-1
Rating:             important
References:         #1010829 #1013659 #1013678 #1013680
Cross-References:   CVE-2016-9445 CVE-2016-9446 CVE-2016-9809 CVE-2016-9812
                    CVE-2016-9813
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.

Description:

   This update for gstreamer-plugins-bad fixes the following issues:

   - CVE-2016-9809: A malicious mkv/h264 file could cause an off-by-one
     out-of-bounds read and lead to a crash (bsc#1013659)
   - CVE-2016-9812: A malicious mpeg file could cause an invalid null pointer
     access and lead to a crash (bsc#1013678)
   - CVE-2016-9813: A malicious mpegts file could cause an invalid null pointer
     access and lead to a crash (bsc#1013680)
   - CVE-2016-9445, CVE-2016-9446: Check an integer overflow and initialize a
     buffer in vmncdec (bsc#1010829)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1932=1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1932=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1932=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1932=1

   - SUSE Linux Enterprise Desktop 12-SP2:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1932=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1932=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      gstreamer-plugins-bad-debuginfo-1.2.4-3.4.1
      gstreamer-plugins-bad-debugsource-1.2.4-3.4.1
      gstreamer-plugins-bad-devel-1.2.4-3.4.1
      libgstinsertbin-1_0-0-1.2.4-3.4.1
      libgstinsertbin-1_0-0-debuginfo-1.2.4-3.4.1
      libgsturidownloader-1_0-0-1.2.4-3.4.1
      libgsturidownloader-1_0-0-debuginfo-1.2.4-3.4.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

      libgstegl-1_0-0-1.2.4-3.4.1
      libgstegl-1_0-0-debuginfo-1.2.4-3.4.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):

      libgstegl-1_0-0-1.2.4-3.4.1
      libgstegl-1_0-0-debuginfo-1.2.4-3.4.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      gstreamer-plugins-bad-1.2.4-3.4.1
      gstreamer-plugins-bad-debuginfo-1.2.4-3.4.1
      gstreamer-plugins-bad-debugsource-1.2.4-3.4.1
      libgstbasecamerabinsrc-1_0-0-1.2.4-3.4.1
      libgstbasecamerabinsrc-1_0-0-debuginfo-1.2.4-3.4.1
      libgstcodecparsers-1_0-0-1.2.4-3.4.1
      libgstcodecparsers-1_0-0-debuginfo-1.2.4-3.4.1
      libgstegl-1_0-0-1.2.4-3.4.1
      libgstegl-1_0-0-debuginfo-1.2.4-3.4.1
      libgstmpegts-1_0-0-1.2.4-3.4.1
      libgstmpegts-1_0-0-debuginfo-1.2.4-3.4.1
      libgstphotography-1_0-0-1.2.4-3.4.1
      libgstphotography-1_0-0-debuginfo-1.2.4-3.4.1

   - SUSE Linux Enterprise Server 12-SP1 (noarch):

      gstreamer-plugins-bad-lang-1.2.4-3.4.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

      libgstegl-1_0-0-1.2.4-3.4.1
      libgstegl-1_0-0-debuginfo-1.2.4-3.4.1

   - SUSE Linux Enterprise Desktop 12-SP1 (noarch):

      gstreamer-plugins-bad-lang-1.2.4-3.4.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      gstreamer-plugins-bad-1.2.4-3.4.1
      gstreamer-plugins-bad-debuginfo-1.2.4-3.4.1
      gstreamer-plugins-bad-debugsource-1.2.4-3.4.1
      libgstbasecamerabinsrc-1_0-0-1.2.4-3.4.1
      libgstbasecamerabinsrc-1_0-0-debuginfo-1.2.4-3.4.1
      libgstcodecparsers-1_0-0-1.2.4-3.4.1
      libgstcodecparsers-1_0-0-debuginfo-1.2.4-3.4.1
      libgstegl-1_0-0-1.2.4-3.4.1
      libgstegl-1_0-0-debuginfo-1.2.4-3.4.1
      libgstmpegts-1_0-0-1.2.4-3.4.1
      libgstmpegts-1_0-0-debuginfo-1.2.4-3.4.1
      libgstphotography-1_0-0-1.2.4-3.4.1
      libgstphotography-1_0-0-debuginfo-1.2.4-3.4.1


References:

   https://www.suse.com/security/cve/CVE-2016-9445.html
   https://www.suse.com/security/cve/CVE-2016-9446.html
   https://www.suse.com/security/cve/CVE-2016-9809.html
   https://www.suse.com/security/cve/CVE-2016-9812.html
   https://www.suse.com/security/cve/CVE-2016-9813.html
   https://bugzilla.suse.com/1010829
   https://bugzilla.suse.com/1013659
   https://bugzilla.suse.com/1013678
   https://bugzilla.suse.com/1013680


From sle-security-updates at lists.suse.com Thu Dec 29 16:09:59 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 30 Dec 2016 00:09:59 +0100 (CET)
Subject: SUSE-SU-2016:3298-1: moderate: Security update for samba
Message-ID: <20161229230959.C33A9F7BF@maintenance.suse.de>

   SUSE Security Update: Security update for samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3298-1
Rating:             moderate
References:         #1003731 #1009711 #1014441 #1014442 #993692 #997833
Cross-References:   CVE-2016-2125 CVE-2016-2126
Affected Products:
                    SUSE OpenStack Cloud 5
                    SUSE Manager Proxy 2.1
                    SUSE Manager 2.1
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Server 11-SP3-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that solves two vulnerabilities and has four fixes is now
   available.

Description:

   This update for samba provides the following fixes:

   Security issues fixed:

   - CVE-2016-2125: Don't send delegated credentials to all servers.
     (bsc#1014441)
   - CVE-2016-2126: Prevent denial of service due to a client-triggered crash
     in the winbindd parent process. (bsc#1014442)

   Non-security issues fixed:

   - Allow SESSION KEY setup without signing. (bsc#1009711)
   - Fix crash bug in tevent_queue_immediate_trigger(). (bsc#1003731)
   - Don't fail when using the default domain with the user@domain.com
     format. (bsc#997833)
   - Prevent a core dump: make sure response->extra_data.data is always
     cleared out. (bsc#993692)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 5:

      zypper in -t patch sleclo50sp3-samba-12924=1

   - SUSE Manager Proxy 2.1:

      zypper in -t patch slemap21-samba-12924=1

   - SUSE Manager 2.1:

      zypper in -t patch sleman21-samba-12924=1

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-samba-12924=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-samba-12924=1

   - SUSE Linux Enterprise Server 11-SP3-LTSS:

      zypper in -t patch slessp3-samba-12924=1

   - SUSE Linux Enterprise Point of Sale 11-SP3:

      zypper in -t patch sleposp3-samba-12924=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-samba-12924=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-samba-12924=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE OpenStack Cloud 5 (x86_64):

      ldapsmb-1.34b-84.1
      libldb1-3.6.3-84.1
      libsmbclient0-3.6.3-84.1
      libsmbclient0-32bit-3.6.3-84.1
      libtalloc2-3.6.3-84.1
      libtalloc2-32bit-3.6.3-84.1
      libtdb1-3.6.3-84.1
      libtdb1-32bit-3.6.3-84.1
      libtevent0-3.6.3-84.1
      libtevent0-32bit-3.6.3-84.1
      libwbclient0-3.6.3-84.1
      libwbclient0-32bit-3.6.3-84.1
      samba-3.6.3-84.1
      samba-32bit-3.6.3-84.1
      samba-client-3.6.3-84.1
      samba-client-32bit-3.6.3-84.1
      samba-krb-printing-3.6.3-84.1
      samba-winbind-3.6.3-84.1
      samba-winbind-32bit-3.6.3-84.1

   - SUSE OpenStack Cloud 5 (noarch):

      samba-doc-3.6.3-84.1

   - SUSE Manager Proxy 2.1 (x86_64):

      ldapsmb-1.34b-84.1
      libldb1-3.6.3-84.1
      libsmbclient0-3.6.3-84.1
      libsmbclient0-32bit-3.6.3-84.1
      libtalloc2-3.6.3-84.1
      libtalloc2-32bit-3.6.3-84.1
      libtdb1-3.6.3-84.1
      libtdb1-32bit-3.6.3-84.1
      libtevent0-3.6.3-84.1
      libtevent0-32bit-3.6.3-84.1
      libwbclient0-3.6.3-84.1
      libwbclient0-32bit-3.6.3-84.1
      samba-3.6.3-84.1
      samba-32bit-3.6.3-84.1
      samba-client-3.6.3-84.1
      samba-client-32bit-3.6.3-84.1
      samba-krb-printing-3.6.3-84.1
      samba-winbind-3.6.3-84.1
      samba-winbind-32bit-3.6.3-84.1

   - SUSE Manager Proxy 2.1 (noarch):

      samba-doc-3.6.3-84.1

   - SUSE Manager 2.1 (s390x x86_64):

      ldapsmb-1.34b-84.1
      libldb1-3.6.3-84.1
      libsmbclient0-3.6.3-84.1
      libsmbclient0-32bit-3.6.3-84.1
      libtalloc2-3.6.3-84.1
      libtalloc2-32bit-3.6.3-84.1
      libtdb1-3.6.3-84.1
      libtdb1-32bit-3.6.3-84.1
      libtevent0-3.6.3-84.1
      libtevent0-32bit-3.6.3-84.1
      libwbclient0-3.6.3-84.1
      libwbclient0-32bit-3.6.3-84.1
      samba-3.6.3-84.1
      samba-32bit-3.6.3-84.1
      samba-client-3.6.3-84.1
      samba-client-32bit-3.6.3-84.1
      samba-krb-printing-3.6.3-84.1
      samba-winbind-3.6.3-84.1
      samba-winbind-32bit-3.6.3-84.1

   - SUSE Manager 2.1 (noarch):

      samba-doc-3.6.3-84.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      libldb-devel-3.6.3-84.1
      libnetapi-devel-3.6.3-84.1
      libnetapi0-3.6.3-84.1
      libsmbclient-devel-3.6.3-84.1
      libsmbsharemodes-devel-3.6.3-84.1
      libsmbsharemodes0-3.6.3-84.1
      libtalloc-devel-3.6.3-84.1
      libtdb-devel-3.6.3-84.1
      libtevent-devel-3.6.3-84.1
      libwbclient-devel-3.6.3-84.1
      samba-devel-3.6.3-84.1
      samba-test-3.6.3-84.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      ldapsmb-1.34b-84.1
      libldb1-3.6.3-84.1
      libsmbclient0-3.6.3-84.1
      libtalloc2-3.6.3-84.1
      libtdb1-3.6.3-84.1
      libtevent0-3.6.3-84.1
      libwbclient0-3.6.3-84.1
      samba-3.6.3-84.1
      samba-client-3.6.3-84.1
      samba-krb-printing-3.6.3-84.1
      samba-winbind-3.6.3-84.1

   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):

      libsmbclient0-32bit-3.6.3-84.1
      libtalloc2-32bit-3.6.3-84.1
      libtdb1-32bit-3.6.3-84.1
      libtevent0-32bit-3.6.3-84.1
      libwbclient0-32bit-3.6.3-84.1
      samba-32bit-3.6.3-84.1
      samba-client-32bit-3.6.3-84.1
      samba-winbind-32bit-3.6.3-84.1

   - SUSE Linux Enterprise Server 11-SP4 (noarch):

      samba-doc-3.6.3-84.1

   - SUSE Linux Enterprise Server 11-SP4 (ia64):

      libsmbclient0-x86-3.6.3-84.1
      libtalloc2-x86-3.6.3-84.1
      libtdb1-x86-3.6.3-84.1
      libtevent0-x86-3.6.3-84.1
      libwbclient0-x86-3.6.3-84.1
      samba-client-x86-3.6.3-84.1
      samba-winbind-x86-3.6.3-84.1
      samba-x86-3.6.3-84.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64):

      ldapsmb-1.34b-84.1
      libldb1-3.6.3-84.1
      libsmbclient0-3.6.3-84.1
      libtalloc2-3.6.3-84.1
      libtdb1-3.6.3-84.1
      libtevent0-3.6.3-84.1
      libwbclient0-3.6.3-84.1
      samba-3.6.3-84.1
      samba-client-3.6.3-84.1
      samba-krb-printing-3.6.3-84.1
      samba-winbind-3.6.3-84.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (s390x x86_64):

      libsmbclient0-32bit-3.6.3-84.1
      libtalloc2-32bit-3.6.3-84.1
      libtdb1-32bit-3.6.3-84.1
      libtevent0-32bit-3.6.3-84.1
      libwbclient0-32bit-3.6.3-84.1
      samba-32bit-3.6.3-84.1
      samba-client-32bit-3.6.3-84.1
      samba-winbind-32bit-3.6.3-84.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (noarch):

      samba-doc-3.6.3-84.1

   - SUSE Linux Enterprise Point of Sale 11-SP3 (noarch):

      samba-doc-3.6.3-84.1

   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

      ldapsmb-1.34b-84.1
      libldb1-3.6.3-84.1
      libsmbclient0-3.6.3-84.1
      libtalloc2-3.6.3-84.1
      libtdb1-3.6.3-84.1
      libtevent0-3.6.3-84.1
      libwbclient0-3.6.3-84.1
      samba-3.6.3-84.1
      samba-client-3.6.3-84.1
      samba-krb-printing-3.6.3-84.1
      samba-winbind-3.6.3-84.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      samba-debuginfo-3.6.3-84.1
      samba-debugsource-3.6.3-84.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64 s390x x86_64):

      samba-debuginfo-32bit-3.6.3-84.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (ia64):

      samba-debuginfo-x86-3.6.3-84.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):

      samba-debuginfo-3.6.3-84.1
      samba-debugsource-3.6.3-84.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (s390x):

      samba-debuginfo-32bit-3.6.3-84.1


References:

   https://www.suse.com/security/cve/CVE-2016-2125.html
   https://www.suse.com/security/cve/CVE-2016-2126.html
   https://bugzilla.suse.com/1003731
   https://bugzilla.suse.com/1009711
   https://bugzilla.suse.com/1014441
   https://bugzilla.suse.com/1014442
   https://bugzilla.suse.com/993692
   https://bugzilla.suse.com/997833


From sle-security-updates at lists.suse.com Thu Dec 29 16:11:31 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 30 Dec 2016 00:11:31 +0100 (CET)
Subject: SUSE-SU-2016:3299-1: moderate: Security update for samba
Message-ID: <20161229231131.AAB62F7BF@maintenance.suse.de>

   SUSE Security Update: Security update for samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3299-1
Rating:             moderate
References:         #1001203 #1009085 #1014437 #1014441 #1014442 #975299
                    #986675 #991564 #994500 #997833
Cross-References:   CVE-2016-2123 CVE-2016-2125 CVE-2016-2126
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12
                    SUSE Linux Enterprise Server 12-LTSS
                    SUSE Linux Enterprise High Availability 12
______________________________________________________________________________

   An update that solves three vulnerabilities and has 7 fixes is now
   available.
Description:

   This update for samba fixes the following issues:

   Security issues fixed:

   - CVE-2016-2125: Don't send delegated credentials to all servers.
     (bsc#1014441)
   - CVE-2016-2126: Denial of service due to a client-triggered crash in the
     winbindd parent process. (bsc#1014442)
   - CVE-2016-2123: Heap-based buffer overflow remote code execution
     vulnerability. (bsc#1014437) This issue does not affect our packages, as
     the component is not built.

   Non-security issues fixed:

   - s3/client: obey the 'disable netbios' smb.conf parameter, don't connect
     via the NBT port (bsc#1009085)
   - Add documentation changes for the net ads --no-dns-updates switch
     (bsc#991564)
   - Include vfstest in samba-test (bsc#1001203)
   - s3/winbindd: using the default domain with the user@domain.com format
     fails (bsc#997833)
   - Fix illegal memory access after memory has been deleted (bsc#975299)
   - Fix bug in the tevent poll backend causing winbind to loop tightly
     (bsc#994500)
   - Various fixes for spnego/ntlm (bsc#986675)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12:

      zypper in -t patch SUSE-SLE-SAP-12-2016-1935=1

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-1935=1

   - SUSE Linux Enterprise High Availability 12:

      zypper in -t patch SUSE-SLE-HA-12-2016-1935=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server for SAP 12 (noarch):

      samba-doc-4.2.4-18.30.1

   - SUSE Linux Enterprise Server for SAP 12 (x86_64):

      ctdb-4.2.4-18.30.1
      ctdb-debuginfo-4.2.4-18.30.1
      libdcerpc-binding0-32bit-4.2.4-18.30.1
      libdcerpc-binding0-4.2.4-18.30.1
      libdcerpc-binding0-debuginfo-32bit-4.2.4-18.30.1
      libdcerpc-binding0-debuginfo-4.2.4-18.30.1
      libdcerpc0-32bit-4.2.4-18.30.1
      libdcerpc0-4.2.4-18.30.1
      libdcerpc0-debuginfo-32bit-4.2.4-18.30.1
      libdcerpc0-debuginfo-4.2.4-18.30.1
      libgensec0-32bit-4.2.4-18.30.1
      libgensec0-4.2.4-18.30.1
      libgensec0-debuginfo-32bit-4.2.4-18.30.1
      libgensec0-debuginfo-4.2.4-18.30.1
      libndr-krb5pac0-32bit-4.2.4-18.30.1
      libndr-krb5pac0-4.2.4-18.30.1
      libndr-krb5pac0-debuginfo-32bit-4.2.4-18.30.1
      libndr-krb5pac0-debuginfo-4.2.4-18.30.1
      libndr-nbt0-32bit-4.2.4-18.30.1
      libndr-nbt0-4.2.4-18.30.1
      libndr-nbt0-debuginfo-32bit-4.2.4-18.30.1
      libndr-nbt0-debuginfo-4.2.4-18.30.1
      libndr-standard0-32bit-4.2.4-18.30.1
      libndr-standard0-4.2.4-18.30.1
      libndr-standard0-debuginfo-32bit-4.2.4-18.30.1
      libndr-standard0-debuginfo-4.2.4-18.30.1
      libndr0-32bit-4.2.4-18.30.1
      libndr0-4.2.4-18.30.1
      libndr0-debuginfo-32bit-4.2.4-18.30.1
      libndr0-debuginfo-4.2.4-18.30.1
      libnetapi0-32bit-4.2.4-18.30.1
      libnetapi0-4.2.4-18.30.1
      libnetapi0-debuginfo-32bit-4.2.4-18.30.1
      libnetapi0-debuginfo-4.2.4-18.30.1
      libregistry0-4.2.4-18.30.1
      libregistry0-debuginfo-4.2.4-18.30.1
      libsamba-credentials0-32bit-4.2.4-18.30.1
      libsamba-credentials0-4.2.4-18.30.1
      libsamba-credentials0-debuginfo-32bit-4.2.4-18.30.1
      libsamba-credentials0-debuginfo-4.2.4-18.30.1
      libsamba-hostconfig0-32bit-4.2.4-18.30.1
      libsamba-hostconfig0-4.2.4-18.30.1
      libsamba-hostconfig0-debuginfo-32bit-4.2.4-18.30.1
      libsamba-hostconfig0-debuginfo-4.2.4-18.30.1
      libsamba-passdb0-32bit-4.2.4-18.30.1
      libsamba-passdb0-4.2.4-18.30.1
      libsamba-passdb0-debuginfo-32bit-4.2.4-18.30.1
      libsamba-passdb0-debuginfo-4.2.4-18.30.1
      libsamba-util0-32bit-4.2.4-18.30.1
      libsamba-util0-4.2.4-18.30.1
      libsamba-util0-debuginfo-32bit-4.2.4-18.30.1
      libsamba-util0-debuginfo-4.2.4-18.30.1
      libsamdb0-32bit-4.2.4-18.30.1
      libsamdb0-4.2.4-18.30.1
      libsamdb0-debuginfo-32bit-4.2.4-18.30.1
      libsamdb0-debuginfo-4.2.4-18.30.1
      libsmbclient-raw0-32bit-4.2.4-18.30.1
      libsmbclient-raw0-4.2.4-18.30.1
      libsmbclient-raw0-debuginfo-32bit-4.2.4-18.30.1
      libsmbclient-raw0-debuginfo-4.2.4-18.30.1
      libsmbclient0-32bit-4.2.4-18.30.1
      libsmbclient0-4.2.4-18.30.1
      libsmbclient0-debuginfo-32bit-4.2.4-18.30.1
      libsmbclient0-debuginfo-4.2.4-18.30.1
      libsmbconf0-32bit-4.2.4-18.30.1
      libsmbconf0-4.2.4-18.30.1
      libsmbconf0-debuginfo-32bit-4.2.4-18.30.1
      libsmbconf0-debuginfo-4.2.4-18.30.1
      libsmbldap0-32bit-4.2.4-18.30.1
      libsmbldap0-4.2.4-18.30.1
      libsmbldap0-debuginfo-32bit-4.2.4-18.30.1
      libsmbldap0-debuginfo-4.2.4-18.30.1
      libtevent-util0-32bit-4.2.4-18.30.1
      libtevent-util0-4.2.4-18.30.1
      libtevent-util0-debuginfo-32bit-4.2.4-18.30.1
      libtevent-util0-debuginfo-4.2.4-18.30.1
      libwbclient0-32bit-4.2.4-18.30.1
      libwbclient0-4.2.4-18.30.1
      libwbclient0-debuginfo-32bit-4.2.4-18.30.1
      libwbclient0-debuginfo-4.2.4-18.30.1
      samba-32bit-4.2.4-18.30.1
      samba-4.2.4-18.30.1
      samba-client-32bit-4.2.4-18.30.1
      samba-client-4.2.4-18.30.1
      samba-client-debuginfo-32bit-4.2.4-18.30.1
      samba-client-debuginfo-4.2.4-18.30.1
      samba-debuginfo-32bit-4.2.4-18.30.1
      samba-debuginfo-4.2.4-18.30.1
      samba-debugsource-4.2.4-18.30.1
      samba-libs-32bit-4.2.4-18.30.1
      samba-libs-4.2.4-18.30.1
      samba-libs-debuginfo-32bit-4.2.4-18.30.1
      samba-libs-debuginfo-4.2.4-18.30.1
      samba-winbind-32bit-4.2.4-18.30.1
      samba-winbind-4.2.4-18.30.1
      samba-winbind-debuginfo-32bit-4.2.4-18.30.1
      samba-winbind-debuginfo-4.2.4-18.30.1

   - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

      ctdb-4.2.4-18.30.1
      ctdb-debuginfo-4.2.4-18.30.1
      libdcerpc-binding0-4.2.4-18.30.1
      libdcerpc-binding0-debuginfo-4.2.4-18.30.1
      libdcerpc0-4.2.4-18.30.1
      libdcerpc0-debuginfo-4.2.4-18.30.1
      libgensec0-4.2.4-18.30.1
      libgensec0-debuginfo-4.2.4-18.30.1
      libndr-krb5pac0-4.2.4-18.30.1
      libndr-krb5pac0-debuginfo-4.2.4-18.30.1
      libndr-nbt0-4.2.4-18.30.1
      libndr-nbt0-debuginfo-4.2.4-18.30.1
      libndr-standard0-4.2.4-18.30.1
      libndr-standard0-debuginfo-4.2.4-18.30.1
      libndr0-4.2.4-18.30.1
      libndr0-debuginfo-4.2.4-18.30.1
      libnetapi0-4.2.4-18.30.1
      libnetapi0-debuginfo-4.2.4-18.30.1
      libregistry0-4.2.4-18.30.1
      libregistry0-debuginfo-4.2.4-18.30.1
      libsamba-credentials0-4.2.4-18.30.1
      libsamba-credentials0-debuginfo-4.2.4-18.30.1
      libsamba-hostconfig0-4.2.4-18.30.1
      libsamba-hostconfig0-debuginfo-4.2.4-18.30.1
      libsamba-passdb0-4.2.4-18.30.1
      libsamba-passdb0-debuginfo-4.2.4-18.30.1
      libsamba-util0-4.2.4-18.30.1
      libsamba-util0-debuginfo-4.2.4-18.30.1
      libsamdb0-4.2.4-18.30.1
      libsamdb0-debuginfo-4.2.4-18.30.1
      libsmbclient-raw0-4.2.4-18.30.1
      libsmbclient-raw0-debuginfo-4.2.4-18.30.1
      libsmbclient0-4.2.4-18.30.1
      libsmbclient0-debuginfo-4.2.4-18.30.1
      libsmbconf0-4.2.4-18.30.1
      libsmbconf0-debuginfo-4.2.4-18.30.1
      libsmbldap0-4.2.4-18.30.1
      libsmbldap0-debuginfo-4.2.4-18.30.1
      libtevent-util0-4.2.4-18.30.1
      libtevent-util0-debuginfo-4.2.4-18.30.1
      libwbclient0-4.2.4-18.30.1
      libwbclient0-debuginfo-4.2.4-18.30.1
      samba-4.2.4-18.30.1
      samba-client-4.2.4-18.30.1
      samba-client-debuginfo-4.2.4-18.30.1
      samba-debuginfo-4.2.4-18.30.1
      samba-debugsource-4.2.4-18.30.1
      samba-libs-4.2.4-18.30.1
      samba-libs-debuginfo-4.2.4-18.30.1
      samba-winbind-4.2.4-18.30.1
      samba-winbind-debuginfo-4.2.4-18.30.1

   - SUSE Linux Enterprise Server 12-LTSS (s390x x86_64):

      libdcerpc-binding0-32bit-4.2.4-18.30.1
      libdcerpc-binding0-debuginfo-32bit-4.2.4-18.30.1
      libdcerpc0-32bit-4.2.4-18.30.1
      libdcerpc0-debuginfo-32bit-4.2.4-18.30.1
      libgensec0-32bit-4.2.4-18.30.1
      libgensec0-debuginfo-32bit-4.2.4-18.30.1
      libndr-krb5pac0-32bit-4.2.4-18.30.1
      libndr-krb5pac0-debuginfo-32bit-4.2.4-18.30.1
      libndr-nbt0-32bit-4.2.4-18.30.1
      libndr-nbt0-debuginfo-32bit-4.2.4-18.30.1
      libndr-standard0-32bit-4.2.4-18.30.1
      libndr-standard0-debuginfo-32bit-4.2.4-18.30.1
      libndr0-32bit-4.2.4-18.30.1
      libndr0-debuginfo-32bit-4.2.4-18.30.1
      libnetapi0-32bit-4.2.4-18.30.1
      libnetapi0-debuginfo-32bit-4.2.4-18.30.1
      libsamba-credentials0-32bit-4.2.4-18.30.1
      libsamba-credentials0-debuginfo-32bit-4.2.4-18.30.1
      libsamba-hostconfig0-32bit-4.2.4-18.30.1
      libsamba-hostconfig0-debuginfo-32bit-4.2.4-18.30.1
      libsamba-passdb0-32bit-4.2.4-18.30.1
      libsamba-passdb0-debuginfo-32bit-4.2.4-18.30.1
      libsamba-util0-32bit-4.2.4-18.30.1
      libsamba-util0-debuginfo-32bit-4.2.4-18.30.1
      libsamdb0-32bit-4.2.4-18.30.1
      libsamdb0-debuginfo-32bit-4.2.4-18.30.1
      libsmbclient-raw0-32bit-4.2.4-18.30.1
      libsmbclient-raw0-debuginfo-32bit-4.2.4-18.30.1
      libsmbclient0-32bit-4.2.4-18.30.1
      libsmbclient0-debuginfo-32bit-4.2.4-18.30.1
      libsmbconf0-32bit-4.2.4-18.30.1
      libsmbconf0-debuginfo-32bit-4.2.4-18.30.1
      libsmbldap0-32bit-4.2.4-18.30.1
      libsmbldap0-debuginfo-32bit-4.2.4-18.30.1
      libtevent-util0-32bit-4.2.4-18.30.1
      libtevent-util0-debuginfo-32bit-4.2.4-18.30.1
      libwbclient0-32bit-4.2.4-18.30.1
      libwbclient0-debuginfo-32bit-4.2.4-18.30.1
      samba-32bit-4.2.4-18.30.1
      samba-client-32bit-4.2.4-18.30.1
      samba-client-debuginfo-32bit-4.2.4-18.30.1
      samba-debuginfo-32bit-4.2.4-18.30.1
      samba-libs-32bit-4.2.4-18.30.1
      samba-libs-debuginfo-32bit-4.2.4-18.30.1
      samba-winbind-32bit-4.2.4-18.30.1
      samba-winbind-debuginfo-32bit-4.2.4-18.30.1

   - SUSE Linux Enterprise Server 12-LTSS (noarch):

      samba-doc-4.2.4-18.30.1

   - SUSE Linux Enterprise High Availability 12 (s390x x86_64):

      ctdb-4.2.4-18.30.1
      ctdb-debuginfo-4.2.4-18.30.1


References:

   https://www.suse.com/security/cve/CVE-2016-2123.html
   https://www.suse.com/security/cve/CVE-2016-2125.html
   https://www.suse.com/security/cve/CVE-2016-2126.html
   https://bugzilla.suse.com/1001203
   https://bugzilla.suse.com/1009085
   https://bugzilla.suse.com/1014437
   https://bugzilla.suse.com/1014441
   https://bugzilla.suse.com/1014442
   https://bugzilla.suse.com/975299
   https://bugzilla.suse.com/986675
   https://bugzilla.suse.com/991564
   https://bugzilla.suse.com/994500
   https://bugzilla.suse.com/997833


From sle-security-updates at lists.suse.com Thu Dec 29 16:13:38 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 30 Dec 2016 00:13:38 +0100 (CET)
Subject: SUSE-SU-2016:3300-1: moderate: Security update for samba
Message-ID: <20161229231338.0EE3DF7BF@maintenance.suse.de>

   SUSE Security Update: Security update for samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3300-1
Rating:             moderate
References:         #1003731 #1009711 #1014441 #1014442 #975131 #978898
                    #993692 #997833
Cross-References:   CVE-2016-2125 CVE-2016-2126
Affected Products:
                    SUSE Linux Enterprise Server 11-SP2-LTSS
                    SUSE Linux Enterprise Debuginfo 11-SP2
______________________________________________________________________________

   An update that solves two vulnerabilities and has 6 fixes is now
   available.

Description:

   This update for samba provides the following fixes:

   Security issues fixed:

   - CVE-2016-2125: Don't send delegated credentials to all servers.
     (bsc#1014441)
   - CVE-2016-2126: Prevent denial of service due to a client-triggered crash
     in the winbindd parent process. (bsc#1014442)

   Non-security issues fixed:

   - Allow SESSION KEY setup without signing. (bsc#1009711)
   - Fix crash bug in tevent_queue_immediate_trigger(). (bsc#1003731)
   - Don't fail when using the default domain with the user@domain.com
     format. (bsc#997833)
   - Prevent a core dump: make sure response->extra_data.data is always
     cleared out. (bsc#993692)
   - Honor smb.conf socket options in winbind. (bsc#975131)
   - Fix crash with net rpc join. (bsc#978898)
   - Fix a regression verifying the security trailer. (bsc#978898)
   - Fix updating netlogon credentials. (bsc#978898)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP2-LTSS:

      zypper in -t patch slessp2-samba-12925=1

   - SUSE Linux Enterprise Debuginfo 11-SP2:

      zypper in -t patch dbgsp2-samba-12925=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):

      ldapsmb-1.34b-56.1
      libldb1-3.6.3-56.1
      libsmbclient0-3.6.3-56.1
      libtalloc2-3.6.3-56.1
      libtdb1-3.6.3-56.1
      libtevent0-3.6.3-56.1
      libwbclient0-3.6.3-56.1
      samba-3.6.3-56.1
      samba-client-3.6.3-56.1
      samba-krb-printing-3.6.3-56.1
      samba-winbind-3.6.3-56.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (s390x x86_64):

      libsmbclient0-32bit-3.6.3-56.1
      libtalloc2-32bit-3.6.3-56.1
      libtdb1-32bit-3.6.3-56.1
      libtevent0-32bit-3.6.3-56.1
      libwbclient0-32bit-3.6.3-56.1
      samba-32bit-3.6.3-56.1
      samba-client-32bit-3.6.3-56.1
      samba-winbind-32bit-3.6.3-56.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (noarch):

      samba-doc-3.6.3-56.1

   - SUSE Linux Enterprise Debuginfo 11-SP2 (i586 s390x x86_64):

      samba-debuginfo-3.6.3-56.1
      samba-debugsource-3.6.3-56.1

   - SUSE Linux Enterprise Debuginfo 11-SP2 (s390x x86_64):

      samba-debuginfo-32bit-3.6.3-56.1


References:

   https://www.suse.com/security/cve/CVE-2016-2125.html
   https://www.suse.com/security/cve/CVE-2016-2126.html
   https://bugzilla.suse.com/1003731
   https://bugzilla.suse.com/1009711
   https://bugzilla.suse.com/1014441
   https://bugzilla.suse.com/1014442
   https://bugzilla.suse.com/975131
   https://bugzilla.suse.com/978898
   https://bugzilla.suse.com/993692
   https://bugzilla.suse.com/997833


From sle-security-updates at lists.suse.com Thu Dec 29 16:15:32 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 30 Dec 2016 00:15:32 +0100 (CET)
Subject: SUSE-SU-2016:3301-1: moderate: Security update for tiff
Message-ID: <20161229231532.BA8A5F7BF@maintenance.suse.de>

   SUSE Security Update: Security update for tiff
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3301-1
Rating:             moderate
References:         #1007280 #1010161 #1010163 #1011103 #1011107 #914890
                    #974449 #974840 #984813 #984815 #987351
Cross-References:   CVE-2014-8127 CVE-2016-3622 CVE-2016-3658 CVE-2016-5321
                    CVE-2016-5323 CVE-2016-5652 CVE-2016-5875 CVE-2016-9273
                    CVE-2016-9297 CVE-2016-9448 CVE-2016-9453
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes 11 vulnerabilities is now available.

Description:

   The tiff library and tools were updated to version 4.0.7, fixing various
   bugs and security issues.

   - CVE-2014-8127: out-of-bounds read with a malformed TIFF image in multiple
     tools [bnc#914890]
   - CVE-2016-9297: tif_dirread.c read outside buffer in _TIFFPrintField()
     [bnc#1010161]
   - CVE-2016-3658: Illegal read in the TIFFWriteDirectoryTagLongLong8Array
     function in tiffset / tif_dirwrite.c [bnc#974840]
   - CVE-2016-9273: heap overflow [bnc#1010163]
   - CVE-2016-3622: divide by zero in the tiff2rgba tool [bnc#974449]
   - CVE-2016-5652: tiff2pdf JPEG compression tables heap buffer overflow
     [bnc#1007280]
   - CVE-2016-9453: out-of-bounds write in memcpy and insufficient bounds
     check in tiff2pdf [bnc#1011107]
   - CVE-2016-5875: heap-based buffer overflow when using the PixarLog
     compression format [bnc#987351]
   - CVE-2016-9448: regression introduced by fixing CVE-2016-9297
     [bnc#1011103]
   - CVE-2016-5321: out-of-bounds read in the tiffcrop / DumpModeDecode()
     function [bnc#984813]
   - CVE-2016-5323: divide-by-zero in the _TIFFFax3fillruns() function (null
     ptr dereference?) [bnc#984815]

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP2:

      zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1937=1

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1937=1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1937=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1937=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1937=1

   - SUSE Linux Enterprise Desktop 12-SP2:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1937=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1937=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):

      libtiff-devel-4.0.7-35.1
      tiff-debuginfo-4.0.7-35.1
      tiff-debugsource-4.0.7-35.1

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      libtiff-devel-4.0.7-35.1
      tiff-debuginfo-4.0.7-35.1
      tiff-debugsource-4.0.7-35.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

      libtiff5-4.0.7-35.1
      libtiff5-debuginfo-4.0.7-35.1
      tiff-4.0.7-35.1
      tiff-debuginfo-4.0.7-35.1
      tiff-debugsource-4.0.7-35.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):

      libtiff5-4.0.7-35.1
      libtiff5-debuginfo-4.0.7-35.1
      tiff-4.0.7-35.1
      tiff-debuginfo-4.0.7-35.1
      tiff-debugsource-4.0.7-35.1

   - SUSE Linux Enterprise Server 12-SP2 (x86_64):

      libtiff5-32bit-4.0.7-35.1
      libtiff5-debuginfo-32bit-4.0.7-35.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      libtiff5-4.0.7-35.1
      libtiff5-debuginfo-4.0.7-35.1
      tiff-4.0.7-35.1
      tiff-debuginfo-4.0.7-35.1
      tiff-debugsource-4.0.7-35.1

   - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):

      libtiff5-32bit-4.0.7-35.1
      libtiff5-debuginfo-32bit-4.0.7-35.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

      libtiff5-32bit-4.0.7-35.1
      libtiff5-4.0.7-35.1
      libtiff5-debuginfo-32bit-4.0.7-35.1
      libtiff5-debuginfo-4.0.7-35.1
      tiff-debuginfo-4.0.7-35.1
      tiff-debugsource-4.0.7-35.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      libtiff5-32bit-4.0.7-35.1
      libtiff5-4.0.7-35.1
      libtiff5-debuginfo-32bit-4.0.7-35.1
      libtiff5-debuginfo-4.0.7-35.1
      tiff-debuginfo-4.0.7-35.1
      tiff-debugsource-4.0.7-35.1


References:

   https://www.suse.com/security/cve/CVE-2014-8127.html
   https://www.suse.com/security/cve/CVE-2016-3622.html
   https://www.suse.com/security/cve/CVE-2016-3658.html
   https://www.suse.com/security/cve/CVE-2016-5321.html
   https://www.suse.com/security/cve/CVE-2016-5323.html
   https://www.suse.com/security/cve/CVE-2016-5652.html
   https://www.suse.com/security/cve/CVE-2016-5875.html
   https://www.suse.com/security/cve/CVE-2016-9273.html
   https://www.suse.com/security/cve/CVE-2016-9297.html
   https://www.suse.com/security/cve/CVE-2016-9448.html
   https://www.suse.com/security/cve/CVE-2016-9453.html
   https://bugzilla.suse.com/1007280
   https://bugzilla.suse.com/1010161
   https://bugzilla.suse.com/1010163
   https://bugzilla.suse.com/1011103
   https://bugzilla.suse.com/1011107
   https://bugzilla.suse.com/914890
   https://bugzilla.suse.com/974449
   https://bugzilla.suse.com/974840
   https://bugzilla.suse.com/984813
   https://bugzilla.suse.com/984815
   https://bugzilla.suse.com/987351


From sle-security-updates at lists.suse.com Fri Dec 30 10:08:10 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 30 Dec 2016 18:08:10 +0100 (CET)
Subject: SUSE-SU-2016:3303-1: important: Security update for gstreamer-plugins-good
Message-ID: <20161230170810.4EA64F7BF@maintenance.suse.de>

   SUSE Security Update: Security update for gstreamer-plugins-good
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3303-1
Rating:             important
References:         #1012102 #1012103 #1012104 #1013653 #1013655 #1013663
Cross-References:   CVE-2016-9634 CVE-2016-9635
CVE-2016-9636 CVE-2016-9807 CVE-2016-9808 CVE-2016-9810 Affected Products: SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Desktop 12-SP2 ______________________________________________________________________________ An update that fixes 6 vulnerabilities is now available. Description: This update for gstreamer-plugins-good fixes the following security issues: - CVE-2016-9807: Flic decoder invalid read could lead to crash. (bsc#1013655) - CVE-2016-9634: Flic out-of-bounds write could lead to code execution. (bsc#1012102) - CVE-2016-9635: Flic out-of-bounds write could lead to code execution. (bsc#1012103) - CVE-2016-9635: Flic out-of-bounds write could lead to code execution. (bsc#1012104) - CVE-2016-9808: A maliciously crafted flic file can still cause invalid memory accesses. (bsc#1013653) - CVE-2016-9810: A maliciously crafted flic file can still cause invalid memory accesses. (bsc#1013663) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1939=1 - SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1939=1 - SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1939=1 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): gstreamer-plugins-good-1.8.3-9.1 gstreamer-plugins-good-debuginfo-1.8.3-9.1 gstreamer-plugins-good-debugsource-1.8.3-9.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (noarch): gstreamer-plugins-good-lang-1.8.3-9.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64): gstreamer-plugins-good-1.8.3-9.1 gstreamer-plugins-good-debuginfo-1.8.3-9.1 gstreamer-plugins-good-debugsource-1.8.3-9.1 - SUSE Linux Enterprise Server 12-SP2 (noarch): gstreamer-plugins-good-lang-1.8.3-9.1 - SUSE Linux Enterprise Desktop 12-SP2 (noarch): gstreamer-plugins-good-lang-1.8.3-9.1 - SUSE Linux Enterprise Desktop 12-SP2 (x86_64): gstreamer-plugins-good-1.8.3-9.1 gstreamer-plugins-good-debuginfo-1.8.3-9.1 gstreamer-plugins-good-debugsource-1.8.3-9.1 References: https://www.suse.com/security/cve/CVE-2016-9634.html https://www.suse.com/security/cve/CVE-2016-9635.html https://www.suse.com/security/cve/CVE-2016-9636.html https://www.suse.com/security/cve/CVE-2016-9807.html https://www.suse.com/security/cve/CVE-2016-9808.html https://www.suse.com/security/cve/CVE-2016-9810.html https://bugzilla.suse.com/1012102 https://bugzilla.suse.com/1012103 https://bugzilla.suse.com/1012104 https://bugzilla.suse.com/1013653 https://bugzilla.suse.com/1013655 https://bugzilla.suse.com/1013663 From sle-security-updates at lists.suse.com Fri Dec 30 10:09:30 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 30 Dec 2016 18:09:30 +0100 (CET) Subject: SUSE-SU-2016:3304-1: important: Security update for the Linux Kernel Message-ID: <20161230170930.894D2F7BF@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2016:3304-1 Rating: important References: #1000189 #1000287 #1000304 #1000776 #1001419 #1001486 #1002165 #1003079 #1003153 #1003400 
                    #1003568 #1003925 #1004252 #1004418 #1004462 #1004517
                    #1004520 #1005666 #1006691 #1007615 #1007886 #744692
                    #789311 #857397 #860441 #865545 #866130 #868923 #874131
                    #875631 #876145 #876463 #898675 #904489 #909994 #911687
                    #915183 #921338 #921784 #922064 #922634 #924381 #924384
                    #930399 #934067 #937086 #937888 #941420 #946309 #955446
                    #956514 #959463 #961257 #962846 #963655 #963767 #966864
                    #967640 #970943 #971975 #971989 #974406 #974620 #975596
                    #975772 #976195 #977687 #978094 #979451 #979681 #979928
                    #980371 #981597 #982783 #983619 #984194 #984419 #984779
                    #984992 #985562 #986362 #986365 #986445 #987192 #987333
                    #987542 #987565 #987621 #987805 #988440 #988617 #988715
                    #989152 #989953 #990058 #990245 #991247 #991608 #991665
                    #991667 #992244 #992555 #992568 #992591 #992593 #992712
                    #993392 #993841 #993890 #993891 #994167 #994296 #994438
                    #994520 #994758 #995153 #995968 #996664 #997059 #997299
                    #997708 #997896 #998689 #998795 #998825 #999577 #999584
                    #999600 #999779 #999907 #999932
Cross-References:   CVE-2015-8956 CVE-2016-2069 CVE-2016-4998 CVE-2016-5195
                    CVE-2016-5696 CVE-2016-6130 CVE-2016-6327 CVE-2016-6480
                    CVE-2016-6828 CVE-2016-7042 CVE-2016-7097 CVE-2016-7425
                    CVE-2016-8658
Affected Products:
                    SUSE Linux Enterprise Real Time Extension 12-SP1
______________________________________________________________________________

An update that solves 13 vulnerabilities and has 118 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP1 RT kernel was updated to 3.12.67 to receive various security and bug fixes.

This feature was added:

- fate#320805: Execute in place (XIP) support for the ext2 filesystem.

The following security bugs were fixed:

- CVE-2016-2069: Race condition in arch/x86/mm/tlb.c in the Linux kernel allowed local users to gain privileges by triggering access to a paging structure by a different CPU (bnc#963767).
- CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary (bnc#986362).
- CVE-2016-5195: A local privilege escalation using MAP_PRIVATE was fixed, which is reportedly exploited in the wild (bsc#1004418).
- CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel did not properly determine the rate of challenge ACK segments, which made it easier for man-in-the-middle attackers to hijack TCP sessions via a blind in-window attack (bnc#989152).
- CVE-2016-6130: Race condition in the sclp_ctl_ioctl_sccb function in drivers/s390/char/sclp_ctl.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory by changing a certain length value, aka a "double fetch" vulnerability (bnc#987542).
- CVE-2016-6327: Systems using the infiniband support module ib_srpt were vulnerable to a denial of service by system crash by a local attacker who is able to abort writes by sending the ABORT_TASK command (bsc#994758).
- CVE-2016-6480: Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a "double fetch" vulnerability (bnc#991608).
- CVE-2016-6828: Use after free 4 in tcp_xmit_retransmit_queue or other tcp_ functions (bsc#994296).
- CVE-2016-7042: The proc_keys_show function in security/keys/proc.c in the Linux kernel used an incorrect buffer size for certain timeout data, which allowed local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file (bsc#1004517).
- CVE-2016-7097: The filesystem implementation in the Linux kernel preserved the setgid bit during a setxattr call, which allowed local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions (bsc#995968).
- CVE-2016-7425: A buffer overflow in the Linux Kernel in arcmsr_iop_message_xfer() could have caused kernel heap corruption and arbitrary kernel code execution (bsc#999932).
- CVE-2016-8658: Stack-based buffer overflow in the brcmf_cfg80211_start_ap function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel allowed local users to cause a denial of service (system crash) or possibly have unspecified other impact via a long SSID Information Element in a command to a Netlink socket (bsc#1004462).

The following non-security bugs were fixed:

- aacraid: Fix RRQ overload (bsc#1003079).
- acpi / PM: Ignore wakeup setting if the ACPI companion can't wake up.
- AF_VSOCK: Shrink the area influenced by prepare_to_wait (bsc#994520).
- apparmor: add missing id bounds check on dfa verification (bsc#1000304).
- apparmor: check that xindex is in trans_table bounds (bsc#1000304).
- apparmor: do not expose kernel stack (bsc#1000304).
- apparmor: don't check for vmalloc_addr if kvzalloc() failed (bsc#1000304).
- apparmor: ensure the target profile name is always audited (bsc#1000304).
- apparmor: exec should not be returning ENOENT when it denies (bsc#1000304).
- apparmor: fix arg_size computation for when setprocattr is null terminated (bsc#1000304).
- apparmor: fix audit full profile hname on successful load (bsc#1000304).
- apparmor: fix change_hat not finding hat after policy replacement (bsc#1000287).
- apparmor: fix disconnected bind mnts reconnection (bsc#1000304).
- apparmor: fix log failures for all profiles in a set (bsc#1000304).
- apparmor: fix module parameters can be changed after policy is locked (bsc#1000304).
- apparmor: fix oops in profile_unpack() when policy_db is not present (bsc#1000304).
- apparmor: fix oops, validate buffer size in apparmor_setprocattr() (bsc#1000304).
- apparmor: fix put() parent ref after updating the active ref (bsc#1000304).
- apparmor: fix refcount bug in profile replacement (bsc#1000304).
- apparmor: fix refcount race when finding a child profile (bsc#1000304).
- apparmor: fix replacement bug that adds new child to old parent (bsc#1000304).
- apparmor: fix uninitialized lsm_audit member (bsc#1000304).
- apparmor: fix update the mtime of the profile file on replacement (bsc#1000304).
- apparmor: internal paths should be treated as disconnected (bsc#1000304).
- apparmor: use list_next_entry instead of list_entry_next (bsc#1000304).
- arm64: Ensure pmd_present() returns false after pmd_mknotpresent() (Automatic NUMA Balancing).
- avoid dentry crash triggered by NFS (bsc#984194).
- be2net: Don't leak iomapped memory on removal (bsc#921784 FATE#318561).
- be2net: fix BE3-R FW download compatibility check (bsc#921784 FATE#318561).
- be2net: fix wrong return value in be_check_ufi_compatibility() (bsc#921784 FATE#318561).
- be2net: remove vlan promisc capability from VF's profile descriptors (bsc#921784 FATE#318561).
- blkfront: fix an error path memory leak (luckily none so far).
- blk-mq: fix undefined behaviour in order_to_size().
- blktap2: eliminate deadlock potential from shutdown path (bsc#909994).
- blktap2: eliminate race from deferred work queue handling (bsc#911687).
- bluetooth: Fix potential NULL dereference in RFCOMM bind callback (bsc#1003925, CVE-2015-8956).
- bond: Check length of IFLA_BOND_ARP_IP_TARGET attributes.
- bonding: always set recv_probe to bond_arp_rcv in arp monitor (bsc#977687).
- bonding: fix curr_active_slave/carrier with loadbalance arp monitoring.
- bonding: Prevent IPv6 link local address on enslaved devices.
- bonding: prevent out of bound accesses.
- bonding: set carrier off for devices created through netlink (bsc#999577).
- btrfs: account for non-CoW'd blocks in btrfs_abort_transaction (bsc#983619).
- btrfs: add missing discards when unpinning extents with -o discard (bsc#904489).
- btrfs: btrfs_issue_discard ensure offset/length are aligned to sector boundaries (bsc#904489).
- btrfs: Disable btrfs-8448-improve-performance-on-fsync-against-new-inode.patch (bsc#981597).
- btrfs: do not create or leak aliased root while cleaning up orphans (bsc#904489).
- btrfs: ensure that file descriptor used with subvol ioctls is a dir (bsc#999600).
- btrfs: explicitly delete unused block groups in close_ctree and ro-remount (bsc#904489).
- btrfs: Fix a data space underflow warning (bsc#985562, bsc#975596, bsc#984779).
- btrfs: fix fitrim discarding device area reserved for boot loader's use (bsc#904489).
- btrfs: handle quota reserve failure properly (bsc#1005666).
- btrfs: iterate over unused chunk space in FITRIM (bsc#904489).
- btrfs: make btrfs_issue_discard return bytes discarded (bsc#904489).
- btrfs: properly track when rescan worker is running (bsc#989953).
- btrfs: remove unnecessary locking of cleaner_mutex to avoid deadlock (bsc#904489).
- btrfs: skip superblocks during discard (bsc#904489).
- btrfs: test_check_exists: Fix infinite loop when searching for free space entries (bsc#987192).
- btrfs: waiting on qgroup rescan should not always be interruptible (bsc#992712).
- cdc-acm: added sanity checking for probe() (bsc#993891).
- cephfs: ignore error from invalidate_inode_pages2_range() in direct write (bsc#995153).
- cephfs: remove warning when ceph_releasepage() is called on dirty page (bsc#995153).
- ceph: Refresh patches.suse/CFS-0259-ceph-Asynchronous-IO-support.patch. After a write, we must free the 'request', not the 'response' (bsc#995153).
- clockevents: export clockevents_unbind_device instead of clockevents_unbind (bnc#937888).
- conntrack: RFC5961 challenge ACK confuse conntrack LAST-ACK transition (bsc#966864).
- cxgbi: fix uninitialized flowi6 (bsc#924384 FATE#318570 bsc#921338).
- dm: fix AB-BA deadlock in __dm_destroy() (bsc#970943).
- efi: Small leak on error in runtime map code (fate#315019).
- ext2: Enable ext2 driver in config files (bsc#976195).
- ext4: Add parameter for tuning handling of ext2 (bsc#976195).
- Fix kabi change caused by adding flock_owner to open_context (bsc#998689).
- fix xfs-handle-dquot-buffer-readahead-in-log-recovery-co.patch (bsc#1003153).
- fs/cifs: fix wrongly prefixed path to root (bsc#963655, bsc#979681).
- fs/select: add vmalloc fallback for select(2) (bsc#1000189).
- ftrace/x86: Set ftrace_stub to weak to prevent gcc from using short jumps to it (bsc#984419).
- hyperv: enable call to clockevents_unbind_device in kexec/kdump path.
- hyperv: replace KEXEC_CORE by plain KEXEC because we lack 2965faa5e0 in the base kernel.
- i40e: fix an uninitialized variable bug (bnc#857397 FATE#315659).
- ib/iwpm: Fix a potential skb leak (bsc#924381 FATE#318568 bsc#921338).
- ib/mlx5: Fix RC transport send queue overhead computation (bnc#865545 FATE#316891).
- introduce NETIF_F_GSO_ENCAP_ALL helper mask (bsc#1001486).
- iommu/amd: Update Alias-DTE in update_device_table() (bsc#975772).
- ipv6: Fix improper use of RCU in patches.kabi/ipv6-add-complete-rcu-protection-around-np-opt.kabi.patch (bsc#961257).
- ipv6: fix multipath route replace error recovery (bsc#930399).
- ipv6: send NEWLINK on RA managed/otherconf changes (bsc#934067).
- ipv6: send only one NEWLINK when RA causes changes (bsc#934067).
- iscsi: Add a missed complete in iscsit_close_connection (bsc#992555, bsc#987805).
- kabi: work around kabi changes from commit 53f9ff48f636 (bsc#988617).
- kaweth: fix firmware download (bsc#993890).
- kaweth: fix oops upon failed memory allocation (bsc#993890).
- kernel/fork: fix CLONE_CHILD_CLEARTID regression in nscd (bnc#941420).
- kernel/printk: fix faulty logic in the case of recursive printk (bnc#744692, bnc#789311).
- kvm: do not handle APIC access page if in-kernel irqchip is not in use (bsc#959463).
- kvm: vmx: defer load of APIC access page address during reset (bsc#959463).
- libceph: enable large, variable-sized OSD requests (bsc#988715).
- libceph: make r_request msg_size calculation clearer (bsc#988715).
- libceph: move r_reply_op_{len,result} into struct ceph_osd_req_op (bsc#988715).
- libceph: osdc->req_mempool should be backed by a slab pool (bsc#988715).
- libceph: rename ceph_osd_req_op::payload_len to indata_len (bsc#988715).
- libfc: do not send ABTS when resetting exchanges (bsc#962846).
- libfc: Do not take rdata->rp_mutex when processing a -FC_EX_CLOSED ELS response (bsc#962846).
- libfc: Fixup disc_mutex handling (bsc#962846).
- libfc: fixup locking of ptp_setup() (bsc#962846).
- libfc: Issue PRLI after a PRLO has been received (bsc#962846).
- libfc: reset exchange manager during LOGO handling (bsc#962846).
- libfc: Revisit kref handling (bnc#990245).
- libfc: sanity check cpu number extracted from xid (bsc#988440).
- libfc: send LOGO for PLOGI failure (bsc#962846).
- md: check command validity early in md_ioctl() (bsc#1004520).
- md: Drop sending a change uevent when stopping (bsc#1003568).
- md: lockless I/O submission for RAID1 (bsc#982783).
- md/raid5: fix a recently broken BUG_ON() (bsc#1006691).
- mm, cma: prevent nr_isolated_* counters from going negative (bnc#971975).
- mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED (VM Functionality, bnc#986445).
- module: Issue warnings when tainting kernel (bsc#974406).
- mpt2sas, mpt3sas: Fix panic when aer correct error occurred (bsc#997708).
- mpt3sas: Update patches.drivers/mpt3sas-Fix-use-sas_is_tlr_enabled-API-before-enabli.patch (bsc#967640, bsc#992244).
- msi-x: fix an error path (luckily none so far).
- netback: fix flipping mode (bsc#996664).
- netback: fix refcounting (bsc#978094).
- netfront: don't truncate grant references.
- netfront: use correct linear area after linearizing an skb (bsc#1007886).
- nfs4: reset states to use open_stateid when returning delegation voluntarily (bsc#1003400).
- nfs: Add a stub for GETDEVICELIST (bnc#898675).
- nfs: Do not write enable new pages while an invalidation is proceeding (bsc#999584).
- nfsd: Use free_conn to free connection (bsc#979451).
- nfs: Fix an LOCK/OPEN race when unlinking an open file (bsc#956514).
- nfs: Fix a regression in the read() syscall (bsc#999584).
- nfs: fix BUG() crash in notify_change() with patch to chown_common() (bnc#876463).
- nfs: fix pg_test page count calculation (bnc#898675).
- nfs: nfs4_fl_prepare_ds must be careful about reporting success (bsc#1000776).
- nfsv4: add flock_owner to open context (bnc#998689).
- nfsv4: change nfs4_do_setattr to take an open_context instead of a nfs4_state (bnc#998689).
- nfsv4: change nfs4_select_rw_stateid to take a lock_context in place of lock_owner (bnc#998689).
- nfsv4: enhance nfs4_copy_lock_stateid to use a flock stateid if there is one (bnc#998689).
- nfsv4: Ensure nfs_atomic_open set the dentry verifier on ENOENT (bnc#866130).
- oops on restarting network with bonding mode4 (lacp) (bsc#876145).
- packet: tpacket_snd(): fix signed/unsigned comparison (bsc#874131).
- perf/x86/intel: Fix bug for "cycles:p" and "cycles:pp" on SLM (bsc#997896).
- PM / hibernate: Fix 2G size issue of snapshot image verification (bsc#1004252).
- PM / hibernate: Fix rtree_next_node() to avoid walking off list ends (bnc#860441).
- powerpc: add kernel parameter iommu_alloc_quiet (bsc#998825).
- ppp: defer netns reference release for ppp channel (bsc#980371).
- printk: add kernel parameter to control writes to /dev/kmsg (bsc#979928).
- qgroup: Prevent qgroup->reserved from going subzero (bsc#993841).
- qlcnic: potential NULL dereference in qlcnic_83xx_get_minidump_template() (bsc#922064 FATE#318609).
- radeon: avoid boot hang in Xen Dom0 (luckily none so far).
- ratelimit: extend to print suppressed messages on release (bsc#979928).
- ratelimit: fix bug in time interval by resetting right begin time (bsc#979928).
- rbd: truncate objects on cmpext short reads (bsc#988715).
- Revert "Input: i8042 - break load dependency between atkbd/psmouse and i8042".
- Revert "Input: i8042 - set up shared ps2_cmd_mutex for AUX ports".
- rpm/mkspec: Read a default release string from rpm/config.sh (bsc#997059).
- rtnetlink: avoid 0 sized arrays.
- RTNL: assertion failed at dev.c (bsc#875631).
- s390: add SMT support (bnc#994438).
- sched/core: Fix an SMP ordering race in try_to_wake_up() vs. schedule() (bnc#1001419).
- sched/core: Fix a race between try_to_wake_up() and a woken up task (bsc#1002165, bsc#1001419).
- scsi: ibmvfc: add FC Class 3 Error Recovery support (bsc#984992).
- scsi: ibmvfc: Fix I/O hang when port is not mapped (bsc#971989).
- scsi: ibmvfc: Set READ FCP_XFER_READY DISABLED bit in PRLI (bsc#984992).
- sd: Fix memory leak caused by RESET_WP patch (bsc#999779).
- squashfs3: properly handle dir_emit() failures (bsc#998795).
- SUNRPC: Add missing support for RPC_CLNT_CREATE_NO_RETRANS_TIMEOUT (bnc#868923).
- SUNRPC: Fix a regression when reconnecting (bsc#946309).
- supported.conf: Add ext2.
- supported.conf: Add iscsi modules to -base (bsc#997299).
- supported.conf: Add tun to -base (bsc#992593).
- supported.conf: Add veth to -base (bsc#992591).
- target: Fix missing complete during ABORT_TASK + CMD_T_FABRIC_STOP (bsc#987621).
- target: Fix race between iscsi-target connection shutdown + ABORT_TASK (bsc#987621).
- tcp: add proper TS val into RST packets (bsc#937086).
- tcp: align tcp_xmit_size_goal() on tcp_tso_autosize() (bsc#937086).
- tcp: fix child sockets to use system default congestion control if not set.
- tcp: fix cwnd limited checking to improve congestion control (bsc#988617).
- tcp: refresh skb timestamp at retransmit time (bsc#937086).
- timers: Use proper base migration in add_timer_on() (bnc#993392).
- tunnels: Do not apply GRO to multiple layers of encapsulation (bsc#1001486).
- tunnels: Remove encapsulation offloads on decap (bsc#1001486).
- usb: fix typo in wMaxPacketSize validation (bsc#991665).
- usbhid: add ATEN CS962 to list of quirky devices (bsc#1007615).
- usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices (bsc#922634).
- usb: validate wMaxPacketValue entries in endpoint descriptors (bnc#991665).
- vmxnet3: Wake queue from reset work (bsc#999907).
- x86: Removed the free memblock of hibernation keys to avoid memory corruption (bsc#990058).
- x86/tlb/trace: Do not trace on CPU that is offline (TLB Performance git-fixes).
- xenbus: don't invoke ->is_ready() for most device states (bsc#987333).
- xenbus: inspect the correct type in xenbus_dev_request_and_reply().
- xen/pciback: Fix conf_space read/write overlap check.
- xen-pciback: return proper values during BAR sizing.
- xen: x86/mm/pat, /dev/mem: Remove superfluous error message (bsc#974620).
- xfs: fixed signedness of error code in xfs_inode_buf_verify (bsc#1003153).
- xfs: handle dquot buffer readahead in log recovery correctly (bsc#955446).
- xfs: Silence warnings in xfs_vm_releasepage() (bnc#915183 bsc#987565).
- xhci: Check if slot is already in default state before moving it there (FATE#315518).
- xhci: silence warnings in switch (bnc#991665).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Real Time Extension 12-SP1:

   zypper in -t patch SUSE-SLE-RT-12-SP1-2016-1938=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Real Time Extension 12-SP1 (x86_64):

   kernel-compute-3.12.67-60.27.1
   kernel-compute-base-3.12.67-60.27.1
   kernel-compute-base-debuginfo-3.12.67-60.27.1
   kernel-compute-debuginfo-3.12.67-60.27.1
   kernel-compute-debugsource-3.12.67-60.27.1
   kernel-compute-devel-3.12.67-60.27.1
   kernel-compute_debug-debuginfo-3.12.67-60.27.1
   kernel-compute_debug-debugsource-3.12.67-60.27.1
   kernel-compute_debug-devel-3.12.67-60.27.1
   kernel-compute_debug-devel-debuginfo-3.12.67-60.27.1
   kernel-rt-3.12.67-60.27.1
   kernel-rt-base-3.12.67-60.27.1
   kernel-rt-base-debuginfo-3.12.67-60.27.1
   kernel-rt-debuginfo-3.12.67-60.27.1
   kernel-rt-debugsource-3.12.67-60.27.1
   kernel-rt-devel-3.12.67-60.27.1
   kernel-rt_debug-debuginfo-3.12.67-60.27.1
   kernel-rt_debug-debugsource-3.12.67-60.27.1
   kernel-rt_debug-devel-3.12.67-60.27.1
   kernel-rt_debug-devel-debuginfo-3.12.67-60.27.1
   kernel-syms-rt-3.12.67-60.27.1

- SUSE Linux Enterprise Real Time Extension 12-SP1 (noarch):

   kernel-devel-rt-3.12.67-60.27.1
   kernel-source-rt-3.12.67-60.27.1

References:

   https://www.suse.com/security/cve/CVE-2015-8956.html
   https://www.suse.com/security/cve/CVE-2016-2069.html
   https://www.suse.com/security/cve/CVE-2016-4998.html
   https://www.suse.com/security/cve/CVE-2016-5195.html
   https://www.suse.com/security/cve/CVE-2016-5696.html
   https://www.suse.com/security/cve/CVE-2016-6130.html
   https://www.suse.com/security/cve/CVE-2016-6327.html
   https://www.suse.com/security/cve/CVE-2016-6480.html
   https://www.suse.com/security/cve/CVE-2016-6828.html
   https://www.suse.com/security/cve/CVE-2016-7042.html
   https://www.suse.com/security/cve/CVE-2016-7097.html
   https://www.suse.com/security/cve/CVE-2016-7425.html
   https://www.suse.com/security/cve/CVE-2016-8658.html
   https://bugzilla.suse.com/1000189
   https://bugzilla.suse.com/1000287
   https://bugzilla.suse.com/1000304
   https://bugzilla.suse.com/1000776
   https://bugzilla.suse.com/1001419
   https://bugzilla.suse.com/1001486
   https://bugzilla.suse.com/1002165
https://bugzilla.suse.com/1003079 https://bugzilla.suse.com/1003153 https://bugzilla.suse.com/1003400 https://bugzilla.suse.com/1003568 https://bugzilla.suse.com/1003925 https://bugzilla.suse.com/1004252 https://bugzilla.suse.com/1004418 https://bugzilla.suse.com/1004462 https://bugzilla.suse.com/1004517 https://bugzilla.suse.com/1004520 https://bugzilla.suse.com/1005666 https://bugzilla.suse.com/1006691 https://bugzilla.suse.com/1007615 https://bugzilla.suse.com/1007886 https://bugzilla.suse.com/744692 https://bugzilla.suse.com/789311 https://bugzilla.suse.com/857397 https://bugzilla.suse.com/860441 https://bugzilla.suse.com/865545 https://bugzilla.suse.com/866130 https://bugzilla.suse.com/868923 https://bugzilla.suse.com/874131 https://bugzilla.suse.com/875631 https://bugzilla.suse.com/876145 https://bugzilla.suse.com/876463 https://bugzilla.suse.com/898675 https://bugzilla.suse.com/904489 https://bugzilla.suse.com/909994 https://bugzilla.suse.com/911687 https://bugzilla.suse.com/915183 https://bugzilla.suse.com/921338 https://bugzilla.suse.com/921784 https://bugzilla.suse.com/922064 https://bugzilla.suse.com/922634 https://bugzilla.suse.com/924381 https://bugzilla.suse.com/924384 https://bugzilla.suse.com/930399 https://bugzilla.suse.com/934067 https://bugzilla.suse.com/937086 https://bugzilla.suse.com/937888 https://bugzilla.suse.com/941420 https://bugzilla.suse.com/946309 https://bugzilla.suse.com/955446 https://bugzilla.suse.com/956514 https://bugzilla.suse.com/959463 https://bugzilla.suse.com/961257 https://bugzilla.suse.com/962846 https://bugzilla.suse.com/963655 https://bugzilla.suse.com/963767 https://bugzilla.suse.com/966864 https://bugzilla.suse.com/967640 https://bugzilla.suse.com/970943 https://bugzilla.suse.com/971975 https://bugzilla.suse.com/971989 https://bugzilla.suse.com/974406 https://bugzilla.suse.com/974620 https://bugzilla.suse.com/975596 https://bugzilla.suse.com/975772 https://bugzilla.suse.com/976195 https://bugzilla.suse.com/977687 
https://bugzilla.suse.com/978094 https://bugzilla.suse.com/979451 https://bugzilla.suse.com/979681 https://bugzilla.suse.com/979928 https://bugzilla.suse.com/980371 https://bugzilla.suse.com/981597 https://bugzilla.suse.com/982783 https://bugzilla.suse.com/983619 https://bugzilla.suse.com/984194 https://bugzilla.suse.com/984419 https://bugzilla.suse.com/984779 https://bugzilla.suse.com/984992 https://bugzilla.suse.com/985562 https://bugzilla.suse.com/986362 https://bugzilla.suse.com/986365 https://bugzilla.suse.com/986445 https://bugzilla.suse.com/987192 https://bugzilla.suse.com/987333 https://bugzilla.suse.com/987542 https://bugzilla.suse.com/987565 https://bugzilla.suse.com/987621 https://bugzilla.suse.com/987805 https://bugzilla.suse.com/988440 https://bugzilla.suse.com/988617 https://bugzilla.suse.com/988715 https://bugzilla.suse.com/989152 https://bugzilla.suse.com/989953 https://bugzilla.suse.com/990058 https://bugzilla.suse.com/990245 https://bugzilla.suse.com/991247 https://bugzilla.suse.com/991608 https://bugzilla.suse.com/991665 https://bugzilla.suse.com/991667 https://bugzilla.suse.com/992244 https://bugzilla.suse.com/992555 https://bugzilla.suse.com/992568 https://bugzilla.suse.com/992591 https://bugzilla.suse.com/992593 https://bugzilla.suse.com/992712 https://bugzilla.suse.com/993392 https://bugzilla.suse.com/993841 https://bugzilla.suse.com/993890 https://bugzilla.suse.com/993891 https://bugzilla.suse.com/994167 https://bugzilla.suse.com/994296 https://bugzilla.suse.com/994438 https://bugzilla.suse.com/994520 https://bugzilla.suse.com/994758 https://bugzilla.suse.com/995153 https://bugzilla.suse.com/995968 https://bugzilla.suse.com/996664 https://bugzilla.suse.com/997059 https://bugzilla.suse.com/997299 https://bugzilla.suse.com/997708 https://bugzilla.suse.com/997896 https://bugzilla.suse.com/998689 https://bugzilla.suse.com/998795 https://bugzilla.suse.com/998825 https://bugzilla.suse.com/999577 https://bugzilla.suse.com/999584 
https://bugzilla.suse.com/999600 https://bugzilla.suse.com/999779 https://bugzilla.suse.com/999907 https://bugzilla.suse.com/999932
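As an added example (not part of the SUSE advisory), a POSIX shell check that tells whether a host has the fixed kernel-rt from SUSE-SU-2016:3304-1 installed and, separately, whether that kernel is the one actually running, since "zypper patch" installs the package but the fix takes effect only after a reboot. It assumes that uname -r on SLE 12 has the form version-release-flavor with the trailing build counter of the package release dropped (3.12.67-60.27-rt for kernel-rt-3.12.67-60.27.1); the function names are hypothetical and the sample data is constructed.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory: check whether the kernel-rt
# fixed by SUSE-SU-2016:3304-1 is installed and whether it is actually running.
# The fixed version-release is taken from the advisory's package list.
FIXED_KERNEL_RT="3.12.67-60.27.1"

# vercmp A B: compare two version-release strings segment by segment and print
# -1, 0 or 1. Simplified rpmvercmp: it assumes purely numeric segments separated
# by '.' or '-', which holds for the SUSE kernel versions in this advisory.
vercmp() {
  a=$(printf '%s' "$1" | sed 's/-/./g')
  b=$(printf '%s' "$2" | sed 's/-/./g')
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}                        # current segment of each side
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac    # drop the consumed segment
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    x=${x:-0}; y=${y:-0}                          # a missing segment counts as 0
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# has_fixed_installed LIST: LIST is the output of
#   rpm -q kernel-rt --qf '%{VERSION}-%{RELEASE}\n'
# (several lines when multiple kernels are installed). Succeeds if any
# installed kernel-rt is at or above the fixed version-release.
has_fixed_installed() {
  printf '%s\n' "$1" | while read -r vr; do
    [ -n "$vr" ] || continue
    [ "$(vercmp "$vr" "$FIXED_KERNEL_RT")" -ge 0 ] && echo yes
  done | grep -q yes
}

# kernel_patch_state LIST UNAME_R: prints one of
#   patched                    the running kernel is at or above the fix
#   installed-reboot-required  the fix is installed but an older kernel runs
#   not-installed              no installed kernel-rt reaches the fix
# Assumption: uname -r on SLE 12 reports <version>-<release minus the trailing
# build counter>-<flavor>, e.g. 3.12.67-60.27-rt for kernel-rt-3.12.67-60.27.1.
kernel_patch_state() {
  fixed_core=${FIXED_KERNEL_RT%.*}   # strip the build counter: 3.12.67-60.27
  running_core=${2%-*}               # strip the -<flavor> suffix from uname -r
  if [ "$(vercmp "$running_core" "$fixed_core")" -ge 0 ]; then
    echo patched
  elif has_fixed_installed "$1"; then
    echo installed-reboot-required
  else
    echo not-installed
  fi
}

# Constructed sample data (not taken from any real host): an older kernel-rt
# alongside the fixed one, with the older one still running.
SAMPLE_INSTALLED="3.12.62-60.18.1
3.12.67-60.27.1"
SAMPLE_RUNNING_OLD="3.12.62-60.18-rt"
SAMPLE_RUNNING_NEW="3.12.67-60.27-rt"

kernel_patch_state "$SAMPLE_INSTALLED" "$SAMPLE_RUNNING_OLD"   # installed-reboot-required
kernel_patch_state "$SAMPLE_INSTALLED" "$SAMPLE_RUNNING_NEW"   # patched
# On a live SLE 12 SP1 RT host, run instead:
#   kernel_patch_state "$(rpm -q kernel-rt --qf '%{VERSION}-%{RELEASE}\n')" "$(uname -r)"
```

The same version comparison applies to the library updates above (tiff, gstreamer-plugins-good), except that for those the check after installing is whether processes still hold the old shared object mapped, not whether a reboot happened.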