From sle-security-updates at lists.suse.com Mon May 2 10:07:54 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 2 May 2016 18:07:54 +0200 (CEST)
Subject: SUSE-SU-2016:1195-1: moderate: Security update for python-tornado
Message-ID: <20160502160754.E1536FF8E@maintenance.suse.de>

   SUSE Security Update: Security update for python-tornado
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1195-1
Rating:             moderate
References:         #930361 #930362 #974657
Cross-References:   CVE-2014-9720
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP1
                    SUSE Linux Enterprise Workstation Extension 12
                    SUSE Linux Enterprise Desktop 12-SP1
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that solves one vulnerability and has two fixes is now available.

Description:

   The python-tornado module was updated to version 4.2.1, which brings several fixes, enhancements and new features.

   The following security issues have been fixed:

   - A path traversal vulnerability in StaticFileHandler, in which files whose names started with the static_path directory but were not actually in that directory could be accessed.
   - The XSRF token is now encoded with a random mask on each request. This makes it safe to include in compressed pages without being vulnerable to the BREACH attack. This applies to most applications that use both the xsrf_cookies and gzip options (or have gzip applied by a proxy). (bsc#930362, CVE-2014-9720)
   - The signed-value format used by RequestHandler.{g,s}et_secure_cookie changed to be more secure. (bsc#930361)

   The following enhancements have been implemented:

   - SSLIOStream.connect and IOStream.start_tls now validate certificates by default.
   - Certificate validation will now use the system CA root certificates.
   - The default SSL configuration has become stricter, using ssl.create_default_context where available on the client side.
   - The deprecated classes in the tornado.auth module, GoogleMixin, FacebookMixin and FriendFeedMixin have been removed.
   - New modules have been added: tornado.locks and tornado.queues.
   - The tornado.websocket module now supports compression via the "permessage-deflate" extension.
   - Tornado now depends on the backports.ssl_match_hostname when running on Python 2.

   For a comprehensive list of changes, please refer to the release notes:

   - http://www.tornadoweb.org/en/stable/releases/v4.2.0.html
   - http://www.tornadoweb.org/en/stable/releases/v4.1.0.html
   - http://www.tornadoweb.org/en/stable/releases/v4.0.0.html
   - http://www.tornadoweb.org/en/stable/releases/v3.2.0.html

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP1:

      zypper in -t patch SUSE-SLE-WE-12-SP1-2016-589=1

   - SUSE Linux Enterprise Workstation Extension 12:

      zypper in -t patch SUSE-SLE-WE-12-2016-589=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-589=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2016-589=1

   To bring your system up-to-date, use "zypper patch".
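The StaticFileHandler issue described above is the classic mistake of treating a string-prefix test as a directory-containment test. The following is an added example written for this page, not tornado's own code: the paths and function names are constructed for illustration, and posixpath is used so the comparison is purely lexical and runs anywhere without touching the filesystem.

```python
"""Added example (not tornado's code): a naive prefix check beside a
stricter containment check for a static-file root.

The advisory describes files "whose names started with the static_path
directory but were not actually in that directory".  All paths below are
constructed; posixpath keeps the demo lexical and OS-independent.
"""
import posixpath

STATIC_ROOT = "/srv/app/static"  # constructed example static_path


def resolve_static(root: str, url_path: str) -> str:
    """Join a URL path onto the root the way a static handler would, then
    normalise.  Returns the absolute candidate path that must be validated.
    normpath collapses "..", so "../static_private/x" lands in a *sibling*
    directory whose name happens to share the root's string prefix."""
    return posixpath.normpath(posixpath.join(root, url_path.lstrip("/")))


def naive_is_inside(root: str, requested: str) -> bool:
    """Vulnerable check: only asks whether the absolute path *starts with*
    the root string.  /srv/app/static_private/secret.txt passes, although
    it is not below /srv/app/static at all."""
    abs_root = posixpath.normpath(root)
    abs_path = posixpath.normpath(requested)
    return abs_path.startswith(abs_root)


def strict_is_inside(root: str, requested: str) -> bool:
    """Hardened check: compare on directory components, not a raw prefix.

    Appending the separator to the root turns "starts with /srv/app/static"
    into "starts with /srv/app/static/", so only real descendants match.
    The requested path also gets a trailing separator so a request for the
    root directory itself is still accepted.
    """
    abs_root = posixpath.normpath(root)
    if not abs_root.endswith(posixpath.sep):
        abs_root += posixpath.sep
    abs_path = posixpath.normpath(requested) + posixpath.sep
    return abs_path.startswith(abs_root)


def compare_checks(root: str, candidates):
    """Return {path: (naive_result, strict_result)} for each candidate."""
    return {p: (naive_is_inside(root, p), strict_is_inside(root, p))
            for p in candidates}


if __name__ == "__main__":
    # Constructed request paths, resolved as a handler would resolve them.
    candidates = [
        resolve_static(STATIC_ROOT, "css/site.css"),                 # legitimate
        resolve_static(STATIC_ROOT, "../config.py"),                 # plain traversal
        resolve_static(STATIC_ROOT, "../static_private/secret.txt"), # prefix-sharing sibling
        STATIC_ROOT,                                                 # the root itself
    ]
    for path, (naive, strict) in compare_checks(STATIC_ROOT, candidates).items():
        print(f"{path:40s} naive={naive!s:5s} strict={strict}")
```

Only the sibling-directory case separates the two checks: both reject the plain `..` traversal because normalisation already moved it out of the prefix, which is why a prefix-only check looks correct in casual testing.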
Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP1 (noarch):
      python-backports.ssl_match_hostname-3.4.0.2-15.1
   - SUSE Linux Enterprise Workstation Extension 12-SP1 (x86_64):
      python-tornado-4.2.1-11.1
   - SUSE Linux Enterprise Workstation Extension 12 (x86_64):
      python-tornado-4.2.1-11.1
   - SUSE Linux Enterprise Workstation Extension 12 (noarch):
      python-backports.ssl_match_hostname-3.4.0.2-15.1
   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):
      python-tornado-4.2.1-11.1
   - SUSE Linux Enterprise Desktop 12-SP1 (noarch):
      python-backports.ssl_match_hostname-3.4.0.2-15.1
   - SUSE Linux Enterprise Desktop 12 (noarch):
      python-backports.ssl_match_hostname-3.4.0.2-15.1
   - SUSE Linux Enterprise Desktop 12 (x86_64):
      python-tornado-4.2.1-11.1

References:

   https://www.suse.com/security/cve/CVE-2014-9720.html
   https://bugzilla.suse.com/930361
   https://bugzilla.suse.com/930362
   https://bugzilla.suse.com/974657

From sle-security-updates at lists.suse.com Tue May 3 11:07:56 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 3 May 2016 19:07:56 +0200 (CEST)
Subject: SUSE-SU-2016:1203-1: important: Security update for the Linux Kernel
Message-ID: <20160503170756.32C03FF8E@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1203-1
Rating:             important
References:         #758040 #781018 #879378 #879381 #904035 #924919 #934787 #935123
                    #937444 #939955 #940017 #940413 #940913 #940946 #941514 #942082
                    #946122 #947128 #948330 #949298 #949752 #949936 #950750 #950998
                    #951392 #952976 #954628 #955308 #955354 #955654 #955673 #956375
                    #956514 #956707 #956708 #956709 #956852 #956949 #957988 #957990
                    #958463 #958886 #958906 #958912 #958951 #959190 #959312 #959399
                    #959705 #960857 #961500 #961509 #961512 #961516 #961518 #963276
                    #963765 #963767 #963998 #964201 #965319 #965923 #966437 #966693
                    #967863 #967972 #967973 #967974 #967975 #968010 #968011 #968012
                    #968013 #968141 #968670 #969307 #970504 #970892 #970909 #970911
                    #970948 #970956 #970958 #970970 #971124 #971125 #971360 #973570
                    #974646 #975945
Cross-References:   CVE-2013-7446 CVE-2015-7509 CVE-2015-7515 CVE-2015-7550
                    CVE-2015-7566 CVE-2015-7799 CVE-2015-8215 CVE-2015-8539
                    CVE-2015-8543 CVE-2015-8550 CVE-2015-8551 CVE-2015-8552
                    CVE-2015-8569 CVE-2015-8575 CVE-2015-8767 CVE-2015-8785
                    CVE-2015-8812 CVE-2015-8816 CVE-2016-0723 CVE-2016-2069
                    CVE-2016-2143 CVE-2016-2184 CVE-2016-2185 CVE-2016-2186
                    CVE-2016-2188 CVE-2016-2384 CVE-2016-2543 CVE-2016-2544
                    CVE-2016-2545 CVE-2016-2546 CVE-2016-2547 CVE-2016-2548
                    CVE-2016-2549 CVE-2016-2782 CVE-2016-2847 CVE-2016-3137
                    CVE-2016-3138 CVE-2016-3139 CVE-2016-3140 CVE-2016-3156
                    CVE-2016-3955
Affected Products:
                    SUSE OpenStack Cloud 5
                    SUSE Manager Proxy 2.1
                    SUSE Manager 2.1
                    SUSE Linux Enterprise Server 11-SP3-LTSS
                    SUSE Linux Enterprise Server 11-EXTRA
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that solves 41 vulnerabilities and has 49 fixes is now available.

Description:

   The SUSE Linux Enterprise 11 SP3 kernel was updated to receive various security and bugfixes.

   The following security bugs were fixed:

   - CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the Linux kernel allowed local users to bypass intended AF_UNIX socket permissions or cause a denial of service (panic) via crafted epoll_ctl calls (bnc#955654).
   - CVE-2015-7509: fs/ext4/namei.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) via a crafted no-journal filesystem, a related issue to CVE-2013-2015 (bnc#956707).
   - CVE-2015-7515: An out-of-bounds memory access in the aiptek USB driver could be used by physical local attackers to crash the kernel (bnc#956708).
   - CVE-2015-7550: The keyctl_read_key function in security/keys/keyctl.c in the Linux kernel did not properly use a semaphore, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted application that leverages a race condition between keyctl_revoke and keyctl_read calls (bnc#958951).
   - CVE-2015-7566: A malicious USB device could cause kernel crashes in the visor device driver (bnc#961512).
   - CVE-2015-7799: The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel did not ensure that certain slot numbers are valid, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call (bnc#949936).
   - CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel did not validate attempted changes to the MTU value, which allowed context-dependent attackers to cause a denial of service (packet loss) via a value that is (1) smaller than the minimum compliant value or (2) larger than the MTU of an interface, as demonstrated by a Router Advertisement (RA) message that is not validated by a daemon, a different vulnerability than CVE-2015-0272. NOTE: the scope of CVE-2015-0272 is limited to the NetworkManager product (bnc#955354).
   - CVE-2015-8539: The KEYS subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (BUG) via crafted keyctl commands that negatively instantiate a key, related to security/keys/encrypted-keys/encrypted.c, security/keys/trusted.c, and security/keys/user_defined.c (bnc#958463).
   - CVE-2015-8543: The networking implementation in the Linux kernel did not validate protocol identifiers for certain protocol families, which allowed local users to cause a denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application (bnc#958886).
   - CVE-2015-8550: Optimizations introduced by the compiler could have led to double-fetch vulnerabilities, potentially leading to arbitrary code execution in the backend (bsc#957988, XSA-155).
   - CVE-2015-8551: The PCI backend driver in Xen, when running on an x86 system and using Linux as the driver domain, allowed local guest administrators to hit BUG conditions and cause a denial of service (NULL pointer dereference and host OS crash) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and a crafted sequence of XEN_PCI_OP_* operations, aka "Linux pciback missing sanity checks" (bnc#957990).
   - CVE-2015-8552: The PCI backend driver in Xen, when running on an x86 system and using Linux as the driver domain, allowed local guest administrators to generate a continuous stream of WARN messages and cause a denial of service (disk consumption) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and XEN_PCI_OP_enable_msi operations, aka "Linux pciback missing sanity checks" (bnc#957990).
   - CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect functions in drivers/net/ppp/pptp.c in the Linux kernel do not verify an address length, which allowed local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application (bnc#959190).
   - CVE-2015-8575: The sco_sock_bind function in net/bluetooth/sco.c in the Linux kernel did not verify an address length, which allowed local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application (bnc#959399).
   - CVE-2015-8767: net/sctp/sm_sideeffect.c in the Linux kernel did not properly manage the relationship between a lock and a socket, which allowed local users to cause a denial of service (deadlock) via a crafted sctp_accept call (bnc#961509).
   - CVE-2015-8785: The fuse_fill_write_pages function in fs/fuse/file.c in the Linux kernel allowed local users to cause a denial of service (infinite loop) via a writev system call that triggers a zero length for the first segment of an iov (bnc#963765).
   - CVE-2015-8812: A flaw was found in the CXGB3 kernel driver when the network was considered congested. The kernel would incorrectly interpret the congestion as an error condition and incorrectly free/clean up the skb. When the device would then send the queued skbs, these structures would be referenced and may panic the system or allow an attacker to escalate privileges in a use-after-free scenario (bsc#966437).
   - CVE-2015-8816: A malicious USB device could cause kernel crashes in the hub_activate() function (bnc#968010).
   - CVE-2016-0723: Race condition in the tty_ioctl function in drivers/tty/tty_io.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free and system crash) by making a TIOCGETD ioctl call during processing of a TIOCSETD ioctl call (bnc#961500).
   - CVE-2016-2069: A race in invalidating paging structures that were not in use locally could have led to disclosure of information or arbitrary code execution (bnc#963767).
   - CVE-2016-2143: On zSeries a fork of a large process could have caused memory corruption due to incorrect page table handling (bnc#970504, LTC#138810).
   - CVE-2016-2184: A malicious USB device could cause kernel crashes in the alsa usb-audio device driver (bsc#971125).
   - CVE-2016-2185: A malicious USB device could cause kernel crashes in the usb_driver_claim_interface function (bnc#971124).
   - CVE-2016-2186: A malicious USB device could cause kernel crashes in the powermate device driver (bnc#970958).
   - CVE-2016-2384: A double free on the ALSA umidi object was fixed (bsc#966693).
   - CVE-2016-2543: A missing NULL check at remove_events ioctl in the ALSA seq driver was fixed (bsc#967972).
   - CVE-2016-2544: A race at timer setup and close in the ALSA seq driver was fixed (bsc#967973).
   - CVE-2016-2545: A double unlink of active_list in the ALSA timer driver was fixed (bsc#967974).
   - CVE-2016-2546: A race among ALSA timer ioctls was fixed (bsc#967975).
   - CVE-2016-2547, CVE-2016-2548: The ALSA slave timer list handling was hardened against hangs and races (bsc#968011, bsc#968012).
   - CVE-2016-2549: A stall in ALSA hrtimer handling was fixed (bsc#968013).
   - CVE-2016-2782: A malicious USB device could cause kernel crashes in the visor device driver (bnc#968670).
   - CVE-2016-3137: A malicious USB device could cause kernel crashes in the cypress_m8 device driver (bnc#970970).
   - CVE-2016-3139: A malicious USB device could cause kernel crashes in the wacom device driver (bnc#970909).
   - CVE-2016-3140: A malicious USB device could cause kernel crashes in the digi_acceleport device driver (bnc#970892).
   - CVE-2016-3156: A quadratic algorithm could lead to long kernel ipv4 hangs when removing a device with a large number of addresses (bsc#971360).
   - CVE-2016-3955: A remote buffer overflow in the usbip driver could be used by authenticated attackers to crash the kernel (bsc#975945).
   - CVE-2016-2847: A local user could exhaust kernel memory by pushing lots of data into pipes (bsc#970948).
   - CVE-2016-2188: A malicious USB device could cause kernel crashes in the iowarrior device driver (bnc#970956).
   - CVE-2016-3138: A malicious USB device could cause kernel crashes in the cdc-acm device driver (bnc#970911).

   The following non-security bugs were fixed:

   - af_unix: Guard against other == sk in unix_dgram_sendmsg (bsc#973570).
   - blktap: also call blkif_disconnect() when frontend switched to closed (bsc#952976).
   - blktap: refine mm tracking (bsc#952976).
   - cachefiles: Avoid deadlocks with fs freezing (bsc#935123).
   - cifs: Schedule on hard mount retry (bsc#941514).
   - cpuset: Fix potential deadlock w/ set_mems_allowed (bsc#960857, bsc#974646).
   - dcache: use IS_ROOT to decide where dentry is hashed (bsc#949752).
   - driver: Vmxnet3: Fix ethtool -S to return correct rx queue stats (bsc#950750).
   - drm/i915: Change semantics of hw_contexts_disabled (bsc#963276).
   - drm/i915: Evict CS TLBs between batches (bsc#758040).
   - drm/i915: Fix SRC_COPY width on 830/845g (bsc#758040).
   - e1000e: Do not read ICR in Other interrupt (bsc#924919).
   - e1000e: Do not write lsc to ics in msi-x mode (bsc#924919).
   - e1000e: Fix msi-x interrupt automask (bsc#924919).
   - e1000e: Remove unreachable code (bsc#924919).
   - ext3: fix data=journal fast mount/umount hang (bsc#942082).
   - ext3: NULL dereference in ext3_evict_inode() (bsc#942082).
   - firmware: Create directories for external firmware (bsc#959312).
   - firmware: Simplify directory creation (bsc#959312).
   - fs: Avoid deadlocks of fsync_bdev() and fs freezing (bsc#935123).
   - fs: Fix deadlocks between sync and fs freezing (bsc#935123).
   - ftdi_sio: private backport of TIOCMIWAIT (bnc#956375).
   - ipr: Fix incorrect trace indexing (bsc#940913).
   - ipr: Fix invalid array indexing for HRRQ (bsc#940913).
   - ipv6: make fib6 serial number per namespace (bsc#965319).
   - ipv6: mld: fix add_grhead skb_over_panic for devs with large MTUs (bsc#956852).
   - ipv6: per netns fib6 walkers (bsc#965319).
   - ipv6: per netns FIB garbage collection (bsc#965319).
   - ipv6: replace global gc_args with local variable (bsc#965319).
   - jbd: Fix unreclaimed pages after truncate in data=journal mode (bsc#961516).
   - kabi: protect struct netns_ipv6 after FIB6 GC series (bsc#965319).
   - kbuild: create directory for dir/file.o (bsc#959312).
   - kexec: Fix race between panic() and crash_kexec() called directly (bnc#937444).
   - lpfc: Fix null ndlp dereference in target_reset_handler (bsc#951392).
   - mld, igmp: Fix reserved tailroom calculation (bsc#956852).
   - mm-memcg-print-statistics-from-live-counters-fix (bnc#969307).
   - netfilter: xt_recent: fix namespace destroy path (bsc#879378).
   - nfs4: treat lock owners as opaque values (bnc#968141).
   - nfs: Fix handling of re-write-before-commit for mmapped NFS pages (bsc#964201).
   - nfs: use smaller allocations for 'struct id_map' (bsc#965923).
   - nfsv4: Fix two infinite loops in the mount code (bsc#954628).
   - nfsv4: Recovery of recalled read delegations is broken (bsc#956514).
   - panic/x86: Allow cpus to save registers even if they (bnc#940946).
   - panic/x86: Fix re-entrance problem due to panic on (bnc#937444).
   - pciback: do not allow MSI-X ops if PCI_COMMAND_MEMORY is not set.
   - pciback: for XEN_PCI_OP_disable_msi[|x] only disable if device has MSI(X) enabled.
   - pciback: return error on XEN_PCI_OP_enable_msi when device has MSI or MSI-X enabled.
   - pciback: return error on XEN_PCI_OP_enable_msix when device has MSI or MSI-X enabled.
   - pci: Update VPD size with correct length (bsc#958906).
   - quota: Fix deadlock with suspend and quotas (bsc#935123).
   - rdma/ucma: Fix AB-BA deadlock (bsc#963998).
   - README.BRANCH: Switch to LTSS mode
   - Refresh patches.xen/xen3-08-x86-ldt-make-modify_ldt-synchronous.patch (bsc#959705).
   - Restore kabi after lock-owner change (bnc#968141).
   - s390/pageattr: Do a single TLB flush for change_page_attr (bsc#940413).
   - scsi_dh_rdac: always retry MODE SELECT on command lock violation (bsc#956949).
   - scsi: mpt2sas: Rearrange the code so that the completion queues are initialized prior to sending the request to controller firmware (bsc#967863).
   - skb: Add inline helper for getting the skb end offset from head (bsc#956852).
   - sunrpc: restore fair scheduling to priority queues (bsc#955308).
   - sunrpc: refactor rpcauth_checkverf error returns (bsc#955673).
   - tcp: avoid order-1 allocations on wifi and tx path (bsc#956852).
   - tcp: fix skb_availroom() (bsc#956852).
   - tg3: 5715 does not link up when autoneg off (bsc#904035).
   - Update patches.fixes/mm-exclude-reserved-pages-from-dirtyable-memory-fix.patch (bnc#940017, bnc#949298, bnc#947128).
   - usb: ftdi_sio: fix race condition in TIOCMIWAIT, and abort of TIOCMIWAIT when the device is removed (bnc#956375).
   - usb: ftdi_sio: fix status line change handling for TIOCMIWAIT and TIOCGICOUNT (bnc#956375).
   - usb: ftdi_sio: fix tiocmget and tiocmset return values (bnc#956375).
   - usb: ftdi_sio: fix tiocmget indentation (bnc#956375).
   - usb: ftdi_sio: optimise chars_in_buffer (bnc#956375).
   - usb: ftdi_sio: refactor modem-control status retrieval (bnc#956375).
   - usb: ftdi_sio: remove unnecessary memset (bnc#956375).
   - usb: ftdi_sio: use ftdi_get_modem_status in chars_in_buffer (bnc#956375).
   - usb: ftdi_sio: use generic chars_in_buffer (bnc#956375).
   - usb: serial: export usb_serial_generic_chars_in_buffer (bnc#956375).
   - usb: serial: ftdi_sio: Add missing chars_in_buffer function (bnc#956375).
   - usbvision: fix overflow of interfaces array (bnc#950998).
   - veth: extend device features (bsc#879381).
   - vfs: Provide function to get superblock and wait for it to thaw (bsc#935123).
   - vmxnet3: adjust ring sizes when interface is down (bsc#950750).
   - vmxnet3: fix building without CONFIG_PCI_MSI (bsc#958912).
   - vmxnet3: fix ethtool ring buffer size setting (bsc#950750).
   - vmxnet3: fix netpoll race condition (bsc#958912).
   - writeback: Skip writeback for frozen filesystem (bsc#935123).
   - x86/evtchn: make use of PHYSDEVOP_map_pirq.
   - x86, kvm: fix kvm's usage of kernel_fpu_begin/end() (bsc#961518).
   - x86, kvm: fix maintenance of guest/host xcr0 state (bsc#961518).
   - x86, kvm: use kernel_fpu_begin/end() in kvm_load/put_guest_fpu() (bsc#961518).
   - x86/mce: Fix return value of mce_chrdev_read() when erst is disabled (bsc#934787).
   - xen/panic/x86: Allow cpus to save registers even if they (bnc#940946).
   - xen/panic/x86: Fix re-entrance problem due to panic on (bnc#937444).
   - xen: x86: mm: drop TLB flush from ptep_set_access_flags (bsc#948330).
   - xen: x86: mm: only do a local tlb flush in ptep_set_access_flags() (bsc#948330).
   - xfrm: do not segment UFO packets (bsc#946122).
   - xhci: silence TD warning (bnc#939955).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 5:

      zypper in -t patch sleclo50sp3-kernel-20160414-12537=1

   - SUSE Manager Proxy 2.1:

      zypper in -t patch slemap21-kernel-20160414-12537=1

   - SUSE Manager 2.1:

      zypper in -t patch sleman21-kernel-20160414-12537=1

   - SUSE Linux Enterprise Server 11-SP3-LTSS:

      zypper in -t patch slessp3-kernel-20160414-12537=1

   - SUSE Linux Enterprise Server 11-EXTRA:

      zypper in -t patch slexsp3-kernel-20160414-12537=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-kernel-20160414-12537=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE OpenStack Cloud 5 (x86_64):
      kernel-bigsmp-3.0.101-0.47.79.1
      kernel-bigsmp-base-3.0.101-0.47.79.1
      kernel-bigsmp-devel-3.0.101-0.47.79.1
      kernel-default-3.0.101-0.47.79.1
      kernel-default-base-3.0.101-0.47.79.1
      kernel-default-devel-3.0.101-0.47.79.1
      kernel-ec2-3.0.101-0.47.79.1
      kernel-ec2-base-3.0.101-0.47.79.1
      kernel-ec2-devel-3.0.101-0.47.79.1
      kernel-source-3.0.101-0.47.79.1
      kernel-syms-3.0.101-0.47.79.1
      kernel-trace-3.0.101-0.47.79.1
      kernel-trace-base-3.0.101-0.47.79.1
      kernel-trace-devel-3.0.101-0.47.79.1
      kernel-xen-3.0.101-0.47.79.1
      kernel-xen-base-3.0.101-0.47.79.1
      kernel-xen-devel-3.0.101-0.47.79.1
   - SUSE Manager Proxy 2.1 (x86_64):
      kernel-bigsmp-3.0.101-0.47.79.1
      kernel-bigsmp-base-3.0.101-0.47.79.1
      kernel-bigsmp-devel-3.0.101-0.47.79.1
      kernel-default-3.0.101-0.47.79.1
      kernel-default-base-3.0.101-0.47.79.1
      kernel-default-devel-3.0.101-0.47.79.1
      kernel-ec2-3.0.101-0.47.79.1
      kernel-ec2-base-3.0.101-0.47.79.1
      kernel-ec2-devel-3.0.101-0.47.79.1
      kernel-source-3.0.101-0.47.79.1
      kernel-syms-3.0.101-0.47.79.1
      kernel-trace-3.0.101-0.47.79.1
      kernel-trace-base-3.0.101-0.47.79.1
      kernel-trace-devel-3.0.101-0.47.79.1
      kernel-xen-3.0.101-0.47.79.1
      kernel-xen-base-3.0.101-0.47.79.1
      kernel-xen-devel-3.0.101-0.47.79.1
   - SUSE Manager 2.1 (s390x x86_64):
      kernel-default-3.0.101-0.47.79.1
      kernel-default-base-3.0.101-0.47.79.1
      kernel-default-devel-3.0.101-0.47.79.1
      kernel-source-3.0.101-0.47.79.1
      kernel-syms-3.0.101-0.47.79.1
      kernel-trace-3.0.101-0.47.79.1
      kernel-trace-base-3.0.101-0.47.79.1
      kernel-trace-devel-3.0.101-0.47.79.1
   - SUSE Manager 2.1 (x86_64):
      kernel-bigsmp-3.0.101-0.47.79.1
      kernel-bigsmp-base-3.0.101-0.47.79.1
      kernel-bigsmp-devel-3.0.101-0.47.79.1
      kernel-ec2-3.0.101-0.47.79.1
      kernel-ec2-base-3.0.101-0.47.79.1
      kernel-ec2-devel-3.0.101-0.47.79.1
      kernel-xen-3.0.101-0.47.79.1
      kernel-xen-base-3.0.101-0.47.79.1
      kernel-xen-devel-3.0.101-0.47.79.1
   - SUSE Manager 2.1 (s390x):
      kernel-default-man-3.0.101-0.47.79.1
   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64):
      kernel-default-3.0.101-0.47.79.1
      kernel-default-base-3.0.101-0.47.79.1
      kernel-default-devel-3.0.101-0.47.79.1
      kernel-source-3.0.101-0.47.79.1
      kernel-syms-3.0.101-0.47.79.1
      kernel-trace-3.0.101-0.47.79.1
      kernel-trace-base-3.0.101-0.47.79.1
      kernel-trace-devel-3.0.101-0.47.79.1
   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 x86_64):
      kernel-ec2-3.0.101-0.47.79.1
      kernel-ec2-base-3.0.101-0.47.79.1
      kernel-ec2-devel-3.0.101-0.47.79.1
      kernel-xen-3.0.101-0.47.79.1
      kernel-xen-base-3.0.101-0.47.79.1
      kernel-xen-devel-3.0.101-0.47.79.1
   - SUSE Linux Enterprise Server 11-SP3-LTSS (x86_64):
      kernel-bigsmp-3.0.101-0.47.79.1
      kernel-bigsmp-base-3.0.101-0.47.79.1
      kernel-bigsmp-devel-3.0.101-0.47.79.1
   - SUSE Linux Enterprise Server 11-SP3-LTSS (s390x):
      kernel-default-man-3.0.101-0.47.79.1
   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586):
      kernel-pae-3.0.101-0.47.79.1
      kernel-pae-base-3.0.101-0.47.79.1
      kernel-pae-devel-3.0.101-0.47.79.1
   - SUSE Linux Enterprise Server 11-EXTRA (i586 ia64 ppc64 s390x x86_64):
      kernel-default-extra-3.0.101-0.47.79.1
   - SUSE Linux Enterprise Server 11-EXTRA (i586 x86_64):
      kernel-xen-extra-3.0.101-0.47.79.1
   - SUSE Linux Enterprise Server 11-EXTRA (x86_64):
      kernel-bigsmp-extra-3.0.101-0.47.79.1
      kernel-trace-extra-3.0.101-0.47.79.1
   - SUSE Linux Enterprise Server 11-EXTRA (ppc64):
      kernel-ppc64-extra-3.0.101-0.47.79.1
   - SUSE Linux Enterprise Server 11-EXTRA (i586):
      kernel-pae-extra-3.0.101-0.47.79.1
   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
      kernel-default-debuginfo-3.0.101-0.47.79.1
      kernel-default-debugsource-3.0.101-0.47.79.1
      kernel-trace-debuginfo-3.0.101-0.47.79.1
      kernel-trace-debugsource-3.0.101-0.47.79.1
   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 x86_64):
      kernel-ec2-debuginfo-3.0.101-0.47.79.1
      kernel-ec2-debugsource-3.0.101-0.47.79.1
      kernel-xen-debuginfo-3.0.101-0.47.79.1
      kernel-xen-debugsource-3.0.101-0.47.79.1
   - SUSE Linux Enterprise Debuginfo 11-SP3 (x86_64):
      kernel-bigsmp-debuginfo-3.0.101-0.47.79.1
      kernel-bigsmp-debugsource-3.0.101-0.47.79.1
   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586):
      kernel-pae-debuginfo-3.0.101-0.47.79.1
      kernel-pae-debugsource-3.0.101-0.47.79.1

References:

   https://www.suse.com/security/cve/CVE-2013-7446.html
   https://www.suse.com/security/cve/CVE-2015-7509.html
   https://www.suse.com/security/cve/CVE-2015-7515.html
   https://www.suse.com/security/cve/CVE-2015-7550.html
   https://www.suse.com/security/cve/CVE-2015-7566.html
   https://www.suse.com/security/cve/CVE-2015-7799.html
   https://www.suse.com/security/cve/CVE-2015-8215.html
   https://www.suse.com/security/cve/CVE-2015-8539.html
   https://www.suse.com/security/cve/CVE-2015-8543.html
   https://www.suse.com/security/cve/CVE-2015-8550.html
   https://www.suse.com/security/cve/CVE-2015-8551.html
   https://www.suse.com/security/cve/CVE-2015-8552.html
   https://www.suse.com/security/cve/CVE-2015-8569.html
   https://www.suse.com/security/cve/CVE-2015-8575.html
   https://www.suse.com/security/cve/CVE-2015-8767.html
   https://www.suse.com/security/cve/CVE-2015-8785.html
   https://www.suse.com/security/cve/CVE-2015-8812.html
   https://www.suse.com/security/cve/CVE-2015-8816.html
   https://www.suse.com/security/cve/CVE-2016-0723.html
   https://www.suse.com/security/cve/CVE-2016-2069.html
   https://www.suse.com/security/cve/CVE-2016-2143.html
   https://www.suse.com/security/cve/CVE-2016-2184.html
   https://www.suse.com/security/cve/CVE-2016-2185.html
   https://www.suse.com/security/cve/CVE-2016-2186.html
   https://www.suse.com/security/cve/CVE-2016-2188.html
   https://www.suse.com/security/cve/CVE-2016-2384.html
   https://www.suse.com/security/cve/CVE-2016-2543.html
   https://www.suse.com/security/cve/CVE-2016-2544.html
   https://www.suse.com/security/cve/CVE-2016-2545.html
   https://www.suse.com/security/cve/CVE-2016-2546.html
   https://www.suse.com/security/cve/CVE-2016-2547.html
   https://www.suse.com/security/cve/CVE-2016-2548.html
   https://www.suse.com/security/cve/CVE-2016-2549.html
   https://www.suse.com/security/cve/CVE-2016-2782.html
   https://www.suse.com/security/cve/CVE-2016-2847.html
   https://www.suse.com/security/cve/CVE-2016-3137.html
   https://www.suse.com/security/cve/CVE-2016-3138.html
   https://www.suse.com/security/cve/CVE-2016-3139.html
   https://www.suse.com/security/cve/CVE-2016-3140.html
   https://www.suse.com/security/cve/CVE-2016-3156.html
   https://www.suse.com/security/cve/CVE-2016-3955.html
   https://bugzilla.suse.com/758040
   https://bugzilla.suse.com/781018
   https://bugzilla.suse.com/879378
   https://bugzilla.suse.com/879381
   https://bugzilla.suse.com/904035
   https://bugzilla.suse.com/924919
   https://bugzilla.suse.com/934787
   https://bugzilla.suse.com/935123
   https://bugzilla.suse.com/937444
   https://bugzilla.suse.com/939955
   https://bugzilla.suse.com/940017
   https://bugzilla.suse.com/940413
   https://bugzilla.suse.com/940913
   https://bugzilla.suse.com/940946
   https://bugzilla.suse.com/941514
   https://bugzilla.suse.com/942082
   https://bugzilla.suse.com/946122
   https://bugzilla.suse.com/947128
   https://bugzilla.suse.com/948330
   https://bugzilla.suse.com/949298
   https://bugzilla.suse.com/949752
   https://bugzilla.suse.com/949936
   https://bugzilla.suse.com/950750
   https://bugzilla.suse.com/950998
   https://bugzilla.suse.com/951392
   https://bugzilla.suse.com/952976
   https://bugzilla.suse.com/954628
   https://bugzilla.suse.com/955308
   https://bugzilla.suse.com/955354
   https://bugzilla.suse.com/955654
   https://bugzilla.suse.com/955673
   https://bugzilla.suse.com/956375
   https://bugzilla.suse.com/956514
   https://bugzilla.suse.com/956707
   https://bugzilla.suse.com/956708
   https://bugzilla.suse.com/956709
   https://bugzilla.suse.com/956852
   https://bugzilla.suse.com/956949
   https://bugzilla.suse.com/957988
   https://bugzilla.suse.com/957990
   https://bugzilla.suse.com/958463
   https://bugzilla.suse.com/958886
   https://bugzilla.suse.com/958906
   https://bugzilla.suse.com/958912
   https://bugzilla.suse.com/958951
   https://bugzilla.suse.com/959190
   https://bugzilla.suse.com/959312
   https://bugzilla.suse.com/959399
   https://bugzilla.suse.com/959705
   https://bugzilla.suse.com/960857
   https://bugzilla.suse.com/961500
   https://bugzilla.suse.com/961509
   https://bugzilla.suse.com/961512
   https://bugzilla.suse.com/961516
   https://bugzilla.suse.com/961518
   https://bugzilla.suse.com/963276
   https://bugzilla.suse.com/963765
   https://bugzilla.suse.com/963767
   https://bugzilla.suse.com/963998
   https://bugzilla.suse.com/964201
   https://bugzilla.suse.com/965319
   https://bugzilla.suse.com/965923
   https://bugzilla.suse.com/966437
   https://bugzilla.suse.com/966693
   https://bugzilla.suse.com/967863
   https://bugzilla.suse.com/967972
   https://bugzilla.suse.com/967973
   https://bugzilla.suse.com/967974
   https://bugzilla.suse.com/967975
   https://bugzilla.suse.com/968010
   https://bugzilla.suse.com/968011
   https://bugzilla.suse.com/968012
   https://bugzilla.suse.com/968013
   https://bugzilla.suse.com/968141
   https://bugzilla.suse.com/968670
   https://bugzilla.suse.com/969307
   https://bugzilla.suse.com/970504
   https://bugzilla.suse.com/970892
   https://bugzilla.suse.com/970909
   https://bugzilla.suse.com/970911
   https://bugzilla.suse.com/970948
   https://bugzilla.suse.com/970956
   https://bugzilla.suse.com/970958
   https://bugzilla.suse.com/970970
   https://bugzilla.suse.com/971124
   https://bugzilla.suse.com/971125
   https://bugzilla.suse.com/971360
   https://bugzilla.suse.com/973570
   https://bugzilla.suse.com/974646
   https://bugzilla.suse.com/975945

From sle-security-updates at lists.suse.com Tue May 3 11:23:30 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 3 May 2016 19:23:30 +0200 (CEST)
Subject: SUSE-SU-2016:1204-1: moderate: Security update for libxml2
Message-ID: <20160503172330.32201FF8E@maintenance.suse.de>

   SUSE Security Update: Security update for libxml2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1204-1
Rating:             moderate
References:         #972335 #975947
Cross-References:   CVE-2016-3627
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12-SP1
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available.

Description:

   This update for libxml2 fixes two security issues:

   - libxml2 limits the number of recursions an XML document can contain to protect against the "Billion Laughs" denial-of-service attack. Unfortunately, the underlying counter was not incremented properly in all necessary locations. Therefore, specially crafted XML documents could exhaust all available stack space and crash the XML parser without running into the recursion limit. This vulnerability has been fixed. (bsc#975947)
   - When running in recovery mode, certain invalid XML documents would trigger an infinite recursion in libxml2 that ran until all stack space was exhausted. This vulnerability could have been used to facilitate a denial-of-service attack. (CVE-2016-3627, bsc#972335)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-709=1

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2016-709=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-709=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-709=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-709=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2016-709=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      libxml2-debugsource-2.9.1-20.1
      libxml2-devel-2.9.1-20.1

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      libxml2-debugsource-2.9.1-20.1
      libxml2-devel-2.9.1-20.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      libxml2-2-2.9.1-20.1
      libxml2-2-debuginfo-2.9.1-20.1
      libxml2-debugsource-2.9.1-20.1
      libxml2-tools-2.9.1-20.1
      libxml2-tools-debuginfo-2.9.1-20.1
      python-libxml2-2.9.1-20.1
      python-libxml2-debuginfo-2.9.1-20.1
      python-libxml2-debugsource-2.9.1-20.1

   - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):

      libxml2-2-32bit-2.9.1-20.1
      libxml2-2-debuginfo-32bit-2.9.1-20.1

   - SUSE Linux Enterprise Server 12-SP1 (noarch):

      libxml2-doc-2.9.1-20.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      libxml2-2-2.9.1-20.1
      libxml2-2-debuginfo-2.9.1-20.1
      libxml2-debugsource-2.9.1-20.1
      libxml2-tools-2.9.1-20.1
      libxml2-tools-debuginfo-2.9.1-20.1
      python-libxml2-2.9.1-20.1
      python-libxml2-debuginfo-2.9.1-20.1
      python-libxml2-debugsource-2.9.1-20.1

   - SUSE Linux Enterprise Server 12 (s390x x86_64):

      libxml2-2-32bit-2.9.1-20.1
      libxml2-2-debuginfo-32bit-2.9.1-20.1

   - SUSE Linux Enterprise Server 12 (noarch):

      libxml2-doc-2.9.1-20.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      libxml2-2-2.9.1-20.1
      libxml2-2-32bit-2.9.1-20.1
      libxml2-2-debuginfo-2.9.1-20.1
      libxml2-2-debuginfo-32bit-2.9.1-20.1
      libxml2-debugsource-2.9.1-20.1
      libxml2-tools-2.9.1-20.1
      libxml2-tools-debuginfo-2.9.1-20.1
      python-libxml2-2.9.1-20.1
      python-libxml2-debuginfo-2.9.1-20.1
      python-libxml2-debugsource-2.9.1-20.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      libxml2-2-2.9.1-20.1
      libxml2-2-32bit-2.9.1-20.1
      libxml2-2-debuginfo-2.9.1-20.1
      libxml2-2-debuginfo-32bit-2.9.1-20.1
      libxml2-debugsource-2.9.1-20.1
      libxml2-tools-2.9.1-20.1
      libxml2-tools-debuginfo-2.9.1-20.1
      python-libxml2-2.9.1-20.1
      python-libxml2-debuginfo-2.9.1-20.1
      python-libxml2-debugsource-2.9.1-20.1

References:

   https://www.suse.com/security/cve/CVE-2016-3627.html
   https://bugzilla.suse.com/972335
   https://bugzilla.suse.com/975947

From sle-security-updates at lists.suse.com Tue May 3 11:23:59 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 3 May 2016 19:23:59 +0200 (CEST)
Subject: SUSE-SU-2016:1205-1: moderate: Security update for libxml2
Message-ID: <20160503172359.B64FDFF6C@maintenance.suse.de>

SUSE Security Update: Security update for libxml2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1205-1
Rating:             moderate
References:         #972335 #975947
Cross-References:   CVE-2016-3627
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now
   available.

Description:

   This update for libxml2 fixes two security issues:

   - libxml2 limits the number of recursions an XML document can contain so
     as to protect against the "Billion Laughs" denial-of-service attack.
     Unfortunately, the underlying counter was not incremented properly in
     all necessary locations. Therefore, specially crafted XML documents
     could exhaust all available stack space and crash the XML parser
     without running into the recursion limit. This vulnerability has been
     fixed. (bsc#975947)

   - When running in recovery mode, certain invalid XML documents would
     trigger an infinite recursion in libxml2 that ran until all stack space
     was exhausted. This vulnerability could have been used to facilitate a
     denial-of-service attack. (CVE-2016-3627, bsc#972335)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-libxml2-12538=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-libxml2-12538=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-libxml2-12538=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      libxml2-devel-2.7.6-0.40.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64):

      libxml2-devel-32bit-2.7.6-0.40.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      libxml2-2.7.6-0.40.1
      libxml2-doc-2.7.6-0.40.1
      libxml2-python-2.7.6-0.40.3

   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):

      libxml2-32bit-2.7.6-0.40.1

   - SUSE Linux Enterprise Server 11-SP4 (ia64):

      libxml2-x86-2.7.6-0.40.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      libxml2-debuginfo-2.7.6-0.40.1
      libxml2-debugsource-2.7.6-0.40.1
      libxml2-python-debuginfo-2.7.6-0.40.3
      libxml2-python-debugsource-2.7.6-0.40.3

References:

   https://www.suse.com/security/cve/CVE-2016-3627.html
   https://bugzilla.suse.com/972335
   https://bugzilla.suse.com/975947

From sle-security-updates at lists.suse.com Tue May 3 14:08:21 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 3 May 2016 22:08:21 +0200 (CEST)
Subject: SUSE-SU-2016:1206-1: important: Security update for openssl1
Message-ID: <20160503200821.D0E61FF50@maintenance.suse.de>

SUSE Security Update: Security update for openssl1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1206-1
Rating:             important
References:         #889013 #971354 #976942 #976943 #977614 #977615 #977616
                    #977617 #977621
Cross-References:   CVE-2016-2105 CVE-2016-2106 CVE-2016-2107 CVE-2016-2108
                    CVE-2016-2109
Affected Products:
                    SUSE Linux Enterprise Server 11-SECURITY
______________________________________________________________________________

   An update that solves 5 vulnerabilities and has four fixes is now
   available.

Description:

   This update for openssl1 fixes the following issues:

   Security issues fixed:

   - CVE-2016-2108: Memory corruption in the ASN.1 encoder (bsc#977617)
   - CVE-2016-2107: Padding oracle in AES-NI CBC MAC check (bsc#977616)
   - CVE-2016-2105: EVP_EncodeUpdate overflow (bsc#977614)
   - CVE-2016-2106: EVP_EncryptUpdate overflow (bsc#977615)
   - CVE-2016-2109: ASN.1 BIO excessive memory allocation (bsc#976942)

   Bugs fixed:

   - bsc#971354: libopenssl1_0_0 now Recommends: openssl1 to get correct SSL
     Root Certificate hashes
   - bsc#889013: Rename README.SuSE to the new spelling README.SUSE
   - bsc#976943: Fixed a buffer overrun in ASN1_parse.
   - bsc#977621: Preserve negotiated digests for SNI

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SECURITY:

      zypper in -t patch secsp3-openssl1-12539=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 11-SECURITY (i586 ia64 ppc64 s390x x86_64):

      libopenssl1-devel-1.0.1g-0.47.1
      libopenssl1_0_0-1.0.1g-0.47.1
      openssl1-1.0.1g-0.47.1
      openssl1-doc-1.0.1g-0.47.1

   - SUSE Linux Enterprise Server 11-SECURITY (ppc64 s390x x86_64):

      libopenssl1_0_0-32bit-1.0.1g-0.47.1

   - SUSE Linux Enterprise Server 11-SECURITY (ia64):

      libopenssl1_0_0-x86-1.0.1g-0.47.1

References:

   https://www.suse.com/security/cve/CVE-2016-2105.html
   https://www.suse.com/security/cve/CVE-2016-2106.html
   https://www.suse.com/security/cve/CVE-2016-2107.html
   https://www.suse.com/security/cve/CVE-2016-2108.html
   https://www.suse.com/security/cve/CVE-2016-2109.html
   https://bugzilla.suse.com/889013
   https://bugzilla.suse.com/971354
   https://bugzilla.suse.com/976942
   https://bugzilla.suse.com/976943
   https://bugzilla.suse.com/977614
   https://bugzilla.suse.com/977615
   https://bugzilla.suse.com/977616
   https://bugzilla.suse.com/977617
   https://bugzilla.suse.com/977621

From sle-security-updates at lists.suse.com Wed May 4 08:14:11 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 4 May 2016 16:14:11 +0200 (CEST)
Subject: SUSE-SU-2016:1228-1: important: Security update for openssl
Message-ID: <20160504141411.CD760F432@maintenance.suse.de>

SUSE Security Update: Security update for openssl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1228-1
Rating:             important
References:         #958501 #976942 #976943 #977614 #977615 #977616 #977617
                    #977621
Cross-References:   CVE-2016-2105 CVE-2016-2106 CVE-2016-2107 CVE-2016-2108
                    CVE-2016-2109
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that solves 5 vulnerabilities and has three fixes is now
   available.
Description:

   This update for openssl fixes the following issues:

   - CVE-2016-2108: Memory corruption in the ASN.1 encoder (bsc#977617)
   - CVE-2016-2107: Padding oracle in AES-NI CBC MAC check (bsc#977616)
   - CVE-2016-2105: EVP_EncodeUpdate overflow (bsc#977614)
   - CVE-2016-2106: EVP_EncryptUpdate overflow (bsc#977615)
   - CVE-2016-2109: ASN.1 BIO excessive memory allocation (bsc#976942)
   - bsc#976943: Buffer overrun in ASN1_parse
   - bsc#977621: Preserve negotiated digests for SNI
   - bsc#958501: Fix openssl enc -non-fips-allow option in FIPS mode

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2016-715=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-715=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2016-715=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      libopenssl-devel-1.0.1i-27.16.1
      openssl-debuginfo-1.0.1i-27.16.1
      openssl-debugsource-1.0.1i-27.16.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      libopenssl1_0_0-1.0.1i-27.16.1
      libopenssl1_0_0-debuginfo-1.0.1i-27.16.1
      libopenssl1_0_0-hmac-1.0.1i-27.16.1
      openssl-1.0.1i-27.16.1
      openssl-debuginfo-1.0.1i-27.16.1
      openssl-debugsource-1.0.1i-27.16.1

   - SUSE Linux Enterprise Server 12 (s390x x86_64):

      libopenssl1_0_0-32bit-1.0.1i-27.16.1
      libopenssl1_0_0-debuginfo-32bit-1.0.1i-27.16.1
      libopenssl1_0_0-hmac-32bit-1.0.1i-27.16.1

   - SUSE Linux Enterprise Server 12 (noarch):

      openssl-doc-1.0.1i-27.16.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      libopenssl1_0_0-1.0.1i-27.16.1
      libopenssl1_0_0-32bit-1.0.1i-27.16.1
      libopenssl1_0_0-debuginfo-1.0.1i-27.16.1
      libopenssl1_0_0-debuginfo-32bit-1.0.1i-27.16.1
      openssl-1.0.1i-27.16.1
      openssl-debuginfo-1.0.1i-27.16.1
      openssl-debugsource-1.0.1i-27.16.1

References:

   https://www.suse.com/security/cve/CVE-2016-2105.html
   https://www.suse.com/security/cve/CVE-2016-2106.html
   https://www.suse.com/security/cve/CVE-2016-2107.html
   https://www.suse.com/security/cve/CVE-2016-2108.html
   https://www.suse.com/security/cve/CVE-2016-2109.html
   https://bugzilla.suse.com/958501
   https://bugzilla.suse.com/976942
   https://bugzilla.suse.com/976943
   https://bugzilla.suse.com/977614
   https://bugzilla.suse.com/977615
   https://bugzilla.suse.com/977616
   https://bugzilla.suse.com/977617
   https://bugzilla.suse.com/977621

From sle-security-updates at lists.suse.com Wed May 4 10:08:17 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 4 May 2016 18:08:17 +0200 (CEST)
Subject: SUSE-SU-2016:1231-1: important: Security update for compat-openssl097g
Message-ID: <20160504160817.F4012F433@maintenance.suse.de>

SUSE Security Update: Security update for compat-openssl097g
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1231-1
Rating:             important
References:         #976942 #976943 #977615 #977617
Cross-References:   CVE-2016-2105 CVE-2016-2106 CVE-2016-2108 CVE-2016-2109
Affected Products:
                    SUSE Linux Enterprise Server for SAP 11-SP4
                    SUSE Linux Enterprise Server for SAP 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update for compat-openssl097g fixes the following issues:

   Security issues fixed:

   - CVE-2016-2108: Memory corruption in the ASN.1 encoder (bsc#977617)
   - CVE-2016-2105: EVP_EncodeUpdate overflow (bsc#977614)
   - CVE-2016-2106: EVP_EncryptUpdate overflow (bsc#977615)
   - CVE-2016-2109: ASN.1 BIO excessive memory allocation (bsc#976942)

   Bugs fixed:

   - bsc#976943: Fix buffer overrun in ASN1_parse

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 11-SP4:

      zypper in -t patch slesappsp4-compat-openssl097g-12541=1

   - SUSE Linux Enterprise Server for SAP 11-SP3:

      zypper in -t patch slesappsp3-compat-openssl097g-12541=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-compat-openssl097g-12541=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server for SAP 11-SP4 (ppc64 x86_64):

      compat-openssl097g-0.9.7g-146.22.44.1
      compat-openssl097g-32bit-0.9.7g-146.22.44.1

   - SUSE Linux Enterprise Server for SAP 11-SP3 (x86_64):

      compat-openssl097g-0.9.7g-146.22.44.1
      compat-openssl097g-32bit-0.9.7g-146.22.44.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 x86_64):

      compat-openssl097g-debuginfo-0.9.7g-146.22.44.1
      compat-openssl097g-debugsource-0.9.7g-146.22.44.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (x86_64):

      compat-openssl097g-debuginfo-32bit-0.9.7g-146.22.44.1

References:

   https://www.suse.com/security/cve/CVE-2016-2105.html
   https://www.suse.com/security/cve/CVE-2016-2106.html
   https://www.suse.com/security/cve/CVE-2016-2108.html
   https://www.suse.com/security/cve/CVE-2016-2109.html
   https://bugzilla.suse.com/976942
   https://bugzilla.suse.com/976943
   https://bugzilla.suse.com/977615
   https://bugzilla.suse.com/977617

From sle-security-updates at lists.suse.com Wed May 4 10:09:05 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 4 May 2016 18:09:05 +0200 (CEST)
Subject: SUSE-SU-2016:1232-1: moderate: Security update for nginx-1.0
Message-ID: <20160504160905.843D7F404@maintenance.suse.de>

SUSE Security Update: Security update for nginx-1.0
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1232-1
Rating:             moderate
References:         #963775 #963778 #963781
Cross-References:   CVE-2016-0742 CVE-2016-0746 CVE-2016-0747
Affected Products:
                    SUSE Webyast 1.3
                    SUSE Studio Onsite 1.3
                    SUSE Lifecycle Management Server 1.3
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.
Description:

   This update for nginx-1.0 fixes the following issues:

   Security fixes:

   - CVE-2016-0742: Invalid pointer dereference during DNS server response
     processing
   - CVE-2016-0747: Resource exhaustion through unlimited CNAME resolution
   - CVE-2016-0746: Use-after-free condition during CNAME response
     processing

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Webyast 1.3:

      zypper in -t patch slewyst13-nginx-1.0-12540=1

   - SUSE Studio Onsite 1.3:

      zypper in -t patch slestso13-nginx-1.0-12540=1

   - SUSE Lifecycle Management Server 1.3:

      zypper in -t patch sleslms13-nginx-1.0-12540=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Webyast 1.3 (i586 ia64 ppc64 s390x x86_64):

      GeoIP-1.4.7-2.10.1
      libGeoIP1-1.4.7-2.10.1
      nginx-1.0-1.0.15-0.29.2

   - SUSE Studio Onsite 1.3 (x86_64):

      libGeoIP1-1.4.7-2.10.1
      nginx-1.0-1.0.15-0.29.2

   - SUSE Lifecycle Management Server 1.3 (x86_64):

      GeoIP-1.4.7-2.10.1
      libGeoIP1-1.4.7-2.10.1
      nginx-1.0-1.0.15-0.29.2

References:

   https://www.suse.com/security/cve/CVE-2016-0742.html
   https://www.suse.com/security/cve/CVE-2016-0746.html
   https://www.suse.com/security/cve/CVE-2016-0747.html
   https://bugzilla.suse.com/963775
   https://bugzilla.suse.com/963778
   https://bugzilla.suse.com/963781

From sle-security-updates at lists.suse.com Wed May 4 10:09:42 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 4 May 2016 18:09:42 +0200 (CEST)
Subject: SUSE-SU-2016:1233-1: important: Security update for openssl
Message-ID: <20160504160942.7D334F42E@maintenance.suse.de>

SUSE Security Update: Security update for openssl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1233-1
Rating:             important
References:         #958501 #976942 #976943 #977614 #977615 #977616 #977617
                    #977621
Cross-References:   CVE-2016-2105 CVE-2016-2106 CVE-2016-2107 CVE-2016-2108
                    CVE-2016-2109
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that solves 5 vulnerabilities and has three fixes is now
   available.

Description:

   This update for openssl fixes the following issues:

   - CVE-2016-2108: Memory corruption in the ASN.1 encoder (bsc#977617)
   - CVE-2016-2107: Padding oracle in AES-NI CBC MAC check (bsc#977616)
   - CVE-2016-2105: EVP_EncodeUpdate overflow (bsc#977614)
   - CVE-2016-2106: EVP_EncryptUpdate overflow (bsc#977615)
   - CVE-2016-2109: ASN.1 BIO excessive memory allocation (bsc#976942)
   - bsc#976943: Buffer overrun in ASN1_parse
   - bsc#977621: Preserve negotiated digests for SNI
   - bsc#958501: Fix openssl enc -non-fips-allow option in FIPS mode

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-717=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-717=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-717=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      libopenssl-devel-1.0.1i-47.1
      openssl-debuginfo-1.0.1i-47.1
      openssl-debugsource-1.0.1i-47.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      libopenssl1_0_0-1.0.1i-47.1
      libopenssl1_0_0-debuginfo-1.0.1i-47.1
      libopenssl1_0_0-hmac-1.0.1i-47.1
      openssl-1.0.1i-47.1
      openssl-debuginfo-1.0.1i-47.1
      openssl-debugsource-1.0.1i-47.1

   - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):

      libopenssl1_0_0-32bit-1.0.1i-47.1
      libopenssl1_0_0-debuginfo-32bit-1.0.1i-47.1
      libopenssl1_0_0-hmac-32bit-1.0.1i-47.1

   - SUSE Linux Enterprise Server 12-SP1 (noarch):

      openssl-doc-1.0.1i-47.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      libopenssl1_0_0-1.0.1i-47.1
      libopenssl1_0_0-32bit-1.0.1i-47.1
      libopenssl1_0_0-debuginfo-1.0.1i-47.1
      libopenssl1_0_0-debuginfo-32bit-1.0.1i-47.1
      openssl-1.0.1i-47.1
      openssl-debuginfo-1.0.1i-47.1
      openssl-debugsource-1.0.1i-47.1

References:

   https://www.suse.com/security/cve/CVE-2016-2105.html
   https://www.suse.com/security/cve/CVE-2016-2106.html
   https://www.suse.com/security/cve/CVE-2016-2107.html
   https://www.suse.com/security/cve/CVE-2016-2108.html
   https://www.suse.com/security/cve/CVE-2016-2109.html
   https://bugzilla.suse.com/958501
   https://bugzilla.suse.com/976942
   https://bugzilla.suse.com/976943
   https://bugzilla.suse.com/977614
   https://bugzilla.suse.com/977615
   https://bugzilla.suse.com/977616
   https://bugzilla.suse.com/977617
   https://bugzilla.suse.com/977621

From sle-security-updates at lists.suse.com Fri May 6 05:07:50 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 May 2016 13:07:50 +0200 (CEST)
Subject: SUSE-SU-2016:1247-1: important: Security update for ntp
Message-ID: <20160506110750.0823FF404@maintenance.suse.de>

SUSE Security Update: Security update for ntp
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1247-1
Rating:             important
References:         #782060 #905885 #910063 #916617 #920238 #926510 #936327
                    #937837 #942587 #944300 #946386 #951559 #951608 #951629
                    #954982 #956773 #962318 #962784 #962802 #962960 #962966
                    #962970 #962988 #962994 #962995 #962997 #963000 #963002
                    #975496 #975981
Cross-References:   CVE-2015-5300 CVE-2015-7691 CVE-2015-7692 CVE-2015-7701
                    CVE-2015-7702 CVE-2015-7703 CVE-2015-7704 CVE-2015-7705
                    CVE-2015-7848 CVE-2015-7849 CVE-2015-7850 CVE-2015-7851
                    CVE-2015-7852 CVE-2015-7853 CVE-2015-7854 CVE-2015-7855
                    CVE-2015-7871 CVE-2015-7973 CVE-2015-7974 CVE-2015-7975
                    CVE-2015-7976 CVE-2015-7977 CVE-2015-7978 CVE-2015-7979
                    CVE-2015-8138 CVE-2015-8139 CVE-2015-8140 CVE-2015-8158
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that solves 28 vulnerabilities and has two fixes is now
   available.

Description:

   ntp was updated to version 4.2.8p6 to fix 28 security issues.

   Major functional changes:

   - The "sntp" command-line tool changed its option handling in a major
     way; some options have been renamed or dropped.
   - "controlkey 1" is added during update to ntp.conf to allow sntp to
     work.
   - The local clock is being disabled during update.
   - ntpd is no longer running chrooted.

   Other functional changes:

   - ntp-signd is installed.
   - "enable mode7" can be added to the configuration to allow ntpdc to work
     as a compatibility-mode option.
   - "kod" was removed from the default restrictions.
   - SHA1 keys are used by default instead of MD5 keys.

   Also yast2-ntp-client was updated to match some sntp syntax changes.
   (bsc#937837)

   These security issues were fixed:

   - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).
   - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).
   - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated
     broadcast mode (bsc#962784).
   - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction
     list (bsc#963000).
   - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).
   - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in
     filenames (bsc#962802).
   - CVE-2015-7975: nextvar() missing length check (bsc#962988).
   - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation
     between authenticated peers (bsc#962960).
   - CVE-2015-7973: Replay attack on authenticated broadcast mode
     (bsc#962995).
   - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).
   - CVE-2015-8139: Origin Leak: ntpq and ntpdc disclose origin
     (bsc#962997).
   - CVE-2015-5300: MITM attacker could have forced ntpd to make a step
     larger than the panic threshold (bsc#951629).
   - CVE-2015-7871: NAK to the Future: Symmetric association authentication
     bypass via crypto-NAK (bsc#951608).
   - CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning
     FAIL on some bogus values (bsc#951608).
   - CVE-2015-7854: Password Length Memory Corruption Vulnerability
     (bsc#951608).
   - CVE-2015-7853: Invalid length data provided by a custom refclock driver
     could cause a buffer overflow (bsc#951608).
   - CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability
     (bsc#951608).
   - CVE-2015-7851: saveconfig Directory Traversal Vulnerability
     (bsc#951608).
   - CVE-2015-7850: remote config logfile-keyfile (bsc#951608).
   - CVE-2015-7849: trusted key use-after-free (bsc#951608).
   - CVE-2015-7848: mode 7 loop counter underrun (bsc#951608).
   - CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#951608).
   - CVE-2015-7703: configuration directives "pidfile" and "driftfile"
     should only be allowed locally (bsc#951608).
   - CVE-2015-7704, CVE-2015-7705: Clients that receive a KoD should
     validate the origin timestamp field (bsc#951608).
   - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702: Incomplete autokey data
     packet length checks (bsc#951608).

   These non-security issues were fixed:

   - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP
     (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added
     the authreg directive.
   - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in
     start-ntpd. When run as a cron job, /usr/sbin/ is not in the path,
     which caused the synchronization to fail.
   - bsc#782060: Speed up ntpq.
   - bsc#916617: Add /var/db/ntp-kod.
   - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen
     quite a lot on loaded systems.
   - bsc#951559, bsc#975496: Fix the TZ offset output of sntp during DST.
   - Add ntp-fork.patch and build with threads disabled to allow name
     resolution even when running chrooted.
   - Add a controlkey line to /etc/ntp.conf if one does not already exist
     to allow runtime configuration via ntpq.
   - bsc#946386: Temporarily disable memlock to avoid problems due to high
     memory usage during name resolution.
   - bsc#905885: Use SHA1 instead of MD5 for symmetric keys.
   - Improve runtime configuration:
     * Read keytype from ntp.conf
     * Don't write ntp keys to syslog.
   - Fix legacy action scripts to pass on command line arguments.
   - bsc#944300: Remove "kod" from the restrict line in ntp.conf.
   - bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd.
   - Add a controlkey to ntp.conf to make the above work.
   - Don't let "keysdir" lines in ntp.conf trigger the "keys" parser.
   - Disable mode 7 (ntpdc) again, now that we don't use it anymore.
   - Add "addserver" as a new legacy action.
   - bsc#910063: Fix the comment regarding addserver in ntp.conf.
   - bsc#926510: Disable chroot by default.
   - bsc#920238: Enable ntpdc for backwards compatibility.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2016-727=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-727=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2016-727=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (noarch):

      yast2-ntp-client-devel-doc-3.1.12.4-8.2

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      ntp-4.2.8p6-46.5.2
      ntp-debuginfo-4.2.8p6-46.5.2
      ntp-debugsource-4.2.8p6-46.5.2
      ntp-doc-4.2.8p6-46.5.2

   - SUSE Linux Enterprise Server 12 (noarch):

      yast2-ntp-client-3.1.12.4-8.2

   - SUSE Linux Enterprise Desktop 12 (noarch):

      yast2-ntp-client-3.1.12.4-8.2

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      ntp-4.2.8p6-46.5.2
      ntp-debuginfo-4.2.8p6-46.5.2
      ntp-debugsource-4.2.8p6-46.5.2
      ntp-doc-4.2.8p6-46.5.2

References:

   https://www.suse.com/security/cve/CVE-2015-5300.html
   https://www.suse.com/security/cve/CVE-2015-7691.html
   https://www.suse.com/security/cve/CVE-2015-7692.html
   https://www.suse.com/security/cve/CVE-2015-7701.html
   https://www.suse.com/security/cve/CVE-2015-7702.html
   https://www.suse.com/security/cve/CVE-2015-7703.html
   https://www.suse.com/security/cve/CVE-2015-7704.html
   https://www.suse.com/security/cve/CVE-2015-7705.html
   https://www.suse.com/security/cve/CVE-2015-7848.html
   https://www.suse.com/security/cve/CVE-2015-7849.html
   https://www.suse.com/security/cve/CVE-2015-7850.html
   https://www.suse.com/security/cve/CVE-2015-7851.html
   https://www.suse.com/security/cve/CVE-2015-7852.html
   https://www.suse.com/security/cve/CVE-2015-7853.html
   https://www.suse.com/security/cve/CVE-2015-7854.html
   https://www.suse.com/security/cve/CVE-2015-7855.html
   https://www.suse.com/security/cve/CVE-2015-7871.html
   https://www.suse.com/security/cve/CVE-2015-7973.html
   https://www.suse.com/security/cve/CVE-2015-7974.html
   https://www.suse.com/security/cve/CVE-2015-7975.html
   https://www.suse.com/security/cve/CVE-2015-7976.html
   https://www.suse.com/security/cve/CVE-2015-7977.html
   https://www.suse.com/security/cve/CVE-2015-7978.html
   https://www.suse.com/security/cve/CVE-2015-7979.html
   https://www.suse.com/security/cve/CVE-2015-8138.html
   https://www.suse.com/security/cve/CVE-2015-8139.html
   https://www.suse.com/security/cve/CVE-2015-8140.html
   https://www.suse.com/security/cve/CVE-2015-8158.html
   https://bugzilla.suse.com/782060
   https://bugzilla.suse.com/905885
   https://bugzilla.suse.com/910063
   https://bugzilla.suse.com/916617
   https://bugzilla.suse.com/920238
   https://bugzilla.suse.com/926510
   https://bugzilla.suse.com/936327
   https://bugzilla.suse.com/937837
   https://bugzilla.suse.com/942587
   https://bugzilla.suse.com/944300
   https://bugzilla.suse.com/946386
   https://bugzilla.suse.com/951559
   https://bugzilla.suse.com/951608
   https://bugzilla.suse.com/951629
   https://bugzilla.suse.com/954982
   https://bugzilla.suse.com/956773
   https://bugzilla.suse.com/962318
   https://bugzilla.suse.com/962784
   https://bugzilla.suse.com/962802
   https://bugzilla.suse.com/962960
   https://bugzilla.suse.com/962966
   https://bugzilla.suse.com/962970
   https://bugzilla.suse.com/962988
   https://bugzilla.suse.com/962994
   https://bugzilla.suse.com/962995
   https://bugzilla.suse.com/962997
   https://bugzilla.suse.com/963000
   https://bugzilla.suse.com/963002
   https://bugzilla.suse.com/975496
   https://bugzilla.suse.com/975981

From sle-security-updates at lists.suse.com Fri May 6 05:13:03 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 May 2016 13:13:03 +0200 (CEST)
Subject: SUSE-SU-2016:1248-1: important: Security update for java-1_8_0-openjdk
Message-ID: <20160506111303.C735CF3FD@maintenance.suse.de>

SUSE Security Update: Security update for java-1_8_0-openjdk
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1248-1
Rating:             important
References:         #976340
Cross-References:   CVE-2016-0686 CVE-2016-0687 CVE-2016-0695 CVE-2016-3425
                    CVE-2016-3426 CVE-2016-3427
Affected Products:
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes 6 vulnerabilities is now available.

Description:

   This update for java-1_8_0-openjdk fixes the following security issues
   from the April 2016 Oracle CPU (bsc#976340):

   - CVE-2016-0686: Unspecified vulnerability allowed remote attackers to
     affect confidentiality, integrity, and availability via vectors related
     to Serialization.
   - CVE-2016-0687: Unspecified vulnerability allowed remote attackers to
     affect confidentiality, integrity, and availability via vectors related
     to the Hotspot sub-component.
   - CVE-2016-0695: Unspecified vulnerability allowed remote attackers to
     affect confidentiality via vectors related to the Security Component.
   - CVE-2016-3425: Unspecified vulnerability allowed remote attackers to
     affect availability via vectors related to JAXP.
   - CVE-2016-3426: Unspecified vulnerability allowed remote attackers to
     affect confidentiality via vectors related to JCE.
   - CVE-2016-3427: Unspecified vulnerability allowed remote attackers to
     affect confidentiality, integrity, and availability via vectors related
     to JMX.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-724=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-724=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      java-1_8_0-openjdk-1.8.0.91-11.1
      java-1_8_0-openjdk-debuginfo-1.8.0.91-11.1
      java-1_8_0-openjdk-debugsource-1.8.0.91-11.1
      java-1_8_0-openjdk-demo-1.8.0.91-11.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.91-11.1
      java-1_8_0-openjdk-devel-1.8.0.91-11.1
      java-1_8_0-openjdk-headless-1.8.0.91-11.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.91-11.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      java-1_8_0-openjdk-1.8.0.91-11.1
      java-1_8_0-openjdk-debuginfo-1.8.0.91-11.1
      java-1_8_0-openjdk-debugsource-1.8.0.91-11.1
      java-1_8_0-openjdk-headless-1.8.0.91-11.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.91-11.1

References:

   https://www.suse.com/security/cve/CVE-2016-0686.html
   https://www.suse.com/security/cve/CVE-2016-0687.html
   https://www.suse.com/security/cve/CVE-2016-0695.html
   https://www.suse.com/security/cve/CVE-2016-3425.html
   https://www.suse.com/security/cve/CVE-2016-3426.html
   https://www.suse.com/security/cve/CVE-2016-3427.html
   https://bugzilla.suse.com/976340

From sle-security-updates at lists.suse.com Fri May 6 05:13:21 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 May 2016 13:13:21 +0200 (CEST)
Subject: SUSE-SU-2016:1249-1: moderate: Security update for subversion
Message-ID: <20160506111321.4296CF3FD@maintenance.suse.de>

SUSE Security Update: Security update for subversion
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1249-1
Rating:             moderate
References:         #911620 #969159 #976849 #976850
Cross-References:   CVE-2016-2167 CVE-2016-2168
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Software Development Kit 12
______________________________________________________________________________

   An update that solves two vulnerabilities and has two fixes is now
   available.
Description:

   This update for subversion fixes the following issues:

   - CVE-2016-2167: mod_authz_svn: DoS in MOVE/COPY authorization check (bsc#976849)
   - CVE-2016-2168: svnserve/sasl may authenticate users using the wrong realm (bsc#976850)

   The following non-security bugs were fixed:

   - bsc#969159: subversion dependencies did not enforce matching password store
   - bsc#911620: svnserve could not be started via YaST Service manager

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP1:
      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-726=1
   - SUSE Linux Enterprise Software Development Kit 12:
      zypper in -t patch SUSE-SLE-SDK-12-2016-726=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):
      libsvn_auth_gnome_keyring-1-0-1.8.10-21.1
      libsvn_auth_gnome_keyring-1-0-debuginfo-1.8.10-21.1
      libsvn_auth_kwallet-1-0-1.8.10-21.1
      libsvn_auth_kwallet-1-0-debuginfo-1.8.10-21.1
      subversion-1.8.10-21.1
      subversion-debuginfo-1.8.10-21.1
      subversion-debugsource-1.8.10-21.1
      subversion-devel-1.8.10-21.1
      subversion-perl-1.8.10-21.1
      subversion-perl-debuginfo-1.8.10-21.1
      subversion-python-1.8.10-21.1
      subversion-python-debuginfo-1.8.10-21.1
      subversion-server-1.8.10-21.1
      subversion-server-debuginfo-1.8.10-21.1
      subversion-tools-1.8.10-21.1
      subversion-tools-debuginfo-1.8.10-21.1
   - SUSE Linux Enterprise Software Development Kit 12-SP1 (noarch):
      subversion-bash-completion-1.8.10-21.1
   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):
      libsvn_auth_gnome_keyring-1-0-1.8.10-21.1
      libsvn_auth_gnome_keyring-1-0-debuginfo-1.8.10-21.1
      libsvn_auth_kwallet-1-0-1.8.10-21.1
      libsvn_auth_kwallet-1-0-debuginfo-1.8.10-21.1
      subversion-1.8.10-21.1
      subversion-debuginfo-1.8.10-21.1
      subversion-debugsource-1.8.10-21.1
      subversion-devel-1.8.10-21.1
      subversion-perl-1.8.10-21.1
      subversion-perl-debuginfo-1.8.10-21.1
      subversion-python-1.8.10-21.1
      subversion-python-debuginfo-1.8.10-21.1
      subversion-server-1.8.10-21.1
      subversion-server-debuginfo-1.8.10-21.1
      subversion-tools-1.8.10-21.1
      subversion-tools-debuginfo-1.8.10-21.1
   - SUSE Linux Enterprise Software Development Kit 12 (noarch):
      subversion-bash-completion-1.8.10-21.1

References:

   https://www.suse.com/security/cve/CVE-2016-2167.html
   https://www.suse.com/security/cve/CVE-2016-2168.html
   https://bugzilla.suse.com/911620
   https://bugzilla.suse.com/969159
   https://bugzilla.suse.com/976849
   https://bugzilla.suse.com/976850

From sle-security-updates at lists.suse.com Fri May 6 05:14:05 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 May 2016 13:14:05 +0200 (CEST)
Subject: SUSE-SU-2016:1250-1: important: Security update for java-1_7_0-openjdk
Message-ID: <20160506111405.2DA98F404@maintenance.suse.de>

SUSE Security Update: Security update for java-1_7_0-openjdk
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1250-1
Rating:             important
References:         #976340
Cross-References:   CVE-2016-0686 CVE-2016-0687 CVE-2016-0695 CVE-2016-3425
                    CVE-2016-3427
Affected Products:
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12-SP1
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.

Description:

   This update for java-1_7_0-openjdk to version 2.6.6 fixes five security issues.

   These security issues were fixed:

   - CVE-2016-0686: Ensure thread consistency (bsc#976340).
   - CVE-2016-0687: Better byte behavior (bsc#976340).
   - CVE-2016-0695: Make DSA more fair (bsc#976340).
   - CVE-2016-3425: Better buffering of XML strings (bsc#976340).
   - CVE-2016-3427: Improve JMX connections (bsc#976340).
Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP1:
      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-725=1
   - SUSE Linux Enterprise Server 12:
      zypper in -t patch SUSE-SLE-SERVER-12-2016-725=1
   - SUSE Linux Enterprise Desktop 12-SP1:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-725=1
   - SUSE Linux Enterprise Desktop 12:
      zypper in -t patch SUSE-SLE-DESKTOP-12-2016-725=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):
      java-1_7_0-openjdk-1.7.0.101-30.1
      java-1_7_0-openjdk-debuginfo-1.7.0.101-30.1
      java-1_7_0-openjdk-debugsource-1.7.0.101-30.1
      java-1_7_0-openjdk-demo-1.7.0.101-30.1
      java-1_7_0-openjdk-demo-debuginfo-1.7.0.101-30.1
      java-1_7_0-openjdk-devel-1.7.0.101-30.1
      java-1_7_0-openjdk-devel-debuginfo-1.7.0.101-30.1
      java-1_7_0-openjdk-headless-1.7.0.101-30.1
      java-1_7_0-openjdk-headless-debuginfo-1.7.0.101-30.1
   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
      java-1_7_0-openjdk-1.7.0.101-30.1
      java-1_7_0-openjdk-debuginfo-1.7.0.101-30.1
      java-1_7_0-openjdk-debugsource-1.7.0.101-30.1
      java-1_7_0-openjdk-demo-1.7.0.101-30.1
      java-1_7_0-openjdk-demo-debuginfo-1.7.0.101-30.1
      java-1_7_0-openjdk-devel-1.7.0.101-30.1
      java-1_7_0-openjdk-devel-debuginfo-1.7.0.101-30.1
      java-1_7_0-openjdk-headless-1.7.0.101-30.1
      java-1_7_0-openjdk-headless-debuginfo-1.7.0.101-30.1
   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):
      java-1_7_0-openjdk-1.7.0.101-30.1
      java-1_7_0-openjdk-debuginfo-1.7.0.101-30.1
      java-1_7_0-openjdk-debugsource-1.7.0.101-30.1
      java-1_7_0-openjdk-headless-1.7.0.101-30.1
      java-1_7_0-openjdk-headless-debuginfo-1.7.0.101-30.1
   - SUSE Linux Enterprise Desktop 12 (x86_64):
      java-1_7_0-openjdk-1.7.0.101-30.1
      java-1_7_0-openjdk-debuginfo-1.7.0.101-30.1
      java-1_7_0-openjdk-debugsource-1.7.0.101-30.1
      java-1_7_0-openjdk-headless-1.7.0.101-30.1
      java-1_7_0-openjdk-headless-debuginfo-1.7.0.101-30.1

References:

   https://www.suse.com/security/cve/CVE-2016-0686.html
   https://www.suse.com/security/cve/CVE-2016-0687.html
   https://www.suse.com/security/cve/CVE-2016-0695.html
   https://www.suse.com/security/cve/CVE-2016-3425.html
   https://www.suse.com/security/cve/CVE-2016-3427.html
   https://bugzilla.suse.com/976340

From sle-security-updates at lists.suse.com Fri May 6 12:07:50 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 May 2016 20:07:50 +0200 (CEST)
Subject: SUSE-SU-2016:1258-1: important: Security update for MozillaFirefox
Message-ID: <20160506180750.8C0DAF404@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1258-1
Rating:             important
References:         #977333 #977374 #977376 #977381 #977386
Cross-References:   CVE-2016-2805 CVE-2016-2807 CVE-2016-2808 CVE-2016-2814
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12-SP1
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that solves four vulnerabilities and has one errata is now available.

Description:

   This update to MozillaFirefox 38.8.0 ESR fixes the following issues (bsc#977333):

   - CVE-2016-2805: Miscellaneous memory safety hazards - MFSA 2016-39 (bsc#977374)
   - CVE-2016-2807: Miscellaneous memory safety hazards - MFSA 2016-39 (bsc#977376)
   - CVE-2016-2814: Buffer overflow in libstagefright with CENC offsets - MFSA 2016-44 (bsc#977381)
   - CVE-2016-2808: Write to invalid HashMap entry through JavaScript.watch() - MFSA 2016-47 (bsc#977386)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP1:
      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-732=1
   - SUSE Linux Enterprise Software Development Kit 12:
      zypper in -t patch SUSE-SLE-SDK-12-2016-732=1
   - SUSE Linux Enterprise Server 12-SP1:
      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-732=1
   - SUSE Linux Enterprise Server 12:
      zypper in -t patch SUSE-SLE-SERVER-12-2016-732=1
   - SUSE Linux Enterprise Desktop 12-SP1:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-732=1
   - SUSE Linux Enterprise Desktop 12:
      zypper in -t patch SUSE-SLE-DESKTOP-12-2016-732=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):
      MozillaFirefox-debuginfo-38.8.0esr-66.2
      MozillaFirefox-debugsource-38.8.0esr-66.2
      MozillaFirefox-devel-38.8.0esr-66.2
   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):
      MozillaFirefox-debuginfo-38.8.0esr-66.2
      MozillaFirefox-debugsource-38.8.0esr-66.2
      MozillaFirefox-devel-38.8.0esr-66.2
   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):
      MozillaFirefox-38.8.0esr-66.2
      MozillaFirefox-debuginfo-38.8.0esr-66.2
      MozillaFirefox-debugsource-38.8.0esr-66.2
      MozillaFirefox-translations-38.8.0esr-66.2
   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
      MozillaFirefox-38.8.0esr-66.2
      MozillaFirefox-debuginfo-38.8.0esr-66.2
      MozillaFirefox-debugsource-38.8.0esr-66.2
      MozillaFirefox-translations-38.8.0esr-66.2
   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):
      MozillaFirefox-38.8.0esr-66.2
      MozillaFirefox-debuginfo-38.8.0esr-66.2
      MozillaFirefox-debugsource-38.8.0esr-66.2
      MozillaFirefox-translations-38.8.0esr-66.2
   - SUSE Linux Enterprise Desktop 12 (x86_64):
      MozillaFirefox-38.8.0esr-66.2
      MozillaFirefox-debuginfo-38.8.0esr-66.2
      MozillaFirefox-debugsource-38.8.0esr-66.2
      MozillaFirefox-translations-38.8.0esr-66.2

References:

   https://www.suse.com/security/cve/CVE-2016-2805.html
   https://www.suse.com/security/cve/CVE-2016-2807.html
   https://www.suse.com/security/cve/CVE-2016-2808.html
   https://www.suse.com/security/cve/CVE-2016-2814.html
   https://bugzilla.suse.com/977333
   https://bugzilla.suse.com/977374
   https://bugzilla.suse.com/977376
   https://bugzilla.suse.com/977381
   https://bugzilla.suse.com/977386

From sle-security-updates at lists.suse.com Sat May 7 05:07:53 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 7 May 2016 13:07:53 +0200 (CEST)
Subject: SUSE-SU-2016:1259-1: moderate: Security update for spice
Message-ID: <20160507110753.30955F399@maintenance.suse.de>

SUSE Security Update: Security update for spice
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1259-1
Rating:             moderate
References:         #944460 #944787 #948976
Cross-References:   CVE-2015-3247 CVE-2015-5260 CVE-2015-5261
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   Spice was updated to fix three security issues.

   The following vulnerabilities were fixed:

   * CVE-2015-3247: heap corruption in the spice server (bsc#944460)
   * CVE-2015-5261: Guest could have accessed host memory using crafted images (bsc#948976)
   * CVE-2015-5260: Insufficient validation of surface_id parameter could have caused a crash (bsc#944787)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:
      zypper in -t patch sdksp4-spice-12542=1
   - SUSE Linux Enterprise Server 11-SP4:
      zypper in -t patch slessp4-spice-12542=1
   - SUSE Linux Enterprise Debuginfo 11-SP4:
      zypper in -t patch dbgsp4-spice-12542=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 x86_64):
      libspice-server-devel-0.12.4-5.1
   - SUSE Linux Enterprise Server 11-SP4 (i586 x86_64):
      libspice-server1-0.12.4-5.1
   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 x86_64):
      spice-debuginfo-0.12.4-5.1
      spice-debugsource-0.12.4-5.1

References:

   https://www.suse.com/security/cve/CVE-2015-3247.html
   https://www.suse.com/security/cve/CVE-2015-5260.html
   https://www.suse.com/security/cve/CVE-2015-5261.html
   https://bugzilla.suse.com/944460
   https://bugzilla.suse.com/944787
   https://bugzilla.suse.com/948976

From sle-security-updates at lists.suse.com Sat May 7 05:08:31 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 7 May 2016 13:08:31 +0200 (CEST)
Subject: SUSE-SU-2016:1260-1: important: Security update for ImageMagick
Message-ID: <20160507110831.B8FC1F36A@maintenance.suse.de>

SUSE Security Update: Security update for ImageMagick
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1260-1
Rating:             important
References:         #978061
Cross-References:   CVE-2016-3714 CVE-2016-3715 CVE-2016-3716 CVE-2016-3717
                    CVE-2016-3718
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP1
                    SUSE Linux Enterprise Workstation Extension 12
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12-SP1
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.

Description:

   This update for ImageMagick fixes the following issues:

   Security issues fixed:

   - Several coders were vulnerable to remote code execution attacks; these coders have now been disabled by default but can be re-enabled by editing "/etc/ImageMagick-*/policy.xml" (bsc#978061)
   - CVE-2016-3714: Insufficient shell characters filtering leads to (potentially remote) code execution
   - CVE-2016-3715: Possible file deletion by using ImageMagick's 'ephemeral' pseudo protocol which deletes files after reading.
   - CVE-2016-3716: Possible file moving by using ImageMagick's 'msl' pseudo protocol with any extension in any folder.
   - CVE-2016-3717: Possible local file read by using ImageMagick's 'label' pseudo protocol to get content of the files from the server.
   - CVE-2016-3718: Possible Server Side Request Forgery (SSRF) to make HTTP GET or FTP request.

   Bugs fixed:

   - Use external svg loader (rsvg)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP1:
      zypper in -t patch SUSE-SLE-WE-12-SP1-2016-733=1
   - SUSE Linux Enterprise Workstation Extension 12:
      zypper in -t patch SUSE-SLE-WE-12-2016-733=1
   - SUSE Linux Enterprise Software Development Kit 12-SP1:
      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-733=1
   - SUSE Linux Enterprise Software Development Kit 12:
      zypper in -t patch SUSE-SLE-SDK-12-2016-733=1
   - SUSE Linux Enterprise Server 12-SP1:
      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-733=1
   - SUSE Linux Enterprise Server 12:
      zypper in -t patch SUSE-SLE-SERVER-12-2016-733=1
   - SUSE Linux Enterprise Desktop 12-SP1:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-733=1
   - SUSE Linux Enterprise Desktop 12:
      zypper in -t patch SUSE-SLE-DESKTOP-12-2016-733=1

   To bring your system up-to-date, use "zypper patch".
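   The advisory above says the affected coders are now disabled through
   "/etc/ImageMagick-*/policy.xml". The fragment below is an added example of
   what such a policy looks like; it is not the file SUSE ships and not part of
   the advisory. The set of coder names is an assumption taken from the upstream
   ImageTragick hardening guidance, since the advisory does not list which coders
   were disabled. Each entry assigns rights="none" to one coder so ImageMagick
   refuses to read or write through it; the names map to the pseudo protocols
   mentioned in the CVE descriptions (EPHEMERAL, MSL, TEXT and URL/HTTPS) plus
   the others upstream recommended at the time.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policymap [
  <!ELEMENT policymap (policy)+>
  <!ELEMENT policy (#PCDATA)>
  <!ATTLIST policy domain  (delegate|coder|filter|path|resource) #IMPLIED>
  <!ATTLIST policy name    CDATA #IMPLIED>
  <!ATTLIST policy rights  CDATA #IMPLIED>
  <!ATTLIST policy pattern CDATA #IMPLIED>
  <!ATTLIST policy value   CDATA #IMPLIED>
]>
<!-- Example hardening policy (added illustration, not the SUSE-shipped file).
     Coder names below are an assumption drawn from upstream guidance. -->
<policymap>
  <!-- CVE-2016-3715: the ephemeral: pseudo protocol deletes files after reading -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <!-- CVE-2016-3718: remote fetches via url:/http:/https: -->
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <!-- CVE-2016-3714: MVG/MSL inputs can carry delegate commands -->
  <policy domain="coder" rights="none" pattern="MVG" />
  <!-- CVE-2016-3716: the msl: pseudo protocol can move files -->
  <policy domain="coder" rights="none" pattern="MSL" />
  <!-- CVE-2016-3717: label:/text: pseudo protocols can read local files -->
  <policy domain="coder" rights="none" pattern="TEXT" />
  <!-- Remaining coders upstream recommended disabling on servers -->
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>
```

   After editing, "convert -list policy" prints the policy ImageMagick actually
   loaded, which is the check an administrator wants before trusting that a
   coder is off; an entry that does not appear there usually means the file was
   placed under a directory other than the one the installed version reads. The
   advisory's point is that re-enabling a coder is a deliberate edit of this
   file, so any change to it on an image-processing host deserves the same
   review as a package downgrade.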
Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP1 (x86_64):
      ImageMagick-6.8.8.1-19.1
      ImageMagick-debuginfo-6.8.8.1-19.1
      ImageMagick-debugsource-6.8.8.1-19.1
      libMagick++-6_Q16-3-6.8.8.1-19.1
      libMagick++-6_Q16-3-debuginfo-6.8.8.1-19.1
      libMagickCore-6_Q16-1-32bit-6.8.8.1-19.1
      libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-19.1
   - SUSE Linux Enterprise Workstation Extension 12 (x86_64):
      ImageMagick-6.8.8.1-19.1
      ImageMagick-debuginfo-6.8.8.1-19.1
      ImageMagick-debugsource-6.8.8.1-19.1
      libMagick++-6_Q16-3-6.8.8.1-19.1
      libMagick++-6_Q16-3-debuginfo-6.8.8.1-19.1
      libMagickCore-6_Q16-1-32bit-6.8.8.1-19.1
      libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-19.1
   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):
      ImageMagick-6.8.8.1-19.1
      ImageMagick-debuginfo-6.8.8.1-19.1
      ImageMagick-debugsource-6.8.8.1-19.1
      ImageMagick-devel-6.8.8.1-19.1
      libMagick++-6_Q16-3-6.8.8.1-19.1
      libMagick++-6_Q16-3-debuginfo-6.8.8.1-19.1
      libMagick++-devel-6.8.8.1-19.1
      perl-PerlMagick-6.8.8.1-19.1
      perl-PerlMagick-debuginfo-6.8.8.1-19.1
   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):
      ImageMagick-6.8.8.1-19.1
      ImageMagick-debuginfo-6.8.8.1-19.1
      ImageMagick-debugsource-6.8.8.1-19.1
      ImageMagick-devel-6.8.8.1-19.1
      libMagick++-6_Q16-3-6.8.8.1-19.1
      libMagick++-6_Q16-3-debuginfo-6.8.8.1-19.1
      libMagick++-devel-6.8.8.1-19.1
      perl-PerlMagick-6.8.8.1-19.1
      perl-PerlMagick-debuginfo-6.8.8.1-19.1
   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):
      ImageMagick-debuginfo-6.8.8.1-19.1
      ImageMagick-debugsource-6.8.8.1-19.1
      libMagickCore-6_Q16-1-6.8.8.1-19.1
      libMagickCore-6_Q16-1-debuginfo-6.8.8.1-19.1
      libMagickWand-6_Q16-1-6.8.8.1-19.1
      libMagickWand-6_Q16-1-debuginfo-6.8.8.1-19.1
   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
      ImageMagick-debuginfo-6.8.8.1-19.1
      ImageMagick-debugsource-6.8.8.1-19.1
      libMagickCore-6_Q16-1-6.8.8.1-19.1
      libMagickCore-6_Q16-1-debuginfo-6.8.8.1-19.1
      libMagickWand-6_Q16-1-6.8.8.1-19.1
      libMagickWand-6_Q16-1-debuginfo-6.8.8.1-19.1
   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):
      ImageMagick-6.8.8.1-19.1
      ImageMagick-debuginfo-6.8.8.1-19.1
      ImageMagick-debugsource-6.8.8.1-19.1
      libMagick++-6_Q16-3-6.8.8.1-19.1
      libMagick++-6_Q16-3-debuginfo-6.8.8.1-19.1
      libMagickCore-6_Q16-1-32bit-6.8.8.1-19.1
      libMagickCore-6_Q16-1-6.8.8.1-19.1
      libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-19.1
      libMagickCore-6_Q16-1-debuginfo-6.8.8.1-19.1
      libMagickWand-6_Q16-1-6.8.8.1-19.1
      libMagickWand-6_Q16-1-debuginfo-6.8.8.1-19.1
   - SUSE Linux Enterprise Desktop 12 (x86_64):
      ImageMagick-6.8.8.1-19.1
      ImageMagick-debuginfo-6.8.8.1-19.1
      ImageMagick-debugsource-6.8.8.1-19.1
      libMagick++-6_Q16-3-6.8.8.1-19.1
      libMagick++-6_Q16-3-debuginfo-6.8.8.1-19.1
      libMagickCore-6_Q16-1-32bit-6.8.8.1-19.1
      libMagickCore-6_Q16-1-6.8.8.1-19.1
      libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-19.1
      libMagickCore-6_Q16-1-debuginfo-6.8.8.1-19.1
      libMagickWand-6_Q16-1-6.8.8.1-19.1
      libMagickWand-6_Q16-1-debuginfo-6.8.8.1-19.1

References:

   https://www.suse.com/security/cve/CVE-2016-3714.html
   https://www.suse.com/security/cve/CVE-2016-3715.html
   https://www.suse.com/security/cve/CVE-2016-3716.html
   https://www.suse.com/security/cve/CVE-2016-3717.html
   https://www.suse.com/security/cve/CVE-2016-3718.html
   https://bugzilla.suse.com/978061

From sle-security-updates at lists.suse.com Mon May 9 04:08:02 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 9 May 2016 12:08:02 +0200 (CEST)
Subject: SUSE-SU-2016:1267-1: important: Security update for compat-openssl098
Message-ID: <20160509100802.DAB40F404@maintenance.suse.de>

SUSE Security Update: Security update for compat-openssl098
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1267-1
Rating:             important
References:         #889013 #968050 #976942 #976943 #977614 #977615 #977617
Cross-References:   CVE-2016-0702 CVE-2016-2105 CVE-2016-2106 CVE-2016-2108
                    CVE-2016-2109
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Module for Legacy Software 12
                    SUSE Linux Enterprise Desktop 12-SP1
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that solves 5 vulnerabilities and has two fixes is now available.

Description:

   This update for compat-openssl098 fixes the following issues:

   - CVE-2016-2108: Memory corruption in the ASN.1 encoder (bsc#977617)
   - CVE-2016-2105: EVP_EncodeUpdate overflow (bsc#977614)
   - CVE-2016-2106: EVP_EncryptUpdate overflow (bsc#977615)
   - CVE-2016-2109: ASN.1 BIO excessive memory allocation (bsc#976942)
   - CVE-2016-0702: Side channel attack on modular exponentiation "CacheBleed" (bsc#968050)
   - bsc#976943: Buffer overrun in ASN1_parse

   The following non-security bugs were fixed:

   - bsc#889013: Rename README.SuSE to the new spelling (bsc#889013)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12-SP1:
      zypper in -t patch SUSE-SLE-SAP-12-SP1-2016-735=1
   - SUSE Linux Enterprise Module for Legacy Software 12:
      zypper in -t patch SUSE-SLE-Module-Legacy-12-2016-735=1
   - SUSE Linux Enterprise Desktop 12-SP1:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-735=1
   - SUSE Linux Enterprise Desktop 12:
      zypper in -t patch SUSE-SLE-DESKTOP-12-2016-735=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):
      compat-openssl098-debugsource-0.9.8j-97.1
      libopenssl0_9_8-0.9.8j-97.1
      libopenssl0_9_8-debuginfo-0.9.8j-97.1
   - SUSE Linux Enterprise Module for Legacy Software 12 (s390x x86_64):
      compat-openssl098-debugsource-0.9.8j-97.1
      libopenssl0_9_8-0.9.8j-97.1
      libopenssl0_9_8-32bit-0.9.8j-97.1
      libopenssl0_9_8-debuginfo-0.9.8j-97.1
      libopenssl0_9_8-debuginfo-32bit-0.9.8j-97.1
   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):
      compat-openssl098-debugsource-0.9.8j-97.1
      libopenssl0_9_8-0.9.8j-97.1
      libopenssl0_9_8-32bit-0.9.8j-97.1
      libopenssl0_9_8-debuginfo-0.9.8j-97.1
      libopenssl0_9_8-debuginfo-32bit-0.9.8j-97.1
   - SUSE Linux Enterprise Desktop 12 (x86_64):
      compat-openssl098-debugsource-0.9.8j-97.1
      libopenssl0_9_8-0.9.8j-97.1
      libopenssl0_9_8-32bit-0.9.8j-97.1
      libopenssl0_9_8-debuginfo-0.9.8j-97.1
      libopenssl0_9_8-debuginfo-32bit-0.9.8j-97.1

References:

   https://www.suse.com/security/cve/CVE-2016-0702.html
   https://www.suse.com/security/cve/CVE-2016-2105.html
   https://www.suse.com/security/cve/CVE-2016-2106.html
   https://www.suse.com/security/cve/CVE-2016-2108.html
   https://www.suse.com/security/cve/CVE-2016-2109.html
   https://bugzilla.suse.com/889013
   https://bugzilla.suse.com/968050
   https://bugzilla.suse.com/976942
   https://bugzilla.suse.com/976943
   https://bugzilla.suse.com/977614
   https://bugzilla.suse.com/977615
   https://bugzilla.suse.com/977617

From sle-security-updates at lists.suse.com Wed May 11 09:08:08 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 11 May 2016 17:08:08 +0200 (CEST)
Subject: SUSE-SU-2016:1275-1: important: Security update for ImageMagick
Message-ID: <20160511150808.B5096FF5A@maintenance.suse.de>

SUSE Security Update: Security update for ImageMagick
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1275-1
Rating:             important
References:         #978061
Cross-References:   CVE-2016-3714 CVE-2016-3715 CVE-2016-3716 CVE-2016-3717
                    CVE-2016-3718
Affected Products:
                    SUSE OpenStack Cloud 5
                    SUSE Manager Proxy 2.1
                    SUSE Manager 2.1
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Server 11-SP3-LTSS
                    SUSE Linux Enterprise Server 11-SP2-LTSS
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP2
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.

Description:

   This update for ImageMagick fixes the following issues:

   Security issues fixed:

   - Several coders were vulnerable to remote code execution attacks; these coders have now been disabled. They can be re-enabled by exporting the following environment variable:
      MAGICK_CODER_MODULE_PATH=/usr/lib64/ImageMagick-6.4.3/modules-Q16/coders/vulnerable/
     (bsc#978061)
   - CVE-2016-3714: Insufficient shell characters filtering leads to (potentially remote) code execution
   - CVE-2016-3715: Possible file deletion by using ImageMagick's 'ephemeral' pseudo protocol which deletes files after reading.
   - CVE-2016-3716: Possible file moving by using ImageMagick's 'msl' pseudo protocol with any extension in any folder.
   - CVE-2016-3717: Possible local file read by using ImageMagick's 'label' pseudo protocol to get content of the files from the server.
   - CVE-2016-3718: Possible Server Side Request Forgery (SSRF) to make HTTP GET or FTP request.

   Bugs fixed:

   - Use external svg loader (rsvg)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 5:
      zypper in -t patch sleclo50sp3-ImageMagick-12549=1
   - SUSE Manager Proxy 2.1:
      zypper in -t patch slemap21-ImageMagick-12549=1
   - SUSE Manager 2.1:
      zypper in -t patch sleman21-ImageMagick-12549=1
   - SUSE Linux Enterprise Software Development Kit 11-SP4:
      zypper in -t patch sdksp4-ImageMagick-12549=1
   - SUSE Linux Enterprise Server 11-SP4:
      zypper in -t patch slessp4-ImageMagick-12549=1
   - SUSE Linux Enterprise Server 11-SP3-LTSS:
      zypper in -t patch slessp3-ImageMagick-12549=1
   - SUSE Linux Enterprise Server 11-SP2-LTSS:
      zypper in -t patch slessp2-ImageMagick-12549=1
   - SUSE Linux Enterprise Debuginfo 11-SP4:
      zypper in -t patch dbgsp4-ImageMagick-12549=1
   - SUSE Linux Enterprise Debuginfo 11-SP3:
      zypper in -t patch dbgsp3-ImageMagick-12549=1
   - SUSE Linux Enterprise Debuginfo 11-SP2:
      zypper in -t patch dbgsp2-ImageMagick-12549=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE OpenStack Cloud 5 (x86_64):
      libMagickCore1-32bit-6.4.3.6-7.34.1
      libMagickCore1-6.4.3.6-7.34.1
   - SUSE Manager Proxy 2.1 (x86_64):
      libMagickCore1-32bit-6.4.3.6-7.34.1
      libMagickCore1-6.4.3.6-7.34.1
   - SUSE Manager 2.1 (s390x x86_64):
      libMagickCore1-32bit-6.4.3.6-7.34.1
      libMagickCore1-6.4.3.6-7.34.1
   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      ImageMagick-6.4.3.6-7.34.1
      ImageMagick-devel-6.4.3.6-7.34.1
      libMagick++-devel-6.4.3.6-7.34.1
      libMagick++1-6.4.3.6-7.34.1
      libMagickWand1-6.4.3.6-7.34.1
      perl-PerlMagick-6.4.3.6-7.34.1
   - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64):
      libMagickWand1-32bit-6.4.3.6-7.34.1
   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      libMagickCore1-6.4.3.6-7.34.1
   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):
      libMagickCore1-32bit-6.4.3.6-7.34.1
   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64):
      libMagickCore1-6.4.3.6-7.34.1
   - SUSE Linux Enterprise Server 11-SP3-LTSS (s390x x86_64):
      libMagickCore1-32bit-6.4.3.6-7.34.1
   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):
      libMagickCore1-6.4.3.6-7.34.1
   - SUSE Linux Enterprise Server 11-SP2-LTSS (s390x x86_64):
      libMagickCore1-32bit-6.4.3.6-7.34.1
   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      ImageMagick-debuginfo-6.4.3.6-7.34.1
      ImageMagick-debugsource-6.4.3.6-7.34.1
   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
      ImageMagick-debuginfo-6.4.3.6-7.34.1
      ImageMagick-debugsource-6.4.3.6-7.34.1
   - SUSE Linux Enterprise Debuginfo 11-SP2 (i586 s390x x86_64):
      ImageMagick-debuginfo-6.4.3.6-7.34.1
      ImageMagick-debugsource-6.4.3.6-7.34.1

References:

   https://www.suse.com/security/cve/CVE-2016-3714.html
   https://www.suse.com/security/cve/CVE-2016-3715.html
   https://www.suse.com/security/cve/CVE-2016-3716.html
   https://www.suse.com/security/cve/CVE-2016-3717.html
   https://www.suse.com/security/cve/CVE-2016-3718.html
   https://bugzilla.suse.com/978061

From sle-security-updates at lists.suse.com Wed May 11 09:08:31 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 11 May 2016 17:08:31 +0200 (CEST)
Subject: SUSE-SU-2016:1276-1: moderate: Security update for GraphicsMagick
Message-ID: <20160511150831.209E3FF50@maintenance.suse.de>

SUSE Security Update: Security update for GraphicsMagick
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1276-1
Rating:             moderate
References:         #978061
Cross-References:   CVE-2016-3714 CVE-2016-3715 CVE-2016-3717 CVE-2016-3718
Affected Products:
                    SUSE Studio Onsite 1.3
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.
Description:

   This update for GraphicsMagick fixes the following issues:

   - Security update Remote Code Execution / Local File read [bsc#978061]
     CVE-2016-3714, CVE-2016-3715, CVE-2016-3717, CVE-2016-3718
   - CVE-2016-3714: Insufficient shell characters filtering leads to (potentially remote) code execution
   - CVE-2016-3715: Possible file deletion by using GraphicsMagick's 'tmp:' file specification syntax.
   - CVE-2016-3717: Possible local file read by using GraphicsMagick's 'txt:' file specification syntax.
   - CVE-2016-3718: Possible Server Side Request Forgery (SSRF) to make HTTP GET or FTP request.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Studio Onsite 1.3:
      zypper in -t patch slestso13-GraphicsMagick-12548=1
   - SUSE Linux Enterprise Software Development Kit 11-SP4:
      zypper in -t patch sdksp4-GraphicsMagick-12548=1
   - SUSE Linux Enterprise Debuginfo 11-SP4:
      zypper in -t patch dbgsp4-GraphicsMagick-12548=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Studio Onsite 1.3 (x86_64):
      GraphicsMagick-1.2.5-4.35.1
      libGraphicsMagick2-1.2.5-4.35.1
   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      GraphicsMagick-1.2.5-4.35.1
      libGraphicsMagick2-1.2.5-4.35.1
      perl-GraphicsMagick-1.2.5-4.35.1
   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      GraphicsMagick-debuginfo-1.2.5-4.35.1
      GraphicsMagick-debugsource-1.2.5-4.35.1

References:

   https://www.suse.com/security/cve/CVE-2016-3714.html
   https://www.suse.com/security/cve/CVE-2016-3715.html
   https://www.suse.com/security/cve/CVE-2016-3717.html
   https://www.suse.com/security/cve/CVE-2016-3718.html
   https://bugzilla.suse.com/978061

From sle-security-updates at lists.suse.com Wed May 11 10:07:53 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 11 May 2016 18:07:53 +0200 (CEST)
Subject: SUSE-SU-2016:1277-1: important: Security update for php5
Message-ID: <20160511160753.9E722FF5A@maintenance.suse.de>

SUSE Security Update: Security update for php5
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1277-1
Rating:             important
References:         #976996 #976997 #977000 #977003 #977005
Cross-References:   CVE-2015-8866 CVE-2015-8867 CVE-2016-4070 CVE-2016-4071
                    CVE-2016-4073
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Module for Web Scripting 12
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.
Description:

   This update for php5 fixes the following security issues:

   - CVE-2016-4073: A remote attacker could have caused denial of service or possibly executed arbitrary code, due to incorrect handling of string length calculations in mb_strcut() (bsc#977003)
   - CVE-2015-8867: The PHP function openssl_random_pseudo_bytes() did not return cryptographically secure random bytes (bsc#977005)
   - CVE-2016-4070: The libxml_disable_entity_loader() setting was shared between threads, which could have resulted in XML external entity injection and entity expansion issues (bsc#976997)
   - CVE-2015-8866: A remote attacker could have caused denial of service due to incorrect handling of large strings in php_raw_url_encode() (bsc#976996)
   - CVE-2016-4071: A remote attacker could have caused denial of service or possibly executed arbitrary code, due to incorrect handling of string formatting in php_snmp_error() (bsc#977000)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP1:
      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-752=1
   - SUSE Linux Enterprise Software Development Kit 12:
      zypper in -t patch SUSE-SLE-SDK-12-2016-752=1
   - SUSE Linux Enterprise Module for Web Scripting 12:
      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2016-752=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      php5-debuginfo-5.5.14-56.1
      php5-debugsource-5.5.14-56.1
      php5-devel-5.5.14-56.1

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      php5-debuginfo-5.5.14-56.1
      php5-debugsource-5.5.14-56.1
      php5-devel-5.5.14-56.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (ppc64le s390x x86_64):

      apache2-mod_php5-5.5.14-56.1
      apache2-mod_php5-debuginfo-5.5.14-56.1
      php5-5.5.14-56.1
      php5-bcmath-5.5.14-56.1
      php5-bcmath-debuginfo-5.5.14-56.1
      php5-bz2-5.5.14-56.1
      php5-bz2-debuginfo-5.5.14-56.1
      php5-calendar-5.5.14-56.1
      php5-calendar-debuginfo-5.5.14-56.1
      php5-ctype-5.5.14-56.1
      php5-ctype-debuginfo-5.5.14-56.1
      php5-curl-5.5.14-56.1
      php5-curl-debuginfo-5.5.14-56.1
      php5-dba-5.5.14-56.1
      php5-dba-debuginfo-5.5.14-56.1
      php5-debuginfo-5.5.14-56.1
      php5-debugsource-5.5.14-56.1
      php5-dom-5.5.14-56.1
      php5-dom-debuginfo-5.5.14-56.1
      php5-enchant-5.5.14-56.1
      php5-enchant-debuginfo-5.5.14-56.1
      php5-exif-5.5.14-56.1
      php5-exif-debuginfo-5.5.14-56.1
      php5-fastcgi-5.5.14-56.1
      php5-fastcgi-debuginfo-5.5.14-56.1
      php5-fileinfo-5.5.14-56.1
      php5-fileinfo-debuginfo-5.5.14-56.1
      php5-fpm-5.5.14-56.1
      php5-fpm-debuginfo-5.5.14-56.1
      php5-ftp-5.5.14-56.1
      php5-ftp-debuginfo-5.5.14-56.1
      php5-gd-5.5.14-56.1
      php5-gd-debuginfo-5.5.14-56.1
      php5-gettext-5.5.14-56.1
      php5-gettext-debuginfo-5.5.14-56.1
      php5-gmp-5.5.14-56.1
      php5-gmp-debuginfo-5.5.14-56.1
      php5-iconv-5.5.14-56.1
      php5-iconv-debuginfo-5.5.14-56.1
      php5-intl-5.5.14-56.1
      php5-intl-debuginfo-5.5.14-56.1
      php5-json-5.5.14-56.1
      php5-json-debuginfo-5.5.14-56.1
      php5-ldap-5.5.14-56.1
      php5-ldap-debuginfo-5.5.14-56.1
      php5-mbstring-5.5.14-56.1
      php5-mbstring-debuginfo-5.5.14-56.1
      php5-mcrypt-5.5.14-56.1
      php5-mcrypt-debuginfo-5.5.14-56.1
      php5-mysql-5.5.14-56.1
      php5-mysql-debuginfo-5.5.14-56.1
      php5-odbc-5.5.14-56.1
      php5-odbc-debuginfo-5.5.14-56.1
      php5-opcache-5.5.14-56.1
      php5-opcache-debuginfo-5.5.14-56.1
      php5-openssl-5.5.14-56.1
      php5-openssl-debuginfo-5.5.14-56.1
      php5-pcntl-5.5.14-56.1
      php5-pcntl-debuginfo-5.5.14-56.1
      php5-pdo-5.5.14-56.1
      php5-pdo-debuginfo-5.5.14-56.1
      php5-pgsql-5.5.14-56.1
      php5-pgsql-debuginfo-5.5.14-56.1
      php5-phar-5.5.14-56.1
      php5-phar-debuginfo-5.5.14-56.1
      php5-posix-5.5.14-56.1
      php5-posix-debuginfo-5.5.14-56.1
      php5-pspell-5.5.14-56.1
      php5-pspell-debuginfo-5.5.14-56.1
      php5-shmop-5.5.14-56.1
      php5-shmop-debuginfo-5.5.14-56.1
      php5-snmp-5.5.14-56.1
      php5-snmp-debuginfo-5.5.14-56.1
      php5-soap-5.5.14-56.1
      php5-soap-debuginfo-5.5.14-56.1
      php5-sockets-5.5.14-56.1
      php5-sockets-debuginfo-5.5.14-56.1
      php5-sqlite-5.5.14-56.1
      php5-sqlite-debuginfo-5.5.14-56.1
      php5-suhosin-5.5.14-56.1
      php5-suhosin-debuginfo-5.5.14-56.1
      php5-sysvmsg-5.5.14-56.1
      php5-sysvmsg-debuginfo-5.5.14-56.1
      php5-sysvsem-5.5.14-56.1
      php5-sysvsem-debuginfo-5.5.14-56.1
      php5-sysvshm-5.5.14-56.1
      php5-sysvshm-debuginfo-5.5.14-56.1
      php5-tokenizer-5.5.14-56.1
      php5-tokenizer-debuginfo-5.5.14-56.1
      php5-wddx-5.5.14-56.1
      php5-wddx-debuginfo-5.5.14-56.1
      php5-xmlreader-5.5.14-56.1
      php5-xmlreader-debuginfo-5.5.14-56.1
      php5-xmlrpc-5.5.14-56.1
      php5-xmlrpc-debuginfo-5.5.14-56.1
      php5-xmlwriter-5.5.14-56.1
      php5-xmlwriter-debuginfo-5.5.14-56.1
      php5-xsl-5.5.14-56.1
      php5-xsl-debuginfo-5.5.14-56.1
      php5-zip-5.5.14-56.1
      php5-zip-debuginfo-5.5.14-56.1
      php5-zlib-5.5.14-56.1
      php5-zlib-debuginfo-5.5.14-56.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (noarch):

      php5-pear-5.5.14-56.1

References:

   https://www.suse.com/security/cve/CVE-2015-8866.html
   https://www.suse.com/security/cve/CVE-2015-8867.html
   https://www.suse.com/security/cve/CVE-2016-4070.html
   https://www.suse.com/security/cve/CVE-2016-4071.html
   https://www.suse.com/security/cve/CVE-2016-4073.html
   https://bugzilla.suse.com/976996
   https://bugzilla.suse.com/976997
   https://bugzilla.suse.com/977000
   https://bugzilla.suse.com/977003
   https://bugzilla.suse.com/977005

From sle-security-updates at lists.suse.com  Wed May 11 10:08:42 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 11 May 2016 18:08:42 +0200 (CEST)
Subject: SUSE-SU-2016:1278-1: important: Security update for ntp
Message-ID: <20160511160842.358F7FF57@maintenance.suse.de>

   SUSE Security Update: Security update for ntp
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1278-1
Rating:             important
References:         #957226 #977446 #977450 #977451 #977452 #977455 #977457
                    #977458 #977459 #977461 #977464
Cross-References:   CVE-2015-7704 CVE-2015-7705 CVE-2015-7974 CVE-2016-1547
                    CVE-2016-1548 CVE-2016-1549 CVE-2016-1550 CVE-2016-1551
                    CVE-2016-2516 CVE-2016-2517 CVE-2016-2518 CVE-2016-2519
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes 12 vulnerabilities is now available.

Description:

   This update for ntp to 4.2.8p7 fixes the following issues:

   * CVE-2016-1547, bsc#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS.
   * CVE-2016-1548, bsc#977461: Interleave-pivot
   * CVE-2016-1549, bsc#977451: Sybil vulnerability: ephemeral association attack.
   * CVE-2016-1550, bsc#977464: Improve NTP security against buffer comparison timing attacks.
   * CVE-2016-1551, bsc#977450: Refclock impersonation vulnerability
   * CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd.
   * CVE-2016-2517, bsc#977455: remote configuration trustedkey/requestkey/controlkey values are not properly validated.
   * CVE-2016-2518, bsc#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC.
   * CVE-2016-2519, bsc#977458: ctl_getitem() return value not always checked.
   * This update also improves the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974

   Bugs fixed:

   - Restrict the parser in the startup script to the first occurrence of "keys" and "controlkey" in ntp.conf (bsc#957226).
Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-ntp-12553=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-ntp-12553=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      ntp-4.2.8p7-11.1
      ntp-doc-4.2.8p7-11.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      ntp-debuginfo-4.2.8p7-11.1
      ntp-debugsource-4.2.8p7-11.1

References:

   https://www.suse.com/security/cve/CVE-2015-7704.html
   https://www.suse.com/security/cve/CVE-2015-7705.html
   https://www.suse.com/security/cve/CVE-2015-7974.html
   https://www.suse.com/security/cve/CVE-2016-1547.html
   https://www.suse.com/security/cve/CVE-2016-1548.html
   https://www.suse.com/security/cve/CVE-2016-1549.html
   https://www.suse.com/security/cve/CVE-2016-1550.html
   https://www.suse.com/security/cve/CVE-2016-1551.html
   https://www.suse.com/security/cve/CVE-2016-2516.html
   https://www.suse.com/security/cve/CVE-2016-2517.html
   https://www.suse.com/security/cve/CVE-2016-2518.html
   https://www.suse.com/security/cve/CVE-2016-2519.html
   https://bugzilla.suse.com/957226
   https://bugzilla.suse.com/977446
   https://bugzilla.suse.com/977450
   https://bugzilla.suse.com/977451
   https://bugzilla.suse.com/977452
   https://bugzilla.suse.com/977455
   https://bugzilla.suse.com/977457
   https://bugzilla.suse.com/977458
   https://bugzilla.suse.com/977459
   https://bugzilla.suse.com/977461
   https://bugzilla.suse.com/977464

From sle-security-updates at lists.suse.com  Wed May 11 10:10:17 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 11 May 2016 18:10:17 +0200 (CEST)
Subject: SUSE-SU-2016:1279-1: important: Security update for mysql
Message-ID: <20160511161017.3532AFF50@maintenance.suse.de>

   SUSE Security Update: Security update for mysql
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1279-1
Rating:             important
References:         #963806 #976341
Cross-References:   CVE-2016-0640 CVE-2016-0641 CVE-2016-0642 CVE-2016-0643
                    CVE-2016-0644 CVE-2016-0646 CVE-2016-0647 CVE-2016-0648
                    CVE-2016-0649 CVE-2016-0650 CVE-2016-0651 CVE-2016-0666
                    CVE-2016-2047
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes 13 vulnerabilities is now available.

Description:

   mysql was updated to version 5.5.49 to fix 13 security issues.

   These security issues were fixed:

   - CVE-2016-0644: Unspecified vulnerability allowed local users to affect availability via vectors related to DDL (bsc#976341).
   - CVE-2016-0646: Unspecified vulnerability allowed local users to affect availability via vectors related to DML (bsc#976341).
   - CVE-2016-0647: Unspecified vulnerability allowed local users to affect availability via vectors related to FTS (bsc#976341).
   - CVE-2016-0640: Unspecified vulnerability allowed local users to affect integrity and availability via vectors related to DML (bsc#976341).
   - CVE-2016-0641: Unspecified vulnerability allowed local users to affect confidentiality and availability via vectors related to MyISAM (bsc#976341).
   - CVE-2016-0642: Unspecified vulnerability allowed local users to affect integrity and availability via vectors related to Federated (bsc#976341).
   - CVE-2016-0643: Unspecified vulnerability allowed local users to affect confidentiality via vectors related to DML (bsc#976341).
   - CVE-2016-0666: Unspecified vulnerability allowed local users to affect availability via vectors related to Security: Privileges (bsc#976341).
   - CVE-2016-0651: Unspecified vulnerability allowed local users to affect availability via vectors related to Optimizer (bsc#976341).
   - CVE-2016-0650: Unspecified vulnerability allowed local users to affect availability via vectors related to Replication (bsc#976341).
   - CVE-2016-0648: Unspecified vulnerability allowed local users to affect availability via vectors related to PS (bsc#976341).
   - CVE-2016-0649: Unspecified vulnerability allowed local users to affect availability via vectors related to PS (bsc#976341).
   - CVE-2016-2047: The ssl_verify_server_cert function in sql-common/client.c did not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allowed man-in-the-middle attackers to spoof SSL servers via a "/CN=" string in a field in a certificate, as demonstrated by "/OU=/CN=bar.com/CN=foo.com" (bsc#963806).

   More details are available at

   - http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-49.html
   - http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-48.html

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-mysql-12554=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-mysql-12554=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-mysql-12554=1

   To bring your system up-to-date, use "zypper patch".
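The CVE-2016-2047 entry above comes down to where the hostname check reads the CN from: a substring search over the flattened "oneline" DN cannot tell a CN attribute from an attribute value that merely contains "/CN=". The following added example (not MySQL's, OpenSSL's or SUSE's code; the subject names are constructed) contrasts that flawed extraction with a check on the parsed attributes and subjectAltName:

```python
"""Hostname verification against an X.509 subject name.

Added example (not MySQL's, OpenSSL's or SUSE's code) illustrating the
CVE-2016-2047 pattern: a client that searches the flattened "oneline" form of
the subject DN for "/CN=" can be fooled by an attribute value that itself
contains "/CN=", because the flattened form does not escape "/".  The hardened
check works on the parsed attributes and subjectAltName instead.  All subject
names below are constructed sample data.
"""
from typing import List, Tuple

# A parsed subject DN: ordered (attribute type, value) pairs, as an X.509
# parser hands them to you.
Subject = List[Tuple[str, str]]


def oneline(subject: Subject) -> str:
    """Flatten a DN the way OpenSSL's X509_NAME_oneline() does ("/OU=.../CN=...").

    Values are emitted verbatim, so a value containing "/CN=" becomes
    indistinguishable from a real CN attribute once flattened.
    """
    return "".join(f"/{attr}={value}" for attr, value in subject)


def cn_from_oneline_unsafe(flat: str) -> str:
    """The flawed extraction: whatever follows the FIRST "/CN=" up to the next
    "/".  This mirrors the logic the advisory describes as vulnerable."""
    idx = flat.find("/CN=")
    if idx < 0:
        return ""
    start = idx + len("/CN=")
    end = flat.find("/", start)
    return flat[start:] if end < 0 else flat[start:end]


def verify_hostname_unsafe(subject: Subject, hostname: str) -> bool:
    """Vulnerable check: compare the hostname to the substring-extracted CN."""
    return cn_from_oneline_unsafe(oneline(subject)) == hostname


def verify_hostname_structured(subject: Subject, dns_sans: List[str],
                               hostname: str) -> bool:
    """Hardened check on parsed data, following RFC 6125 precedence: if the
    certificate carries dNSName subjectAltName entries, only they count; the CN
    is consulted only when there are none, and only if it is unique.
    Exact case-insensitive match; wildcard labels are deliberately not handled.
    """
    host = hostname.lower()
    if dns_sans:
        return any(host == san.lower() for san in dns_sans)
    cns = [value for attr, value in subject if attr == "CN"]
    return len(cns) == 1 and cns[0].lower() == host


def compare(subject: Subject, dns_sans: List[str],
            hostname: str) -> Tuple[str, bool, bool]:
    """Return (flattened DN, verdict of unsafe check, verdict of hardened check)."""
    return (oneline(subject),
            verify_hostname_unsafe(subject, hostname),
            verify_hostname_structured(subject, dns_sans, hostname))


# Constructed sample: a certificate issued for foo.com whose OU attribute
# contains the string "/CN=bar.com", giving the advisory's
# "/OU=/CN=bar.com/CN=foo.com" shape once flattened.
CRAFTED_SUBJECT: Subject = [("OU", "/CN=bar.com"), ("CN", "foo.com")]
# Constructed sample: an ordinary certificate for bar.com.
HONEST_SUBJECT: Subject = [("O", "Example Corp"), ("CN", "bar.com")]

if __name__ == "__main__":
    for label, subj in (("crafted", CRAFTED_SUBJECT), ("honest", HONEST_SUBJECT)):
        flat, unsafe_ok, safe_ok = compare(subj, [], "bar.com")
        print(f"{label:8s} {flat:30s} unsafe={unsafe_ok} hardened={safe_ok}")
```

The unsafe check accepts the crafted foo.com certificate for bar.com (and, as a side effect, rejects it for its own name), while the structured check gives the right answer in both cases.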
Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64):

      libmysql55client_r18-32bit-5.5.49-0.20.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (ia64):

      libmysql55client_r18-x86-5.5.49-0.20.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      libmysql55client18-5.5.49-0.20.1
      libmysql55client_r18-5.5.49-0.20.1
      mysql-5.5.49-0.20.1
      mysql-client-5.5.49-0.20.1
      mysql-tools-5.5.49-0.20.1

   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):

      libmysql55client18-32bit-5.5.49-0.20.1
      libmysql55client_r18-32bit-5.5.49-0.20.1

   - SUSE Linux Enterprise Server 11-SP4 (ia64):

      libmysql55client18-x86-5.5.49-0.20.1
      libmysql55client_r18-x86-5.5.49-0.20.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      mysql-debuginfo-5.5.49-0.20.1
      mysql-debugsource-5.5.49-0.20.1

References:

   https://www.suse.com/security/cve/CVE-2016-0640.html
   https://www.suse.com/security/cve/CVE-2016-0641.html
   https://www.suse.com/security/cve/CVE-2016-0642.html
   https://www.suse.com/security/cve/CVE-2016-0643.html
   https://www.suse.com/security/cve/CVE-2016-0644.html
   https://www.suse.com/security/cve/CVE-2016-0646.html
   https://www.suse.com/security/cve/CVE-2016-0647.html
   https://www.suse.com/security/cve/CVE-2016-0648.html
   https://www.suse.com/security/cve/CVE-2016-0649.html
   https://www.suse.com/security/cve/CVE-2016-0650.html
   https://www.suse.com/security/cve/CVE-2016-0651.html
   https://www.suse.com/security/cve/CVE-2016-0666.html
   https://www.suse.com/security/cve/CVE-2016-2047.html
   https://bugzilla.suse.com/963806
   https://bugzilla.suse.com/976341

From sle-security-updates at lists.suse.com  Thu May 12 12:08:01 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 12 May 2016 20:08:01 +0200 (CEST)
Subject: SUSE-SU-2016:1290-1: important: Security update for openssl
Message-ID: <20160512180801.7554BFF50@maintenance.suse.de>

   SUSE Security Update: Security update for openssl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1290-1
Rating:             important
References:         #889013 #968050 #976942 #976943 #977614 #977615 #977617
Cross-References:   CVE-2016-0702 CVE-2016-2105 CVE-2016-2106 CVE-2016-2108
                    CVE-2016-2109
Affected Products:
                    SUSE Studio Onsite 1.3
                    SUSE OpenStack Cloud 5
                    SUSE Manager Proxy 2.1
                    SUSE Manager 2.1
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Server 11-SP3-LTSS
                    SUSE Linux Enterprise Server 11-SP2-LTSS
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP2
______________________________________________________________________________

   An update that solves 5 vulnerabilities and has two fixes is now available.

Description:

   This update for openssl fixes the following issues:

   Security issues fixed:

   - CVE-2016-2108: Memory corruption in the ASN.1 encoder (bsc#977617)
   - CVE-2016-2105: EVP_EncodeUpdate overflow (bsc#977614)
   - CVE-2016-2106: EVP_EncryptUpdate overflow (bsc#977615)
   - CVE-2016-2109: ASN.1 BIO excessive memory allocation (bsc#976942)
   - CVE-2016-0702: Side channel attack on modular exponentiation "CacheBleed" (bsc#968050)

   Bugs fixed:

   - fate#320304: build 32bit devel package
   - bsc#976943: Fix buffer overrun in ASN1_parse
   - bsc#973223: allow weak DH groups, vulnerable to the logjam attack, when the environment variable OPENSSL_ALLOW_LOGJAM_ATTACK is set
   - bsc#889013: Rename README.SuSE to the new spelling

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Studio Onsite 1.3:

      zypper in -t patch slestso13-openssl-12557=1

   - SUSE OpenStack Cloud 5:

      zypper in -t patch sleclo50sp3-openssl-12557=1

   - SUSE Manager Proxy 2.1:

      zypper in -t patch slemap21-openssl-12557=1

   - SUSE Manager 2.1:

      zypper in -t patch sleman21-openssl-12557=1

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-openssl-12557=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-openssl-12557=1

   - SUSE Linux Enterprise Server 11-SP3-LTSS:

      zypper in -t patch slessp3-openssl-12557=1

   - SUSE Linux Enterprise Server 11-SP2-LTSS:

      zypper in -t patch slessp2-openssl-12557=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-openssl-12557=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-openssl-12557=1

   - SUSE Linux Enterprise Debuginfo 11-SP2:

      zypper in -t patch dbgsp2-openssl-12557=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Studio Onsite 1.3 (x86_64):

      libopenssl-devel-0.9.8j-0.97.1

   - SUSE OpenStack Cloud 5 (x86_64):

      libopenssl-devel-0.9.8j-0.97.1
      libopenssl0_9_8-0.9.8j-0.97.1
      libopenssl0_9_8-32bit-0.9.8j-0.97.1
      libopenssl0_9_8-hmac-0.9.8j-0.97.1
      libopenssl0_9_8-hmac-32bit-0.9.8j-0.97.1
      openssl-0.9.8j-0.97.1
      openssl-doc-0.9.8j-0.97.1

   - SUSE Manager Proxy 2.1 (x86_64):

      libopenssl-devel-0.9.8j-0.97.1
      libopenssl0_9_8-0.9.8j-0.97.1
      libopenssl0_9_8-32bit-0.9.8j-0.97.1
      libopenssl0_9_8-hmac-0.9.8j-0.97.1
      libopenssl0_9_8-hmac-32bit-0.9.8j-0.97.1
      openssl-0.9.8j-0.97.1
      openssl-doc-0.9.8j-0.97.1

   - SUSE Manager 2.1 (s390x x86_64):

      libopenssl-devel-0.9.8j-0.97.1
      libopenssl0_9_8-0.9.8j-0.97.1
      libopenssl0_9_8-32bit-0.9.8j-0.97.1
      libopenssl0_9_8-hmac-0.9.8j-0.97.1
      libopenssl0_9_8-hmac-32bit-0.9.8j-0.97.1
      openssl-0.9.8j-0.97.1
      openssl-doc-0.9.8j-0.97.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      libopenssl-devel-0.9.8j-0.97.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64):

      libopenssl-devel-32bit-0.9.8j-0.97.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      libopenssl0_9_8-0.9.8j-0.97.1
      libopenssl0_9_8-hmac-0.9.8j-0.97.1
      openssl-0.9.8j-0.97.1
      openssl-doc-0.9.8j-0.97.1

   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):

      libopenssl0_9_8-32bit-0.9.8j-0.97.1
      libopenssl0_9_8-hmac-32bit-0.9.8j-0.97.1

   - SUSE Linux Enterprise Server 11-SP4 (ia64):

      libopenssl0_9_8-x86-0.9.8j-0.97.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64):

      libopenssl-devel-0.9.8j-0.97.1
      libopenssl0_9_8-0.9.8j-0.97.1
      libopenssl0_9_8-hmac-0.9.8j-0.97.1
      openssl-0.9.8j-0.97.1
      openssl-doc-0.9.8j-0.97.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (s390x x86_64):

      libopenssl0_9_8-32bit-0.9.8j-0.97.1
      libopenssl0_9_8-hmac-32bit-0.9.8j-0.97.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):

      libopenssl-devel-0.9.8j-0.97.1
      libopenssl0_9_8-0.9.8j-0.97.1
      libopenssl0_9_8-hmac-0.9.8j-0.97.1
      openssl-0.9.8j-0.97.1
      openssl-doc-0.9.8j-0.97.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (s390x x86_64):

      libopenssl0_9_8-32bit-0.9.8j-0.97.1
      libopenssl0_9_8-hmac-32bit-0.9.8j-0.97.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      openssl-debuginfo-0.9.8j-0.97.1
      openssl-debugsource-0.9.8j-0.97.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):

      openssl-debuginfo-0.9.8j-0.97.1
      openssl-debugsource-0.9.8j-0.97.1

   - SUSE Linux Enterprise Debuginfo 11-SP2 (i586 s390x x86_64):

      openssl-debuginfo-0.9.8j-0.97.1
      openssl-debugsource-0.9.8j-0.97.1

References:

   https://www.suse.com/security/cve/CVE-2016-0702.html
   https://www.suse.com/security/cve/CVE-2016-2105.html
   https://www.suse.com/security/cve/CVE-2016-2106.html
   https://www.suse.com/security/cve/CVE-2016-2108.html
   https://www.suse.com/security/cve/CVE-2016-2109.html
   https://bugzilla.suse.com/889013
   https://bugzilla.suse.com/968050
   https://bugzilla.suse.com/976942
   https://bugzilla.suse.com/976943
   https://bugzilla.suse.com/977614
   https://bugzilla.suse.com/977615
   https://bugzilla.suse.com/977617

From sle-security-updates at lists.suse.com  Thu May 12 12:09:15 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 12 May 2016 20:09:15 +0200 (CEST)
Subject: SUSE-SU-2016:1291-1: important: Security update for ntp
Message-ID: <20160512180915.6474EFF50@maintenance.suse.de>

   SUSE Security Update: Security update for ntp
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1291-1
Rating:             important
References:         #957226 #977446 #977450 #977451 #977452 #977455 #977457
                    #977458 #977459 #977461 #977464
Cross-References:   CVE-2015-7704 CVE-2015-7705 CVE-2015-7974 CVE-2016-1547
                    CVE-2016-1548 CVE-2016-1549 CVE-2016-1550 CVE-2016-1551
                    CVE-2016-2516 CVE-2016-2517 CVE-2016-2518 CVE-2016-2519
Affected Products:
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes 12 vulnerabilities is now available.

Description:

   This update for ntp to 4.2.8p7 fixes the following issues:

   * CVE-2016-1547, bsc#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS.
   * CVE-2016-1548, bsc#977461: Interleave-pivot
   * CVE-2016-1549, bsc#977451: Sybil vulnerability: ephemeral association attack.
   * CVE-2016-1550, bsc#977464: Improve NTP security against buffer comparison timing attacks.
   * CVE-2016-1551, bsc#977450: Refclock impersonation vulnerability
   * CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd.
   * CVE-2016-2517, bsc#977455: remote configuration trustedkey/requestkey/controlkey values are not properly validated.
   * CVE-2016-2518, bsc#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC.
   * CVE-2016-2519, bsc#977458: ctl_getitem() return value not always checked.
   * This update also improves the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974

   Bugs fixed:

   - Restrict the parser in the startup script to the first occurrence of "keys" and "controlkey" in ntp.conf (bsc#957226).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-764=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-764=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      ntp-4.2.8p7-11.1
      ntp-debuginfo-4.2.8p7-11.1
      ntp-debugsource-4.2.8p7-11.1
      ntp-doc-4.2.8p7-11.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      ntp-4.2.8p7-11.1
      ntp-debuginfo-4.2.8p7-11.1
      ntp-debugsource-4.2.8p7-11.1
      ntp-doc-4.2.8p7-11.1

References:

   https://www.suse.com/security/cve/CVE-2015-7704.html
   https://www.suse.com/security/cve/CVE-2015-7705.html
   https://www.suse.com/security/cve/CVE-2015-7974.html
   https://www.suse.com/security/cve/CVE-2016-1547.html
   https://www.suse.com/security/cve/CVE-2016-1548.html
   https://www.suse.com/security/cve/CVE-2016-1549.html
   https://www.suse.com/security/cve/CVE-2016-1550.html
   https://www.suse.com/security/cve/CVE-2016-1551.html
   https://www.suse.com/security/cve/CVE-2016-2516.html
   https://www.suse.com/security/cve/CVE-2016-2517.html
   https://www.suse.com/security/cve/CVE-2016-2518.html
   https://www.suse.com/security/cve/CVE-2016-2519.html
   https://bugzilla.suse.com/957226
   https://bugzilla.suse.com/977446
   https://bugzilla.suse.com/977450
   https://bugzilla.suse.com/977451
   https://bugzilla.suse.com/977452
   https://bugzilla.suse.com/977455
   https://bugzilla.suse.com/977457
   https://bugzilla.suse.com/977458
   https://bugzilla.suse.com/977459
   https://bugzilla.suse.com/977461
   https://bugzilla.suse.com/977464

From sle-security-updates at lists.suse.com  Fri May 13 08:08:15 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 13 May 2016 16:08:15 +0200 (CEST)
Subject: SUSE-SU-2016:1299-1: important: Security update for java-1_7_1-ibm
Message-ID: <20160513140815.6055BFF5B@maintenance.suse.de>

   SUSE Security Update: Security update for java-1_7_1-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1299-1
Rating:             important
References:         #977646 #977648 #977650 #979252
Cross-References:   CVE-2016-0264 CVE-2016-0363 CVE-2016-0376 CVE-2016-0686
                    CVE-2016-0687 CVE-2016-3422 CVE-2016-3426 CVE-2016-3427
                    CVE-2016-3443 CVE-2016-3449
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Server 12
______________________________________________________________________________

   An update that fixes 10 vulnerabilities is now available.

Description:

   This IBM Java 1.7.1 SR3 FP40 release fixes the following issues:

   Security issues fixed:

   - CVE-2016-0264: buffer overflow vulnerability in the IBM JVM (bsc#977648)
   - CVE-2016-0363: insecure use of invoke method in CORBA component, incorrect CVE-2013-3009 fix (bsc#977650)
   - CVE-2016-0376: insecure deserialization in CORBA, incorrect CVE-2013-5456 fix (bsc#977646)
   - The following CVEs were also fixed in this update (bsc#979252): CVE-2016-3443, CVE-2016-0687, CVE-2016-0686, CVE-2016-3427, CVE-2016-3449, CVE-2016-3422, CVE-2016-3426

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-766=1

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2016-766=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-766=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-766=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      java-1_7_1-ibm-devel-1.7.1_sr3.40-25.1

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      java-1_7_1-ibm-devel-1.7.1_sr3.40-25.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      java-1_7_1-ibm-1.7.1_sr3.40-25.1
      java-1_7_1-ibm-jdbc-1.7.1_sr3.40-25.1

   - SUSE Linux Enterprise Server 12-SP1 (x86_64):

      java-1_7_1-ibm-alsa-1.7.1_sr3.40-25.1
      java-1_7_1-ibm-plugin-1.7.1_sr3.40-25.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      java-1_7_1-ibm-1.7.1_sr3.40-25.1
      java-1_7_1-ibm-jdbc-1.7.1_sr3.40-25.1

   - SUSE Linux Enterprise Server 12 (x86_64):

      java-1_7_1-ibm-alsa-1.7.1_sr3.40-25.1
      java-1_7_1-ibm-plugin-1.7.1_sr3.40-25.1

References:

   https://www.suse.com/security/cve/CVE-2016-0264.html
   https://www.suse.com/security/cve/CVE-2016-0363.html
   https://www.suse.com/security/cve/CVE-2016-0376.html
   https://www.suse.com/security/cve/CVE-2016-0686.html
   https://www.suse.com/security/cve/CVE-2016-0687.html
   https://www.suse.com/security/cve/CVE-2016-3422.html
   https://www.suse.com/security/cve/CVE-2016-3426.html
   https://www.suse.com/security/cve/CVE-2016-3427.html
   https://www.suse.com/security/cve/CVE-2016-3443.html
   https://www.suse.com/security/cve/CVE-2016-3449.html
   https://bugzilla.suse.com/977646
   https://bugzilla.suse.com/977648
   https://bugzilla.suse.com/977650
   https://bugzilla.suse.com/979252

From sle-security-updates at lists.suse.com  Fri May 13 08:09:01 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 13 May 2016 16:09:01 +0200 (CEST)
Subject: SUSE-SU-2016:1300-1: important: Security update for java-1_7_1-ibm
Message-ID: <20160513140901.4919EFF50@maintenance.suse.de>

   SUSE Security Update: Security update for java-1_7_1-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1300-1
Rating:             important
References:         #977646 #977648 #977650 #979252
Cross-References:   CVE-2016-0264 CVE-2016-0363 CVE-2016-0376 CVE-2016-0686
                    CVE-2016-0687 CVE-2016-3422 CVE-2016-3426 CVE-2016-3427
                    CVE-2016-3443 CVE-2016-3449
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
______________________________________________________________________________

   An update that fixes 10 vulnerabilities is now available.

Description:

   This IBM Java 1.7.1 SR3 FP40 release fixes the following issues:

   Security issues fixed:

   - CVE-2016-0264: buffer overflow vulnerability in the IBM JVM (bsc#977648)
   - CVE-2016-0363: insecure use of invoke method in CORBA component, incorrect CVE-2013-3009 fix (bsc#977650)
   - CVE-2016-0376: insecure deserialization in CORBA, incorrect CVE-2013-5456 fix (bsc#977646)
   - The following CVEs were also fixed in this update (bsc#979252): CVE-2016-3443, CVE-2016-0687, CVE-2016-0686, CVE-2016-3427, CVE-2016-3449, CVE-2016-3422, CVE-2016-3426

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-java-1_7_1-ibm-12558=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-java-1_7_1-ibm-12558=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ppc64 s390x x86_64):

      java-1_7_1-ibm-devel-1.7.1_sr3.40-13.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ppc64 s390x x86_64):

      java-1_7_1-ibm-1.7.1_sr3.40-13.1
      java-1_7_1-ibm-jdbc-1.7.1_sr3.40-13.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 x86_64):

      java-1_7_1-ibm-alsa-1.7.1_sr3.40-13.1
      java-1_7_1-ibm-plugin-1.7.1_sr3.40-13.1

References:

   https://www.suse.com/security/cve/CVE-2016-0264.html
   https://www.suse.com/security/cve/CVE-2016-0363.html
   https://www.suse.com/security/cve/CVE-2016-0376.html
   https://www.suse.com/security/cve/CVE-2016-0686.html
   https://www.suse.com/security/cve/CVE-2016-0687.html
   https://www.suse.com/security/cve/CVE-2016-3422.html
   https://www.suse.com/security/cve/CVE-2016-3426.html
   https://www.suse.com/security/cve/CVE-2016-3427.html
   https://www.suse.com/security/cve/CVE-2016-3443.html
   https://www.suse.com/security/cve/CVE-2016-3449.html
   https://bugzilla.suse.com/977646
   https://bugzilla.suse.com/977648
   https://bugzilla.suse.com/977650
   https://bugzilla.suse.com/979252

From sle-security-updates at lists.suse.com  Fri May 13 12:08:06 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 13 May 2016 20:08:06 +0200 (CEST)
Subject: SUSE-SU-2016:1301-1: important: Security update for ImageMagick
Message-ID: <20160513180806.D038CFF5B@maintenance.suse.de>

   SUSE Security Update: Security update for ImageMagick
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1301-1
Rating:             important
References:         #978061
Cross-References:   CVE-2016-3714
Affected Products:
                    SUSE OpenStack Cloud 5
                    SUSE Manager Proxy 2.1
                    SUSE Manager 2.1
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Server 11-SP3-LTSS
                    SUSE Linux Enterprise Server 11-SP2-LTSS
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for ImageMagick fixes the following issues:

   - bsc#978061: A vulnerability in ImageMagick's "https" module allowed users to execute arbitrary shell commands on the host performing the image conversion. The issue had the potential for remote command injection. This update mitigates the vulnerability by disabling all access to the "https" module in the "delegates.xml" config file. (CVE-2016-3714)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 5:

      zypper in -t patch sleclo50sp3-ImageMagick-12560=1

   - SUSE Manager Proxy 2.1:

      zypper in -t patch slemap21-ImageMagick-12560=1

   - SUSE Manager 2.1:

      zypper in -t patch sleman21-ImageMagick-12560=1

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-ImageMagick-12560=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-ImageMagick-12560=1

   - SUSE Linux Enterprise Server 11-SP3-LTSS:

      zypper in -t patch slessp3-ImageMagick-12560=1

   - SUSE Linux Enterprise Server 11-SP2-LTSS:

      zypper in -t patch slessp2-ImageMagick-12560=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-ImageMagick-12560=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-ImageMagick-12560=1

   - SUSE Linux Enterprise Debuginfo 11-SP2:

      zypper in -t patch dbgsp2-ImageMagick-12560=1

   To bring your system up-to-date, use "zypper patch".
Package List: - SUSE OpenStack Cloud 5 (x86_64): libMagickCore1-32bit-6.4.3.6-7.37.1 libMagickCore1-6.4.3.6-7.37.1 - SUSE Manager Proxy 2.1 (x86_64): libMagickCore1-32bit-6.4.3.6-7.37.1 libMagickCore1-6.4.3.6-7.37.1 - SUSE Manager 2.1 (s390x x86_64): libMagickCore1-32bit-6.4.3.6-7.37.1 libMagickCore1-6.4.3.6-7.37.1 - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): ImageMagick-6.4.3.6-7.37.1 ImageMagick-devel-6.4.3.6-7.37.1 libMagick++-devel-6.4.3.6-7.37.1 libMagick++1-6.4.3.6-7.37.1 libMagickWand1-6.4.3.6-7.37.1 perl-PerlMagick-6.4.3.6-7.37.1 - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64): libMagickWand1-32bit-6.4.3.6-7.37.1 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): libMagickCore1-6.4.3.6-7.37.1 - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64): libMagickCore1-32bit-6.4.3.6-7.37.1 - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64): libMagickCore1-6.4.3.6-7.37.1 - SUSE Linux Enterprise Server 11-SP3-LTSS (s390x x86_64): libMagickCore1-32bit-6.4.3.6-7.37.1 - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64): libMagickCore1-6.4.3.6-7.37.1 - SUSE Linux Enterprise Server 11-SP2-LTSS (s390x x86_64): libMagickCore1-32bit-6.4.3.6-7.37.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): ImageMagick-debuginfo-6.4.3.6-7.37.1 ImageMagick-debugsource-6.4.3.6-7.37.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): ImageMagick-debuginfo-6.4.3.6-7.37.1 ImageMagick-debugsource-6.4.3.6-7.37.1 - SUSE Linux Enterprise Debuginfo 11-SP2 (i586 s390x x86_64): ImageMagick-debuginfo-6.4.3.6-7.37.1 ImageMagick-debugsource-6.4.3.6-7.37.1 References: https://www.suse.com/security/cve/CVE-2016-3714.html https://bugzilla.suse.com/978061 From sle-security-updates at lists.suse.com Fri May 13 13:07:54 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 13 May 2016 21:07:54 +0200 (CEST) 
Subject: SUSE-SU-2016:1303-1: important: Security update for java-1_6_0-ibm
Message-ID: <20160513190754.9ACD0FF51@maintenance.suse.de>

SUSE Security Update: Security update for java-1_6_0-ibm
______________________________________________________________________________

Announcement ID: SUSE-SU-2016:1303-1
Rating: important
References: #977646 #977648 #977650 #979252
Cross-References: CVE-2016-0264 CVE-2016-0363 CVE-2016-0376 CVE-2016-0686 CVE-2016-0687 CVE-2016-3422 CVE-2016-3426 CVE-2016-3427 CVE-2016-3443 CVE-2016-3449
Affected Products: SUSE Linux Enterprise Module for Legacy Software 12
______________________________________________________________________________

An update that fixes 10 vulnerabilities is now available.

Description:

This IBM Java 1.6.0 SR16 FP25 release fixes the following issues:

Security issues fixed:

- CVE-2016-0264: buffer overflow vulnerability in the IBM JVM (bsc#977648)
- CVE-2016-0363: insecure use of invoke method in CORBA component, incorrect CVE-2013-3009 fix (bsc#977650)
- CVE-2016-0376: insecure deserialization in CORBA, incorrect CVE-2013-5456 fix (bsc#977646)
- The following CVEs were also fixed in this update (bsc#979252): CVE-2016-3443, CVE-2016-0687, CVE-2016-0686, CVE-2016-3427, CVE-2016-3449, CVE-2016-3422, CVE-2016-3426

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Legacy Software 12:
  zypper in -t patch SUSE-SLE-Module-Legacy-12-2016-771=1

To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Linux Enterprise Module for Legacy Software 12 (s390x x86_64): java-1_6_0-ibm-1.6.0_sr16.25-34.1 java-1_6_0-ibm-fonts-1.6.0_sr16.25-34.1 java-1_6_0-ibm-jdbc-1.6.0_sr16.25-34.1 - SUSE Linux Enterprise Module for Legacy Software 12 (x86_64): java-1_6_0-ibm-plugin-1.6.0_sr16.25-34.1 References: https://www.suse.com/security/cve/CVE-2016-0264.html https://www.suse.com/security/cve/CVE-2016-0363.html https://www.suse.com/security/cve/CVE-2016-0376.html https://www.suse.com/security/cve/CVE-2016-0686.html https://www.suse.com/security/cve/CVE-2016-0687.html https://www.suse.com/security/cve/CVE-2016-3422.html https://www.suse.com/security/cve/CVE-2016-3426.html https://www.suse.com/security/cve/CVE-2016-3427.html https://www.suse.com/security/cve/CVE-2016-3443.html https://www.suse.com/security/cve/CVE-2016-3449.html https://bugzilla.suse.com/977646 https://bugzilla.suse.com/977648 https://bugzilla.suse.com/977650 https://bugzilla.suse.com/979252 From sle-security-updates at lists.suse.com Mon May 16 10:08:08 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 16 May 2016 18:08:08 +0200 (CEST) Subject: SUSE-SU-2016:1305-1: important: Security update for flash-player Message-ID: <20160516160808.2C052FF5E@maintenance.suse.de> SUSE Security Update: Security update for flash-player ______________________________________________________________________________ Announcement ID: SUSE-SU-2016:1305-1 Rating: important References: #979422 Cross-References: CVE-2016-1006 CVE-2016-1011 CVE-2016-1012 CVE-2016-1013 CVE-2016-1014 CVE-2016-1015 CVE-2016-1016 CVE-2016-1017 CVE-2016-1018 CVE-2016-1019 CVE-2016-1020 CVE-2016-1021 CVE-2016-1022 CVE-2016-1023 CVE-2016-1024 CVE-2016-1025 CVE-2016-1026 CVE-2016-1027 CVE-2016-1028 CVE-2016-1029 CVE-2016-1030 CVE-2016-1031 CVE-2016-1032 CVE-2016-1033 CVE-2016-1096 CVE-2016-1097 CVE-2016-1098 CVE-2016-1099 CVE-2016-1100 CVE-2016-1101 CVE-2016-1102 CVE-2016-1103 CVE-2016-1104 
CVE-2016-1105 CVE-2016-1106 CVE-2016-1107 CVE-2016-1108 CVE-2016-1109 CVE-2016-1110 CVE-2016-4108 CVE-2016-4109 CVE-2016-4110 CVE-2016-4111 CVE-2016-4112 CVE-2016-4113 CVE-2016-4114 CVE-2016-4115 CVE-2016-4116 CVE-2016-4117
Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP1 SUSE Linux Enterprise Workstation Extension 12 SUSE Linux Enterprise Desktop 12-SP1 SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

An update that fixes 49 vulnerabilities is now available.

Description:

This update for flash-player fixes the following issues:

- Security update to 11.2.202.621 (bsc#979422):
  * APSA16-02, APSB16-15, CVE-2016-1096, CVE-2016-1097, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1101, CVE-2016-1102, CVE-2016-1103, CVE-2016-1104, CVE-2016-1105, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4109, CVE-2016-4110, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115, CVE-2016-4116, CVE-2016-4117
- The following CVEs were fixed in the previous release but were published afterwards:
  * APSA16-01, APSB16-10, CVE-2016-1006, CVE-2016-1011, CVE-2016-1012, CVE-2016-1013, CVE-2016-1014, CVE-2016-1015, CVE-2016-1016, CVE-2016-1017, CVE-2016-1018, CVE-2016-1019, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1030, CVE-2016-1031, CVE-2016-1032, CVE-2016-1033

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP1: zypper in -t patch SUSE-SLE-WE-12-SP1-2016-772=1 - SUSE Linux Enterprise Workstation Extension 12: zypper in -t patch SUSE-SLE-WE-12-2016-772=1 - SUSE Linux Enterprise Desktop 12-SP1: zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-772=1 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2016-772=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Workstation Extension 12-SP1 (x86_64): flash-player-11.2.202.621-130.1 flash-player-gnome-11.2.202.621-130.1 - SUSE Linux Enterprise Workstation Extension 12 (x86_64): flash-player-11.2.202.621-130.1 flash-player-gnome-11.2.202.621-130.1 - SUSE Linux Enterprise Desktop 12-SP1 (x86_64): flash-player-11.2.202.621-130.1 flash-player-gnome-11.2.202.621-130.1 - SUSE Linux Enterprise Desktop 12 (x86_64): flash-player-11.2.202.621-130.1 flash-player-gnome-11.2.202.621-130.1 References: https://www.suse.com/security/cve/CVE-2016-1006.html https://www.suse.com/security/cve/CVE-2016-1011.html https://www.suse.com/security/cve/CVE-2016-1012.html https://www.suse.com/security/cve/CVE-2016-1013.html https://www.suse.com/security/cve/CVE-2016-1014.html https://www.suse.com/security/cve/CVE-2016-1015.html https://www.suse.com/security/cve/CVE-2016-1016.html https://www.suse.com/security/cve/CVE-2016-1017.html https://www.suse.com/security/cve/CVE-2016-1018.html https://www.suse.com/security/cve/CVE-2016-1019.html https://www.suse.com/security/cve/CVE-2016-1020.html https://www.suse.com/security/cve/CVE-2016-1021.html https://www.suse.com/security/cve/CVE-2016-1022.html https://www.suse.com/security/cve/CVE-2016-1023.html https://www.suse.com/security/cve/CVE-2016-1024.html https://www.suse.com/security/cve/CVE-2016-1025.html https://www.suse.com/security/cve/CVE-2016-1026.html https://www.suse.com/security/cve/CVE-2016-1027.html 
https://www.suse.com/security/cve/CVE-2016-1028.html https://www.suse.com/security/cve/CVE-2016-1029.html https://www.suse.com/security/cve/CVE-2016-1030.html https://www.suse.com/security/cve/CVE-2016-1031.html https://www.suse.com/security/cve/CVE-2016-1032.html https://www.suse.com/security/cve/CVE-2016-1033.html https://www.suse.com/security/cve/CVE-2016-1096.html https://www.suse.com/security/cve/CVE-2016-1097.html https://www.suse.com/security/cve/CVE-2016-1098.html https://www.suse.com/security/cve/CVE-2016-1099.html https://www.suse.com/security/cve/CVE-2016-1100.html https://www.suse.com/security/cve/CVE-2016-1101.html https://www.suse.com/security/cve/CVE-2016-1102.html https://www.suse.com/security/cve/CVE-2016-1103.html https://www.suse.com/security/cve/CVE-2016-1104.html https://www.suse.com/security/cve/CVE-2016-1105.html https://www.suse.com/security/cve/CVE-2016-1106.html https://www.suse.com/security/cve/CVE-2016-1107.html https://www.suse.com/security/cve/CVE-2016-1108.html https://www.suse.com/security/cve/CVE-2016-1109.html https://www.suse.com/security/cve/CVE-2016-1110.html https://www.suse.com/security/cve/CVE-2016-4108.html https://www.suse.com/security/cve/CVE-2016-4109.html https://www.suse.com/security/cve/CVE-2016-4110.html https://www.suse.com/security/cve/CVE-2016-4111.html https://www.suse.com/security/cve/CVE-2016-4112.html https://www.suse.com/security/cve/CVE-2016-4113.html https://www.suse.com/security/cve/CVE-2016-4114.html https://www.suse.com/security/cve/CVE-2016-4115.html https://www.suse.com/security/cve/CVE-2016-4116.html https://www.suse.com/security/cve/CVE-2016-4117.html https://bugzilla.suse.com/979422 From sle-security-updates at lists.suse.com Tue May 17 07:08:22 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 17 May 2016 15:08:22 +0200 (CEST) Subject: SUSE-SU-2016:1310-1: moderate: Security update for php53 Message-ID: 
<20160517130822.0DCC2FF5E@maintenance.suse.de>

SUSE Security Update: Security update for php53
______________________________________________________________________________

Announcement ID: SUSE-SU-2016:1310-1
Rating: moderate
References: #976996 #976997 #977003 #977005
Cross-References: CVE-2015-8866 CVE-2015-8867 CVE-2016-4070 CVE-2016-4073
Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for php53 fixes the following security issues:

- CVE-2016-4073: A remote attacker could have caused a denial of service, or possibly executed arbitrary code, due to incorrect handling of string length calculations in mb_strcut() (bsc#977003)
- CVE-2015-8867: The PHP function openssl_random_pseudo_bytes() did not return cryptographically secure random bytes (bsc#977005)
- CVE-2016-4070: A remote attacker could have caused a denial of service due to incorrect handling of large strings in php_raw_url_encode() (bsc#976997)
- CVE-2015-8866: The libxml_disable_entity_loader() setting was shared between threads, which could have resulted in XML external entity injection and entity expansion issues (bsc#976996)

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11-SP4:
  zypper in -t patch sdksp4-php53-12563=1
- SUSE Linux Enterprise Server 11-SP4:
  zypper in -t patch slessp4-php53-12563=1
- SUSE Linux Enterprise Debuginfo 11-SP4:
  zypper in -t patch dbgsp4-php53-12563=1

To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): php53-devel-5.3.17-62.1 php53-imap-5.3.17-62.1 php53-posix-5.3.17-62.1 php53-readline-5.3.17-62.1 php53-sockets-5.3.17-62.1 php53-sqlite-5.3.17-62.1 php53-tidy-5.3.17-62.1 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): apache2-mod_php53-5.3.17-62.1 php53-5.3.17-62.1 php53-bcmath-5.3.17-62.1 php53-bz2-5.3.17-62.1 php53-calendar-5.3.17-62.1 php53-ctype-5.3.17-62.1 php53-curl-5.3.17-62.1 php53-dba-5.3.17-62.1 php53-dom-5.3.17-62.1 php53-exif-5.3.17-62.1 php53-fastcgi-5.3.17-62.1 php53-fileinfo-5.3.17-62.1 php53-ftp-5.3.17-62.1 php53-gd-5.3.17-62.1 php53-gettext-5.3.17-62.1 php53-gmp-5.3.17-62.1 php53-iconv-5.3.17-62.1 php53-intl-5.3.17-62.1 php53-json-5.3.17-62.1 php53-ldap-5.3.17-62.1 php53-mbstring-5.3.17-62.1 php53-mcrypt-5.3.17-62.1 php53-mysql-5.3.17-62.1 php53-odbc-5.3.17-62.1 php53-openssl-5.3.17-62.1 php53-pcntl-5.3.17-62.1 php53-pdo-5.3.17-62.1 php53-pear-5.3.17-62.1 php53-pgsql-5.3.17-62.1 php53-pspell-5.3.17-62.1 php53-shmop-5.3.17-62.1 php53-snmp-5.3.17-62.1 php53-soap-5.3.17-62.1 php53-suhosin-5.3.17-62.1 php53-sysvmsg-5.3.17-62.1 php53-sysvsem-5.3.17-62.1 php53-sysvshm-5.3.17-62.1 php53-tokenizer-5.3.17-62.1 php53-wddx-5.3.17-62.1 php53-xmlreader-5.3.17-62.1 php53-xmlrpc-5.3.17-62.1 php53-xmlwriter-5.3.17-62.1 php53-xsl-5.3.17-62.1 php53-zip-5.3.17-62.1 php53-zlib-5.3.17-62.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): php53-debuginfo-5.3.17-62.1 php53-debugsource-5.3.17-62.1 References: https://www.suse.com/security/cve/CVE-2015-8866.html https://www.suse.com/security/cve/CVE-2015-8867.html https://www.suse.com/security/cve/CVE-2016-4070.html https://www.suse.com/security/cve/CVE-2016-4073.html https://bugzilla.suse.com/976996 https://bugzilla.suse.com/976997 https://bugzilla.suse.com/977003 https://bugzilla.suse.com/977005 From sle-security-updates at lists.suse.com Tue May 17 07:09:14 2016 From: 
sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 17 May 2016 15:09:14 +0200 (CEST)
Subject: SUSE-SU-2016:1311-1: important: Security update for ntp
Message-ID: <20160517130914.67704FF5B@maintenance.suse.de>

SUSE Security Update: Security update for ntp
______________________________________________________________________________

Announcement ID: SUSE-SU-2016:1311-1
Rating: important
References: #782060 #784760 #905885 #910063 #916617 #920183 #920238 #926510 #936327 #937837 #942441 #942587 #943216 #943218 #944300 #946386 #951351 #951559 #951608 #951629 #954982 #956773 #962318 #962784 #962802 #962960 #962966 #962970 #962988 #962994 #962995 #962997 #963000 #963002 #975496 #975981
Cross-References: CVE-2015-5194 CVE-2015-5219 CVE-2015-5300 CVE-2015-7691 CVE-2015-7692 CVE-2015-7701 CVE-2015-7702 CVE-2015-7703 CVE-2015-7704 CVE-2015-7705 CVE-2015-7848 CVE-2015-7849 CVE-2015-7850 CVE-2015-7851 CVE-2015-7852 CVE-2015-7853 CVE-2015-7854 CVE-2015-7855 CVE-2015-7871 CVE-2015-7973 CVE-2015-7974 CVE-2015-7975 CVE-2015-7976 CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8138 CVE-2015-8139 CVE-2015-8140 CVE-2015-8158
Affected Products: SUSE OpenStack Cloud 5 SUSE Manager Proxy 2.1 SUSE Manager 2.1 SUSE Linux Enterprise Server 11-SP3-LTSS SUSE Linux Enterprise Server 11-SP2-LTSS SUSE Linux Enterprise Debuginfo 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP2
______________________________________________________________________________

An update that solves 30 vulnerabilities and has 6 fixes is now available.

Description:

The network time protocol server ntp was updated to 4.2.8p6 to fix the following issues. yast2-ntp-client was also updated to match sntp syntax changes (bsc#937837).

Major functional changes:

- The "sntp" commandline tool changed its option handling in a major way.
- "controlkey 1" is added to ntp.conf during the update to allow sntp to work.
- The local clock is disabled during the update.
- ntpd is no longer running chrooted.

Other functional changes:

- ntp-signd is installed.
- "enable mode7" can be added to the configuration to allow ntpdc to work as a compatibility mode option.
- "kod" was removed from the default restrictions.
- SHA1 keys are used by default instead of MD5 keys.

These security issues were fixed:

- CVE-2015-5219: An endless loop due to incorrect precision to double conversion (bsc#943216).
- CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).
- CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).
- CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784).
- CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000).
- CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).
- CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802).
- CVE-2015-7975: nextvar() missing length check (bsc#962988).
- CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960).
- CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995).
- CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).
- CVE-2015-8139: Origin Leak: ntpq and ntpdc disclose origin (bsc#962997).
- CVE-2015-5300: A MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629).
- CVE-2015-7871: NAK to the Future: Symmetric association authentication bypass via crypto-NAK (bsc#951608).
- CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values (bsc#951608).
- CVE-2015-7854: Password Length Memory Corruption Vulnerability (bsc#951608).
- CVE-2015-7853: Invalid length data provided by a custom refclock driver could cause a buffer overflow (bsc#951608).
- CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability (bsc#951608).
- CVE-2015-7851: saveconfig Directory Traversal Vulnerability (bsc#951608).
- CVE-2015-7850: remote config logfile-keyfile (bsc#951608).
- CVE-2015-7849: trusted key use-after-free (bsc#951608).
- CVE-2015-7848: mode 7 loop counter underrun (bsc#951608).
- CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#951608).
- CVE-2015-7703: configuration directives "pidfile" and "driftfile" should only be allowed locally (bsc#951608).
- CVE-2015-7704, CVE-2015-7705: Clients that receive a KoD should validate the origin timestamp field (bsc#951608).
- CVE-2015-7691, CVE-2015-7692, CVE-2015-7702: Incomplete autokey data packet length checks (bsc#951608).

These non-security issues were fixed:

- fate#320758 bsc#975981: Enable compile-time support for MS-SNTP (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added the authreg directive.
- bsc#962318: Call /usr/sbin/sntp with full path to synchronize in start-ntpd. When run as a cron job, /usr/sbin/ is not in the path, which caused the synchronization to fail.
- bsc#782060: Speed up ntpq.
- bsc#916617: Add /var/db/ntp-kod.
- bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen quite a lot on loaded systems.
- bsc#951559, bsc#975496: Fix the TZ offset output of sntp during DST.
- Add ntp-fork.patch and build with threads disabled to allow name resolution even when running chrooted.
- Add a controlkey line to /etc/ntp.conf if one does not already exist to allow runtime configuration via ntpq.
- bsc#946386: Temporarily disable memlock to avoid problems due to high memory usage during name resolution.
- bsc#905885: Use SHA1 instead of MD5 for symmetric keys.
- Improve runtime configuration:
  * Read keytype from ntp.conf
  * Don't write ntp keys to syslog.
- Fix legacy action scripts to pass on command line arguments.
- bsc#944300: Remove "kod" from the restrict line in ntp.conf.
- bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd.
- Don't let "keysdir" lines in ntp.conf trigger the "keys" parser.
- Disable mode 7 (ntpdc) again, now that we don't use it anymore.
- Add "addserver" as a new legacy action.
- bsc#910063: Fix the comment regarding addserver in ntp.conf.
- bsc#926510: Disable chroot by default.
- bsc#920238: Enable ntpdc for backwards compatibility.
- bsc#784760: Remove local clock from default configuration.
- bsc#942441/fate#319496: Require perl-Socket6.
- bsc#920183: Allow -4 and -6 address qualifiers in "server" directives.
- Use upstream ntp-wait, because our version is incompatible with the new ntpq command line syntax.

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud 5:
  zypper in -t patch sleclo50sp3-ntp-12561=1
- SUSE Manager Proxy 2.1:
  zypper in -t patch slemap21-ntp-12561=1
- SUSE Manager 2.1:
  zypper in -t patch sleman21-ntp-12561=1
- SUSE Linux Enterprise Server 11-SP3-LTSS:
  zypper in -t patch slessp3-ntp-12561=1
- SUSE Linux Enterprise Server 11-SP2-LTSS:
  zypper in -t patch slessp2-ntp-12561=1
- SUSE Linux Enterprise Debuginfo 11-SP3:
  zypper in -t patch dbgsp3-ntp-12561=1
- SUSE Linux Enterprise Debuginfo 11-SP2:
  zypper in -t patch dbgsp2-ntp-12561=1

To bring your system up-to-date, use "zypper patch".
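The functional changes listed above alter the host's ntp.conf and ntp.keys, not just the binaries, so an administrator will want to confirm them after patching. The script below is an added example, not part of the advisory or of the ntp project. It audits a configuration for the four settings the advisory names: a controlkey line (runtime configuration via ntpq), no local clock (a 127.127.x.x refclock server), no "kod" flag on the default restrict lines, and SHA1 rather than MD5 symmetric keys. The ntp.conf and ntp.keys contents it carries are constructed samples, and it assumes the keys-file layout "<id> <type> <key>" with type M meaning MD5.

```python
"""Audit an ntp.conf / ntp.keys pair for the configuration changes the
ntp 4.2.8p6 update makes.

Added example, not part of the SUSE advisory or of the ntp project. The
configuration texts below are constructed for this example; the keys file
is assumed to hold "<id> <type> <key>" lines, with type M meaning MD5.
"""

# Constructed: a pre-update SLES 11 style ntp.conf.
OLD_NTP_CONF = """\
server 127.127.1.0              # local clock (LCL)
fudge  127.127.1.0 stratum 10   # LCL is unsynchronized
server 0.pool.ntp.org iburst
restrict -4 default notrap nomodify nopeer noquery kod
restrict -6 default notrap nomodify nopeer noquery kod
restrict 127.0.0.1
keys /etc/ntp.keys
trustedkey 1
driftfile /var/lib/ntp/drift/ntp.drift
"""

# Constructed: the same host after the update.
NEW_NTP_CONF = """\
server 0.pool.ntp.org iburst
restrict -4 default notrap nomodify nopeer noquery
restrict -6 default notrap nomodify nopeer noquery
restrict 127.0.0.1
keys /etc/ntp.keys
trustedkey 1
controlkey 1
driftfile /var/lib/ntp/drift/ntp.drift
"""

# Constructed ntp.keys contents (type M == MD5).
OLD_KEYS = "1 M    secretpassphrase\n"
NEW_KEYS = "1 SHA1 0123456789abcdef0123456789abcdef01234567\n"


def directives(text):
    """Yield (first_word, remaining_words) for each non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            words = line.split()
            yield words[0], words[1:]


def audit_ntp_conf(conf, keys):
    """Return a list of findings; an empty list means the files match the update."""
    findings = []
    has_controlkey = False
    for keyword, args in directives(conf):
        keyword = keyword.lower()
        if keyword == "server" and args and args[0].startswith("127.127."):
            findings.append(f"local refclock {args[0]} still configured")
        elif keyword == "restrict" and "default" in args and "kod" in args:
            findings.append(f"'kod' still set on: restrict {' '.join(args)}")
        elif keyword == "controlkey":
            has_controlkey = True
    if not has_controlkey:
        findings.append("no controlkey line; runtime configuration via ntpq will fail")
    # In the keys file the first word is the key id and the second its type.
    for key_id, args in directives(keys):
        key_type = args[0].upper() if args else ""
        if key_type in ("M", "MD5"):
            findings.append(f"key {key_id} is MD5; the update defaults to SHA1")
    return findings


if __name__ == "__main__":
    for label, conf, keys in (("old", OLD_NTP_CONF, OLD_KEYS),
                              ("new", NEW_NTP_CONF, NEW_KEYS)):
        problems = audit_ntp_conf(conf, keys)
        print(f"{label}: {len(problems)} finding(s)")
        for problem in problems:
            print("  -", problem)
```

To audit a real host, pass the contents of /etc/ntp.conf and the file named on its keys line to audit_ntp_conf. The check deliberately looks only at restrict lines carrying "default"; a kod flag on a per-host restrict line is left for the administrator to judge.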
Package List: - SUSE OpenStack Cloud 5 (x86_64): ntp-4.2.8p6-41.1 ntp-doc-4.2.8p6-41.1 - SUSE Manager Proxy 2.1 (x86_64): ntp-4.2.8p6-41.1 ntp-doc-4.2.8p6-41.1 - SUSE Manager 2.1 (s390x x86_64): ntp-4.2.8p6-41.1 ntp-doc-4.2.8p6-41.1 - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64): ntp-4.2.8p6-41.1 ntp-doc-4.2.8p6-41.1 - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64): ntp-4.2.8p6-41.1 ntp-doc-4.2.8p6-41.1 - SUSE Linux Enterprise Server 11-SP2-LTSS (noarch): yast2-ntp-client-2.17.14.1-1.12.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): ntp-debuginfo-4.2.8p6-41.1 ntp-debugsource-4.2.8p6-41.1 - SUSE Linux Enterprise Debuginfo 11-SP2 (i586 s390x x86_64): ntp-debuginfo-4.2.8p6-41.1 ntp-debugsource-4.2.8p6-41.1 References: https://www.suse.com/security/cve/CVE-2015-5194.html https://www.suse.com/security/cve/CVE-2015-5219.html https://www.suse.com/security/cve/CVE-2015-5300.html https://www.suse.com/security/cve/CVE-2015-7691.html https://www.suse.com/security/cve/CVE-2015-7692.html https://www.suse.com/security/cve/CVE-2015-7701.html https://www.suse.com/security/cve/CVE-2015-7702.html https://www.suse.com/security/cve/CVE-2015-7703.html https://www.suse.com/security/cve/CVE-2015-7704.html https://www.suse.com/security/cve/CVE-2015-7705.html https://www.suse.com/security/cve/CVE-2015-7848.html https://www.suse.com/security/cve/CVE-2015-7849.html https://www.suse.com/security/cve/CVE-2015-7850.html https://www.suse.com/security/cve/CVE-2015-7851.html https://www.suse.com/security/cve/CVE-2015-7852.html https://www.suse.com/security/cve/CVE-2015-7853.html https://www.suse.com/security/cve/CVE-2015-7854.html https://www.suse.com/security/cve/CVE-2015-7855.html https://www.suse.com/security/cve/CVE-2015-7871.html https://www.suse.com/security/cve/CVE-2015-7973.html https://www.suse.com/security/cve/CVE-2015-7974.html https://www.suse.com/security/cve/CVE-2015-7975.html https://www.suse.com/security/cve/CVE-2015-7976.html 
https://www.suse.com/security/cve/CVE-2015-7977.html https://www.suse.com/security/cve/CVE-2015-7978.html https://www.suse.com/security/cve/CVE-2015-7979.html https://www.suse.com/security/cve/CVE-2015-8138.html https://www.suse.com/security/cve/CVE-2015-8139.html https://www.suse.com/security/cve/CVE-2015-8140.html https://www.suse.com/security/cve/CVE-2015-8158.html https://bugzilla.suse.com/782060 https://bugzilla.suse.com/784760 https://bugzilla.suse.com/905885 https://bugzilla.suse.com/910063 https://bugzilla.suse.com/916617 https://bugzilla.suse.com/920183 https://bugzilla.suse.com/920238 https://bugzilla.suse.com/926510 https://bugzilla.suse.com/936327 https://bugzilla.suse.com/937837 https://bugzilla.suse.com/942441 https://bugzilla.suse.com/942587 https://bugzilla.suse.com/943216 https://bugzilla.suse.com/943218 https://bugzilla.suse.com/944300 https://bugzilla.suse.com/946386 https://bugzilla.suse.com/951351 https://bugzilla.suse.com/951559 https://bugzilla.suse.com/951608 https://bugzilla.suse.com/951629 https://bugzilla.suse.com/954982 https://bugzilla.suse.com/956773 https://bugzilla.suse.com/962318 https://bugzilla.suse.com/962784 https://bugzilla.suse.com/962802 https://bugzilla.suse.com/962960 https://bugzilla.suse.com/962966 https://bugzilla.suse.com/962970 https://bugzilla.suse.com/962988 https://bugzilla.suse.com/962994 https://bugzilla.suse.com/962995 https://bugzilla.suse.com/962997 https://bugzilla.suse.com/963000 https://bugzilla.suse.com/963002 https://bugzilla.suse.com/975496 https://bugzilla.suse.com/975981 From sle-security-updates at lists.suse.com Tue May 17 10:07:36 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 17 May 2016 18:07:36 +0200 (CEST) Subject: SUSE-SU-2016:1318-1: important: Security update for xen Message-ID: <20160517160736.11EEEFF5C@maintenance.suse.de> SUSE Security Update: Security update for xen 
______________________________________________________________________________ Announcement ID: SUSE-SU-2016:1318-1 Rating: important References: #954872 #956832 #957988 #958007 #958009 #958493 #958523 #958918 #959006 #959387 #959695 #960707 #960726 #960836 #960861 #960862 #961332 #961358 #961692 #962321 #962335 #962360 #962611 #962627 #962632 #962642 #962758 #963783 #963923 #964415 #964431 #964452 #964644 #964746 #964925 #964929 #964947 #964950 #965112 #965156 #965269 #965315 #965317 #967090 #967101 #968004 #969125 #969126 Cross-References: CVE-2013-4527 CVE-2013-4529 CVE-2013-4530 CVE-2013-4533 CVE-2013-4534 CVE-2013-4537 CVE-2013-4538 CVE-2013-4539 CVE-2014-0222 CVE-2014-3640 CVE-2014-3689 CVE-2014-7815 CVE-2014-9718 CVE-2015-1779 CVE-2015-5278 CVE-2015-6855 CVE-2015-7512 CVE-2015-7549 CVE-2015-8345 CVE-2015-8504 CVE-2015-8550 CVE-2015-8554 CVE-2015-8555 CVE-2015-8558 CVE-2015-8567 CVE-2015-8568 CVE-2015-8613 CVE-2015-8619 CVE-2015-8743 CVE-2015-8744 CVE-2015-8745 CVE-2015-8817 CVE-2015-8818 CVE-2016-1568 CVE-2016-1570 CVE-2016-1571 CVE-2016-1714 CVE-2016-1922 CVE-2016-1981 CVE-2016-2198 CVE-2016-2270 CVE-2016-2271 CVE-2016-2391 CVE-2016-2392 CVE-2016-2538 Affected Products: SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that solves 45 vulnerabilities and has three fixes is now available. Description: xen was updated to fix 46 security issues. These security issues were fixed: - CVE-2013-4527: Buffer overflow in hw/timer/hpet.c might have allowed remote attackers to execute arbitrary code via vectors related to the number of timers (bsc#964746). - CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c allowed remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image (bsc#964929). 
- CVE-2013-4530: Buffer overflow in hw/ssi/pl022.c allowed remote attackers to cause a denial of service or possibly execute arbitrary code via crafted tx_fifo_head and rx_fifo_head values in a savevm image (bsc#964950).
- CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load function in hw/arm/pxa2xx.c allowed remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted s->rx_level value in a savevm image (bsc#964644).
- CVE-2013-4534: Buffer overflow in hw/intc/openpic.c allowed remote attackers to cause a denial of service or possibly execute arbitrary code via vectors related to IRQDest elements (bsc#964452).
- CVE-2013-4537: The ssi_sd_transfer function in hw/sd/ssi-sd.c allowed remote attackers to execute arbitrary code via a crafted arglen value in a savevm image (bsc#962642).
- CVE-2013-4538: Multiple buffer overflows in the ssd0323_load function in hw/display/ssd0323.c allowed remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via crafted (1) cmd_len, (2) row, or (3) col values; (4) row_start and row_end values; or (5) col_start and col_end values in a savevm image (bsc#962335).
- CVE-2013-4539: Multiple buffer overflows in the tsc210x_load function in hw/input/tsc210x.c might have allowed remote attackers to execute arbitrary code via a crafted (1) precision, (2) nextprecision, (3) function, or (4) nextfunction value in a savevm image (bsc#962758).
- CVE-2014-0222: Integer overflow in the qcow_open function in block/qcow.c allowed remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image (bsc#964925).
- CVE-2014-3640: The sosendto function in slirp/udp.c allowed local users to cause a denial of service (NULL pointer dereference) by sending a UDP packet with a value of 0 in the source port and address, which triggers access of an uninitialized socket (bsc#965112).
- CVE-2014-3689: The vmware-vga driver (hw/display/vmware_vga.c) allowed local guest users to write to qemu memory locations and gain privileges via unspecified parameters related to rectangle handling (bsc#962611). - CVE-2014-7815: The set_pixel_format function in ui/vnc.c allowed remote attackers to cause a denial of service (crash) via a small bytes_per_pixel value (bsc#962627). - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces in the IDE functionality had multiple interpretations of a function's return value, which allowed guest OS users to cause a host OS denial of service (memory consumption or infinite loop, and system crash) via a PRDT with zero complete sectors, related to the bmdma_prepare_buf and ahci_dma_prepare_buf functions (bsc#964431). - CVE-2015-1779: The VNC websocket frame decoder allowed remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section (bsc#962632). - CVE-2015-5278: Infinite loop in ne2000_receive() function (bsc#964947). - CVE-2015-6855: hw/ide/core.c did not properly restrict the commands accepted by an ATAPI device, which allowed guest users to cause a denial of service or possibly have unspecified other impact via certain IDE commands, as demonstrated by a WIN_READ_NATIVE_MAX command to an empty drive, which triggers a divide-by-zero error and instance crash (bsc#965156). - CVE-2015-7512: Buffer overflow in the pcnet_receive function in hw/net/pcnet.c, when a guest NIC has a larger MTU, allowed remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet (bsc#962360). - CVE-2015-7549: pci: NULL pointer dereference issue (bsc#958918). - CVE-2015-8345: eepro100: infinite loop in processing command block list (bsc#956832). - CVE-2015-8504: VNC: floating point exception (bsc#958493). - CVE-2015-8550: Paravirtualized drivers were incautious about shared memory contents (XSA-155) (bsc#957988). 
- CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling (XSA-164) (bsc#958007). - CVE-2015-8555: Information leak in legacy x86 FPU/XMM initialization (XSA-165) (bsc#958009). - CVE-2015-8558: Infinite loop in ehci_advance_state resulted in DoS (bsc#959006). - CVE-2015-8567: vmxnet3: host memory leakage (bsc#959387). - CVE-2015-8568: vmxnet3: host memory leakage (bsc#959387). - CVE-2015-8613: SCSI: stack based buffer overflow in megasas_ctrl_get_info (bsc#961358). - CVE-2015-8619: Stack based OOB write in hmp_sendkey routine (bsc#965269). - CVE-2015-8743: ne2000: OOB memory access in ioport r/w functions (bsc#960726). - CVE-2015-8744: vmxnet3: Incorrect l2 header validation lead to a crash via assert(2) call (bsc#960836). - CVE-2015-8745: Reading IMR registers lead to a crash via assert(2) call (bsc#960707). - CVE-2015-8817: OOB access in address_space_rw lead to segmentation fault (I) (bsc#969125). - CVE-2015-8818: OOB access in address_space_rw lead to segmentation fault (II) (bsc#969126). - CVE-2016-1568: AHCI use-after-free vulnerability in aio port commands (bsc#961332). - CVE-2016-1570: The PV superpage functionality in arch/x86/mm.c allowed local PV guests to obtain sensitive information, cause a denial of service, gain privileges, or have unspecified other impact via a crafted page identifier (MFN) to the (1) MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in the HYPERVISOR_mmuext_op hypercall or (3) unknown vectors related to page table updates (bsc#960861). - CVE-2016-1571: VMX: intercept issue with INVLPG on non-canonical address (XSA-168) (bsc#960862). - CVE-2016-1714: nvram: OOB r/w access in processing firmware configurations (bsc#961692). - CVE-2016-1922: NULL pointer dereference in vapic_write() (bsc#962321). - CVE-2016-1981: e1000 infinite loop in start_xmit and e1000_receive_iov routines (bsc#963783). - CVE-2016-2198: EHCI NULL pointer dereference in ehci_caps_write (bsc#964415). 
- CVE-2016-2270: Xen allowed local guest administrators to cause a denial of service (host reboot) via vectors related to multiple mappings of MMIO pages with different cachability settings (bsc#965315). - CVE-2016-2271: VMX when using an Intel or Cyrix CPU, allowed local HVM guest users to cause a denial of service (guest crash) via vectors related to a non-canonical RIP (bsc#965317). - CVE-2016-2391: usb: multiple eof_timers in ohci module lead to NULL pointer dereference (bsc#967101). - CVE-2016-2392: NULL pointer dereference in remote NDIS control message handling (bsc#967090). - CVE-2016-2538: Integer overflow in remote NDIS control message handling (bsc#968004). - XSA-166: ioreq handling possibly susceptible to multiple read issue (bsc#958523). These non-security issues were fixed: - bsc#954872: script block-dmmd not working as expected - bsc#963923: domain weights not honored when sched-credit tslice is reduced - bsc#959695: Missing docs for xen Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12: zypper in -t patch SUSE-SLE-SDK-12-2016-779=1 - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2016-779=1 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2016-779=1 To bring your system up-to-date, use "zypper patch". 
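Every advisory on this page ends with a package list naming the build that carries the fix, and the practical question after patching is whether each installed package is at or above that build. The script below is an added example, not part of the SUSE advisory or of rpm/zypper, that answers it. It reimplements rpm's version-segment comparison (rpmvercmp) in Python, assuming no epoch and no caret in the versions compared, which holds for every package on this page. REQUIRED is taken from the SUSE Linux Enterprise Server 12 entries of the xen package list that follows; INSTALLED is a constructed sample of what `rpm -qa --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\n'` prints, not output from a real host.

```python
"""Check installed RPM versions against an advisory's package list.

Added example, not part of the SUSE advisory or of rpm/zypper. rpmvercmp()
below reimplements rpm's segment comparison without epoch or caret handling
(an assumption that holds for the packages on this page). REQUIRED comes
from the SUSE-SU-2016:1318-1 package list; INSTALLED is a constructed
sample of "rpm -qa" output, one NAME-VERSION-RELEASE per line.
"""
import re

# Numeric runs, alphabetic runs and tildes are segments; dots, underscores
# and other characters are separators, as in rpm.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 if version string a is older, equal or newer than b."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = 0
    while i < len(sa) and i < len(sb):
        x, y = sa[i], sb[i]
        if x == "~" or y == "~":            # tilde sorts before anything
            if x != y:
                return -1 if x == "~" else 1
            i += 1
            continue
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:                  # numeric segment beats alphabetic
            return 1 if x_num else -1
        if x_num:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):            # longer number is larger
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
        i += 1
    if len(sa) == len(sb):
        return 0
    # One side has segments left; it wins unless that segment is a tilde.
    a_longer = i < len(sa)
    leftover = sa[i] if a_longer else sb[i]
    if leftover == "~":
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def split_nvr(nvr):
    """'xen-libs-4.4.4_02-22.19.1' -> ('xen-libs', '4.4.4_02', '22.19.1')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def compare_nvr(installed, required):
    """Compare version, then release, of two NVRs of the same package."""
    _, v1, r1 = split_nvr(installed)
    _, v2, r2 = split_nvr(required)
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def outdated(installed_lines, required_nvrs):
    """Return {name: (installed_nvr, required_nvr)} for packages below the advisory."""
    installed = {}
    for line in installed_lines:
        line = line.strip()
        if line:
            installed[split_nvr(line)[0]] = line
    result = {}
    for required in required_nvrs:
        name = split_nvr(required)[0]
        have = installed.get(name)          # a package that is absent is not affected
        if have is not None and compare_nvr(have, required) < 0:
            result[name] = (have, required)
    return result


REQUIRED = [
    "xen-4.4.4_02-22.19.1",
    "xen-libs-4.4.4_02-22.19.1",
    "xen-tools-4.4.4_02-22.19.1",
    "xen-kmp-default-4.4.4_02_k3.12.55_52.42-22.19.1",
]

# Constructed sample: xen itself is current, xen-libs and the kmp lag
# behind, xen-tools is not installed at all.
INSTALLED = """\
xen-4.4.4_02-22.19.1
xen-libs-4.4.4_02-22.17.1
xen-kmp-default-4.4.4_02_k3.12.51_52.31-22.17.1
glibc-2.19-22.16.1
""".splitlines()

if __name__ == "__main__":
    for name, (have, need) in sorted(outdated(INSTALLED, REQUIRED).items()):
        print(f"{name}: installed {have}, advisory requires {need}")
```

Feed outdated() the real query output and the package list of whichever advisory applies to the product; the same comparison serves the ImageMagick, php53 and ntp lists above. Epoch is ignored on purpose, so on packages that carry one the result must be read with that in mind.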
Package List:

- SUSE Linux Enterprise Software Development Kit 12 (x86_64):

   xen-debugsource-4.4.4_02-22.19.1
   xen-devel-4.4.4_02-22.19.1

- SUSE Linux Enterprise Server 12 (x86_64):

   xen-4.4.4_02-22.19.1
   xen-debugsource-4.4.4_02-22.19.1
   xen-doc-html-4.4.4_02-22.19.1
   xen-kmp-default-4.4.4_02_k3.12.55_52.42-22.19.1
   xen-kmp-default-debuginfo-4.4.4_02_k3.12.55_52.42-22.19.1
   xen-libs-32bit-4.4.4_02-22.19.1
   xen-libs-4.4.4_02-22.19.1
   xen-libs-debuginfo-32bit-4.4.4_02-22.19.1
   xen-libs-debuginfo-4.4.4_02-22.19.1
   xen-tools-4.4.4_02-22.19.1
   xen-tools-debuginfo-4.4.4_02-22.19.1
   xen-tools-domU-4.4.4_02-22.19.1
   xen-tools-domU-debuginfo-4.4.4_02-22.19.1

- SUSE Linux Enterprise Desktop 12 (x86_64):

   xen-4.4.4_02-22.19.1
   xen-debugsource-4.4.4_02-22.19.1
   xen-kmp-default-4.4.4_02_k3.12.55_52.42-22.19.1
   xen-kmp-default-debuginfo-4.4.4_02_k3.12.55_52.42-22.19.1
   xen-libs-32bit-4.4.4_02-22.19.1
   xen-libs-4.4.4_02-22.19.1
   xen-libs-debuginfo-32bit-4.4.4_02-22.19.1
   xen-libs-debuginfo-4.4.4_02-22.19.1

References:

   https://www.suse.com/security/cve/CVE-2013-4527.html
   https://www.suse.com/security/cve/CVE-2013-4529.html
   https://www.suse.com/security/cve/CVE-2013-4530.html
   https://www.suse.com/security/cve/CVE-2013-4533.html
   https://www.suse.com/security/cve/CVE-2013-4534.html
   https://www.suse.com/security/cve/CVE-2013-4537.html
   https://www.suse.com/security/cve/CVE-2013-4538.html
   https://www.suse.com/security/cve/CVE-2013-4539.html
   https://www.suse.com/security/cve/CVE-2014-0222.html
   https://www.suse.com/security/cve/CVE-2014-3640.html
   https://www.suse.com/security/cve/CVE-2014-3689.html
   https://www.suse.com/security/cve/CVE-2014-7815.html
   https://www.suse.com/security/cve/CVE-2014-9718.html
   https://www.suse.com/security/cve/CVE-2015-1779.html
   https://www.suse.com/security/cve/CVE-2015-5278.html
   https://www.suse.com/security/cve/CVE-2015-6855.html
   https://www.suse.com/security/cve/CVE-2015-7512.html
   https://www.suse.com/security/cve/CVE-2015-7549.html
   https://www.suse.com/security/cve/CVE-2015-8345.html
   https://www.suse.com/security/cve/CVE-2015-8504.html
   https://www.suse.com/security/cve/CVE-2015-8550.html
   https://www.suse.com/security/cve/CVE-2015-8554.html
   https://www.suse.com/security/cve/CVE-2015-8555.html
   https://www.suse.com/security/cve/CVE-2015-8558.html
   https://www.suse.com/security/cve/CVE-2015-8567.html
   https://www.suse.com/security/cve/CVE-2015-8568.html
   https://www.suse.com/security/cve/CVE-2015-8613.html
   https://www.suse.com/security/cve/CVE-2015-8619.html
   https://www.suse.com/security/cve/CVE-2015-8743.html
   https://www.suse.com/security/cve/CVE-2015-8744.html
   https://www.suse.com/security/cve/CVE-2015-8745.html
   https://www.suse.com/security/cve/CVE-2015-8817.html
   https://www.suse.com/security/cve/CVE-2015-8818.html
   https://www.suse.com/security/cve/CVE-2016-1568.html
   https://www.suse.com/security/cve/CVE-2016-1570.html
   https://www.suse.com/security/cve/CVE-2016-1571.html
   https://www.suse.com/security/cve/CVE-2016-1714.html
   https://www.suse.com/security/cve/CVE-2016-1922.html
   https://www.suse.com/security/cve/CVE-2016-1981.html
   https://www.suse.com/security/cve/CVE-2016-2198.html
   https://www.suse.com/security/cve/CVE-2016-2270.html
   https://www.suse.com/security/cve/CVE-2016-2271.html
   https://www.suse.com/security/cve/CVE-2016-2391.html
   https://www.suse.com/security/cve/CVE-2016-2392.html
   https://www.suse.com/security/cve/CVE-2016-2538.html
   https://bugzilla.suse.com/954872
   https://bugzilla.suse.com/956832
   https://bugzilla.suse.com/957988
   https://bugzilla.suse.com/958007
   https://bugzilla.suse.com/958009
   https://bugzilla.suse.com/958493
   https://bugzilla.suse.com/958523
   https://bugzilla.suse.com/958918
   https://bugzilla.suse.com/959006
   https://bugzilla.suse.com/959387
   https://bugzilla.suse.com/959695
   https://bugzilla.suse.com/960707
   https://bugzilla.suse.com/960726
   https://bugzilla.suse.com/960836
   https://bugzilla.suse.com/960861
   https://bugzilla.suse.com/960862
   https://bugzilla.suse.com/961332
   https://bugzilla.suse.com/961358
   https://bugzilla.suse.com/961692
   https://bugzilla.suse.com/962321
   https://bugzilla.suse.com/962335
   https://bugzilla.suse.com/962360
   https://bugzilla.suse.com/962611
   https://bugzilla.suse.com/962627
   https://bugzilla.suse.com/962632
   https://bugzilla.suse.com/962642
   https://bugzilla.suse.com/962758
   https://bugzilla.suse.com/963783
   https://bugzilla.suse.com/963923
   https://bugzilla.suse.com/964415
   https://bugzilla.suse.com/964431
   https://bugzilla.suse.com/964452
   https://bugzilla.suse.com/964644
   https://bugzilla.suse.com/964746
   https://bugzilla.suse.com/964925
   https://bugzilla.suse.com/964929
   https://bugzilla.suse.com/964947
   https://bugzilla.suse.com/964950
   https://bugzilla.suse.com/965112
   https://bugzilla.suse.com/965156
   https://bugzilla.suse.com/965269
   https://bugzilla.suse.com/965315
   https://bugzilla.suse.com/965317
   https://bugzilla.suse.com/967090
   https://bugzilla.suse.com/967101
   https://bugzilla.suse.com/968004
   https://bugzilla.suse.com/969125
   https://bugzilla.suse.com/969126

From sle-security-updates at lists.suse.com Wed May 18 10:09:27 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 18 May 2016 18:09:27 +0200 (CEST)
Subject: SUSE-SU-2016:1342-1: moderate: Security update for MozillaFirefox
Message-ID: <20160518160927.5DEC2FF5B@maintenance.suse.de>

   SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1342-1
Rating:             moderate
References:         #977333 #977374 #977376 #977381 #977386
Cross-References:   CVE-2016-2805 CVE-2016-2807 CVE-2016-2808 CVE-2016-2814
Affected Products:
                    SUSE Linux Enterprise Server 11-SP2-LTSS
                    SUSE Linux Enterprise Debuginfo 11-SP2
______________________________________________________________________________

   An update that solves four vulnerabilities and has one errata is now available.
Description:

This update to MozillaFirefox 38.8.0 ESR fixes the following security issues (bsc#977333):

- CVE-2016-2805: Miscellaneous memory safety hazards - MFSA 2016-39 (bsc#977374)
- CVE-2016-2807: Miscellaneous memory safety hazards - MFSA 2016-39 (bsc#977376)
- CVE-2016-2808: Write to invalid HashMap entry through JavaScript.watch() - MFSA 2016-47 (bsc#977386)
- CVE-2016-2814: Buffer overflow in libstagefright with CENC offsets - MFSA 2016-44 (bsc#977381)

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP2-LTSS:

   zypper in -t patch slessp2-MozillaFirefox-12564=1

- SUSE Linux Enterprise Debuginfo 11-SP2:

   zypper in -t patch dbgsp2-MozillaFirefox-12564=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):

   MozillaFirefox-38.8.0esr-40.1
   MozillaFirefox-translations-38.8.0esr-40.1

- SUSE Linux Enterprise Debuginfo 11-SP2 (i586 s390x x86_64):

   MozillaFirefox-debuginfo-38.8.0esr-40.1
   MozillaFirefox-debugsource-38.8.0esr-40.1

References:

   https://www.suse.com/security/cve/CVE-2016-2805.html
   https://www.suse.com/security/cve/CVE-2016-2807.html
   https://www.suse.com/security/cve/CVE-2016-2808.html
   https://www.suse.com/security/cve/CVE-2016-2814.html
   https://bugzilla.suse.com/977333
   https://bugzilla.suse.com/977374
   https://bugzilla.suse.com/977376
   https://bugzilla.suse.com/977381
   https://bugzilla.suse.com/977386

From sle-security-updates at lists.suse.com Wed May 18 10:10:27 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 18 May 2016 18:10:27 +0200 (CEST)
Subject: SUSE-SU-2016:1343-1: moderate: Security update for salt
Message-ID: <20160518161027.916B3FF5B@maintenance.suse.de>

   SUSE Security Update: Security update for salt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1343-1
Rating:             moderate
References:         #972436
Cross-References:   CVE-2016-3176
Affected Products:
                    SUSE Enterprise Storage 1.0
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

salt was updated to fix one security issue.

This security issue was fixed:

- CVE-2016-3176: Insecure configuration of PAM external authentication service. Authenticating users were able to specify the PAM service (bsc#972436).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Enterprise Storage 1.0:

   zypper in -t patch SUSE-Storage-1.0-2016-789=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Enterprise Storage 1.0 (noarch):

   salt-2014.1.10-5.6
   salt-master-2014.1.10-5.6
   salt-minion-2014.1.10-5.6

References:

   https://www.suse.com/security/cve/CVE-2016-3176.html
   https://bugzilla.suse.com/972436

From sle-security-updates at lists.suse.com Wed May 18 10:10:48 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 18 May 2016 18:10:48 +0200 (CEST)
Subject: SUSE-SU-2016:1344-1: moderate: Security update for wireshark
Message-ID: <20160518161048.CB336FF5D@maintenance.suse.de>

   SUSE Security Update: Security update for wireshark
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1344-1
Rating:             moderate
References:         #968565 #976944
Cross-References:   CVE-2016-2523 CVE-2016-2530 CVE-2016-2531 CVE-2016-2532
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12-SP1
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

This update to Wireshark 1.12.11 fixes a number of issues in protocol dissectors that could have allowed a remote attacker to crash Wireshark or cause excessive CPU usage through specially crafted packets inserted into the network or a capture file.

- The PKTC dissector could crash (wnpa-sec-2016-22)
- The PKTC dissector could crash (wnpa-sec-2016-23)
- The IAX2 dissector could go into an infinite loop (wnpa-sec-2016-24)
- Wireshark and TShark could exhaust the stack (wnpa-sec-2016-25)
- The GSM CBCH dissector could crash (wnpa-sec-2016-26)
- The NCP dissector could crash (wnpa-sec-2016-28)
- CVE-2016-2523: DNP dissector infinite loop (wnpa-sec-2016-03)
- CVE-2016-2530: RSL dissector crash (wnpa-sec-2016-10)
- CVE-2016-2531: RSL dissector crash (wnpa-sec-2016-10)
- CVE-2016-2532: LLRP dissector crash (wnpa-sec-2016-11)
- GSM A-bis OML dissector crash (wnpa-sec-2016-14)
- ASN.1 BER dissector crash (wnpa-sec-2016-15)
- ASN.1 BER dissector crash (wnpa-sec-2016-18)

Also contains further bug fixes and updated protocol support as listed in:

   https://www.wireshark.org/docs/relnotes/wireshark-1.12.11.html
   https://www.wireshark.org/docs/relnotes/wireshark-1.12.10.html

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP1:

   zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-788=1

- SUSE Linux Enterprise Software Development Kit 12:

   zypper in -t patch SUSE-SLE-SDK-12-2016-788=1

- SUSE Linux Enterprise Server 12-SP1:

   zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-788=1

- SUSE Linux Enterprise Server 12:

   zypper in -t patch SUSE-SLE-SERVER-12-2016-788=1

- SUSE Linux Enterprise Desktop 12-SP1:

   zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-788=1

- SUSE Linux Enterprise Desktop 12:

   zypper in -t patch SUSE-SLE-DESKTOP-12-2016-788=1

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

   wireshark-debuginfo-1.12.11-25.1
   wireshark-debugsource-1.12.11-25.1
   wireshark-devel-1.12.11-25.1

- SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

   wireshark-debuginfo-1.12.11-25.1
   wireshark-debugsource-1.12.11-25.1
   wireshark-devel-1.12.11-25.1

- SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

   wireshark-1.12.11-25.1
   wireshark-debuginfo-1.12.11-25.1
   wireshark-debugsource-1.12.11-25.1

- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

   wireshark-1.12.11-25.1
   wireshark-debuginfo-1.12.11-25.1
   wireshark-debugsource-1.12.11-25.1

- SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

   wireshark-1.12.11-25.1
   wireshark-debuginfo-1.12.11-25.1
   wireshark-debugsource-1.12.11-25.1

- SUSE Linux Enterprise Desktop 12 (x86_64):

   wireshark-1.12.11-25.1
   wireshark-debuginfo-1.12.11-25.1
   wireshark-debugsource-1.12.11-25.1

References:

   https://www.suse.com/security/cve/CVE-2016-2523.html
   https://www.suse.com/security/cve/CVE-2016-2530.html
   https://www.suse.com/security/cve/CVE-2016-2531.html
   https://www.suse.com/security/cve/CVE-2016-2532.html
   https://bugzilla.suse.com/968565
   https://bugzilla.suse.com/976944

From sle-security-updates at lists.suse.com Wed May 18 10:11:20 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 18 May 2016 18:11:20 +0200 (CEST)
Subject: SUSE-SU-2016:1345-1: moderate: Security update for wireshark
Message-ID: <20160518161120.713DFFF5B@maintenance.suse.de>

   SUSE Security Update: Security update for wireshark
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1345-1
Rating:             moderate
References:         #968565 #976944
Cross-References:   CVE-2016-2523 CVE-2016-2530 CVE-2016-2531 CVE-2016-2532
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

This update to Wireshark 1.12.11 fixes a number of issues in protocol dissectors that could have allowed a remote attacker to crash Wireshark or cause excessive CPU usage through specially crafted packets inserted into the network or a capture file.

- The PKTC dissector could crash (wnpa-sec-2016-22)
- The PKTC dissector could crash (wnpa-sec-2016-23)
- The IAX2 dissector could go into an infinite loop (wnpa-sec-2016-24)
- Wireshark and TShark could exhaust the stack (wnpa-sec-2016-25)
- The GSM CBCH dissector could crash (wnpa-sec-2016-26)
- The NCP dissector could crash (wnpa-sec-2016-28)
- CVE-2016-2523: DNP dissector infinite loop (wnpa-sec-2016-03)
- CVE-2016-2530: RSL dissector crash (wnpa-sec-2016-10)
- CVE-2016-2531: RSL dissector crash (wnpa-sec-2016-10)
- CVE-2016-2532: LLRP dissector crash (wnpa-sec-2016-11)
- GSM A-bis OML dissector crash (wnpa-sec-2016-14)
- ASN.1 BER dissector crash (wnpa-sec-2016-15)
- ASN.1 BER dissector crash (wnpa-sec-2016-18)

Also contains further bug fixes and updated protocol support as listed in:

   https://www.wireshark.org/docs/relnotes/wireshark-1.12.11.html
   https://www.wireshark.org/docs/relnotes/wireshark-1.12.10.html

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11-SP4:

   zypper in -t patch sdksp4-wireshark-12565=1

- SUSE Linux Enterprise Server 11-SP4:

   zypper in -t patch slessp4-wireshark-12565=1

- SUSE Linux Enterprise Debuginfo 11-SP4:

   zypper in -t patch dbgsp4-wireshark-12565=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

   wireshark-devel-1.12.11-0.18.1

- SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 x86_64):

   wireshark-1.12.11-0.18.1

- SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

   wireshark-1.12.11-0.18.1

- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

   wireshark-debuginfo-1.12.11-0.18.1
   wireshark-debugsource-1.12.11-0.18.1

References:

   https://www.suse.com/security/cve/CVE-2016-2523.html
   https://www.suse.com/security/cve/CVE-2016-2530.html
   https://www.suse.com/security/cve/CVE-2016-2531.html
   https://www.suse.com/security/cve/CVE-2016-2532.html
   https://bugzilla.suse.com/968565
   https://bugzilla.suse.com/976944

From sle-security-updates at lists.suse.com Wed May 18 11:08:00 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 18 May 2016 19:08:00 +0200 (CEST)
Subject: SUSE-SU-2016:1346-1: moderate: Security update for systemd
Message-ID: <20160518170800.D3E1FFF5B@maintenance.suse.de>

   SUSE Security Update: Security update for systemd
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1346-1
Rating:             moderate
References:         #959886 #960158 #963230 #965897 #967122 #970423 #970860 #972612 #972727 #973848 #976766 #978275
Cross-References:   CVE-2014-9770 CVE-2015-8842
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that solves two vulnerabilities and has 10 fixes is now available.

Description:

This update for SystemD provides fixes and enhancements.

The following security issue has been fixed:

- Don't allow read access to journal files to users. (bsc#972612, CVE-2014-9770, CVE-2015-8842)

The following non-security issues have been fixed:

- Restore initrd-udevadm-cleanup-db.service. (bsc#978275, bsc#976766)
- Incorrect permissions set after boot on journal files. (bsc#973848)
- Exclude device-mapper from block device ownership event locking. (bsc#972727)
- Explicitly set mode for /run/log.
- Don't apply sgid and executable bit to journal files, only the directories they are contained in.
- Add ability to mask access mode by pre-existing access mode on files/directories.
- No need to pass --all if inactive is explicitly requested in list-units. (bsc#967122)
- Fix automount option and don't start associated mount unit at boot. (bsc#970423)
- Support more than just power-gpio-key. (fate#318444, bsc#970860)
- Add standard gpio power button support. (fate#318444, bsc#970860)
- Downgrade warnings about wanted units which are not found. (bsc#960158)
- Shorten hostname before checking for trailing dot. (bsc#965897)
- Remove WorkingDirectory parameter from emergency, rescue and console-shell.service. (bsc#959886)
- Don't ship boot.udev and systemd-journald.init anymore.
- Revert "log: honour the kernel's quiet cmdline argument". (bsc#963230)

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP1:

   zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-790=1

- SUSE Linux Enterprise Server 12-SP1:

   zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-790=1

- SUSE Linux Enterprise Desktop 12-SP1:

   zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-790=1

To bring your system up-to-date, use "zypper patch".
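The journal-file permission fix in this systemd advisory (no read access for ordinary users; sgid and execute bits only on the containing directories) turned into an audit a practitioner can run on a host, as an added example that is not SUSE's or systemd's own code. The reference modes 0640 for files and 2755 for directories, and the MACHINE-ID sample paths, are assumptions.

```python
"""Audit journal file and directory modes against the policy described in
the systemd advisory: journal files must not be readable by ordinary (other)
users and must carry neither the sgid nor any execute bit; those bits are
allowed only on the directories that contain the files.

Added example, not SUSE's or systemd's own code. The reference modes (0640
for files, 2755 for directories) are assumptions; the sample entries at the
bottom are constructed for illustration.
"""
import os
import stat
from typing import Dict, Iterable, List, Tuple

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def check_entry(path: str, mode: int, is_dir: bool) -> List[str]:
    """Return human-readable findings for one entry; [] means compliant.

    `mode` is a full st_mode value; file-type bits are ignored.
    """
    perm = stat.S_IMODE(mode)
    findings: List[str] = []
    if is_dir:
        # Directories may keep sgid (2755) so new files inherit the group,
        # but must never be world-writable.
        if perm & stat.S_IWOTH:
            findings.append(f"{path}: directory is world-writable ({perm:04o})")
        return findings
    # Journal files: the fix for bsc#972612 (CVE-2014-9770, CVE-2015-8842)
    # removes read access for ordinary users.
    if perm & stat.S_IROTH:
        findings.append(f"{path}: journal file readable by other users ({perm:04o})")
    if perm & stat.S_IWOTH:
        findings.append(f"{path}: journal file writable by other users ({perm:04o})")
    # sgid and execute bits belong on the directories, not on the files.
    if perm & stat.S_ISGID:
        findings.append(f"{path}: sgid bit set on a journal file ({perm:04o})")
    if perm & EXEC_BITS:
        findings.append(f"{path}: execute bit set on a journal file ({perm:04o})")
    return findings


def audit_entries(entries: Iterable[Tuple[str, int, bool]]) -> Dict[str, List[str]]:
    """Run check_entry over (path, st_mode, is_dir) tuples; keep only hits."""
    report: Dict[str, List[str]] = {}
    for path, mode, is_dir in entries:
        hits = check_entry(path, mode, is_dir)
        if hits:
            report[path] = hits
    return report


def walk_journal(root: str) -> List[Tuple[str, int, bool]]:
    """Collect (path, st_mode, is_dir) for root and everything below it.

    lstat is used so symlinks are reported as themselves, not followed.
    """
    entries: List[Tuple[str, int, bool]] = []
    st = os.lstat(root)
    entries.append((root, st.st_mode, stat.S_ISDIR(st.st_mode)))
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            entries.append((full, st.st_mode, stat.S_ISDIR(st.st_mode)))
    return entries


# Constructed sample tree (MACHINE-ID is a placeholder directory name):
# modes are full st_mode values, type bits included.
SAMPLE_ENTRIES = [
    ("/var/log/journal", 0o042755, True),                                    # ok
    ("/var/log/journal/MACHINE-ID", 0o042755, True),                         # ok
    ("/var/log/journal/MACHINE-ID/system.journal", 0o100640, False),         # ok
    ("/var/log/journal/MACHINE-ID/user-1000.journal", 0o100644, False),      # o+r
    ("/var/log/journal/MACHINE-ID/system@0001.journal", 0o102750, False),    # sgid, exec
]


def main() -> None:
    root = "/var/log/journal"
    entries = walk_journal(root) if os.path.isdir(root) else SAMPLE_ENTRIES
    report = audit_entries(entries)
    if not report:
        print("no findings")
    for hits in report.values():
        for hit in hits:
            print(hit)


if __name__ == "__main__":
    main()
```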
Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

   libgudev-1_0-devel-210-104.1
   libudev-devel-210-104.1
   systemd-debuginfo-210-104.1
   systemd-debugsource-210-104.1
   systemd-devel-210-104.1
   typelib-1_0-GUdev-1_0-210-104.1

- SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

   libgudev-1_0-0-210-104.1
   libgudev-1_0-0-debuginfo-210-104.1
   libudev1-210-104.1
   libudev1-debuginfo-210-104.1
   systemd-210-104.1
   systemd-debuginfo-210-104.1
   systemd-debugsource-210-104.1
   systemd-sysvinit-210-104.1
   udev-210-104.1
   udev-debuginfo-210-104.1

- SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):

   libgudev-1_0-0-32bit-210-104.1
   libgudev-1_0-0-debuginfo-32bit-210-104.1
   libudev1-32bit-210-104.1
   libudev1-debuginfo-32bit-210-104.1
   systemd-32bit-210-104.1
   systemd-debuginfo-32bit-210-104.1

- SUSE Linux Enterprise Server 12-SP1 (noarch):

   systemd-bash-completion-210-104.1

- SUSE Linux Enterprise Desktop 12-SP1 (noarch):

   systemd-bash-completion-210-104.1

- SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

   libgudev-1_0-0-210-104.1
   libgudev-1_0-0-32bit-210-104.1
   libgudev-1_0-0-debuginfo-210-104.1
   libgudev-1_0-0-debuginfo-32bit-210-104.1
   libudev1-210-104.1
   libudev1-32bit-210-104.1
   libudev1-debuginfo-210-104.1
   libudev1-debuginfo-32bit-210-104.1
   systemd-210-104.1
   systemd-32bit-210-104.1
   systemd-debuginfo-210-104.1
   systemd-debuginfo-32bit-210-104.1
   systemd-debugsource-210-104.1
   systemd-sysvinit-210-104.1
   udev-210-104.1
   udev-debuginfo-210-104.1

References:

   https://www.suse.com/security/cve/CVE-2014-9770.html
   https://www.suse.com/security/cve/CVE-2015-8842.html
   https://bugzilla.suse.com/959886
   https://bugzilla.suse.com/960158
   https://bugzilla.suse.com/963230
   https://bugzilla.suse.com/965897
   https://bugzilla.suse.com/967122
   https://bugzilla.suse.com/970423
   https://bugzilla.suse.com/970860
   https://bugzilla.suse.com/972612
   https://bugzilla.suse.com/972727
   https://bugzilla.suse.com/973848
   https://bugzilla.suse.com/976766
   https://bugzilla.suse.com/978275

From sle-security-updates at lists.suse.com Wed May 18 11:14:14 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 18 May 2016 19:14:14 +0200 (CEST)
Subject: SUSE-SU-2016:1351-1: moderate: Security update for systemd
Message-ID: <20160518171414.B0F61FF5B@maintenance.suse.de>

   SUSE Security Update: Security update for systemd
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1351-1
Rating:             moderate
References:         #959886 #960158 #963230 #965897 #967122 #970423 #970860 #972612 #972727 #973848 #976766 #978275
Cross-References:   CVE-2014-9770 CVE-2015-8842
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that solves two vulnerabilities and has 10 fixes is now available.

Description:

This update for SystemD provides fixes and enhancements.

The following security issue has been fixed:

- Don't allow read access to journal files to users. (bsc#972612, CVE-2014-9770, CVE-2015-8842)

The following non-security issues have been fixed:

- Restore initrd-udevadm-cleanup-db.service. (bsc#978275, bsc#976766)
- Incorrect permissions set after boot on journal files. (bsc#973848)
- Exclude device-mapper from block device ownership event locking. (bsc#972727)
- Explicitly set mode for /run/log.
- Don't apply sgid and executable bit to journal files, only the directories they are contained in.
- Add ability to mask access mode by pre-existing access mode on files/directories.
- No need to pass --all if inactive is explicitly requested in list-units. (bsc#967122)
- Fix automount option and don't start associated mount unit at boot. (bsc#970423)
- Support more than just power-gpio-key. (fate#318444, bsc#970860)
- Add standard gpio power button support. (fate#318444, bsc#970860)
- Downgrade warnings about wanted units which are not found. (bsc#960158)
- Shorten hostname before checking for trailing dot. (bsc#965897)
- Remove WorkingDirectory parameter from emergency, rescue and console-shell.service. (bsc#959886)
- Don't ship boot.udev and systemd-journald.init anymore.
- Revert "log: honour the kernel's quiet cmdline argument". (bsc#963230)

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12:

   zypper in -t patch SUSE-SLE-SDK-12-2016-791=1

- SUSE Linux Enterprise Server 12:

   zypper in -t patch SUSE-SLE-SERVER-12-2016-791=1

- SUSE Linux Enterprise Desktop 12:

   zypper in -t patch SUSE-SLE-DESKTOP-12-2016-791=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

   libgudev-1_0-devel-210-70.48.1
   libudev-devel-210-70.48.1
   systemd-debuginfo-210-70.48.1
   systemd-debugsource-210-70.48.1
   systemd-devel-210-70.48.1
   typelib-1_0-GUdev-1_0-210-70.48.1

- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

   libgudev-1_0-0-210-70.48.1
   libgudev-1_0-0-debuginfo-210-70.48.1
   libudev1-210-70.48.1
   libudev1-debuginfo-210-70.48.1
   systemd-210-70.48.1
   systemd-debuginfo-210-70.48.1
   systemd-debugsource-210-70.48.1
   systemd-sysvinit-210-70.48.1
   udev-210-70.48.1
   udev-debuginfo-210-70.48.1

- SUSE Linux Enterprise Server 12 (s390x x86_64):

   libgudev-1_0-0-32bit-210-70.48.1
   libgudev-1_0-0-debuginfo-32bit-210-70.48.1
   libudev1-32bit-210-70.48.1
   libudev1-debuginfo-32bit-210-70.48.1
   systemd-32bit-210-70.48.1
   systemd-debuginfo-32bit-210-70.48.1

- SUSE Linux Enterprise Server 12 (noarch):

   systemd-bash-completion-210-70.48.1

- SUSE Linux Enterprise Desktop 12 (x86_64):

   libgudev-1_0-0-210-70.48.1
   libgudev-1_0-0-32bit-210-70.48.1
   libgudev-1_0-0-debuginfo-210-70.48.1
   libgudev-1_0-0-debuginfo-32bit-210-70.48.1
   libudev1-210-70.48.1
   libudev1-32bit-210-70.48.1
   libudev1-debuginfo-210-70.48.1
   libudev1-debuginfo-32bit-210-70.48.1
   systemd-210-70.48.1
   systemd-32bit-210-70.48.1
   systemd-debuginfo-210-70.48.1
   systemd-debuginfo-32bit-210-70.48.1
   systemd-debugsource-210-70.48.1
   systemd-sysvinit-210-70.48.1
   udev-210-70.48.1
   udev-debuginfo-210-70.48.1

- SUSE Linux Enterprise Desktop 12 (noarch):

   systemd-bash-completion-210-70.48.1

References:

   https://www.suse.com/security/cve/CVE-2014-9770.html
   https://www.suse.com/security/cve/CVE-2015-8842.html
   https://bugzilla.suse.com/959886
   https://bugzilla.suse.com/960158
   https://bugzilla.suse.com/963230
   https://bugzilla.suse.com/965897
   https://bugzilla.suse.com/967122
   https://bugzilla.suse.com/970423
   https://bugzilla.suse.com/970860
   https://bugzilla.suse.com/972612
   https://bugzilla.suse.com/972727
   https://bugzilla.suse.com/973848
   https://bugzilla.suse.com/976766
   https://bugzilla.suse.com/978275

From sle-security-updates at lists.suse.com Wed May 18 13:07:41 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 18 May 2016 21:07:41 +0200 (CEST)
Subject: SUSE-SU-2016:1352-1: important: Security update for Mozilla Firefox
Message-ID: <20160518190741.B15F2FF5E@maintenance.suse.de>

   SUSE Security Update: Security update for Mozilla Firefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1352-1
Rating:             important
References:         #977333 #977374 #977376 #977381 #977386
Cross-References:   CVE-2016-2805 CVE-2016-2807 CVE-2016-2808 CVE-2016-2814
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4 LTSS
______________________________________________________________________________

   An update that solves four vulnerabilities and has one errata is now available.
Description:

Mozilla Firefox was updated to fix the following vulnerabilities (bsc#977333):

* CVE-2016-2805: Memory safety bug fixed in Firefox ESR 38.8 (MFSA 2016-39, bsc#977374)
* CVE-2016-2807: Memory safety bugs fixed in Firefox ESR 45.1, Firefox ESR 38.8 and Firefox 46 (MFSA 2016-39, bsc#977376)
* CVE-2016-2808: Write to invalid HashMap entry through JavaScript.watch() (MFSA 2016-47, bsc#977386)
* CVE-2016-2814: Buffer overflow in libstagefright with CENC offsets (MFSA 2016-44, bsc#977381)

Security Issues:

* CVE-2016-2805
* CVE-2016-2807
* CVE-2016-2808
* CVE-2016-2814

Package List:

- SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x):

   MozillaFirefox-38.8.0esr-0.5.1
   MozillaFirefox-translations-38.8.0esr-0.5.1

References:

   https://www.suse.com/security/cve/CVE-2016-2805.html
   https://www.suse.com/security/cve/CVE-2016-2807.html
   https://www.suse.com/security/cve/CVE-2016-2808.html
   https://www.suse.com/security/cve/CVE-2016-2814.html
   https://bugzilla.suse.com/977333
   https://bugzilla.suse.com/977374
   https://bugzilla.suse.com/977376
   https://bugzilla.suse.com/977381
   https://bugzilla.suse.com/977386
   https://download.suse.com/patch/finder/?keywords=c4a992c726ddbf623907944154d39624

From sle-security-updates at lists.suse.com Thu May 19 05:08:09 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 May 2016 13:08:09 +0200 (CEST)
Subject: SUSE-SU-2016:1355-1: moderate: Security update for python-Pillow
Message-ID: <20160519110809.6C989FF5E@maintenance.suse.de>

   SUSE Security Update: Security update for python-Pillow
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1355-1
Rating:             moderate
References:         #965579 #965582
Cross-References:   CVE-2016-0740 CVE-2016-0775
Affected Products:
                    SUSE Enterprise Storage 1.0
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

This update for python-Pillow fixes the following security issues:

* CVE-2016-0775: Fixed a buffer overflow in FliDecode.c causing a segfault when opening FLI files. (bsc#965582)
* CVE-2016-0740: Fixed a buffer overflow in TiffDecode.c causing an arbitrary amount of memory to be overwritten when opening a specially crafted invalid TIFF file. (bsc#965579)
* Fixed an integer overflow in Resample.c causing writes in the Python heap.
* Fixed a buffer overflow in PcdDecode.c causing a segfault when opening PhotoCD files.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Enterprise Storage 1.0:

   zypper in -t patch SUSE-Storage-1.0-2016-796=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Enterprise Storage 1.0 (x86_64):

   python-Pillow-2.7.0-7.1
   python-Pillow-debuginfo-2.7.0-7.1
   python-Pillow-debugsource-2.7.0-7.1

References:

   https://www.suse.com/security/cve/CVE-2016-0740.html
   https://www.suse.com/security/cve/CVE-2016-0775.html
   https://bugzilla.suse.com/965579
   https://bugzilla.suse.com/965582

From sle-security-updates at lists.suse.com Thu May 19 11:09:51 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 May 2016 19:09:51 +0200 (CEST)
Subject: SUSE-SU-2016:1360-1: important: Security update for openssl
Message-ID: <20160519170951.10BFBFF63@maintenance.suse.de>

   SUSE Security Update: Security update for openssl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1360-1
Rating:             important
References:         #968050 #973223 #976942 #976943 #977614 #977615 #977617
Cross-References:   CVE-2016-0702 CVE-2016-2105 CVE-2016-2106 CVE-2016-2108 CVE-2016-2109
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4 LTSS
______________________________________________________________________________

   An update that solves 5 vulnerabilities and has two fixes is now available.

Description:

This update for OpenSSL fixes the following security issues:

* CVE-2016-2105: EVP_EncodeUpdate overflow (bsc#977614)
* CVE-2016-2106: EVP_EncryptUpdate overflow (bsc#977615)
* CVE-2016-2108: Memory corruption in the ASN.1 encoder (bsc#977617)
* CVE-2016-2109: ASN.1 BIO excessive memory allocation (bsc#976942)
* CVE-2016-0702: Side channel attack on modular exponentiation "CacheBleed" (bsc#968050)

Additionally, the following non-security issues have been fixed:

* Fix buffer overrun in ASN1_parse. (bsc#976943)
* Allow weak DH groups. (bsc#973223)

Security Issues:

* CVE-2016-2105
* CVE-2016-2106
* CVE-2016-2108
* CVE-2016-2109
* CVE-2016-0702

Package List:

- SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64):

   openssl-0.9.8a-18.96.1
   openssl-devel-0.9.8a-18.96.1
   openssl-doc-0.9.8a-18.96.1

- SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64):

   openssl-32bit-0.9.8a-18.96.1
   openssl-devel-32bit-0.9.8a-18.96.1

References:

   https://www.suse.com/security/cve/CVE-2016-0702.html
   https://www.suse.com/security/cve/CVE-2016-2105.html
   https://www.suse.com/security/cve/CVE-2016-2106.html
   https://www.suse.com/security/cve/CVE-2016-2108.html
   https://www.suse.com/security/cve/CVE-2016-2109.html
   https://bugzilla.suse.com/968050
   https://bugzilla.suse.com/973223
   https://bugzilla.suse.com/976942
   https://bugzilla.suse.com/976943
   https://bugzilla.suse.com/977614
   https://bugzilla.suse.com/977615
   https://bugzilla.suse.com/977617
   https://download.suse.com/patch/finder/?keywords=bfdaa5a35088a70db557cea0e263ef89

From sle-security-updates at lists.suse.com Thu May 19 18:11:10 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 20 May 2016 02:11:10 +0200 (CEST)
Subject: SUSE-SU-2016:1366-1: Recommended update for SUSE Manager Client Tools
Message-ID: <20160520001110.4C907FF5F@maintenance.suse.de>

   SUSE Security Update: Recommended update for SUSE Manager Client Tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1366-1
Rating:             low
References:         #970550 #970989
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   This update for SUSE Manager Client Tools provides the following fixes and
   enhancements:

   rhnlib:
   - Use TLSv1_METHOD in SSL Context (bsc#970989)

   suseRegisterInfo:
   - Fix file permissions (bsc#970550)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-client-tools-21-201602-12567=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      rhnlib-2.5.69.8-11.2
      suseRegisterInfo-2.1.12-14.2

References:

   https://bugzilla.suse.com/970550
   https://bugzilla.suse.com/970989

From sle-security-updates at lists.suse.com  Thu May 19 18:11:40 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 20 May 2016 02:11:40 +0200 (CEST)
Subject: SUSE-SU-2016:1367-1: moderate: Security update for SUSE Manager Server 2.1
Message-ID: <20160520001140.67694FF5F@maintenance.suse.de>

   SUSE Security Update: Security update for SUSE Manager Server 2.1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1367-1
Rating:             moderate
References:         #922740 #924298 #958923 #961002 #961565 #962253 #966622
                    #966737 #966890 #968257 #968406 #968851 #970223 #970425
                    #970550 #970672 #970901 #970989 #971237 #972341 #973162
                    #973432 #973550 #974010 #974011 #974315 #976194 #976826
                    #978166
Cross-References:   CVE-2015-0284 CVE-2016-2103 CVE-2016-2104 CVE-2016-3079
                    CVE-2016-3097
Affected Products:
                    SUSE Manager 2.1
______________________________________________________________________________

   An update that solves 5 vulnerabilities and has 24 fixes is now available.

Description:

   This update for SUSE Manager Server 2.1 fixes the following issues:

   cobbler:
   - Add logrotate file for cobbler (bsc#976826)
   - Fix cobbler yaboot handling (bsc#968406, bsc#966622)

   osad:
   - Fix file permissions (bsc#970550)

   rhnlib:
   - Use TLSv1_METHOD in SSL Context (bsc#970989)

   spacewalk-backend:
   - Mgr_ncc_sync: Adapt to bulk scheduling introduced in
     scheduleSingleSatRepoSync

   spacewalk-branding:
   - Fix link to "Schedule patch updates" (bsc#973432)
   - Fix link to scheduled action for SP migration (bsc#968257, bsc#974315)
   - Fix: 'Advanced Search' title consistency

   spacewalk-certs-tools:
   - Fix file permissions (bsc#970550)

   spacewalk-java:
   - Recreate upgrade paths on every refresh (bsc#978166)
   - Call cobbler sync after cobbler command is finished (bsc#966890)
   - Under high load, the service wrapper may incorrectly interpret the
     inability to get a response in time from taskomatic and kill it
     (bsc#962253)
   - Log permission problems on channel access during SP migration
     (bsc#970223)
   - Unittests: support SLE-POS 11 SP3 as addon for SLES 11 SP4 (bsc#976194)
   - Mgr-sync: use bulk channel reposync (bsc#961002)
   - Double the backslashes when reading the config files from java
     (bsc#958923)
   - When generating repo metadata for a cloned channel, recursively fetch
     keywords from the original channel (bsc#970901)
   - Better logging for SP Migration feature (bsc#970223)
   - Fix: 'Advanced Search' title consistency
   - CVE-2015-0284: XSS when altering user details and then navigating to a
     page where a user is chosen (bsc#922740)
   - CVE-2016-3079, CVE-2016-2103, CVE-2016-2104, CVE-2016-3097: Fix multiple
     XSS vulnerabilities (bsc#973162, bsc#974011, bsc#974010, bsc#973550)
   - BugFix: 'Systems > Advanced Search' title and description consistency
     (bsc#966737)
   - Fix: correct behavior with visibility conditions of sub-tabs in
     Systems/Misc page
   - BugFix: add missing url mapping (bsc#961565)
   - Fix kernel and initrd paths for creating autoinstallation trees
     (bsc#966622)
   - Fix tests for HAE-GEO on SLES 4 SAP (bsc#970425)
   - Add unit tests for SLE-Live-Patching12 (bsc#924298)

   spacewalk-utils:
   - Bugfix: don't repeat channel labels
   - Taskotop: a utility to monitor what Taskomatic is doing
   - Fix file permissions (bsc#970550)

   suseRegisterInfo:
   - Fix file permissions (bsc#970550)

   susemanager:
   - Add packages to bootstrap repo (bsc#971237)
   - Mgr-sync: use bulk channel reposync (bsc#961002)
   - Mgr_ncc_sync: adapt to bulk scheduling introduced in
     scheduleSingleSatRepoSync
   - Add SLES 4 SAP to mgr-create-bootstrap-repo as an option (bsc#972341)
   - Put packages only available in SLE12 SP1 in a separate list (bsc#970672)
   - Fix file permissions (bsc#970550)

   susemanager-sync-data:
   - Support SLE-POS 11 SP3 as addon for SLES 11 SP4 (bsc#976194)
   - HAE-GEO is an addon product for SLES 4 SAP (bsc#970425)
   - Add support for SLE-Live-Patching12 (bsc#924298, bsc#968851)

   susemanager-tftpsync:
   - Rename change_tftpd_proxies.py to sync_post_tftpd_proxies.py and change
     trigger type (bsc#966890)

   How to apply this update:

   1. Log in as root user to the SUSE Manager server.
   2. Stop the Spacewalk service:
      spacewalk-service stop
   3. Apply the patch using either zypper patch or YaST Online Update.
   4. Start the Spacewalk service:
      spacewalk-service start

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager 2.1:

      zypper in -t patch sleman21-suse-manager-21-201605-12567=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Manager 2.1 (s390x x86_64):

      cobbler-2.2.2-0.61.2
      rhnlib-2.5.69.8-11.2
      spacewalk-backend-2.1.55.25-24.5
      spacewalk-backend-app-2.1.55.25-24.5
      spacewalk-backend-applet-2.1.55.25-24.5
      spacewalk-backend-config-files-2.1.55.25-24.5
      spacewalk-backend-config-files-common-2.1.55.25-24.5
      spacewalk-backend-config-files-tool-2.1.55.25-24.5
      spacewalk-backend-iss-2.1.55.25-24.5
      spacewalk-backend-iss-export-2.1.55.25-24.5
      spacewalk-backend-libs-2.1.55.25-24.5
      spacewalk-backend-package-push-server-2.1.55.25-24.5
      spacewalk-backend-server-2.1.55.25-24.5
      spacewalk-backend-sql-2.1.55.25-24.5
      spacewalk-backend-sql-oracle-2.1.55.25-24.5
      spacewalk-backend-sql-postgresql-2.1.55.25-24.5
      spacewalk-backend-tools-2.1.55.25-24.5
      spacewalk-backend-xml-export-libs-2.1.55.25-24.5
      spacewalk-backend-xmlrpc-2.1.55.25-24.5
      spacewalk-branding-2.1.33.16-18.2
      suseRegisterInfo-2.1.12-14.2
      susemanager-2.1.24-23.1
      susemanager-tftpsync-2.1.2-11.2
      susemanager-tools-2.1.24-23.1

   - SUSE Manager 2.1 (noarch):

      osa-dispatcher-5.11.33.11-15.2
      spacewalk-certs-tools-2.1.6.10-18.3
      spacewalk-java-2.1.165.23-20.1
      spacewalk-java-config-2.1.165.23-20.1
      spacewalk-java-lib-2.1.165.23-20.1
      spacewalk-java-oracle-2.1.165.23-20.1
      spacewalk-java-postgresql-2.1.165.23-20.1
      spacewalk-taskomatic-2.1.165.23-20.1
      spacewalk-utils-2.1.27.15-12.7
      susemanager-sync-data-2.1.15-30.2

References:

   https://www.suse.com/security/cve/CVE-2015-0284.html
   https://www.suse.com/security/cve/CVE-2016-2103.html
   https://www.suse.com/security/cve/CVE-2016-2104.html
   https://www.suse.com/security/cve/CVE-2016-3079.html
   https://www.suse.com/security/cve/CVE-2016-3097.html
   https://bugzilla.suse.com/922740
   https://bugzilla.suse.com/924298
   https://bugzilla.suse.com/958923
   https://bugzilla.suse.com/961002
   https://bugzilla.suse.com/961565
   https://bugzilla.suse.com/962253
   https://bugzilla.suse.com/966622
   https://bugzilla.suse.com/966737
   https://bugzilla.suse.com/966890
   https://bugzilla.suse.com/968257
   https://bugzilla.suse.com/968406
   https://bugzilla.suse.com/968851
   https://bugzilla.suse.com/970223
   https://bugzilla.suse.com/970425
   https://bugzilla.suse.com/970550
   https://bugzilla.suse.com/970672
   https://bugzilla.suse.com/970901
   https://bugzilla.suse.com/970989
   https://bugzilla.suse.com/971237
   https://bugzilla.suse.com/972341
   https://bugzilla.suse.com/973162
   https://bugzilla.suse.com/973432
   https://bugzilla.suse.com/973550
   https://bugzilla.suse.com/974010
   https://bugzilla.suse.com/974011
   https://bugzilla.suse.com/974315
   https://bugzilla.suse.com/976194
   https://bugzilla.suse.com/976826
   https://bugzilla.suse.com/978166

From sle-security-updates at lists.suse.com  Fri May 20 11:08:11 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 20 May 2016 19:08:11 +0200 (CEST)
Subject: SUSE-SU-2016:1374-1: important: Security update for MozillaFirefox
Message-ID: <20160520170811.8F4F2FF63@maintenance.suse.de>

   SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1374-1
Rating:             important
References:         #977333 #977374 #977376 #977381 #977386
Cross-References:   CVE-2016-2805 CVE-2016-2807 CVE-2016-2808 CVE-2016-2814
Affected Products:
                    SUSE OpenStack Cloud 5
                    SUSE Manager Proxy 2.1
                    SUSE Manager 2.1
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Server 11-SP3-LTSS
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that solves four vulnerabilities and has one errata is now
   available.
Description:

   This update to MozillaFirefox 38.8.0 ESR fixes the following security
   issues (bsc#977333):

   - CVE-2016-2805: Miscellaneous memory safety hazards - MFSA 2016-39
     (bsc#977374)
   - CVE-2016-2807: Miscellaneous memory safety hazards - MFSA 2016-39
     (bsc#977376)
   - CVE-2016-2808: Write to invalid HashMap entry through JavaScript.watch()
     - MFSA 2016-47 (bsc#977386)
   - CVE-2016-2814: Buffer overflow in libstagefright with CENC offsets -
     MFSA 2016-44 (bsc#977381)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 5:

      zypper in -t patch sleclo50sp3-MozillaFirefox-12569=1

   - SUSE Manager Proxy 2.1:

      zypper in -t patch slemap21-MozillaFirefox-12569=1

   - SUSE Manager 2.1:

      zypper in -t patch sleman21-MozillaFirefox-12569=1

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-MozillaFirefox-12569=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-MozillaFirefox-12569=1

   - SUSE Linux Enterprise Server 11-SP3-LTSS:

      zypper in -t patch slessp3-MozillaFirefox-12569=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-MozillaFirefox-12569=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-MozillaFirefox-12569=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE OpenStack Cloud 5 (x86_64):

      MozillaFirefox-38.8.0esr-40.5
      MozillaFirefox-translations-38.8.0esr-40.5
      libfreebl3-3.20.2-30.1
      libfreebl3-32bit-3.20.2-30.1
      libsoftokn3-3.20.2-30.1
      libsoftokn3-32bit-3.20.2-30.1
      mozilla-nspr-32bit-4.12-26.1
      mozilla-nspr-4.12-26.1
      mozilla-nss-3.20.2-30.1
      mozilla-nss-32bit-3.20.2-30.1
      mozilla-nss-tools-3.20.2-30.1

   - SUSE Manager Proxy 2.1 (x86_64):

      MozillaFirefox-38.8.0esr-40.5
      MozillaFirefox-translations-38.8.0esr-40.5
      libfreebl3-3.20.2-30.1
      libfreebl3-32bit-3.20.2-30.1
      libsoftokn3-3.20.2-30.1
      libsoftokn3-32bit-3.20.2-30.1
      mozilla-nspr-32bit-4.12-26.1
      mozilla-nspr-4.12-26.1
      mozilla-nss-3.20.2-30.1
      mozilla-nss-32bit-3.20.2-30.1
      mozilla-nss-tools-3.20.2-30.1

   - SUSE Manager 2.1 (s390x x86_64):

      MozillaFirefox-38.8.0esr-40.5
      MozillaFirefox-translations-38.8.0esr-40.5
      libfreebl3-3.20.2-30.1
      libfreebl3-32bit-3.20.2-30.1
      libsoftokn3-3.20.2-30.1
      libsoftokn3-32bit-3.20.2-30.1
      mozilla-nspr-32bit-4.12-26.1
      mozilla-nspr-4.12-26.1
      mozilla-nss-3.20.2-30.1
      mozilla-nss-32bit-3.20.2-30.1
      mozilla-nss-tools-3.20.2-30.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      MozillaFirefox-devel-38.8.0esr-40.5
      mozilla-nspr-devel-4.12-26.1
      mozilla-nss-devel-3.20.2-30.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      MozillaFirefox-38.8.0esr-40.5
      MozillaFirefox-translations-38.8.0esr-40.5
      libfreebl3-3.20.2-30.1
      libsoftokn3-3.20.2-30.1
      mozilla-nspr-4.12-26.1
      mozilla-nss-3.20.2-30.1
      mozilla-nss-tools-3.20.2-30.1

   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):

      libfreebl3-32bit-3.20.2-30.1
      libsoftokn3-32bit-3.20.2-30.1
      mozilla-nspr-32bit-4.12-26.1
      mozilla-nss-32bit-3.20.2-30.1

   - SUSE Linux Enterprise Server 11-SP4 (ia64):

      libfreebl3-x86-3.20.2-30.1
      libsoftokn3-x86-3.20.2-30.1
      mozilla-nspr-x86-4.12-26.1
      mozilla-nss-x86-3.20.2-30.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64):

      MozillaFirefox-38.8.0esr-40.5
      MozillaFirefox-translations-38.8.0esr-40.5
      libfreebl3-3.20.2-30.1
      libsoftokn3-3.20.2-30.1
      mozilla-nspr-4.12-26.1
      mozilla-nss-3.20.2-30.1
      mozilla-nss-tools-3.20.2-30.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (s390x x86_64):

      libfreebl3-32bit-3.20.2-30.1
      libsoftokn3-32bit-3.20.2-30.1
      mozilla-nspr-32bit-4.12-26.1
      mozilla-nss-32bit-3.20.2-30.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      MozillaFirefox-debuginfo-38.8.0esr-40.5
      MozillaFirefox-debugsource-38.8.0esr-40.5
      mozilla-nspr-debuginfo-4.12-26.1
      mozilla-nspr-debugsource-4.12-26.1
      mozilla-nss-debuginfo-3.20.2-30.1
      mozilla-nss-debugsource-3.20.2-30.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64 s390x x86_64):

      mozilla-nspr-debuginfo-32bit-4.12-26.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (ia64):

      mozilla-nspr-debuginfo-x86-4.12-26.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):

      MozillaFirefox-debuginfo-38.8.0esr-40.5
      MozillaFirefox-debugsource-38.8.0esr-40.5
      mozilla-nspr-debuginfo-4.12-26.1
      mozilla-nspr-debugsource-4.12-26.1
      mozilla-nss-debuginfo-3.20.2-30.1
      mozilla-nss-debugsource-3.20.2-30.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (s390x x86_64):

      mozilla-nspr-debuginfo-32bit-4.12-26.1

References:

   https://www.suse.com/security/cve/CVE-2016-2805.html
   https://www.suse.com/security/cve/CVE-2016-2807.html
   https://www.suse.com/security/cve/CVE-2016-2808.html
   https://www.suse.com/security/cve/CVE-2016-2814.html
   https://bugzilla.suse.com/977333
   https://bugzilla.suse.com/977374
   https://bugzilla.suse.com/977376
   https://bugzilla.suse.com/977381
   https://bugzilla.suse.com/977386

From sle-security-updates at lists.suse.com  Fri May 20 18:07:49 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 21 May 2016 02:07:49 +0200 (CEST)
Subject: SUSE-SU-2016:1378-1: important: Security update for java-1_7_0-ibm
Message-ID: <20160521000749.39A13FF6E@maintenance.suse.de>

   SUSE Security Update: Security update for java-1_7_0-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1378-1
Rating:             important
References:         #977646 #977648 #977650 #979252
Cross-References:   CVE-2016-0264 CVE-2016-0363 CVE-2016-0376 CVE-2016-0686
                    CVE-2016-0687 CVE-2016-3422 CVE-2016-3426 CVE-2016-3427
                    CVE-2016-3443 CVE-2016-3449
Affected Products:
                    SUSE OpenStack Cloud 5
                    SUSE Manager Proxy 2.1
                    SUSE Manager 2.1
                    SUSE Linux Enterprise Server 11-SP3-LTSS
                    SUSE Linux Enterprise Server 11-SP2-LTSS
______________________________________________________________________________

   An update that fixes 10 vulnerabilities is now available.

Description:

   This IBM Java 1.7.0 SR9 FP40 release fixes the following issues:

   Security issues fixed:

   - CVE-2016-0264: buffer overflow vulnerability in the IBM JVM (bsc#977648)
   - CVE-2016-0363: insecure use of invoke method in CORBA component,
     incorrect CVE-2013-3009 fix (bsc#977650)
   - CVE-2016-0376: insecure deserialization in CORBA, incorrect CVE-2013-5456
     fix (bsc#977646)
   - The following CVEs were also fixed by this update (bsc#979252):
     CVE-2016-3443, CVE-2016-0687, CVE-2016-0686, CVE-2016-3427,
     CVE-2016-3449, CVE-2016-3422, CVE-2016-3426

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 5:

      zypper in -t patch sleclo50sp3-java-1_7_0-ibm-12571=1

   - SUSE Manager Proxy 2.1:

      zypper in -t patch slemap21-java-1_7_0-ibm-12571=1

   - SUSE Manager 2.1:

      zypper in -t patch sleman21-java-1_7_0-ibm-12571=1

   - SUSE Linux Enterprise Server 11-SP3-LTSS:

      zypper in -t patch slessp3-java-1_7_0-ibm-12571=1

   - SUSE Linux Enterprise Server 11-SP2-LTSS:

      zypper in -t patch slessp2-java-1_7_0-ibm-12571=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE OpenStack Cloud 5 (x86_64):

      java-1_7_0-ibm-1.7.0_sr9.40-52.1
      java-1_7_0-ibm-alsa-1.7.0_sr9.40-52.1
      java-1_7_0-ibm-jdbc-1.7.0_sr9.40-52.1
      java-1_7_0-ibm-plugin-1.7.0_sr9.40-52.1

   - SUSE Manager Proxy 2.1 (x86_64):

      java-1_7_0-ibm-1.7.0_sr9.40-52.1
      java-1_7_0-ibm-alsa-1.7.0_sr9.40-52.1
      java-1_7_0-ibm-jdbc-1.7.0_sr9.40-52.1
      java-1_7_0-ibm-plugin-1.7.0_sr9.40-52.1

   - SUSE Manager 2.1 (s390x x86_64):

      java-1_7_0-ibm-1.7.0_sr9.40-52.1
      java-1_7_0-ibm-jdbc-1.7.0_sr9.40-52.1

   - SUSE Manager 2.1 (x86_64):

      java-1_7_0-ibm-alsa-1.7.0_sr9.40-52.1
      java-1_7_0-ibm-plugin-1.7.0_sr9.40-52.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64):

      java-1_7_0-ibm-1.7.0_sr9.40-52.1
      java-1_7_0-ibm-jdbc-1.7.0_sr9.40-52.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 x86_64):

      java-1_7_0-ibm-alsa-1.7.0_sr9.40-52.1
      java-1_7_0-ibm-plugin-1.7.0_sr9.40-52.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):

      java-1_7_0-ibm-1.7.0_sr9.40-52.1
      java-1_7_0-ibm-devel-1.7.0_sr9.40-52.1
      java-1_7_0-ibm-jdbc-1.7.0_sr9.40-52.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 x86_64):

      java-1_7_0-ibm-alsa-1.7.0_sr9.40-52.1
      java-1_7_0-ibm-plugin-1.7.0_sr9.40-52.1

References:

   https://www.suse.com/security/cve/CVE-2016-0264.html
   https://www.suse.com/security/cve/CVE-2016-0363.html
   https://www.suse.com/security/cve/CVE-2016-0376.html
   https://www.suse.com/security/cve/CVE-2016-0686.html
   https://www.suse.com/security/cve/CVE-2016-0687.html
   https://www.suse.com/security/cve/CVE-2016-3422.html
   https://www.suse.com/security/cve/CVE-2016-3426.html
   https://www.suse.com/security/cve/CVE-2016-3427.html
   https://www.suse.com/security/cve/CVE-2016-3443.html
   https://www.suse.com/security/cve/CVE-2016-3449.html
   https://bugzilla.suse.com/977646
   https://bugzilla.suse.com/977648
   https://bugzilla.suse.com/977650
   https://bugzilla.suse.com/979252

From sle-security-updates at lists.suse.com  Fri May 20 18:08:31 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 21 May 2016 02:08:31 +0200 (CEST)
Subject: SUSE-SU-2016:1379-1: important: Security update for java-1_6_0-ibm
Message-ID: <20160521000831.626A4FF63@maintenance.suse.de>

   SUSE Security Update: Security update for java-1_6_0-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1379-1
Rating:             important
References:         #977646 #977648 #977650 #979252
Cross-References:   CVE-2016-0264 CVE-2016-0363 CVE-2016-0376 CVE-2016-0686
                    CVE-2016-0687 CVE-2016-3422 CVE-2016-3426 CVE-2016-3427
                    CVE-2016-3443 CVE-2016-3449
Affected Products:
                    SUSE OpenStack Cloud 5
                    SUSE Manager Proxy 2.1
                    SUSE Manager 2.1
                    SUSE Linux Enterprise Server 11-SP3-LTSS
                    SUSE Linux Enterprise Server 11-SP2-LTSS
______________________________________________________________________________

   An update that fixes 10 vulnerabilities is now available.

Description:

   This IBM Java 1.6.0 SR16 FP25 release fixes the following issues:

   Security issues fixed:

   - CVE-2016-0264: buffer overflow vulnerability in the IBM JVM (bsc#977648)
   - CVE-2016-0363: insecure use of invoke method in CORBA component,
     incorrect CVE-2013-3009 fix (bsc#977650)
   - CVE-2016-0376: insecure deserialization in CORBA, incorrect CVE-2013-5456
     fix (bsc#977646)
   - The following CVEs were also fixed by this update (bsc#979252):
     CVE-2016-3443, CVE-2016-0687, CVE-2016-0686, CVE-2016-3427,
     CVE-2016-3449, CVE-2016-3422, CVE-2016-3426

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 5:

      zypper in -t patch sleclo50sp3-java-1_6_0-ibm-12572=1

   - SUSE Manager Proxy 2.1:

      zypper in -t patch slemap21-java-1_6_0-ibm-12572=1

   - SUSE Manager 2.1:

      zypper in -t patch sleman21-java-1_6_0-ibm-12572=1

   - SUSE Linux Enterprise Server 11-SP3-LTSS:

      zypper in -t patch slessp3-java-1_6_0-ibm-12572=1

   - SUSE Linux Enterprise Server 11-SP2-LTSS:

      zypper in -t patch slessp2-java-1_6_0-ibm-12572=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE OpenStack Cloud 5 (x86_64):

      java-1_6_0-ibm-1.6.0_sr16.25-69.1
      java-1_6_0-ibm-devel-1.6.0_sr16.25-69.1
      java-1_6_0-ibm-fonts-1.6.0_sr16.25-69.1
      java-1_6_0-ibm-jdbc-1.6.0_sr16.25-69.1
      java-1_6_0-ibm-plugin-1.6.0_sr16.25-69.1

   - SUSE Manager Proxy 2.1 (x86_64):

      java-1_6_0-ibm-1.6.0_sr16.25-69.1
      java-1_6_0-ibm-devel-1.6.0_sr16.25-69.1
      java-1_6_0-ibm-fonts-1.6.0_sr16.25-69.1
      java-1_6_0-ibm-jdbc-1.6.0_sr16.25-69.1
      java-1_6_0-ibm-plugin-1.6.0_sr16.25-69.1

   - SUSE Manager 2.1 (s390x x86_64):

      java-1_6_0-ibm-1.6.0_sr16.25-69.1
      java-1_6_0-ibm-devel-1.6.0_sr16.25-69.1
      java-1_6_0-ibm-fonts-1.6.0_sr16.25-69.1
      java-1_6_0-ibm-jdbc-1.6.0_sr16.25-69.1

   - SUSE Manager 2.1 (x86_64):

      java-1_6_0-ibm-plugin-1.6.0_sr16.25-69.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64):

      java-1_6_0-ibm-1.6.0_sr16.25-69.1
      java-1_6_0-ibm-devel-1.6.0_sr16.25-69.1
      java-1_6_0-ibm-fonts-1.6.0_sr16.25-69.1
      java-1_6_0-ibm-jdbc-1.6.0_sr16.25-69.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 x86_64):

      java-1_6_0-ibm-plugin-1.6.0_sr16.25-69.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586):

      java-1_6_0-ibm-alsa-1.6.0_sr16.25-69.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):

      java-1_6_0-ibm-1.6.0_sr16.25-69.1
      java-1_6_0-ibm-devel-1.6.0_sr16.25-69.1
      java-1_6_0-ibm-fonts-1.6.0_sr16.25-69.1
      java-1_6_0-ibm-jdbc-1.6.0_sr16.25-69.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 x86_64):

      java-1_6_0-ibm-plugin-1.6.0_sr16.25-69.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586):

      java-1_6_0-ibm-alsa-1.6.0_sr16.25-69.1

References:

   https://www.suse.com/security/cve/CVE-2016-0264.html
   https://www.suse.com/security/cve/CVE-2016-0363.html
   https://www.suse.com/security/cve/CVE-2016-0376.html
   https://www.suse.com/security/cve/CVE-2016-0686.html
   https://www.suse.com/security/cve/CVE-2016-0687.html
   https://www.suse.com/security/cve/CVE-2016-3422.html
   https://www.suse.com/security/cve/CVE-2016-3426.html
   https://www.suse.com/security/cve/CVE-2016-3427.html
   https://www.suse.com/security/cve/CVE-2016-3443.html
   https://www.suse.com/security/cve/CVE-2016-3449.html
   https://bugzilla.suse.com/977646
   https://bugzilla.suse.com/977648
   https://bugzilla.suse.com/977650
   https://bugzilla.suse.com/979252

From sle-security-updates at lists.suse.com  Mon May 23 12:07:57 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 23 May 2016 20:07:57 +0200 (CEST)
Subject: SUSE-SU-2016:1386-1: moderate: Security update for openssh
Message-ID: <20160523180757.53D6EFF6E@maintenance.suse.de>

   SUSE Security Update: Security update for openssh
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1386-1
Rating:             moderate
References:         #729190 #932483 #945484 #945493 #947458 #948902 #960414
                    #961368 #962313 #965576 #970632 #975865
Cross-References:   CVE-2015-8325 CVE-2016-1908 CVE-2016-3115
Affected Products:
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12-SP1
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that solves three vulnerabilities and has 9 fixes is now
   available.

Description:

   This update for OpenSSH fixes three security issues.
   These security issues were fixed:

   - CVE-2016-3115: Sanitise input for xauth(1) (bsc#970632)
   - CVE-2016-1908: Prevent X11 SECURITY circumvention when forwarding X11
     connections (bsc#962313)
   - CVE-2015-8325: Ignore PAM environment when using login (bsc#975865)

   These non-security issues were fixed:

   - Fix help output of sftp (bsc#945493)
   - Restarting openssh with openssh-fips installed was not working correctly
     (bsc#945484)
   - Fix crashes when /proc is not available in the chroot (bsc#947458)
   - Correctly parse GSSAPI KEX algorithms (bsc#961368)
   - More verbose FIPS mode/CC related documentation in README.FIPS
     (bsc#965576, bsc#960414)
   - Fix PRNG re-seeding (bsc#960414, bsc#729190)
   - Disable DH parameters under 2048 bits by default and allow lowering the
     limit back to the RFC 4419 specified minimum through an option
     (bsc#932483, bsc#948902)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-818=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-818=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-818=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2016-818=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      openssh-6.6p1-42.1
      openssh-askpass-gnome-6.6p1-42.1
      openssh-askpass-gnome-debuginfo-6.6p1-42.1
      openssh-debuginfo-6.6p1-42.1
      openssh-debugsource-6.6p1-42.1
      openssh-fips-6.6p1-42.1
      openssh-helpers-6.6p1-42.1
      openssh-helpers-debuginfo-6.6p1-42.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      openssh-6.6p1-42.1
      openssh-askpass-gnome-6.6p1-42.1
      openssh-askpass-gnome-debuginfo-6.6p1-42.1
      openssh-debuginfo-6.6p1-42.1
      openssh-debugsource-6.6p1-42.1
      openssh-fips-6.6p1-42.1
      openssh-helpers-6.6p1-42.1
      openssh-helpers-debuginfo-6.6p1-42.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      openssh-6.6p1-42.1
      openssh-askpass-gnome-6.6p1-42.1
      openssh-askpass-gnome-debuginfo-6.6p1-42.1
      openssh-debuginfo-6.6p1-42.1
      openssh-debugsource-6.6p1-42.1
      openssh-helpers-6.6p1-42.1
      openssh-helpers-debuginfo-6.6p1-42.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      openssh-6.6p1-42.1
      openssh-askpass-gnome-6.6p1-42.1
      openssh-askpass-gnome-debuginfo-6.6p1-42.1
      openssh-debuginfo-6.6p1-42.1
      openssh-debugsource-6.6p1-42.1
      openssh-helpers-6.6p1-42.1
      openssh-helpers-debuginfo-6.6p1-42.1

References:

   https://www.suse.com/security/cve/CVE-2015-8325.html
   https://www.suse.com/security/cve/CVE-2016-1908.html
   https://www.suse.com/security/cve/CVE-2016-3115.html
   https://bugzilla.suse.com/729190
   https://bugzilla.suse.com/932483
   https://bugzilla.suse.com/945484
   https://bugzilla.suse.com/945493
   https://bugzilla.suse.com/947458
   https://bugzilla.suse.com/948902
   https://bugzilla.suse.com/960414
   https://bugzilla.suse.com/961368
   https://bugzilla.suse.com/962313
   https://bugzilla.suse.com/965576
   https://bugzilla.suse.com/970632
   https://bugzilla.suse.com/975865

From sle-security-updates at lists.suse.com  Tue May 24 06:08:00 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 24 May 2016 14:08:00 +0200 (CEST)
Subject: SUSE-SU-2016:1388-1: important: Security update for IBM Java 1.6.0
Message-ID: <20160524120800.C43EDFF6E@maintenance.suse.de>

   SUSE Security Update: Security update for IBM Java 1.6.0
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1388-1
Rating:             important
References:         #977646 #977648 #977650 #979252
Cross-References:   CVE-2016-0264 CVE-2016-0363 CVE-2016-0376 CVE-2016-0686
                    CVE-2016-0687 CVE-2016-3422 CVE-2016-3426 CVE-2016-3427
                    CVE-2016-3443 CVE-2016-3449
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4 LTSS
______________________________________________________________________________

   An update that fixes 10 vulnerabilities is now available.

Description:

   This IBM Java 1.6.0 SR16 FP25 release fixes the following issues:

   Security issues fixed:

   * CVE-2016-0264: buffer overflow vulnerability in the IBM JVM (bsc#977648)
   * CVE-2016-0363: insecure use of invoke method in CORBA component,
     incorrect CVE-2013-3009 fix (bsc#977650)
   * CVE-2016-0376: insecure deserialization in CORBA, incorrect CVE-2013-5456
     fix (bsc#977646)
   * The following CVEs were also fixed by this update (bsc#979252):
     CVE-2016-3443, CVE-2016-0687, CVE-2016-0686, CVE-2016-3427,
     CVE-2016-3449, CVE-2016-3422, CVE-2016-3426

Security Issues:

   * CVE-2016-0376
   * CVE-2016-0363
   * CVE-2016-0264
   * CVE-2016-3443
   * CVE-2016-0687
   * CVE-2016-0686
   * CVE-2016-3427
   * CVE-2016-3449
   * CVE-2016-3422
   * CVE-2016-3426

Package List:

   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64):

      java-1_6_0-ibm-1.6.0_sr16.25-0.11.1
      java-1_6_0-ibm-devel-1.6.0_sr16.25-0.11.1
      java-1_6_0-ibm-fonts-1.6.0_sr16.25-0.11.1
      java-1_6_0-ibm-jdbc-1.6.0_sr16.25-0.11.1

   - SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64):

      java-1_6_0-ibm-32bit-1.6.0_sr16.25-0.11.1
      java-1_6_0-ibm-devel-32bit-1.6.0_sr16.25-0.11.1

   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 x86_64):

      java-1_6_0-ibm-plugin-1.6.0_sr16.25-0.11.1

   - SUSE Linux Enterprise Server 10 SP4 LTSS (x86_64):

      java-1_6_0-ibm-alsa-32bit-1.6.0_sr16.25-0.11.1
      java-1_6_0-ibm-plugin-32bit-1.6.0_sr16.25-0.11.1

   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586):

      java-1_6_0-ibm-alsa-1.6.0_sr16.25-0.11.1

References:

   https://www.suse.com/security/cve/CVE-2016-0264.html
   https://www.suse.com/security/cve/CVE-2016-0363.html
   https://www.suse.com/security/cve/CVE-2016-0376.html
   https://www.suse.com/security/cve/CVE-2016-0686.html
   https://www.suse.com/security/cve/CVE-2016-0687.html
   https://www.suse.com/security/cve/CVE-2016-3422.html
   https://www.suse.com/security/cve/CVE-2016-3426.html
   https://www.suse.com/security/cve/CVE-2016-3427.html
   https://www.suse.com/security/cve/CVE-2016-3443.html
   https://www.suse.com/security/cve/CVE-2016-3449.html
   https://bugzilla.suse.com/977646
   https://bugzilla.suse.com/977648
   https://bugzilla.suse.com/977650
   https://bugzilla.suse.com/979252
   https://download.suse.com/patch/finder/?keywords=133b4d37ec640a121ad2dbcba2704f70

From sle-security-updates at lists.suse.com  Mon May 30 11:07:54 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 30 May 2016 19:07:54 +0200 (CEST)
Subject: SUSE-SU-2016:1442-1: moderate: Security update for mercurial
Message-ID: <20160530170754.9BB05FF5F@maintenance.suse.de>

   SUSE Security Update: Security update for mercurial
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1442-1
Rating:             moderate
References:         #978391
Cross-References:   CVE-2016-3105
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Software Development Kit 12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for mercurial fixes the following issues:

   Security issues fixed:

   - CVE-2016-3105: Versions prior to 3.8 allowed arbitrary code execution
     when using the convert extension on a Git repo. (bsc#978391)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-857=1

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2016-857=1

   To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64): mercurial-2.8.2-9.1 mercurial-debuginfo-2.8.2-9.1 mercurial-debugsource-2.8.2-9.1 - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64): mercurial-2.8.2-9.1 mercurial-debuginfo-2.8.2-9.1 mercurial-debugsource-2.8.2-9.1 References: https://www.suse.com/security/cve/CVE-2016-3105.html https://bugzilla.suse.com/978391 From sle-security-updates at lists.suse.com Mon May 30 11:08:09 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 30 May 2016 19:08:09 +0200 (CEST) Subject: SUSE-SU-2016:1443-1: moderate: Security update for mercurial Message-ID: <20160530170809.A4F9EFF50@maintenance.suse.de> SUSE Security Update: Security update for mercurial ______________________________________________________________________________ Announcement ID: SUSE-SU-2016:1443-1 Rating: moderate References: #978391 Cross-References: CVE-2016-3105 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for mercurial fixes the following issues: Security issues fixed: - CVE-2016-3105: Versionsprior to 3.8 allowed arbitrary code execution when using the convert extension on Git repo. (bsc#978391) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-mercurial-12585=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-mercurial-12585=1 To bring your system up-to-date, use "zypper patch". 
Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      mercurial-2.3.2-0.14.2

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      mercurial-debuginfo-2.3.2-0.14.2
      mercurial-debugsource-2.3.2-0.14.2

References:

   https://www.suse.com/security/cve/CVE-2016-3105.html
   https://bugzilla.suse.com/978391

From sle-security-updates at lists.suse.com  Mon May 30 11:08:35 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 30 May 2016 19:08:35 +0200 (CEST)
Subject: SUSE-SU-2016:1445-1: important: Security update for Xen
Message-ID: <20160530170835.3D9BAFF50@maintenance.suse.de>

   SUSE Security Update: Security update for Xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1445-1
Rating:             important
References:         #960726 #962627 #964925 #964947 #965315 #965317 #967101
                    #969351
Cross-References:   CVE-2014-0222 CVE-2014-7815 CVE-2015-5278 CVE-2015-8743
                    CVE-2016-2270 CVE-2016-2271 CVE-2016-2391 CVE-2016-2841
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4 LTSS
______________________________________________________________________________

   An update that fixes 8 vulnerabilities is now available.
Description:

   Xen was updated to fix the following security issues:

   * CVE-2016-2841: net: ne2000: infinite loop in ne2000_receive (bsc#969351)
   * CVE-2016-2391: usb: multiple eof_timers in ohci module leads to null
     pointer dereference (bsc#967101)
   * CVE-2016-2270: x86: inconsistent cachability flags on guest mappings
     (XSA-154) (bsc#965315)
   * CVE-2016-2271: VMX: guest user mode may crash guest with non-canonical
     RIP (XSA-170) (bsc#965317)
   * CVE-2015-5278: Infinite loop in ne2000_receive() function (bsc#964947)
   * CVE-2014-0222: qcow1: validate L2 table size to avoid integer overflows
     (bsc#964925)
   * CVE-2014-7815: vnc: insufficient bits_per_pixel from the client
     sanitization (bsc#962627)
   * CVE-2015-8743: ne2000: OOB memory access in ioport r/w functions
     (bsc#960726)

   Security Issues:

   * CVE-2016-2841
   * CVE-2016-2391
   * CVE-2016-2270
   * CVE-2016-2271
   * CVE-2015-5278
   * CVE-2014-0222
   * CVE-2014-7815
   * CVE-2015-8743

Special Instructions and Notes:

   Please reboot the system after installing this update.
Package List:

   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 x86_64):

      xen-3.2.3_17040_46-0.25.1
      xen-devel-3.2.3_17040_46-0.25.1
      xen-doc-html-3.2.3_17040_46-0.25.1
      xen-doc-pdf-3.2.3_17040_46-0.25.1
      xen-doc-ps-3.2.3_17040_46-0.25.1
      xen-kmp-debug-3.2.3_17040_46_2.6.16.60_0.132.8-0.25.1
      xen-kmp-default-3.2.3_17040_46_2.6.16.60_0.132.8-0.25.1
      xen-kmp-kdump-3.2.3_17040_46_2.6.16.60_0.132.8-0.25.1
      xen-kmp-smp-3.2.3_17040_46_2.6.16.60_0.132.8-0.25.1
      xen-libs-3.2.3_17040_46-0.25.1
      xen-tools-3.2.3_17040_46-0.25.1
      xen-tools-domU-3.2.3_17040_46-0.25.1
      xen-tools-ioemu-3.2.3_17040_46-0.25.1

   - SUSE Linux Enterprise Server 10 SP4 LTSS (x86_64):

      xen-libs-32bit-3.2.3_17040_46-0.25.1

   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586):

      xen-kmp-bigsmp-3.2.3_17040_46_2.6.16.60_0.132.8-0.25.1
      xen-kmp-kdumppae-3.2.3_17040_46_2.6.16.60_0.132.8-0.25.1
      xen-kmp-vmi-3.2.3_17040_46_2.6.16.60_0.132.8-0.25.1
      xen-kmp-vmipae-3.2.3_17040_46_2.6.16.60_0.132.8-0.25.1

References:

   https://www.suse.com/security/cve/CVE-2014-0222.html
   https://www.suse.com/security/cve/CVE-2014-7815.html
   https://www.suse.com/security/cve/CVE-2015-5278.html
   https://www.suse.com/security/cve/CVE-2015-8743.html
   https://www.suse.com/security/cve/CVE-2016-2270.html
   https://www.suse.com/security/cve/CVE-2016-2271.html
   https://www.suse.com/security/cve/CVE-2016-2391.html
   https://www.suse.com/security/cve/CVE-2016-2841.html
   https://bugzilla.suse.com/960726
   https://bugzilla.suse.com/962627
   https://bugzilla.suse.com/964925
   https://bugzilla.suse.com/964947
   https://bugzilla.suse.com/965315
   https://bugzilla.suse.com/965317
   https://bugzilla.suse.com/967101
   https://bugzilla.suse.com/969351
   https://download.suse.com/patch/finder/?keywords=5674a3bc2ab2548e9b2b0ec9973724d0

From sle-security-updates at lists.suse.com  Tue May 31 14:07:33 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 31 May 2016 22:07:33 +0200 (CEST)
Subject: SUSE-SU-2016:1457-1: important: Security update for cyrus-imapd
Message-ID: <20160531200733.DBEF6FF71@maintenance.suse.de>

   SUSE Security Update: Security update for cyrus-imapd
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1457-1
Rating:             important
References:         #860611 #901748 #954200 #954201 #981670
Cross-References:   CVE-2014-3566 CVE-2015-8076 CVE-2015-8077 CVE-2015-8078
Affected Products:
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Server 12
______________________________________________________________________________

   An update that solves four vulnerabilities and has one erratum is now
   available.

Description:

   - Previous versions of cyrus-imapd would not allow its users to disable
     old protocols like SSLv1 and SSLv2 that are unsafe due to various known
     attacks like BEAST and POODLE.
     https://bugzilla.cyrusimap.org/show_bug.cgi?id=3867 remedies this issue
     by adding the configuration option 'tls_versions' to the imapd.conf
     file. Note that users who upgrade an existing installation of this
     package will *not* have their imapd.conf file overwritten, i.e. their
     IMAP server will continue to support SSLv1 and SSLv2 like before. To
     disable support for those protocols, it's necessary to edit imapd.conf
     manually to state "tls_versions: tls1_0 tls1_1 tls1_2". New
     installations, however, will have an imapd.conf file that contains
     these settings already, i.e. newly installed IMAP servers do *not*
     support SSLv1 and SSLv2 unless that support is explicitly enabled by
     the user. (bsc#901748)

   - An integer overflow vulnerability in cyrus-imapd's urlfetch range
     checking code was fixed. (CVE-2015-8076, CVE-2015-8077, CVE-2015-8078,
     bsc#981670, bsc#954200, bsc#954201)

   - Support for Elliptic Curve Diffie-Hellman (ECDH) has been added to
     cyrus-imapd. (bsc#860611)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-864=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-864=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      cyrus-imapd-debuginfo-2.3.18-37.1
      cyrus-imapd-debugsource-2.3.18-37.1
      perl-Cyrus-IMAP-2.3.18-37.1
      perl-Cyrus-IMAP-debuginfo-2.3.18-37.1
      perl-Cyrus-SIEVE-managesieve-2.3.18-37.1
      perl-Cyrus-SIEVE-managesieve-debuginfo-2.3.18-37.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      cyrus-imapd-debuginfo-2.3.18-37.1
      cyrus-imapd-debugsource-2.3.18-37.1
      perl-Cyrus-IMAP-2.3.18-37.1
      perl-Cyrus-IMAP-debuginfo-2.3.18-37.1
      perl-Cyrus-SIEVE-managesieve-2.3.18-37.1
      perl-Cyrus-SIEVE-managesieve-debuginfo-2.3.18-37.1

References:

   https://www.suse.com/security/cve/CVE-2014-3566.html
   https://www.suse.com/security/cve/CVE-2015-8076.html
   https://www.suse.com/security/cve/CVE-2015-8077.html
   https://www.suse.com/security/cve/CVE-2015-8078.html
   https://bugzilla.suse.com/860611
   https://bugzilla.suse.com/901748
   https://bugzilla.suse.com/954200
   https://bugzilla.suse.com/954201
   https://bugzilla.suse.com/981670

From sle-security-updates at lists.suse.com  Tue May 31 14:08:26 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 31 May 2016 22:08:26 +0200 (CEST)
Subject: SUSE-SU-2016:1458-1: important: Security update for java-1_6_0-ibm
Message-ID: <20160531200826.D0E89FF50@maintenance.suse.de>

   SUSE Security Update: Security update for java-1_6_0-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1458-1
Rating:             important
References:         #977646 #977648 #977650 #979252 #981087
Cross-References:   CVE-2016-0264 CVE-2016-0363 CVE-2016-0376 CVE-2016-0686
                    CVE-2016-0687 CVE-2016-3422 CVE-2016-3426 CVE-2016-3427
                    CVE-2016-3443
                    CVE-2016-3449
Affected Products:
                    SUSE Linux Enterprise Module for Legacy Software 12
______________________________________________________________________________

   An update that fixes 10 vulnerabilities is now available.

Description:

   This update for java-1_6_0-ibm fixes the following issues:

   - Update to sr16 fp26 to fix a regression in TLS connections.
     (bsc#981087)

   - IBM Java 1.6.0 SR16 FP25 released (bsc#977646 bsc#977648 bsc#977650
     bsc#979252)

     CVE-2016-0376 CVE-2016-0264 CVE-2016-0363 CVE-2016-3443 CVE-2016-0687
     CVE-2016-0686 CVE-2016-3427 CVE-2016-3449 CVE-2016-3422 CVE-2016-3426

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Legacy Software 12:

      zypper in -t patch SUSE-SLE-Module-Legacy-12-2016-865=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Module for Legacy Software 12 (s390x x86_64):

      java-1_6_0-ibm-1.6.0_sr16.26-37.1
      java-1_6_0-ibm-fonts-1.6.0_sr16.26-37.1
      java-1_6_0-ibm-jdbc-1.6.0_sr16.26-37.1

   - SUSE Linux Enterprise Module for Legacy Software 12 (x86_64):

      java-1_6_0-ibm-plugin-1.6.0_sr16.26-37.1

References:

   https://www.suse.com/security/cve/CVE-2016-0264.html
   https://www.suse.com/security/cve/CVE-2016-0363.html
   https://www.suse.com/security/cve/CVE-2016-0376.html
   https://www.suse.com/security/cve/CVE-2016-0686.html
   https://www.suse.com/security/cve/CVE-2016-0687.html
   https://www.suse.com/security/cve/CVE-2016-3422.html
   https://www.suse.com/security/cve/CVE-2016-3426.html
   https://www.suse.com/security/cve/CVE-2016-3427.html
   https://www.suse.com/security/cve/CVE-2016-3443.html
   https://www.suse.com/security/cve/CVE-2016-3449.html
   https://bugzilla.suse.com/977646
   https://bugzilla.suse.com/977648
   https://bugzilla.suse.com/977650
   https://bugzilla.suse.com/979252
   https://bugzilla.suse.com/981087
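The cyrus-imapd advisory (SUSE-SU-2016:1457-1) above makes a point worth checking on a fleet: an upgraded system keeps its old imapd.conf, so the new 'tls_versions' option is simply absent and the legacy protocols stay enabled until someone adds "tls_versions: tls1_0 tls1_1 tls1_2" by hand. The following POSIX shell audit is an added example, not part of the SUSE advisory or of the cyrus-imapd project. It reads an imapd.conf, extracts the last active tls_versions line (commented lines are ignored) and classifies the file as restricted, missing the option, or enabling something beyond the three TLS tokens the advisory names. The sample config files it writes to a temporary directory are constructed for the demonstration, and the "ssl3" token used in one of them is assumed as an illustration of a legacy value rather than taken from the advisory.

```shell
#!/bin/sh
# Added example (not SUSE's or cyrus-imapd's own code): audit imapd.conf for
# the 'tls_versions' option introduced by SUSE-SU-2016:1457-1.

# Print the value of the last active "tls_versions:" line, or nothing if the
# option is absent. imapd.conf uses "option: value" lines; '#' starts a comment.
imapd_tls_versions() {
    sed -n 's/^[[:space:]]*tls_versions:[[:space:]]*//p' "$1" | tail -n 1
}

# Return 0 if every token is one of tls1_0 tls1_1 tls1_2 (the setting the
# advisory tells upgraded installs to add), 1 if the option is missing (the
# upgraded-install case: legacy protocols remain enabled), 2 if any other
# token is present.
check_imapd_tls() {
    value=$(imapd_tls_versions "$1")
    [ -n "$value" ] || return 1
    for tok in $value; do
        case "$tok" in
            tls1_0|tls1_1|tls1_2) ;;
            *) return 2 ;;
        esac
    done
    return 0
}

# Human-readable verdict for one config file; never exits non-zero itself so
# it is safe to call under 'set -e'.
report_imapd_tls() {
    rc=0
    check_imapd_tls "$1" || rc=$?
    case "$rc" in
        0) echo "$1: OK, tls_versions restricted to tls1_0 tls1_1 tls1_2" ;;
        1) echo "$1: WARN, tls_versions absent; legacy SSL remains enabled, edit imapd.conf" ;;
        2) echo "$1: WARN, tls_versions enables a protocol outside tls1_0 tls1_1 tls1_2" ;;
    esac
}

# Constructed sample configs (not real systems); prints the directory created.
make_sample_configs() {
    dir=$(mktemp -d)
    # Upgraded install: imapd.conf predates the option entirely.
    printf 'configdirectory: /var/lib/imap\ntls_cert_file: /etc/ssl/servercerts/servercert.pem\n' \
        > "$dir/upgraded.conf"
    # Fresh install: shipped with the restricted setting from the advisory.
    printf 'configdirectory: /var/lib/imap\ntls_versions: tls1_0 tls1_1 tls1_2\n' \
        > "$dir/fresh.conf"
    # Option present, but a legacy token ("ssl3", assumed value) re-enabled;
    # the commented line must be ignored by the parser.
    printf '# tls_versions: tls1_2\ntls_versions: ssl3 tls1_0 tls1_1 tls1_2\n' \
        > "$dir/legacy.conf"
    echo "$dir"
}

# Stand-alone run: audit the three constructed files, then clean up.
demo_dir=$(make_sample_configs)
for f in "$demo_dir"/upgraded.conf "$demo_dir"/fresh.conf "$demo_dir"/legacy.conf; do
    report_imapd_tls "$f"
done
rm -rf "$demo_dir"
```

To use it on a real host, call report_imapd_tls on the actual /etc/imapd.conf instead of the constructed files; the exit code of check_imapd_tls is what a configuration-management check would key on.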